fix: gate release tags behind container scan, add retag workflow#186
Merged
Conversation
On tag pushes, build to an ephemeral :vX.Y.Z-rc tag first, scan it, then retag to :vX.Y.Z / :X.Y / :X / :latest only when the scan passes. This ensures :latest always points to a clean image. Edge continues to track every main commit without scanning — it's a mutable dev target and scan failures there are acceptable. Also bumps GRYPE_VERSION from 0.111.0 (non-existent release) to 0.111.1, applies the same PATH fix and tee-to-stdout report approach from the CVE jobs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Release flow for tag pushes: - Build to ephemeral :vX.Y.Z-pending tag - Scan by digest (fails build on high CVEs with a fix) - On scan pass: retag to :vX.Y.Z / :X.Y / :X / :latest, delete -pending :edge continues to track every main commit without scanning — mutable dev target, scan failures acceptable there. :latest now always points to a scan-clean release image. Also adds retag.yml — workflow_dispatch to retag any digest to arbitrary tags without rebuilding, for emergency promotions and re-pointing :latest. Bumps GRYPE_VERSION 0.111.0 → 0.111.1. The root cause of the original scan-action failure was a bug in that pinned commit of anchore/scan-action which constructs the download URL as /releases/0.111.0 instead of /releases/tag/v0.111.0, causing a 404. The fix bypasses the install script entirely and downloads directly from the GitHub releases URL. Applies PATH fix and tee-to-stdout report from the CVE jobs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
:vX.Y.Z-pendingimage, scan it, and only promote to:vX.Y.Z/:X.Y/:X/:latestafter the scan passes. The ephemeral tag is deleted post-promotion.:latestnow always points to a scan-clean image.:edgecontinues to track every main commit without scanning — it's a mutable dev target and scan failures there are acceptable.retag.yml: newworkflow_dispatchworkflow to retag any existing digest to arbitrary tags without rebuilding. Use for emergency promotions or re-pointing:latestto a previous known-good release.anchore/scan-actioncommit which constructs the download URL as/releases/0.111.0instead of/releases/tag/v0.111.0. The fix bypasses the install script and downloads directly from the GitHub releases URL.$GITHUB_PATHfix andtee-to-stdout report pattern from the CVE jobs.Test plan
v*tag and confirm: build pushes:vX.Y.Z-pending, scan runs against that digest,publish-releasepromotes to final tags,-pendingtag is deleted from GHCR:latestand:vX.Y.Zpoint to the same digest post-promotionpublish-release(:latestnot updated)retag.ymlmanually with a known digest and confirm tags are created without a rebuildmainand confirm only:edgeis published, no scan runs🤖 Generated with Claude Code