Tag-driven service container release #16
Scope
When a tag matching `v*.*.*` is pushed, build the service image and publish it to the Forgejo container registry on `forge.wynning.tech`. Image tags: `vX.Y.Z` and `latest`; `latest` only for stable releases (no `-rc`, `-beta`, etc.).

Supply-chain hardening for the release artifact

The released image is the artifact a self-hoster pulls and trusts. The three items below are the release-pipeline half of the supply-chain story; the PR-time half lives in #44, #45, #46.

- `node:22-slim` becomes `node:22-slim@sha256:…` in the Dockerfile so the image we publish is bit-for-bit derived from the base we tested. Renovate (#44) keeps the digest fresh; humans review the bump.
- A `cosign verify` / `cosign verify-attestation` command in the release notes so self-hosters can verify before pulling.
- `npm ci` against the exact `package-lock.json` in the commit being released; no floating-range resolution at release time. The lockfile itself is maintained under the lockfile-only Renovate policy from #44, so what built green in CI is what builds the released image.

Acceptance criteria

- `git tag v0.1.0 && git push --tags` produces a published image and a Forgejo release page with notes.
- `Dockerfile` pins the base image by digest, not by tag.
- The build runs `npm ci` (lockfile-strict) and fails if `package-lock.json` is out of sync with `package.json`.

Part of epic #2. Depends on #9, #13. Coordinates with #44 (Renovate keeps the base-image digest fresh and enforces the lockfile-only update policy this release flow relies on).
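The two release-time rules above (only stable tags move `latest`; every base image pinned by digest) as an added shell example, not code from this issue or the project. The function names, the fixture Dockerfiles and the all-zero digest are constructed for the example.

```shell
#!/bin/sh
# Added example (not the project's code): the two release-time checks this
# issue describes, as shell functions a Forgejo Actions job could call.

# Map a pushed git ref or tag to the image tags to publish:
#   vX.Y.Z            -> "vX.Y.Z latest"  (stable release also moves latest)
#   vX.Y.Z-rc1/-beta  -> "vX.Y.Z-rc1"     (pre-release never touches latest)
# Anything that is not a v*.*.* tag is rejected with a non-zero exit.
image_tags_for_ref() {
  ref="${1#refs/tags/}"
  if ! printf '%s\n' "$ref" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'; then
    echo "not a release tag: $ref" >&2
    return 1
  fi
  case "$ref" in
    *-*) printf '%s\n' "$ref" ;;
    *)   printf '%s latest\n' "$ref" ;;
  esac
}

# Fail unless every FROM in a Dockerfile pins its base image by digest
# (image@sha256:<64 hex>). "scratch" and build stages declared earlier in the
# same file ("FROM x AS builder" ... "FROM builder") carry no digest and are skipped.
dockerfile_pins_by_digest() {
  awk '
    toupper($1) == "FROM" {
      ref = ""
      for (i = 2; i <= NF; i++) if ($i !~ /^--/) { ref = $i; break }  # skip flags like --platform=
      for (i = 2; i < NF; i++) if (toupper($i) == "AS") stage[$(i + 1)] = 1
      if (ref == "scratch" || (ref in stage)) next
      # match() avoids {64} interval regexes, which some awks lack
      if (!match(ref, /@sha256:[0-9a-f]+$/) || RLENGTH != 72) { print "unpinned: " $0; bad++ }
    }
    END { exit (bad > 0 ? 1 : 0) }
  ' "$1"
}

# Constructed fixtures (the all-zero digest is a placeholder) so this runs offline.
FIXTURES=$(mktemp -d)
trap 'rm -rf "$FIXTURES"' EXIT
cat > "$FIXTURES/pinned.Dockerfile" <<'EOF'
FROM node:22-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS builder
RUN npm ci
FROM node:22-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=builder /app /app
EOF
printf 'FROM node:22-slim\n' > "$FIXTURES/unpinned.Dockerfile"
```

Wire the first function into the tag-push job to compute the tags to push, and run the second as a gate before the build step so an unpinned `FROM` fails the release rather than shipping.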
Related issues:

- `npm ci --ignore-scripts` in CI with an explicit allowlist (#46)
- `npm ci` (#69)
- `actionlint` pre-commit hook for `.forgejo/workflows/` (#88)