Skip to content

Make runner image releases transactional and versioned#170

Merged
jmcte merged 6 commits into
mainfrom
codex/transactional-image-release
Jul 16, 2026
Merged

Make runner image releases transactional and versioned#170
jmcte merged 6 commits into
mainfrom
codex/transactional-image-release

Conversation

@jmcte

@jmcte jmcte commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Summary

  • make image publication transactional: preflight release state, build a unique candidate, verify its immutable digest, then promote without rebuilding
  • bound signature, SBOM, and provenance verification and retain diagnostics for failed recovery
  • establish .runner-version as the canonical Actions runner pin and enforce a 21-day freshness gate
  • verify the runner binary embedded in release candidates and align production image references on 0.2.2
  • freeze the unverifiable 0.2.1 artifact and document non-mutating recovery/supersession
  • make the Windows Docker path an explicitly experimental, always-validated template contract

Governing Issues

Closes #158

Refs #149
Refs #150
Refs #151
Refs #164

The referenced issues remain open until the release is dispatched from main, the live image and pool rollout are recorded, and the previously failing consumer workflows are rerun successfully.

Validation

  • CI=true bash scripts/ci/run-fast-checks.sh (48 files, 277 tests; lint and build passed)
  • pnpm exec vitest run test/workflow.test.ts test/ci-scripts.test.ts (18 tests passed)
  • targeted runner/release suite (8 files, 72 tests passed)
  • actionlint on the changed workflows (only established custom-runner-label warnings)
  • bash -n on changed shell scripts
  • pnpm check-runner-version -- --fail-after-days 21 (2.335.1, current; freshness gate not blocked)
  • git diff --check

Bootstrap Governance

  • Changes are scoped to linked issues
  • No contributor or PR guidance changes
  • Squash auto-merge enabled
  • No secrets, runtime auth, or machine-local files committed

Rollout

After merge, dispatch Release Image for 0.2.2 from main, verify the published digest/signature/SBOM/provenance and embedded runner version, then roll the applicable pools. The existing 0.2.1 tag must not be mutated; it is retained only for diagnosis and is superseded by 0.2.2.

@athena-omt athena-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Requesting changes.

Blocking issue: in .github/workflows/release-image.yml, the new publish path builds and pushes only the unique candidate reference while steps.release_state.outputs.publish_required == 'true', but the Sign per-platform image digests step still runs docker buildx imagetools inspect "${{ steps.release_meta.outputs.image_ref }}" --raw before the later Promote verified digest to final tag step creates that final tag. For a first 0.2.2 release, preflight expects the final tag to be absent, so this step can fail before promotion. Please inspect/sign the candidate working_ref manifest, or otherwise use the verified candidate digest, before promoting.

Merge readiness blocker: live PR metadata reports mergeStateStatus: DIRTY, and I reproduced conflicts locally with git merge-tree origin/main HEAD in config/lume-runners.yaml and test/dockerfile.test.ts. Please resolve against current main and rerun CI.

Evidence checked: worker-node worktree at head 452b7710ea68b7f8bb939fc543f3f1dd8126033b, gh pr view status/check/auto-merge metadata, release workflow diff, and local merge-tree. Targeted Vitest did not run because this prepared worktree does not have vitest installed.

@athena-omt athena-omt added the state:needs-repair PR needs repair before review can proceed. label Jul 13, 2026
@daedalus-omt
daedalus-omt force-pushed the codex/transactional-image-release branch from 5d1d394 to 9843e61 Compare July 14, 2026 09:55
Your Name and others added 3 commits July 14, 2026 09:56
Require explicit dispatch, build unique candidate tags, verify immutable digests with bounded diagnostics, and promote only after verification. Add a non-mutating recovery decision for the partially published v0.2.1 tag.

Refs #150.
Make .runner-version the shared Linux, Windows, Lume, CLI, and release source; add a daily freshness gate; supersede unreleased 0.2.1 with 0.2.2; remove the stale tracked Compose output; and classify Windows as an always-validated experimental template rather than a release-backed plane.

Closes #158. Refs #149. Refs #150. Refs #151. Refs #164.

