Push release image via internal registry URL (forge.int.wynning.tech) #75
james/carol#75
The release workflow added in #16 pushes to `forge.wynning.tech/james/carol`, which sits behind Cloudflare. Container image layer uploads exceed Cloudflare's per-request body-size limit and the push fails before anything is signed or attested — the very first tag push after the keypair was registered hit this.

The fix is the internal hostname: `forge.int.wynning.tech` bypasses Cloudflare and reaches the Forgejo registry directly. Same underlying registry backend, so artifacts pushed via the internal URL are still readable via the public one — but uploads must go through the internal URL.

Scope

- Change `REGISTRY` in `.forgejo/workflows/release.yml` from `forge.wynning.tech` to `forge.int.wynning.tech`. This flows through the image tag, the cosign sign target, the SLSA predicate's builder URL, and the verification URL embedded in the release notes.
- Update `docs/ci.md` "Release pipeline" (push target, verify command, cosign.pub URL) to use the internal hostname.
- Update `CLAUDE.md` (`forge.wynning.tech/james/carol` → `forge.int.wynning.tech/james/carol`).
- The `docker-reference` field will be whatever name we sign. Signing the internal reference means a downstream verifier must use the internal URL too. That's acceptable today (one self-hoster, internal reachability assumed). If/when there are other self-hosters who can only reach the public URL, see "Out of scope" below.

Acceptance criteria

- A tag push (e.g. `v0.0.1-rc.0`) produces a pushed image, a valid cosign signature, a SLSA attestation, and a Forgejo release page — full pipeline green end-to-end.
- `cosign verify --key <cosign.pub URL> forge.int.wynning.tech/james/carol@<digest>` succeeds against the published image using the verification command pasted from the release notes.

Out of scope

A future "split-URL" refinement would let downstream verifiers (other self-hosters) pull and verify via `forge.wynning.tech` while we still push via `forge.int.wynning.tech`. That needs the cosign sign step to upload its (small) signature artifacts via the public URL while the docker push goes via the internal URL — possible because cosign sig artifacts are tiny and pass Cloudflare cleanly, but it requires logging into both registries and being deliberate about which reference is in the signature payload. Not needed today; file a follow-up if/when the audience expands.

Part of epic #2. Follow-up from #16.
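The `docker-reference` point in Scope and the split-URL refinement under Out of scope both come down to one check: does the reference inside the signed payload match the reference a verifier is about to use? The script below is an added example, not code from the carol repository or from the release workflow in #16. It parses a constructed cosign simple-signing payload (the `critical.identity.docker-reference` / `critical.image.docker-manifest-digest` JSON that cosign signs for an image) and reports a host, repository or digest mismatch. The sample payload, the digest value and the helper names are constructed for illustration. Run against the public hostname it shows exactly the mismatch a downstream verifier would hit today.

```python
"""Added example (not code from the carol repository or its release workflow):
check that the docker-reference inside a cosign simple-signing payload matches
the image reference a verifier is about to use."""
import json

# Constructed sample: the JSON cosign signs for a container image. The digest
# and reference are illustrative, not taken from a real release.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_PAYLOAD = json.dumps({
    "critical": {
        "identity": {"docker-reference": "forge.int.wynning.tech/james/carol"},
        "image": {"docker-manifest-digest": SAMPLE_DIGEST},
        "type": "cosign container image signature",
    },
    "optional": None,
})


def parse_reference(ref):
    """Split 'host/path[:tag][@digest]' into (host, path, digest or None).

    A port belongs to the host (host:5000/path), so only a colon in the path
    part is treated as a tag separator.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    host, _, path = ref.partition("/")
    if ":" in path:
        path = path.split(":", 1)[0]
    return host, path, digest


def check_payload(payload_json, expected_ref):
    """Return a dict describing whether the signed reference matches expected_ref.

    A mismatched host is exactly the split-URL case: an image signed under the
    internal name but verified via the public name.
    """
    critical = json.loads(payload_json)["critical"]
    signed_ref = critical["identity"]["docker-reference"]
    signed_digest = critical["image"]["docker-manifest-digest"]
    sig_host, sig_path, _ = parse_reference(signed_ref)
    exp_host, exp_path, exp_digest = parse_reference(expected_ref)

    problems = []
    if sig_host != exp_host:
        problems.append(f"signed for host {sig_host}, verifying via {exp_host}")
    if sig_path != exp_path:
        problems.append(f"signed for repository {sig_path}, expected {exp_path}")
    if exp_digest is not None and exp_digest != signed_digest:
        problems.append(f"payload digest {signed_digest} != requested {exp_digest}")
    return {"ok": not problems, "signed_reference": signed_ref,
            "signed_digest": signed_digest, "problems": problems}


if __name__ == "__main__":
    # Internal URL matches the payload; the public URL does not.
    for ref in ("forge.int.wynning.tech/james/carol@" + SAMPLE_DIGEST,
                "forge.wynning.tech/james/carol@" + SAMPLE_DIGEST):
        print(ref, "->", check_payload(SAMPLE_PAYLOAD, ref))
```

The host comparison is deliberately strict: a split-URL setup that signs the public name while pushing via the internal one would pass this check for public-URL verifiers and fail it for anyone verifying via the internal name, which is the trade-off the follow-up would have to decide on.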