ci: verify pushed OCI digest and drop dead BUILD_MODE arg #52

Merged
nrupard merged 1 commit from fix/oci-publish-verify-digest-LINKS-18 into main 2026-06-08 18:27:37 +02:00
Owner

Summary

Hardens the OCI publish workflow with a post-push digest verification step, and removes a dead build-arg left over from the standalone/saas unify.

This came out of the LINKS-18 investigation. The original premise (a successful build that did not publish) turned out to be wrong: run #136 publishes correctly to `dev.a8n.run/a8n-tools-private/rusty-links`. The apparent staleness was caused by inspecting the deprecated `a8n-tools/rusty-links` path, which nothing publishes to since the registry owner moved to the `a8n-tools-private` org (where `lets-chat` also lives). Confirmed from the run #136 log via `fj actions logs 136` (`pushing manifest for dev.a8n.run/a8n-tools-private/rusty-links:v0.4.0 ... done`).

Changes

  • `build-oci-image.yml`: capture the pushed digest with `docker buildx build --iidfile`, then add a "Verify pushed image" step that asserts every pushed tag resolves in the registry to that exact digest, failing the job on a mismatch or a missing tag. This makes the canonical publish target self-checking and guards against the silent-no-op publish class that LINKS-18 was opened to catch.
  • `examples/compose.yml`: drop the `BUILD_MODE: standalone` build-arg. It is a leftover from before the unify (LINKS-13); the Dockerfile no longer accepts `BUILD_MODE`, and no `BUILD_MODE` reference remains anywhere in the repo.

Notes

  • No env-var changes, so `.env.standalone.example` / `.env.saas.example` are unaffected.
  • The verify step uses `docker buildx imagetools inspect --format "{{.Manifest.Digest}}"` against the just-pushed tags; it runs after login so it has registry read access.
  • Separate follow-ups (out of scope here): the `dx and dioxus versions are incompatible` + `wasm-opt SIGABRT` errors seen in the run #136 build log, and repointing any external consumer or docs that still reference the dead `a8n-tools/rusty-links` image path.

#LINKS-18

ci: verify pushed OCI digest and drop dead BUILD_MODE arg
All checks were successful
Check / clippy + fmt + tests (pull_request) Successful in 38s
Create release / Create release from merged PR (pull_request) Has been skipped
f492f452ed
Add a post-push "Verify pushed image" step to build-oci-image.yml that reads the buildx --iidfile digest and asserts each pushed tag resolves to that same digest in the registry, failing the job on a mismatch or a missing tag. This guards against a green build that does not actually update the registry (the silent-no-op class behind LINKS-18) and makes the canonical publish target self-checking.

Remove the dead BUILD_MODE: standalone build-arg from examples/compose.yml; it is a leftover from before the standalone/saas unify (LINKS-13), and the Dockerfile no longer accepts BUILD_MODE.

Root cause note for LINKS-18: run #136 already publishes correctly to dev.a8n.run/a8n-tools-private/rusty-links; the apparent staleness was inspection of the deprecated a8n-tools path, not a failed push.

#LINKS-18

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
nrupard deleted branch fix/oci-publish-verify-digest-LINKS-18 2026-06-08 18:27:37 +02:00
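
The post-push check described in the PR description and commit message above, sketched as a standalone shell function. This is an added example, not the contents of `build-oci-image.yml`; the function names `resolve_digest` and `verify_pushed_tags` are hypothetical, and it assumes the `--iidfile` output holds the same `sha256:` manifest digest the registry reports for the pushed tags.

```shell
#!/bin/sh
# Added example: assert that every pushed tag resolves to the digest buildx recorded.
# Function names are hypothetical; only the docker command comes from the PR notes.

# Resolve an image reference to its registry manifest digest.
# Kept as its own function so it can be replaced by a stub when run offline.
resolve_digest() {
    docker buildx imagetools inspect --format '{{.Manifest.Digest}}' "$1"
}

# verify_pushed_tags IIDFILE REF...
# Returns 0 if every REF resolves to the digest in IIDFILE,
#         1 on a missing tag or a digest mismatch,
#         2 on unusable input (bad iidfile, no refs).
verify_pushed_tags() {
    iidfile=$1; shift
    [ -s "$iidfile" ] || { echo "error: iidfile missing or empty: $iidfile" >&2; return 2; }
    expected=$(tr -d '[:space:]' < "$iidfile")
    # Require a full sha256 digest so a truncated or garbage file can never "match".
    case $expected in
        sha256:*) hex=${expected#sha256:} ;;
        *) echo "error: not a sha256 digest: $expected" >&2; return 2 ;;
    esac
    if [ "${#hex}" -ne 64 ] || printf '%s' "$hex" | grep -q '[^0-9a-f]'; then
        echo "error: malformed digest: $expected" >&2; return 2
    fi
    # An empty tag list would otherwise pass trivially: the silent no-op case.
    [ "$#" -gt 0 ] || { echo "error: no tags to verify" >&2; return 2; }

    failed=0
    for ref in "$@"; do
        if ! actual=$(resolve_digest "$ref" 2>/dev/null) || [ -z "$actual" ]; then
            echo "FAIL $ref: tag does not resolve in the registry" >&2; failed=1
        elif [ "$actual" != "$expected" ]; then
            echo "FAIL $ref: registry has $actual, build recorded $expected" >&2; failed=1
        else
            echo "ok   $ref -> $actual"
        fi
    done
    return "$failed"
}
```

In a workflow step this would be called with the iidfile path and the full list of pushed references, after the registry login step.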
Reference
a8n-tools/rusty-links!52