feat(supply-chain): verify multi-arch image manifests post-release (#5) #33
Merged
Conversation
GoReleaser already produces multi-arch manifest lists for every release via the docker_manifests: block. Verified manually against v0.10.2: both registries serve linux/amd64 + linux/arm64 under the plain tag, so users get the right variant from docker pull without specifying an arch suffix. What was missing was the regression safety net + the docs to tell users this works.

What ships in this change:

- .github/workflows/release.yml — new verify-images job, runs after goreleaser publishes. docker manifest inspect against both ghcr.io/awbx/cronix:<version> and docker.io/awbx/cronix:<version>, asserting both linux/amd64 and linux/arm64 platforms are listed. Fails the release workflow loudly if docker_manifests: gets dropped from .goreleaser.yaml or if a per-arch build silently fails to push.
- README.md — Install section now documents the multi-arch pull pattern explicitly. Previously suggested "docker pull awbx/cronix" with no version, which works but doesn't surface that arm64 is supported.
- deploy/helm/cronix/README.md — new Architecture section documenting that the chart resolves the right image variant per node automatically, including in mixed-arch clusters. Calls out the per-arch tag override pattern for users who want to pin.

Out of scope:

- Arm64 smoke job (qemu-based "cronix version" run in CI). The third bullet from #5's acceptance criteria. Worth a follow-up; not blocking now that the manifest list itself is verified.

Note: GHCR package visibility was flipped to public in the same session as this PR. Before the flip, ghcr.io/awbx/cronix was 403 to anonymous pulls, which would have made the cosign verify example in the README's §Verify a release fail for everyone but the owner. Verified anonymous pull works post-flip.

Signed-off-by: Abdelhadi Sabani <asabani.work@gmail.com>
Closes #5.
Summary
Adds a post-release `verify-images` job that runs `docker manifest inspect` on both registries and asserts `linux/amd64` + `linux/arm64` are both listed. Documents the multi-arch pull pattern in the README and the Helm chart.
What changes
Discovered along the way: GHCR was private
`ghcr.io/awbx/cronix` was set to private package visibility when first published. Anonymous pulls returned 401, which silently broke the `cosign verify ghcr.io/awbx/cronix:-amd64` example in the README — every adopter following the verify-a-release instructions would have hit a wall.
Flipped to public via the GitHub UI in the same session as opening this PR. Verified anonymous pull works post-flip. Docker Hub was already public.
Out of scope
Test plan
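The verify-images check described in the commit message and in the summary above, written out as an added example (this is not the cronix project's own release.yml code). It parses the JSON that `docker manifest inspect <ref>` prints and reports which required platforms are missing, treating a plain single-arch image manifest (no `manifests` array, which is what a dropped `docker_manifests:` block would produce) as missing everything, and skipping buildx attestation entries whose platform is `unknown/unknown`. The sample manifests are constructed, the digests are placeholders, and the `verify_ref` wrapper assumes docker is installed and the refs are anonymously pullable.

```python
"""Post-release check: does an image tag resolve to a multi-arch manifest list?

Added example, not the cronix project's workflow code. Assumes the output shape
of `docker manifest inspect`: a manifest list / OCI index whose `manifests`
entries each carry a `platform` object with `os` and `architecture`.
"""
import json
import subprocess
import sys

# The platforms the release must publish under the plain tag.
REQUIRED_PLATFORMS = {("linux", "amd64"), ("linux", "arm64")}


def listed_platforms(manifest_json: str) -> set:
    """Return the (os, architecture) pairs listed in a manifest list.

    A single-arch image manifest has no `manifests` array and therefore yields
    an empty set, which is exactly the regression this check exists to catch.
    Buildx provenance/SBOM attestation entries report os/arch "unknown" and are
    not runnable images, so they are ignored.
    """
    doc = json.loads(manifest_json)
    found = set()
    for entry in doc.get("manifests", []):
        plat = entry.get("platform", {})
        os_name = plat.get("os", "unknown")
        arch = plat.get("architecture", "unknown")
        if "unknown" in (os_name, arch):
            continue
        found.add((os_name, arch))
    return found


def missing_platforms(manifest_json: str, required=REQUIRED_PLATFORMS) -> set:
    """Required platforms that the manifest list does not serve."""
    return set(required) - listed_platforms(manifest_json)


def verify_ref(ref: str) -> bool:
    """Inspect a real ref with the docker CLI (needs docker and network)."""
    proc = subprocess.run(
        ["docker", "manifest", "inspect", ref],
        capture_output=True, text=True, check=True,
    )
    missing = missing_platforms(proc.stdout)
    if missing:
        print(f"{ref}: missing platforms {sorted(missing)}", file=sys.stderr)
        return False
    print(f"{ref}: ok, serves {sorted(listed_platforms(proc.stdout))}")
    return True


# Constructed sample inputs; digests are placeholders, not real image digests.
MULTI_ARCH_SAMPLE = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"digest": "sha256:" + "a" * 64, "platform": {"architecture": "amd64", "os": "linux"}},
        {"digest": "sha256:" + "b" * 64, "platform": {"architecture": "arm64", "os": "linux"}},
        # buildx attestation entry: must not count as a served platform
        {"digest": "sha256:" + "c" * 64, "platform": {"architecture": "unknown", "os": "unknown"}},
    ],
})

# What you get when only one per-arch image was pushed under the tag.
SINGLE_ARCH_SAMPLE = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"digest": "sha256:" + "d" * 64},
    "layers": [],
})

if __name__ == "__main__":
    # Usage: python verify_images.py ghcr.io/<org>/<image>:<tag> docker.io/<org>/<image>:<tag>
    if len(sys.argv) > 1:
        results = [verify_ref(ref) for ref in sys.argv[1:]]  # check every ref, no short-circuit
        sys.exit(0 if all(results) else 1)
    print("multi-arch sample missing:", missing_platforms(MULTI_ARCH_SAMPLE))
    print("single-arch sample missing:", missing_platforms(SINGLE_ARCH_SAMPLE))
```

In a release workflow the script would be run once per registry with the freshly published tag, so a missing per-arch push or a removed `docker_manifests:` block fails the job before the release is announced rather than after a user on arm64 reports a pull of the wrong image.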