Harden shared release artifact publishing #91
Merged
Conversation
jugonzalez12
approved these changes
Jun 4, 2026
ennyjfrick
reviewed
Jun 5, 2026
| @@ -0,0 +1,185 @@ | |||
| #!/usr/bin/env bash | |||
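Review bot: the line directly after the shebang should be `set -euo pipefail`, since only the shebang of the new 185-line script is visible here and a release script that publishes artifacts must abort on a failed upload, an unset variable such as a storage name, or a failed stage in a pipeline rather than continue to the next publish step; if the script is rewritten in Go as the author proposes below, the equivalent is returning and checking every error from each upload and validation call.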
Would this make more sense as a Python script? Not that I want to introduce another dependency, but...
Contributor
Author
Fair question. I'm actually going to change it to Go; that keeps things consistent while also getting us away from a big bash script.
ennyjfrick
approved these changes
Jun 5, 2026
Why
Managed release repos need the shared Go release workflow to publish immutable S3 artifacts and Public ECR version tags before registry recording. Review found that the Public ECR publish path also needed a same-tag race guard, and custom storage targets needed signature validation to follow the same path as manifest.json.
What this changes
Adds no-overwrite S3 uploads with same-digest idempotency, threads release_storage_name through upload and validation, serializes same repo/tag workflow runs, and publishes Public ECR version tags with digest preflight plus post-write digest assertion. Manifest signature validation now uses the resolved storage target and fails when signature evidence is missing.
Validation
make test
Merge order
Can merge before the first managed repo release. Registry recording still depends on the registry API PR for kind-aware catalog records.
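The no-overwrite upload with same-digest idempotency and the post-write digest assertion described under "What this changes", as an added example in Go that is not the PR's own code; it abstracts the object store behind a small interface with an in-memory fake so it runs offline (ObjectStore, memStore, PublishImmutable and the sample keys are assumptions, not identifiers from the PR).

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

var ErrExists = errors.New("object already exists") // models S3 rejecting If-None-Match: "*"

// ObjectStore is the minimal surface the publish step needs (assumed, not the project's type).
type ObjectStore interface {
	PutIfAbsent(key string, body []byte) error // must return ErrExists on collision
	Get(key string) ([]byte, bool)
}

// memStore is an in-memory stand-in for S3 so the example runs offline.
type memStore struct{ objects map[string][]byte }

func (m *memStore) PutIfAbsent(key string, body []byte) error {
	if _, ok := m.objects[key]; ok {
		return ErrExists
	}
	m.objects[key] = append([]byte(nil), body...)
	return nil
}

func (m *memStore) Get(key string) ([]byte, bool) { b, ok := m.objects[key]; return b, ok }

func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// PublishImmutable never overwrites: a rerun with byte-identical content succeeds (idempotent),
// a collision with different bytes fails, and a fresh write is read back to assert its digest.
func PublishImmutable(store ObjectStore, key string, body []byte) (string, error) {
	want := digest(body)
	switch err := store.PutIfAbsent(key, body); {
	case errors.Is(err, ErrExists):
		if existing, ok := store.Get(key); ok && digest(existing) == want {
			return want, nil // same bytes already published: idempotent rerun
		}
		return "", fmt.Errorf("%s: refusing to overwrite object with a different digest", key)
	case err != nil:
		return "", err
	}
	if stored, ok := store.Get(key); !ok || digest(stored) != want {
		return "", fmt.Errorf("%s: post-write digest assertion failed", key)
	}
	return want, nil
}
```

The same shape applies to the ECR tag step: resolve the digest before the push, refuse a different existing digest, and re-read the tag after the push.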