fix update consumers workflow#158
Conversation
Signed-off-by: Derek Misler <derek.misler@docker.com>
![docker-agent[bot]](https://avatars.githubusercontent.com/in/2787757?s=60&v=4){kind=small}
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| repository: docker/cagent-action | ||
| ref: ${{ github.workflow_sha }} |
There was a problem hiding this comment.
[MEDIUM] Checkout for build uses github.workflow_sha instead of the release SHA, potentially building the CLI from the wrong ref
The new "Checkout source for build" step uses ref: ${{ github.workflow_sha }} — the SHA of the commit that contains the workflow file (typically the current HEAD of main). However, the workflow's purpose is to propagate a specific validated release SHA (steps.resolve.outputs.sha) to consumer repositories.
This creates a semantic mismatch: the dist/signed-commit.js CLI that's built and then used in the "Discover and update consumer repos" step to create signed commits in consumer repos is compiled from a different commit than the release being propagated. If main has moved ahead of the release (which is the common case), consumers will be updated to release SHA X, but the CLI binary that performs those updates was built from a newer, unreleased commit.
Consider whether the intent is:
- Build from the release SHA (consistent, reproducible): use
ref: ${{ steps.resolve.outputs.sha }} - Build from the latest workflow infra (always up-to-date tooling): the current
github.workflow_shais intentional, but this should be documented with a comment explaining the design choice, since it means the CLI used to update consumers is not the same version being released to them.
- name: Checkout source for build
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: docker/cagent-action
ref: ${{ github.workflow_sha }} # <-- builds from main HEAD, not the release SHA2 participants
Related Issues
Closes: https://github.com/docker/gordon/issues/467
Summary
Add build steps to the update-consumers workflow to ensure the signed-commit CLI is built before discovering and updating consumer repositories. This ensures the latest version of the action is available when notifying consumers.
Changes