Push release image via internal registry URL (forge.int.wynning.tech) #75

Closed
opened 2026-06-17 14:11:00 +00:00 by james · 0 comments
Owner

The release workflow added in #16 pushes to forge.wynning.tech/james/carol, which sits behind Cloudflare. Container image layer uploads exceed Cloudflare's per-request body-size limit and the push fails before anything is signed or attested — the very first tag push after the keypair was registered hit this.

The fix is the internal hostname: forge.int.wynning.tech bypasses Cloudflare and reaches the Forgejo registry directly. Same underlying registry backend, so artifacts pushed via the internal URL are still readable via the public one — but uploads must go through the internal URL.

Scope

  • Change REGISTRY in .forgejo/workflows/release.yml from forge.wynning.tech to forge.int.wynning.tech. This flows through the image tag, the cosign sign target, the SLSA predicate's builder URL, and the verification URL embedded in the release notes.
  • Update the worked examples in docs/ci.md "Release pipeline" (push target, verify command, cosign.pub URL) to use the internal hostname.
  • Update the matching bullet in CLAUDE.md (forge.wynning.tech/james/carol → forge.int.wynning.tech/james/carol).
  • Cosign's signature payload binds the docker-reference field to whatever name we sign. Signing the internal reference means a downstream verifier must use the internal URL too. That's acceptable today (one self-hoster, internal reachability assumed). If/when there are other self-hosters who can only reach the public URL, see "Out of scope" below.

Acceptance criteria

  • A fresh tag push (e.g. v0.0.1-rc.0) produces a pushed image, a valid cosign signature, a SLSA attestation, and a Forgejo release page — full pipeline green end-to-end.
  • cosign verify --key <cosign.pub URL> forge.int.wynning.tech/james/carol@<digest> succeeds against the published image using the verification command pasted from the release notes.
  • Docs and CLAUDE.md no longer steer readers at the Cloudflare-fronted URL for any push or push-derived operation.

Out of scope

A future "split-URL" refinement would let downstream verifiers (other self-hosters) pull and verify via forge.wynning.tech while we still push via forge.int.wynning.tech. That needs the cosign sign step to upload its (small) signature artifacts via the public URL while the docker push goes via the internal URL — possible because cosign sig artifacts are tiny and pass Cloudflare cleanly, but it requires logging into both registries and being deliberate about which reference is in the signature payload. Not needed today; file a follow-up if/when the audience expands.

Part of epic #2. Follow-up from #16.
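The docker-reference binding that the "Scope" and "Out of scope" bullets turn on, as an added illustration that is not part of the issue or the project's code: it builds the simple-signing payload cosign signs over (field layout as in cosign's payload format) and runs a verifier-side claim check that mirrors the concern in the issue. The claim checker, the sample digest and the demo function are assumptions constructed for this example, not cosign's own verification logic.

```python
import hashlib
import json

# Constructed sample digest; not a real manifest digest from the project.
DIGEST = "sha256:" + hashlib.sha256(b"constructed-manifest").hexdigest()

INTERNAL = "forge.int.wynning.tech/james/carol"  # push/sign target today
PUBLIC = "forge.wynning.tech/james/carol"        # Cloudflare-fronted name


def simple_signing_payload(reference: str, digest: str) -> bytes:
    """Build the payload that a cosign image signature covers.

    The docker-reference is whatever name was given to `cosign sign`,
    so signing the internal name pins the internal host into the claim.
    """
    payload = {
        "critical": {
            "identity": {"docker-reference": reference},
            "image": {"docker-manifest-digest": digest},
            "type": "cosign container image signature",
        },
        "optional": None,
    }
    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()


def check_claims(payload: bytes, verify_ref: str, verify_digest: str) -> list[str]:
    """Return the claim mismatches a strict verifier would flag (empty == OK).

    Hypothetical checker: it compares both the digest and the reference in
    the signed payload against what the verifier actually asked for.
    """
    critical = json.loads(payload)["critical"]
    problems = []
    if critical["image"]["docker-manifest-digest"] != verify_digest:
        problems.append("digest mismatch")
    signed_ref = critical["identity"]["docker-reference"]
    if signed_ref != verify_ref:
        problems.append(f"signed {signed_ref!r}, verifier used {verify_ref!r}")
    return problems


def demo() -> dict[str, list[str]]:
    """Today's setup (sign internal) vs the split-URL idea (sign public)."""
    signed_internal = simple_signing_payload(INTERNAL, DIGEST)
    signed_public = simple_signing_payload(PUBLIC, DIGEST)
    return {
        "internal_sig_verified_internally": check_claims(signed_internal, INTERNAL, DIGEST),
        "internal_sig_verified_publicly": check_claims(signed_internal, PUBLIC, DIGEST),
        "public_sig_verified_publicly": check_claims(signed_public, PUBLIC, DIGEST),
    }
```

The second result is the case the issue calls out: a self-hoster who can only reach the public URL verifies a signature whose reference names the internal host.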

james closed this issue 2026-06-17 14:40:23 +00:00