fix(release): push via forge.int.wynning.tech, sign + reference as forge.wynning.tech (#75) #76
Closes #75.
Why

The first tag push after the keypair was registered failed: Cloudflare's per-request body-size limit blocks container layer uploads to forge.wynning.tech. The release workflow needed to push via the internal hostname that bypasses CF.

Approach — split URL

Rather than swap every URL reference to forge.int.wynning.tech, the fix splits the URL into two roles. The internal hostname is the transport for big uploads; the public hostname is the canonical identity that flows into image labels, the cosign sign target, the signed `docker-reference`, the SLSA predicate's builder URL, and the verification command in the release notes.

| Variable | Value | Used for |
| --- | --- | --- |
| `PUSH_REGISTRY` | forge.int.wynning.tech | `docker push` of image layers (CF would block on public) |
| `PUBLIC_REGISTRY` | forge.wynning.tech | `docker-reference`, SLSA predicate, verify command in release notes, `cosign.pub` URL |

Same registry backend, two URLs. The image is tagged with both hostnames locally, pushed only via the internal URL, then signed against the public reference. cosign signature artifacts are tiny (KBs) and upload fine through Cloudflare, so signing the public reference works and produces a signature that any downstream verifier can check against the canonical name.
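The split-URL pattern described above, written out as a Forgejo Actions job. This is an added example, not the project's own `release.yml`: the runner label, the secret names (`REGISTRY_USER`, `REGISTRY_TOKEN`, `COSIGN_PRIVATE_KEY`, `COSIGN_PASSWORD`) and the SLSA predicate contents are assumptions. It also shows why two `docker/login-action` steps are needed for one backend, pins the sign target to the digest rather than a mutable tag, passes workflow expressions through `env` instead of interpolating them into shell, and closes by running the same `cosign verify` command the release notes publish, so the job fails if the signature is not resolvable under the canonical name.

```yaml
# Added example, not the project's release.yml: the split-URL pattern the PR
# describes, in Forgejo Actions syntax. Secret names, the runner label and the
# predicate contents are assumptions.
name: release
on:
  push:
    tags: ["v*"]

env:
  PUSH_REGISTRY: forge.int.wynning.tech   # transport only: not fronted by Cloudflare, so big layers get through
  PUBLIC_REGISTRY: forge.wynning.tech     # canonical identity: what gets signed, attested and verified
  IMAGE_PATH: james/carol

jobs:
  release:
    runs-on: docker                       # assumed runner label
    steps:
      - uses: actions/checkout@v4

      # Docker keys credentials by hostname, so the same backend needs a login
      # per URL: the internal one for the layer push, the public one so cosign
      # can upload the signature and attestation under the canonical name.
      - uses: docker/login-action@v3
        with:
          registry: ${{ env.PUSH_REGISTRY }}
          username: ${{ secrets.REGISTRY_USER }}      # assumed secret names
          password: ${{ secrets.REGISTRY_TOKEN }}
      - uses: docker/login-action@v3
        with:
          registry: ${{ env.PUBLIC_REGISTRY }}
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_TOKEN }}

      # Build once, tag with both hostnames, push only the internal tag.
      # Expressions are passed through env rather than interpolated into the
      # script, so a crafted ref name cannot become shell syntax.
      - id: push
        env:
          TAG: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          push_ref="$PUSH_REGISTRY/$IMAGE_PATH:$TAG"
          public_ref="$PUBLIC_REGISTRY/$IMAGE_PATH:$TAG"
          docker build -t "$push_ref" -t "$public_ref" .
          docker push "$push_ref"
          # The manifest digest is content-addressed, so it is the same under
          # either hostname; read it back from the reference that was pushed.
          digest=$(docker inspect --format '{{index .RepoDigests 0}}' "$push_ref" | cut -d@ -f2)
          echo "digest=$digest" >> "$GITHUB_OUTPUT"
          echo "image_ref=$PUBLIC_REGISTRY/$IMAGE_PATH@$digest" >> "$GITHUB_OUTPUT"

      - uses: sigstore/cosign-installer@v3

      # Sign and attest the public, digest-pinned reference. Only small
      # signature and attestation blobs cross Cloudflare in this step.
      - env:
          IMAGE_REF: ${{ steps.push.outputs.image_ref }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: |
          set -euo pipefail
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY "$IMAGE_REF"
          # Placeholder SLSA v0.2 predicate; the builder id carries the public URL.
          cat > predicate.json <<EOF
          {"builder": {"id": "https://$PUBLIC_REGISTRY/$IMAGE_PATH/.forgejo/workflows/release.yml"},
           "buildType": "https://$PUBLIC_REGISTRY/forgejo-actions@v1"}
          EOF
          cosign attest --yes --key env://COSIGN_PRIVATE_KEY \
            --type slsaprovenance --predicate predicate.json "$IMAGE_REF"
          # Close the loop: verify by the canonical name with the published key,
          # exactly the command the release notes will carry.
          cosign verify --key "https://$PUBLIC_REGISTRY/$IMAGE_PATH/raw/branch/main/cosign.pub" "$IMAGE_REF"
```

The final `cosign verify` is the check a downstream consumer runs; executing it in the pipeline means a regression (signature pushed under the internal hostname, or a tag-pinned rather than digest-pinned target) fails the release instead of surfacing later at a verifier.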
Files

- `.forgejo/workflows/release.yml`: `REGISTRY` → `PUSH_REGISTRY` + `PUBLIC_REGISTRY`; two docker/login-action steps (one per URL); build tags with both, pushes via internal; `image_ref` output uses public; cosign sign/attest target public; release notes / `cosign.pub` URL use public
- `docs/ci.md`
- `CLAUDE.md`

Acceptance criteria
- Pushing a tag (e.g. `v0.0.1-rc.1`) produces a pushed image, a valid cosign signature, a SLSA attestation, and a Forgejo release page. (CI to confirm on next tag push.)
- `cosign verify --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub forge.wynning.tech/james/carol@<digest>` succeeds against the published image.
- `docker push` completes (the layer upload is no longer blocked by Cloudflare).

Test plan

- `python3 -c 'import yaml; yaml.safe_load(open(".forgejo/workflows/release.yml"))'` — passes.
- `semgrep scan --config .semgrep --config p/javascript --config p/typescript --config p/nodejsscan --config p/owasp-top-ten --severity ERROR .forgejo/workflows/release.yml` — 0 findings (shell-injection fix from #16 still holds).
- Push `v0.0.1-rc.1` after merge; watch the workflow; confirm the push step completes; verify the signature against the public URL.