feat(ci): resolve stack images by short SHA, drop repin train#726
feat(ci): resolve stack images by short SHA, drop repin train#726bussyjd wants to merge 4 commits into
Conversation
Stop storing x402 image digests in git. Embedded templates use :__OBOL_IMAGE__; CopyInfrastructure rewrites via internal/images to repo:<GitCommit>@sha256:<index-digest> at apply time (short-SHA tag privileged; digest bound from GHCR when reachable). Dev still uses dev-<sha>. Delete release-prep, repin/verify-x402-pins scripts, and continuous open-repin. Release gate is verify-release-images.sh (GHCR tags exist for the commit short SHA). Publish job-broker with the other components. Supersedes #725 (job-broker publish without expanding the repin regime).
|
Ready to merge for v0.13.0-rc3 — blocked only on required review (cannot self-approve). CI: Go build/vet/unit tests pass; gitleaks/helm/lint green. Once approved I will:
Please approve when you can. |
|
@OisinKyne @mcdee CI is green and auto-merge is armed — only missing: one approving review so we can cut |
Cut multi-arch publish from ~20–40m to a few minutes: - Dockerfile.x402 multi-target: one shared builder builds all five pure-Go binaries; final distroless stages stay separate - docker-bake.hcl + bake-action: single job, shared GHA cache scope - FROM --platform=\$BUILDPLATFORM + GOARCH=\$TARGETARCH (CGO off) — drop QEMU emulation that dominated wall time - BuildKit cache mounts for modules + go-build - .dockerignore: exclude web/** bulk (keep public-storefront), tests Thin per-component Dockerfiles kept for local stack builds with the same cross-compile + cache-mount pattern.
| gh workflow run docker-publish-x402.yml --ref main | ||
| ``` | ||
|
|
||
| CLI `version.GitCommit` selects `repo:<short-sha>`; apply-time `images.Resolve` binds the GHCR index digest for security. Digests are never committed. |
There was a problem hiding this comment.
apply-time
images.Resolvebinds the GHCR index digest for security. Digests are never committed.
Does this mean if a sha changes on server side we pull the new one? its still better than latest etc but it might not grant us super surety we're keeping a single digest dockerimage across restarts etc. maybe not the end of the world but something to keep on the security considerations
There was a problem hiding this comment.
Good catch — you're right about the mutability gap.
Before: every apply re-HEAded GHCR for repo:<short-sha>, so if a package writer overwrote that tag, the next stack up would bind a new digest (still better than :latest, but not “same image across restarts” for a given install).
Now (d1d0aa1):
- First resolve for
(repo, GitCommit)fetches the multi-arch index digest and persists it to$OBOL_CONFIG_DIR/image-digests.json. - Later applies / restarts with the same CLI version reuse the pin and do not re-query GHCR.
OBOL_REFRESH_IMAGE_DIGESTS=trueis the explicit escape hatch to re-bind.- Ops policy remains: never retag a published short SHA; package write ACL on
ghcr.io/obolnetwork/*is still part of the trust root.
Trade-off vs digests-in-git is documented under Security considerations in docs/release-images.md. Cross-host / fresh install still first-fetches GHCR (same short SHA → same digest if tags weren't retagged).
Thanks for flagging it.
Address review: apply-time re-fetch of GHCR digests would pick up a retagged short-SHA on the next stack up. Bind the multi-arch index digest on first resolve for each repo:GitCommit, store it in $OBOL_CONFIG_DIR/image-digests.json, and reuse it on later applies (unless OBOL_REFRESH_IMAGE_DIGESTS=true). Document the threat model in docs/release-images.md.
Summary
Replaces digest-in-git + repin PR ceremony with a single image policy:
image: ghcr.io/obolnetwork/…:__OBOL_IMAGE__(no digests in git).CopyInfrastructure/images.Resolve): production →repo:<GitCommit>@sha256:<index-digest>when GHCR is reachable; short-SHA alone if offline. Dev →repo:dev-<sha>.verify-release-images.shchecks GHCR has tags for the commit short SHA.docker-publish-x402builds/pushes only (includes job-broker).Supersedes #725 — that PR added job-broker to the old repin regime. This lands job-broker publish and removes the regime.
Net: −419 LOC (662 added / 1081 removed). Deleted
release-prep.yml,repin-x402-images.sh,verify-x402-pins.sh,docs/release-x402-pins.md.Risk level: medium (release path change; first tag after merge needs GHCR images for that short SHA — already true for commits that hit the publish path).
Scope
internal/images,internal/defaults, templates, tests)docs/release-images.md, release-train)Validation
Unit tests:
Release train after merge
No repin PR. Before tagging:
.github/scripts/verify-release-images.sh HEAD.Docs:
docs/release-images.md.Review Notes
OBOL_SKIP_IMAGE_DIGEST=truefor offline apply/tests.