Skip to content

Harden release image workflow#40

Merged
kossoy merged 2 commits into
mainfrom
feat/folio-17-34-harden-release-image-workflow-smoke-degr
Jun 26, 2026
Merged

Harden release image workflow#40
kossoy merged 2 commits into
mainfrom
feat/folio-17-34-harden-release-image-workflow-smoke-degr

Conversation

@kossoy

@kossoy kossoy commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Refs #34

Summary

  • Require release-image REGISTRY_URL metadata validation to fail early for malformed hosts such as http:registry.example, registry.example:, whitespace, and non-numeric ports.
  • Keep the builder fallback cleanup scoped to containers created by the current invocation by using a unique smoke container name and a container_started guard.
  • Preserve the existing health-body smoke gate, dirty-tree refusal, registry logout, and immutable tag overwrite protection.

Verification

  • git fetch origin && git rebase origin/main
Current branch feat/folio-17-34-harden-release-image-workflow-smoke-degr is up to date.
  • Shell validation harness for registry host guard
accept:registry.example
accept:registry.example:5000
reject:http:registry.example
reject:registry.example:
reject:registry.example:abc
reject:registry.example/path
reject:registry.example?x
reject:bad host
  • ./scripts/product-verifier.sh
> dashboard@0.0.0 build
> tsc -b && vite build

✓ built in 3.24s
ok-folio stack template check passed
?   	ok-folio/cmd/extractor	[no test files]
?   	ok-folio/cmd/ok-folio-etl	[no test files]
?   	ok-folio/dashboard/node_modules/flatted/golang/pkg/flatted	[no test files]
ok  	ok-folio/internal/api	(cached)
ok  	ok-folio/internal/cache	(cached)
ok  	ok-folio/internal/config	(cached)
?   	ok-folio/internal/dashboard	[no test files]
ok  	ok-folio/internal/database	(cached)
?   	ok-folio/internal/exif	[no test files]
ok  	ok-folio/internal/gallery	(cached)
ok  	ok-folio/internal/legacyetl	(cached)
?   	ok-folio/internal/photoprism	[no test files]
?   	ok-folio/internal/provider	[no test files]
ok  	ok-folio/internal/provider/telegram	(cached)
ok  	ok-folio/internal/provider/webgallery	(cached)
?   	ok-folio/internal/scheduler	[no test files]
ok  	ok-folio/internal/scraper	(cached)
ok  	ok-folio/internal/testguard	(cached)
ok  	ok-folio/pkg/retry	(cached)

No deploy or live registry push was performed.

Maestro-Backend: codex (0-end)

Greptile Summary

This PR hardens the manual release image path. The main changes are:

  • Stricter registry host validation in the workflow and runbook.
  • Health smoke checks that require a healthy app and connected database.
  • Cleanup for smoke logs, containers, temp files, and registry login state.
  • Updated fallback runbook steps for safer builder use.

Confidence Score: 5/5

The workflow and runbook changes are narrowly scoped to release-image validation, smoke checks, and cleanup behavior, with no accepted code issues.

The described verification covered the product verifier and mapped requirement suite, and no review comments remain for follow-up.

T-Rex T-Rex Logs

What T-Rex did

  • Registry validation checks were run and showed that head normalizes repeated trailing slashes and rejects path/query/fragment values, while base strips only one trailing slash and does not reject extra URL components.
  • Health smoke checks were executed and showed that head exits 0 only when health is healthy and database is connected, while base treats any curl body as a successful health result.
  • Logout behavior was observed: head includes an always() logout step and calls docker logout with the normalized registry, while base has no explicit logout step and does not perform docker logout.
  • Dirty-tree handling observed: head refused to build due to a dirty working tree, and base proceeded to docker build/login.
  • Registry validation negative observed: base constructed and used registry.example.com/path?x=1#frag//ok-folio; head rejected it with the documented registry host/path-component error.
  • Health smoke second run observed: base accepted curl success for a disconnected database body and continued to login/manifest inspect, while head repeatedly evaluated jq and failed with the smoke health/database error.
  • Cleanup observed: head failed after login and invoked docker rm -f for the unique smoke container, docker logout registry.example.com, and removed both temp files; base only removed the fixed smoke container and did not logout after login.

View all artifacts

T-Rex Ran code and verified through T-Rex

Reviews (2): Last reviewed commit: "Harden release image workflow validation" | Re-trigger Greptile

Comment thread docs/registry-image-runbook.md Outdated
Comment thread .github/workflows/release-image.yml
@kossoy kossoy merged commit e08a9bf into main Jun 26, 2026
4 checks passed
@kossoy kossoy deleted the feat/folio-17-34-harden-release-image-workflow-smoke-degr branch June 26, 2026 03:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant