chore(release): v0.13.0-rc4 candidate — 8 reviewed PRs (#726–#734)#741
Merged
Conversation
Stop storing x402 image digests in git. Embedded templates use :__OBOL_IMAGE__; CopyInfrastructure rewrites via internal/images to repo:<GitCommit>@sha256:<index-digest> at apply time (short-SHA tag privileged; digest bound from GHCR when reachable). Dev still uses dev-<sha>. Delete release-prep, repin/verify-x402-pins scripts, and continuous open-repin. Release gate is verify-release-images.sh (GHCR tags exist for the commit short SHA). Publish job-broker with the other components. Supersedes #725 (job-broker publish without expanding the repin regime).
Cut multi-arch publish from ~20–40m to a few minutes: - Dockerfile.x402 multi-target: one shared builder builds all five pure-Go binaries; final distroless stages stay separate - docker-bake.hcl + bake-action: single job, shared GHA cache scope - FROM --platform=\$BUILDPLATFORM + GOARCH=\$TARGETARCH (CGO off) — drop QEMU emulation that dominated wall time - BuildKit cache mounts for modules + go-build - .dockerignore: exclude web/** bulk (keep public-storefront), tests Thin per-component Dockerfiles kept for local stack builds with the same cross-compile + cache-mount pattern.
Address review: apply-time re-fetch of GHCR digests would pick up a retagged short-SHA on the next stack up. Bind the multi-arch index digest on first resolve for each repo:GitCommit, store it in $OBOL_CONFIG_DIR/image-digests.json, and reuse it on later applies (unless OBOL_REFRESH_IMAGE_DIGESTS=true). Document the threat model in docs/release-images.md.
…s from Agent CR Additive AgentSpec fields (modelProvider, mcpServers, maxTurns, disabledToolsets) threaded through renderHermesConfig so the CR is the source of truth for the agent's inference provider and paid MCP wiring. Unset fields render byte-identical to the prior fixed template (no CRD version bump, no behavior change for existing agents). Claude-Session: https://claude.ai/code/session_01VquWN9UMaSHH7MHGcG8bw1
…rift condition Gate the per-agent hermes-config ConfigMap write on a content-hash annotation (obol.org/hermes-config-hash) stored on the live ConfigMap. Skip the apply when the freshly-rendered desired hash matches the stored annotation — so an unchanged config is not rewritten on every reconcile or controller restart. This ends the every-'obol stack up' re-provision that silently wiped operator config (now CR-driven after b7b1bf4). The skip decision is purely desiredHash == storedAnnotation, never desired-vs-live-content, so operator edits are not treated as drift to revert. Out-of-band ConfigMap edits are surfaced via a new ConfigDrift status condition instead of being clobbered. Annotation lives on the persistent ConfigMap so the skip survives controller-pod restarts. Claude-Session: https://claude.ai/code/session_01VquWN9UMaSHH7MHGcG8bw1
…egration/v0.13.0-rc4
…egration/v0.13.0-rc4
… integration/v0.13.0-rc4
…ration/v0.13.0-rc4
Combined AgentSpec config fields (#728) with storefront spec.branding (#731-#733) required a fresh controller-gen pass; the stacked branches' committed CRD lagged the merged Go types. No hand edits. Claude-Session: https://claude.ai/code/session_01VquWN9UMaSHH7MHGcG8bw1
OisinKyne
approved these changes
Jul 13, 2026
OisinKyne
left a comment
Contributor
There was a problem hiding this comment.
Are these caveats dealt with in this PR or do they need to be dealt with? the swap to light theme default is deliberate, for one.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Collects the v0.13.0-rc4 candidate: eight reviewed PRs merged onto current main, plus a CRD regen for the combined types.
What's in it
HERMES_WRITE_SAFE_ROOTfor the v2026.7 imageEach was reviewed one-by-one by a Fable-5 panel — 4 ship / 4 ship-with-caveat / 0 hold. Direction assessed sound: a clean 3-layer storefront branding system (presets → per-hostname → custom CSS) with every injection surface routed through one sanitizer + XSS corpus test.
Local validation (rc4 tip)
go build ./...✓ ·go vet✓ · tests for controller/x402/storefront/hermes/images/embed ✓serviceoffer-crd.yaml+ deepcopy for the mergedspec.branding+ AgentSpec fields — one stacked branch's committed CRD lagged its Go types).Rollout caveats for silvernuc3 (from the review)
obol sell info set --theme obol(current dark palette) before upgrade or the storefront silently repaints white. Pre-upgrade look/feel is snapshotted with a restore doc.obol-stack-public-storefrontis Resolved by the CLI but not in the release publish/verify set — close before final tag or fresh installs 404.CHAIN_IDS(fast-follow); runobol network addfor the new chains.PR descriptions on #731/#732 are shifted by one (each describes the next PR's feature) — diffs are correct; fix copy before final.
https://claude.ai/code/session_01VquWN9UMaSHH7MHGcG8bw1