fix(ci): capture stderr when parsing helm push output #249
`helm push` (3.16+) writes the human-readable "Pushed:" and "Digest:"
lines to stderr, so the existing `$(helm push ...)` only captured an
empty stdout and the awk that extracts the digest produced no match.
Redirect stderr into stdout for the command substitution so the
digest-parser sees the same output that's already visible in the
runner log. The follow-up `sha256:[a-f0-9]{64}` regex check still
guards against malformed input.
Surfaced when publishing chart/v0.16.0 to oci://ghcr.io/nvidia/nodewright/charts:
the push itself succeeded, but the subsequent attestation steps failed
because no digest was extracted.
Signed-off-by: Alex Yuskauskas <ayuskauskas@nvidia.com>
Walkthrough
The PR updates the Helm chart push step in the release workflow by redirecting stderr to stdout during output capture. This ensures that when Helm 3.16+ emits "Pushed:" and "Digest:" messages to stderr, they are included in the captured
* fix(ci): capture stderr when parsing helm push output (#249)

  `helm push` (3.16+) writes the human-readable "Pushed:" and "Digest:" lines to stderr, so the existing `$(helm push ...)` only captured an empty stdout and the awk that extracts the digest produced no match.

  Redirect stderr into stdout for the command substitution so the digest-parser sees the same output that's already visible in the runner log. The follow-up `sha256:[a-f0-9]{64}` regex check still guards against malformed input.

  Surfaced when publishing chart/v0.16.0 to oci://ghcr.io/nvidia/nodewright/charts: the push itself succeeded, but the subsequent attestation steps failed because no digest was extracted.

  Signed-off-by: Alex Yuskauskas <ayuskauskas@nvidia.com>

* fix(chart): agent container path pointing to skyhook not nodewright

---------

Signed-off-by: Alex Yuskauskas <ayuskauskas@nvidia.com>
…253)

`helm registry login` writes to helm's own config (~/.config/helm/registry/config.json), which cosign doesn't read. After `helm push` succeeds, the subsequent `cosign sign` against the just-published OCI subject fails with `UNAUTHORIZED: unauthenticated` because cosign reads ~/.docker/config.json instead.

Add a docker/login-action step alongside the helm registry login (same pattern operator-ci.yaml uses for signing operator images) so cosign can upload the .sig layer and the cyclonedx SBOM attestation to the same ghcr.io repository.

Surfaced when publishing chart/v0.16.0 once the prior `helm push` stderr parsing fix (PR #249) let the workflow reach the cosign step.

Signed-off-by: Alex Yuskauskas <ayuskauskas@nvidia.com>
Summary
The chart-publish step in `release.yml` failed for `chart/v0.16.0` with:
```
Pushed: ghcr.io/nvidia/nodewright/charts/nodewright:v0.16.0
Digest: sha256:e487043f621145fe7dc6b21eb48cf560d2357beb6ff459d88bfb448657096b12
Error: failed to parse Helm chart digest from helm push output
```
The push itself succeeded — the parser bailed. Root cause: `helm push` (3.16+) writes the `Pushed:` and `Digest:` lines to stderr, while the workflow only captured stdout via `$(helm push ...)`. The GHA runner displays both streams in the job log, which is why the lines were visible above the error.
Fix: redirect stderr into stdout for the command substitution. The subsequent `sha256:[a-f0-9]{64}` regex check is unchanged, so malformed input still fails fast.
Test plan
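The failure and the fix described in the Summary, reproduced offline as an added example; this is not code from the PR or from the project's workflow. `fake_helm_push`, the awk expression and the function names are assumptions, and the digest is constructed sample data.

```shell
#!/bin/sh
# Stand-in for `helm push` 3.16+ (assumption, so this runs offline):
# the "Pushed:" and "Digest:" lines go to stderr, stdout stays empty.
# The reference and digest below are constructed sample values.
fake_helm_push() {
  {
    echo "Pushed: registry.example/charts/demo:v0.0.0"
    echo "Digest: sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
  } >&2
}

# Take the value of the "Digest:" line and accept it only if it is a
# well-formed sha256 digest. Prints the digest, or returns 1.
# The body runs in a subshell so its variable does not leak.
extract_digest() (
  digest="$(printf '%s\n' "$1" | awk '$1 == "Digest:" { print $2; exit }')"
  printf '%s\n' "$digest" | grep -Eq '^sha256:[a-f0-9]{64}$' || exit 1
  printf '%s\n' "$digest"
)

# Pre-fix capture: only stdout lands in the variable. stderr still
# reaches the job log, which is why the lines look present to a reader.
digest_stdout_only() (
  out="$("$@")"
  extract_digest "$out"
)

# Fixed capture: 2>&1 inside the substitution merges stderr into the
# captured text, so the parser sees what the log shows.
digest_merged() (
  out="$("$@" 2>&1)"
  extract_digest "$out"
)

# Demonstration run.
digest_stdout_only fake_helm_push 2>/dev/null \
  || echo "stdout only: no digest parsed"
echo "merged: $(digest_merged fake_helm_push)"

# A truncated digest is still rejected by the format check.
extract_digest "Digest: sha256:abc123" \
  || echo "malformed digest rejected"
```

Failing closed on a missing or malformed digest matters here because the later signing and attestation steps are addressed by that digest.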