Resolved GHCR image digest for PR preview deploys

[rob-ghost]

PR preview deploys to Cloud Run have been occasionally serving stale images. The build job pushes a fresh image to GHCR as ghcr.io/tryghost/ghost:pr-N, but the consumer side in Ghost-Moya pulls through GCP Artifact Registry, whose pull-through cache can lag behind GHCR for the mutable pr-N tag. The result is a deploy that succeeds against an older manifest than the one we just built, and reviewers see a preview that does not reflect the latest commit.

This change resolves the canonical sha256 digest from GHCR after the build job succeeds and forwards it to Ghost-Moya as image_digest in the repository_dispatch payload. The resolver fetches an anonymous pull token for the public tryghost/ghost repo, issues a HEAD request against the pr-N manifest with the OCI index and Docker v2 manifest media types in the Accept header, and parses the Docker-Content-Digest response header. The digest is validated as sha256: + 64 hex chars before being written to the step output so a malformed or missing digest fails the job rather than dispatching garbage. The Ghost-Moya half of this change consumes image_digest and pins the Cloud Run deploy to the immutable ref, sidestepping the Artifact Registry cache entirely.

The token is acquired anonymously because the image is public, so no secrets are needed for the lookup. The skip guard from the recheck step is preserved so the digest resolve and dispatch are still gated together.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6f67858f-6072-488e-9d00-f6ee6a9ab4f9

📥 Commits

Reviewing files that changed from the base of the PR and between 319d32d and 6a949b6.

📒 Files selected for processing (1)

• .github/workflows/pr-preview.yml

---

Walkthrough

The PR preview workflow now includes logic to resolve an immutable image digest from GHCR when deploying eligible PRs. A new workflow step acquires an anonymous GHCR pull token, queries the PR-tagged image manifest via HTTP HEAD request, extracts the docker-content-digest header, validates it as a sha256 value, and exports it. The resolved digest is then passed to the repository-dispatch deploy request for TryGhost/Ghost-Moya as part of the client-payload.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Resolved GHCR image digest for PR preview deploys' is directly related to the main change, which adds a step to resolve the canonical sha256 digest from GHCR and forward it to the deploy request.
Description check	✅ Passed	The description comprehensively explains the problem (stale image deployments), the solution (resolving canonical sha256 digest from GHCR), and implementation details, all directly related to the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/pr-preview-deploy-by-digest

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.81%. Comparing base (319d32d) to head (6a949b6).

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #27941   +/-   ##
=======================================
  Coverage   73.81%   73.81%           
=======================================
  Files        1521     1521           
  Lines      128495   128495           
  Branches    15403    15403           
=======================================
  Hits        94848    94848           
- Misses      32689    32713   +24     
+ Partials      958      934   -24     

Flag	Coverage Δ
admin-tests	53.54% <ø> (ø)
e2e-tests	73.81% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.