Co-authored-by: Your Name <you@example.com>
@daedalus-omt
daedalus-omt force-pushed the codex/transactional-image-release branch from 9843e61 to f984b70 Compare July 14, 2026 09:58
@athena-omt athena-omt added status:needs-review PR is ready for Athena review. review:athena Athena review governance requested. state:waiting-checks Waiting for CI/check status to settle. and removed state:needs-repair PR needs repair before review can proceed. labels Jul 15, 2026

@athena-omt athena-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Superseded due to a formatting error. Please use the subsequent Athena request-changes review on this same head for the complete actionable blocker and repair request.

@athena-omt athena-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Requesting changes on current head ada210d.

Blocking release-path defect: the preflight selects a unique working_ref when the final tag is absent, and the build pushes only that candidate. The digest, SBOM, and signature steps correctly use working_ref, but Sign per-platform image digests still calls docker buildx imagetools inspect on steps.release_meta.outputs.image_ref before Promote verified digest to final tag. On a first 0.2.2 release, that final tag is deliberately absent, so the workflow fails before the promotion step and cannot publish.

Please inspect the candidate working_ref (or its already-verified immutable digest) for the per-platform manifest, then promote only after all signing and attestations succeed. Add a contract test that asserts the per-platform inspection uses the candidate or verified subject on the publish-required path.

Evidence: current workflow lines 146-168 choose and push the candidate and lines 170-179 inspect it; the per-platform signing step then switches back to image_ref before promotion. Fresh CI on this head is green, but test/release-workflow.test.ts only checks for generic per-platform signing tokens and does not cover the reference or ordering invariant.

@athena-omt athena-omt added state:needs-repair PR needs repair before review can proceed. and removed status:needs-review PR is ready for Athena review. review:athena Athena review governance requested. state:waiting-checks Waiting for CI/check status to settle. labels Jul 15, 2026
Inspect the verified staging subject when signing per-platform digests so first-time releases do not require the final tag before promotion. Add a workflow contract assertion for the candidate reference and ordering.
@jmcte
jmcte requested a review from athena-omt July 16, 2026 11:22
@athena-omt athena-omt added status:needs-review PR is ready for Athena review. review:athena Athena review governance requested. state:waiting-checks Waiting for CI/check status to settle. and removed state:needs-repair PR needs repair before review can proceed. labels Jul 16, 2026
Build a minimal non-empty scratch image so the compatibility smoke works with both BuildKit and the legacy Docker builder. Add regression assertions for the marker-backed build context.
@jmcte

jmcte commented Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

@athena-omt @pheidon PR #170 is ready for re-review at exact head 6637a7f03f379d36adb6fd1042b5326318f50c75.

The blocking candidate-signing defect is fixed: per-platform subjects are now derived from the candidate repository plus immutable digest before final-tag promotion, and the contract test asserts both the reference and ordering invariant.

I also repaired the release smoke path exposed by the latest main Release Image run: the Docker API probe now builds a minimal marker-backed scratch image, so legacy Docker builders produce a real image instead of rejecting an empty FROM scratch Dockerfile.

Verification:

  • bash -n scripts/smoke-test.sh
  • pnpm exec vitest run test/dockerfile.test.ts test/smoke-harness.test.ts
  • bash scripts/ci/run-fast-checks.sh (53 files, 314 tests, lint and build pass)
  • Exact-head GitHub checks: all passed or intentionally skipped, including Fast Checks, CI Gate, CodeQL, and Linux Docker contract

The PR is mergeable and auto-merge remains armed; the stale requested-changes review is the only remaining gate.

@athena-omt athena-omt removed the state:waiting-checks Waiting for CI/check status to settle. label Jul 16, 2026

@athena-omt athena-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved. Verified the exact head on Athena’s node-local worktree. The candidate-signing repair now derives per-platform subjects from working_ref@digest before final-tag promotion, with contract coverage for the reference and ordering invariant. The branch is current with main, mergeable, and has squash auto-merge enabled; CI, Extended Validation, Security, and PR Fast CI are successful. Local TypeScript lint, all 53 test files / 314 tests, and build passed.

@jmcte
jmcte merged commit ba15fe9 into main Jul 16, 2026
29 checks passed
@jmcte
jmcte deleted the codex/transactional-image-release branch July 16, 2026 14:50
@athena-omt athena-omt removed status:needs-review PR is ready for Athena review. review:athena Athena review governance requested. labels Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Define and enforce the Windows runner plane release contract

2 participants