Skip to content

Make runner image releases transactional and versioned#170

Open
jmcte wants to merge 4 commits into
mainfrom
codex/transactional-image-release
Open

Make runner image releases transactional and versioned#170
jmcte wants to merge 4 commits into
mainfrom
codex/transactional-image-release

Conversation

@jmcte

@jmcte jmcte commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Summary

  • make image publication transactional: preflight release state, build a unique candidate, verify its immutable digest, then promote without rebuilding
  • bound signature, SBOM, and provenance verification and retain diagnostics for failed recovery
  • establish .runner-version as the canonical Actions runner pin and enforce a 21-day freshness gate
  • verify the runner binary embedded in release candidates and align production image references on 0.2.2
  • freeze the unverifiable 0.2.1 artifact and document non-mutating recovery/supersession
  • make the Windows Docker path an explicitly experimental, always-validated template contract

Governing Issues

Closes #158

Refs #149
Refs #150
Refs #151
Refs #164

The referenced issues remain open until the release is dispatched from main, the live image and pool rollout are recorded, and the previously failing consumer workflows are rerun successfully.

Validation

  • CI=true bash scripts/ci/run-fast-checks.sh (48 files, 277 tests; lint and build passed)
  • pnpm exec vitest run test/workflow.test.ts test/ci-scripts.test.ts (18 tests passed)
  • targeted runner/release suite (8 files, 72 tests passed)
  • actionlint on the changed workflows (only established custom-runner-label warnings)
  • bash -n on changed shell scripts
  • pnpm check-runner-version -- --fail-after-days 21 (2.335.1, current; freshness gate not blocked)
  • git diff --check

Bootstrap Governance

  • Changes are scoped to linked issues
  • No contributor or PR guidance changes
  • Squash auto-merge enabled
  • No secrets, runtime auth, or machine-local files committed

Rollout

After merge, dispatch Release Image for 0.2.2 from main, verify the published digest/signature/SBOM/provenance and embedded runner version, then roll the applicable pools. The existing 0.2.1 tag must not be mutated; it is retained only for diagnosis and is superseded by 0.2.2.

@athena-omt athena-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Requesting changes.

Blocking issue: in .github/workflows/release-image.yml, the new publish path builds and pushes only the unique candidate reference while steps.release_state.outputs.publish_required == 'true', but the Sign per-platform image digests step still runs docker buildx imagetools inspect "${{ steps.release_meta.outputs.image_ref }}" --raw before the later Promote verified digest to final tag step creates that final tag. For a first 0.2.2 release, preflight expects the final tag to be absent, so this step can fail before promotion. Please inspect/sign the candidate working_ref manifest, or otherwise use the verified candidate digest, before promoting.

Merge readiness blocker: live PR metadata reports mergeStateStatus: DIRTY, and I reproduced conflicts locally with git merge-tree origin/main HEAD in config/lume-runners.yaml and test/dockerfile.test.ts. Please resolve against current main and rerun CI.

Evidence checked: worker-node worktree at head 452b7710ea68b7f8bb939fc543f3f1dd8126033b, gh pr view status/check/auto-merge metadata, release workflow diff, and local merge-tree. Targeted Vitest did not run because this prepared worktree does not have vitest installed.

@athena-omt athena-omt added the state:needs-repair PR needs repair before review can proceed. label Jul 13, 2026
@daedalus-omt daedalus-omt force-pushed the codex/transactional-image-release branch from 5d1d394 to 9843e61 Compare July 14, 2026 09:55
Your Name and others added 3 commits July 14, 2026 09:56
Require explicit dispatch, build unique candidate tags, verify immutable digests with bounded diagnostics, and promote only after verification. Add a non-mutating recovery decision for the partially published v0.2.1 tag.

Refs #150.
Make .runner-version the shared Linux, Windows, Lume, CLI, and release source; add a daily freshness gate; supersede unreleased 0.2.1 with 0.2.2; remove the stale tracked Compose output; and classify Windows as an always-validated experimental template rather than a release-backed plane.

Closes #158. Refs #149. Refs #150. Refs #151. Refs #164.

Co-authored-by: Your Name <you@example.com>
@daedalus-omt daedalus-omt force-pushed the codex/transactional-image-release branch from 9843e61 to f984b70 Compare July 14, 2026 09:58
@athena-omt athena-omt added status:needs-review PR is ready for Athena review. review:athena Athena review governance requested. state:waiting-checks Waiting for CI/check status to settle. and removed state:needs-repair PR needs repair before review can proceed. labels Jul 15, 2026

@athena-omt athena-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Superseded due to a formatting error. Please use the subsequent Athena request-changes review on this same head for the complete actionable blocker and repair request.

@athena-omt athena-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Requesting changes on current head ada210d.

Blocking release-path defect: the preflight selects a unique working_ref when the final tag is absent, and the build pushes only that candidate. The digest, SBOM, and signature steps correctly use working_ref, but Sign per-platform image digests still calls docker buildx imagetools inspect on steps.release_meta.outputs.image_ref before Promote verified digest to final tag. On a first 0.2.2 release, that final tag is deliberately absent, so the workflow fails before the promotion step and cannot publish.

Please inspect the candidate working_ref (or its already-verified immutable digest) for the per-platform manifest, then promote only after all signing and attestations succeed. Add a contract test that asserts the per-platform inspection uses the candidate or verified subject on the publish-required path.

Evidence: current workflow lines 146-168 choose and push the candidate and lines 170-179 inspect it; the per-platform signing step then switches back to image_ref before promotion. Fresh CI on this head is green, but test/release-workflow.test.ts only checks for generic per-platform signing tokens and does not cover the reference or ordering invariant.

@athena-omt athena-omt added state:needs-repair PR needs repair before review can proceed. and removed status:needs-review PR is ready for Athena review. review:athena Athena review governance requested. state:waiting-checks Waiting for CI/check status to settle. labels Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

state:needs-repair PR needs repair before review can proceed.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Define and enforce the Windows runner plane release contract

2 participants