Make runner image releases transactional and versioned#170
Conversation
athena-omt
left a comment
There was a problem hiding this comment.
Requesting changes.
Blocking issue: in .github/workflows/release-image.yml, the new publish path builds and pushes only the unique candidate reference while steps.release_state.outputs.publish_required == 'true', but the Sign per-platform image digests step still runs docker buildx imagetools inspect "${{ steps.release_meta.outputs.image_ref }}" --raw before the later Promote verified digest to final tag step creates that final tag. For a first 0.2.2 release, preflight expects the final tag to be absent, so this step can fail before promotion. Please inspect/sign the candidate working_ref manifest, or otherwise use the verified candidate digest, before promoting.
Merge readiness blocker: live PR metadata reports mergeStateStatus: DIRTY, and I reproduced conflicts locally with git merge-tree origin/main HEAD in config/lume-runners.yaml and test/dockerfile.test.ts. Please resolve against current main and rerun CI.
Evidence checked: worker-node worktree at head 452b7710ea68b7f8bb939fc543f3f1dd8126033b, gh pr view status/check/auto-merge metadata, release workflow diff, and local merge-tree. Targeted Vitest did not run because this prepared worktree does not have vitest installed.
5d1d394 to
9843e61
Compare
Require explicit dispatch, build unique candidate tags, verify immutable digests with bounded diagnostics, and promote only after verification. Add a non-mutating recovery decision for the partially published v0.2.1 tag. Refs #150.
Make .runner-version the shared Linux, Windows, Lume, CLI, and release source; add a daily freshness gate; supersede unreleased 0.2.1 with 0.2.2; remove the stale tracked Compose output; and classify Windows as an always-validated experimental template rather than a release-backed plane. Closes #158. Refs #149. Refs #150. Refs #151. Refs #164. Co-authored-by: Your Name <you@example.com>
9843e61 to
f984b70
Compare
athena-omt
left a comment
There was a problem hiding this comment.
Requesting changes on current head ada210d.
Blocking release-path defect: the preflight selects a unique working_ref when the final tag is absent, and the build pushes only that candidate. The digest, SBOM, and signature steps correctly use working_ref, but Sign per-platform image digests still calls docker buildx imagetools inspect on steps.release_meta.outputs.image_ref before Promote verified digest to final tag. On a first 0.2.2 release, that final tag is deliberately absent, so the workflow fails before the promotion step and cannot publish.
Please inspect the candidate working_ref (or its already-verified immutable digest) for the per-platform manifest, then promote only after all signing and attestations succeed. Add a contract test that asserts the per-platform inspection uses the candidate or verified subject on the publish-required path.
Evidence: current workflow lines 146-168 choose and push the candidate and lines 170-179 inspect it; the per-platform signing step then switches back to image_ref before promotion. Fresh CI on this head is green, but test/release-workflow.test.ts only checks for generic per-platform signing tokens and does not cover the reference or ordering invariant.
Summary
.runner-versionas the canonical Actions runner pin and enforce a 21-day freshness gate0.2.20.2.1artifact and document non-mutating recovery/supersessionGoverning Issues
Closes #158
Refs #149
Refs #150
Refs #151
Refs #164
The referenced issues remain open until the release is dispatched from
main, the live image and pool rollout are recorded, and the previously failing consumer workflows are rerun successfully.Validation
CI=true bash scripts/ci/run-fast-checks.sh(48 files, 277 tests; lint and build passed)pnpm exec vitest run test/workflow.test.ts test/ci-scripts.test.ts(18 tests passed)actionlinton the changed workflows (only established custom-runner-label warnings)bash -non changed shell scriptspnpm check-runner-version -- --fail-after-days 21(2.335.1, current; freshness gate not blocked)git diff --checkBootstrap Governance
Rollout
After merge, dispatch
Release Imagefor0.2.2frommain, verify the published digest/signature/SBOM/provenance and embedded runner version, then roll the applicable pools. The existing0.2.1tag must not be mutated; it is retained only for diagnosis and is superseded by0.2.2.