Skip to content

update release to target all consumers, not just hash consumers#129

Merged
derekmisler merged 1 commit intodocker:mainfrom
derekmisler:update-release-to-target-all-consumers-not-just-h
Apr 14, 2026
Merged

update release to target all consumers, not just hash consumers#129
derekmisler merged 1 commit intodocker:mainfrom
derekmisler:update-release-to-target-all-consumers-not-just-h

Conversation

@derekmisler
Copy link
Copy Markdown
Contributor

@derekmisler derekmisler commented Apr 14, 2026
edited
Loading

Related Issues

Closes: https://github.com/docker/gordon/issues/386

Summary

Fixes a critical bug where the release workflow pinned self-refs to a SHA that lacked compiled dist/ output, which would break setup-credentials resolution for every consumer. Also broadens ref matching so consumers pinned by any format (not just SHA # v…) are correctly updated, and expands the pinning scope to cover all workflow files.

Key changes

Release workflow (.github/workflows/release.yml)

  • Two-pass release commit — Pass 1 stages dist/ and creates TEMP_SHA; Pass 2 pins all self-refs to TEMP_SHA and creates RELEASE_SHA parented on it. Consumers resolving sub-actions now land on a commit where dist/ exists.
  • Wider sed patterns@.* replaces the old @[a-f0-9]{40} # v… regex, catching any ref format (tag, branch, bare SHA).
  • Expanded grep scope — scans review-pr/, .github/workflows/, .github/actions/ instead of 3 hardcoded files.
  • Validationdist/ existence check before staging; stricter post-pin verification (exact @SHA # version match, comment-line exclusion).

Expression injection hardening (action.yml, review-pr/action.yml, review-pr/reply/action.yml, review-pr.yml)

  • GitHub context expressions moved from inline run: scripts to env: blocks.

Dependency pinning (package.json, pnpm-lock.yaml)

  • All deps pinned to exact versions (no ^). Notable: @actions/core → 3.0.0, vitest → 4.0.18, typescript → 5.9.3.

Test fixes — Mocks updated for vitest 4.x ESM compatibility; rollup config suppresses harmless CJS/ESM interop warnings.

Tip

Comment /review to trigger the PR Reviewer agent for automated feedback.
Comment /describe to generate a PR description.

@derekmisler derekmisler self-assigned this Apr 14, 2026
@derekmisler
Copy link
Copy Markdown
Contributor Author

derekmisler commented Apr 14, 2026

/describe

@derekmisler derekmisler force-pushed the update-release-to-target-all-consumers-not-just-h branch 3 times, most recently from cd1a79f to c217949 Compare April 14, 2026 17:43
@derekmisler derekmisler requested a review from a team April 14, 2026 17:43
@derekmisler derekmisler marked this pull request as ready for review April 14, 2026 17:44
@derekmisler derekmisler marked this pull request as draft April 14, 2026 18:41
@derekmisler derekmisler force-pushed the update-release-to-target-all-consumers-not-just-h branch 2 times, most recently from d51fd53 to 435a51c Compare April 14, 2026 19:11
@derekmisler
update release to target all consumers, not just hash consumers
8918a7c 
Signed-off-by: Derek Misler <derek.misler@docker.com>
@derekmisler derekmisler force-pushed the update-release-to-target-all-consumers-not-just-h branch from 435a51c to 8918a7c Compare April 14, 2026 19:20
@derekmisler derekmisler marked this pull request as ready for review April 14, 2026 19:25
@derekmisler derekmisler merged commit 3ccecb5 into docker:main Apr 14, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rumpl rumpl rumpl approved these changes

@trungutt trungutt trungutt approved these changes

Assignees

@derekmisler derekmisler

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@derekmisler @rumpl @trungutt