chore: pin all self-refs to full SHAs and update release flow #115
Merged: derekmisler merged 1 commit into docker:main on Mar 26, 2026
Conversation
Signed-off-by: Derek Misler <derek.misler@docker.com>

chore: remove confused reaction from reply-to-feedback workflow

Remove the second confused emoji reaction that was added when reply generation failed. Consistent with the previous commit - failures are already logged in workflow runs.

chore: remove confused reaction on thread-build failure

The confused emoji reaction was confusing users when thread context building failed. Remove the step entirely - failures are already logged in the workflow run.

fix: address code review findings

- Add --paginate flag to consumer repo search to handle >100 repos
- Add validation for SHA-pinned refs without version comments
- Replace unsafe heredoc PR body with printf to prevent command injection
- Add trap-based cleanup for temp directories to prevent resource leaks
- Move ROOT_COMMENT_ID validation to shared step for both auth paths

Fixes identified in strict code review:
- HIGH: Consumer repo pagination truncation
- MEDIUM: Command injection via FILE_PATH in PR body
- MEDIUM: Weak validation pattern for SHA pinning
- MEDIUM: Temp directory leaks on errors
- MEDIUM: Missing ROOT_COMMENT_ID validation in authorized path

chore: remove redundant token validation step

Assisted-By: docker-agent
Contributor
Assessment: 🟢 APPROVE

This PR successfully implements SHA-pinned self-references and updates the release workflow. The changes are well-structured and secure.

What was reviewed:
- ✅ SHA-pinning logic correctly replaces mutable `@latest` refs with immutable SHA pins
- ✅ Token migration from `RELEASE_TOKEN` to GitHub App token is properly implemented
- ✅ New `update-consumers` job safely handles external repo updates with proper error handling
- ✅ Shell variable quoting is correct throughout (double-quoted to prevent injection)
- ✅ Validation logic improvements in `review-pr.yml` (ROOT_COMMENT_ID validation moved earlier)

Minor observation:
The update-consumers job has a very narrow window where temp directories might not be cleaned up if a signal arrives between clearing the trap (line 326) and manual cleanup. However, this has minimal practical impact since GitHub Actions cleans up runner environments after each run.

Security notes:
- Reviewed for command injection risks - all external inputs (FILE_PATH, REPO) are properly quoted
- GitHub API inputs are constrained by GitHub's own validation
- Error handling appropriately continues on failures without exposing sensitive data

The code is production-ready. Nice work on the comprehensive refactoring! 🚀
krissetto approved these changes, Mar 26, 2026
rumpl approved these changes, Mar 26, 2026
Related Issues

Closes https://github.com/docker/gordon/issues/327

Summary

Replaces all mutable `@latest` tag references with immutable full-SHA pins across the repo, rewrites the release workflow to maintain SHA-pinned refs going forward, and migrates all workflows from `RELEASE_TOKEN` to a GitHub App token. Also adds automatic discovery and updating of consumer repos on release.

Changes

SHA-pin all self-references

Every `docker/cagent-action*@latest` ref is now `@dba0ca51... # v1.3.1` — across workflow files (`release.yml`, `review-pr.yml`), composite actions (`review-pr/action.yml`, `review-pr/reply/action.yml`), and documentation (`README.md`, `review-pr/README.md`, `security/README.md`). The mutable `latest` tag is no longer created or updated.

Rewrite release pinning logic (`release.yml`)

- `@<40-hex-sha> # v<semver>` instead of `@latest`, and pins to `HEAD_SHA` (the parent commit on main) rather than a version tag
- `release.yml` itself and markdown files

New `update-self-refs` job (`release.yml`)

Replaces the old `update-pinata` job. After tagging a release, opens a PR back to `main` that updates all SHA refs (in `.yml`, `.yaml`, and `.md` files) to point at the new release commit. Uses separate sed patterns for YAML (`uses:` anchored) and Markdown (broader match). Stages all changed files via `git add -A` instead of a single hardcoded path.

New `update-consumers` job (`release.yml`)

Dynamically discovers all `docker/*` repos that reference the `cagent-action` reusable workflow via GitHub code search, then opens/updates a PR in each one to bump the SHA pin. Gated behind the new `pre_release` input so test releases can skip consumer updates. Includes permission checks, clone failure handling, and idempotent PR create-or-update logic.

Migrate from `RELEASE_TOKEN` to GitHub App token

All jobs in `release.yml` and the renamed `update-docker-agent-version.yml` now use `tibdex/github-app-token` with `CAGENT_REVIEWER_APP_ID`/`CAGENT_REVIEWER_APP_PRIVATE_KEY`. A new "Validate token permissions" step in the release job fails fast if the token lacks push access. The `update-cagent-version.yml` → `update-docker-agent-version.yml` rename also drops the `HAS_APP_SECRETS`/`continue-on-error` fallback — the app token is now required.

Other changes

- `review-pr.yml`: Moved `ROOT_COMMENT_ID` validation into its own step (earlier in the pipeline, before the authorization check)
- `reply-to-feedback.yml`/`review-pr.yml`: Removed "React on failure" steps that added confused emoji reactions
- `update-self-refs` PR body no longer includes `/skip-builds` and `/skip-tests` commands

Test plan

- `pre_release` dispatch and verify:
  - `update-self-refs` PR is opened against `main`
  - `update-consumers` job is skipped
- `update-consumers` discovers and PRs consumer repos
- `latest` tag is not created/updated
- `update-docker-agent-version.yml` works without `RELEASE_TOKEN` fallback
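As an added example (not code from docker/cagent-action or its `release.yml`), the shell below shows the two-pattern rewrite the description mentions: a `uses:`-anchored sed pattern for YAML, a broader one for Markdown, and the strict check the review findings asked for, namely that every remaining self-reference is a full 40-hex SHA followed by a `# v<semver>` comment (so a leftover `@latest`, a short SHA, or a pin with no version comment all fail). The function names `pin_refs` and `validate_pins`, the placeholder SHA and the sample lines are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not the project's release.yml. Rewrites docker/cagent-action
# self-references to "@<40-hex-sha> # v<semver>" and validates the result.
set -eu

ACTION='docker/cagent-action'          # action/repo whose refs are pinned
PATH_RE='(/[A-Za-z0-9_./-]*)?'         # optional subpath, e.g. /review-pr/reply

# pin_refs MODE SHA VERSION  (stdin -> stdout)
#   yaml: only `uses:` lines are rewritten, so the action name inside comments
#         or strings is left untouched.
#   md:   every occurrence is rewritten (docs mention the action in prose).
# Any existing "# v..." comment after the ref is replaced, never duplicated.
pin_refs() {
  mode=$1 sha=$2 version=$3
  case $sha in
    *[!0-9a-f]*) echo "pin_refs: SHA must be lowercase hex" >&2; return 2 ;;
  esac
  [ ${#sha} -eq 40 ] || { echo "pin_refs: SHA must be 40 chars" >&2; return 2; }
  case $version in
    v[0-9]*.[0-9]*.[0-9]*) ;;
    *) echo "pin_refs: VERSION must look like v1.2.3" >&2; return 2 ;;
  esac
  case $mode in
    yaml) sed -E "s,^([[:space:]]*-?[[:space:]]*uses:[[:space:]]*${ACTION}${PATH_RE})@[^[:space:]]+([[:space:]]*#.*)?\$,\1@${sha} # ${version}," ;;
    md)   sed -E "s,(${ACTION}${PATH_RE})@(latest|[0-9a-f]{40})( # v[0-9]+\.[0-9]+\.[0-9]+)?,\1@${sha} # ${version},g" ;;
    *) echo "pin_refs: mode must be yaml or md" >&2; return 2 ;;
  esac
}

# validate_pins  (stdin -> exit status)
# Lists every self-reference that is not "@<40-hex-sha> # v<semver>" and
# returns 1 if any exist. Catches leftover @latest, short SHAs, and SHA pins
# that carry no version comment (the weak-pattern finding from the review).
validate_pins() {
  bad=$(grep -Eo "${ACTION}${PATH_RE}@[A-Za-z0-9._-]+( # v[0-9]+\.[0-9]+\.[0-9]+)?" \
        | { grep -Ev '@[0-9a-f]{40} # v[0-9]+\.[0-9]+\.[0-9]+$' || :; })
  if [ -z "$bad" ]; then
    return 0
  fi
  printf '%s\n' "$bad" | sed 's/^/unpinned or uncommented ref: /' >&2
  return 1
}

# Constructed sample input; the SHA is a placeholder, not a real commit.
SAMPLE_SHA=0123456789abcdef0123456789abcdef01234567
SAMPLE_YAML='      - uses: docker/cagent-action/review-pr@latest
      - uses: actions/checkout@v4'

demo() {
  pinned=$(printf '%s\n' "$SAMPLE_YAML" | pin_refs yaml "$SAMPLE_SHA" v1.3.1)
  printf '%s\n' "$pinned"
  printf '%s\n' "$pinned" | validate_pins
  echo "all self-references are SHA-pinned with a version comment"
}

demo
```

In a release job the YAML mode would be run over `.yml`/`.yaml` files and the Markdown mode over `.md` files, with `validate_pins` run over the result before `git add -A` so a partial rewrite cannot be committed. The validator insists on exactly one space before `#` and one after, matching what `pin_refs` writes; a looser pattern is what lets an uncommented pin slip through.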