From 68f63228524b47e1d5f19dce9ae9d3aa529dd3d3 Mon Sep 17 00:00:00 2001
From: Christopher Beaulieu
Date: Tue, 5 May 2026 15:55:00 -0400
Subject: [PATCH] fix(ci): repoint container pins to post-#195 overlay digests (closes #194) PR #195 rebuilt the runtime base image with `unzip` + `gh` baked in, producing new overlay digests on the post-merge runtime-build run. This commit updates the 5 container-pinned reusable workflows + the claude-tag-respond.yml dispatch mapping to point at those new digests. Image map (review / fix / explain): - claude-runtime-review@sha256:e0bb9972... - claude-runtime-fix@sha256:3e8fd1b7... - claude-runtime-explain@sha256:c3fb56ee... With this in, every container-init goes against an image that has the dependencies the composite actions need; PR #191's `review` check should pass on its next rebase, end-to-end validating the #192 / #194 diagnosis. Closes #194.
---
 .github/workflows/claude-apply-fix.yml | 4 ++--
 .github/workflows/claude-ci-failure.yml | 4 ++--
 .github/workflows/claude-lint-failure.yml | 4 ++--
 .github/workflows/claude-pr-review.yml | 4 ++--
 .github/workflows/claude-tag-respond.yml | 6 +++---
 CLAUDE.md | 2 ++
 6 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/claude-apply-fix.yml b/.github/workflows/claude-apply-fix.yml
index 4f7dce1..308f51c 100644
--- a/.github/workflows/claude-apply-fix.yml
+++ b/.github/workflows/claude-apply-fix.yml
@@ -39,8 +39,8 @@ jobs:
 runs-on: ubuntu-latest
 # Phase 5: pin the fix overlay image by SHA256 digest. The fix overlay
 # carries the agent set required for code-write tasks (per spec §7.5).
- # Digest source: STAGE 3 build run 25261308990 (Phase 3 merge, c8d9b7e).
- container: ghcr.io/glitchwerks/claude-runtime-fix@sha256:da2b6e52ad20159252cb6f24147d4ece221182dbb0b21df9fb32966126e24a20
+ # Digest source: runtime-build run 25398539323 (post-#195 rebuild, unzip+gh baked in).
+ container: ghcr.io/glitchwerks/claude-runtime-fix@sha256:3e8fd1b77b5e92c83f759059fc76c764f84f3d85ca14df3af4c27979febded24
 concurrency:
 group: claude-apply-fix-${{ github.repository }}-${{ inputs.pr_number }}
 cancel-in-progress: false
diff --git a/.github/workflows/claude-ci-failure.yml b/.github/workflows/claude-ci-failure.yml
index 5995b5a..32cb911 100644
--- a/.github/workflows/claude-ci-failure.yml
+++ b/.github/workflows/claude-ci-failure.yml
@@ -56,8 +56,8 @@ jobs:
 # uses the fix overlay (per §7.5) rather than a dedicated diagnose overlay
 # — the same agent set handles read-only and apply paths, behavior is
 # gated by the `auto_apply` input passed to the prompt.
- # Digest source: STAGE 3 build run 25261308990 (Phase 3 merge, c8d9b7e).
- container: ghcr.io/glitchwerks/claude-runtime-fix@sha256:da2b6e52ad20159252cb6f24147d4ece221182dbb0b21df9fb32966126e24a20
+ # Digest source: runtime-build run 25398539323 (post-#195 rebuild, unzip+gh baked in).
+ container: ghcr.io/glitchwerks/claude-runtime-fix@sha256:3e8fd1b77b5e92c83f759059fc76c764f84f3d85ca14df3af4c27979febded24
 concurrency:
 group: claude-ci-failure-${{ github.repository }}-${{ inputs.pr_number }}
 cancel-in-progress: true
diff --git a/.github/workflows/claude-lint-failure.yml b/.github/workflows/claude-lint-failure.yml
index 66f886c..cfbc259 100644
--- a/.github/workflows/claude-lint-failure.yml
+++ b/.github/workflows/claude-lint-failure.yml
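Review bot: The new `container:` pin in claude-apply-fix.yml is the same `claude-runtime-fix@sha256:3e8fd1b7…` value hand-copied into the claude-ci-failure.yml and claude-lint-failure.yml hunks and the `fix)` arm of claude-tag-respond.yml, and nothing visible in this commit keeps those copies in step. The commit message counts five container-pinned reusable workflows plus the tag-respond mapping, while the diffstat lists four reusable workflow files plus claude-tag-respond.yml, so it is worth confirming that no workflow outside this diff still pins the pre-#195 `da2b6e52…` or `776980ed…` digest. The `# Digest source:` comment records the run id but not how the digest was checked against that run; if runtime-build publishes a signature or attestation (not visible here), naming it in the comment, e.g. `# Digest source: runtime-build run 25398539323; verified against <attestation or signature reference>`, would let a reviewer confirm the pin independently. The job body continues outside the hunk.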
@@ -57,8 +57,8 @@ jobs:
 # the fix overlay handles both read-only diagnosis (auto_apply: false)
 # and the auto-apply path (auto_apply: true) — the composite action's
 # behavior switches on the input, the image does not.
- # Digest source: STAGE 3 build run 25261308990 (Phase 3 merge, c8d9b7e).
- container: ghcr.io/glitchwerks/claude-runtime-fix@sha256:da2b6e52ad20159252cb6f24147d4ece221182dbb0b21df9fb32966126e24a20
+ # Digest source: runtime-build run 25398539323 (post-#195 rebuild, unzip+gh baked in).
+ container: ghcr.io/glitchwerks/claude-runtime-fix@sha256:3e8fd1b77b5e92c83f759059fc76c764f84f3d85ca14df3af4c27979febded24
 concurrency:
 group: claude-lint-failure-${{ github.repository }}-${{ inputs.pr_number }}
 cancel-in-progress: true
diff --git a/.github/workflows/claude-pr-review.yml b/.github/workflows/claude-pr-review.yml
index ffbca2e..d8df6bd 100644
--- a/.github/workflows/claude-pr-review.yml
+++ b/.github/workflows/claude-pr-review.yml
@@ -45,8 +45,8 @@ jobs:
 # invocation all run inside this container. The image bakes in Claude CLI
 # at $PATH_TO_CLAUDE_CODE_EXECUTABLE plus the review-specific agent set
 # (different-eyes guarantee per spec §3.1, §10.2).
- # Digest source: STAGE 3 build run 25261308990 (Phase 3 merge, c8d9b7e).
- container: ghcr.io/glitchwerks/claude-runtime-review@sha256:776980ed9009fe17dfdb782960978bd573842dc867728bd4e63d734871cdeef1
+ # Digest source: runtime-build run 25398539323 (post-#195 rebuild, unzip+gh baked in).
+ container: ghcr.io/glitchwerks/claude-runtime-review@sha256:e0bb9972fb1273bb6cd4fa4e2db06834eb65fe88563477a6933832647c2184ca
 concurrency:
 group: claude-pr-review-${{ github.repository }}-${{ github.event.pull_request.number }}
 cancel-in-progress: true
diff --git a/.github/workflows/claude-tag-respond.yml b/.github/workflows/claude-tag-respond.yml
index b939804..e357fb1 100644
--- a/.github/workflows/claude-tag-respond.yml
+++ b/.github/workflows/claude-tag-respond.yml
@@ -96,13 +96,13 @@ jobs:
 set -euo pipefail
 case "$OVERLAY" in
 review)
- IMG="ghcr.io/glitchwerks/claude-runtime-review@sha256:776980ed9009fe17dfdb782960978bd573842dc867728bd4e63d734871cdeef1"
+ IMG="ghcr.io/glitchwerks/claude-runtime-review@sha256:e0bb9972fb1273bb6cd4fa4e2db06834eb65fe88563477a6933832647c2184ca"
 ;;
 fix)
- IMG="ghcr.io/glitchwerks/claude-runtime-fix@sha256:da2b6e52ad20159252cb6f24147d4ece221182dbb0b21df9fb32966126e24a20"
+ IMG="ghcr.io/glitchwerks/claude-runtime-fix@sha256:3e8fd1b77b5e92c83f759059fc76c764f84f3d85ca14df3af4c27979febded24"
 ;;
 explain)
- IMG="ghcr.io/glitchwerks/claude-runtime-explain@sha256:23dd59f2651ebc9aba93b5c143d5b78d256c8abe1ebf970ad9c218f6aa06ff77"
+ IMG="ghcr.io/glitchwerks/claude-runtime-explain@sha256:c3fb56ee7bd95177ad7658a953035c40071b797187f48e215d90e8a2f31f424c"
 ;;
 *)
 echo "::error::router emitted status=ok but overlay=$OVERLAY is not in the known set (review|fix|explain). Add the new overlay to the case statement in the 'image' step of the route job (.github/workflows/claude-tag-respond.yml)."
diff --git a/CLAUDE.md b/CLAUDE.md
index e0d5f28..fb1fa47 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
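Review bot: The three `IMG=` arms in the `case "$OVERLAY"` block change digest with no provenance comment, while the four `container:` pins in the reusable workflows each gain a `# Digest source:` line in this same commit. Unless one already sits above the hunk, add `# Digest source: runtime-build run 25398539323 (post-#195 rebuild, unzip+gh baked in).` before `case "$OVERLAY" in`; this is the only place in the diff where the `claude-runtime-explain` digest is recorded, so it has no other source note to fall back on. The step's script starts and ends outside the hunk.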
@@ -84,6 +84,8 @@ The build workflow `.github/workflows/runtime-build.yml` runs STAGE 1 on `pull_r **Phase 3 status (post-merge of this PR):** three overlay images at `ghcr.io/glitchwerks/claude-runtime-{review,fix,explain}@sha256:` build FROM the Phase 2 base. Each overlay carries verb-specific agents/plugins per `overlays..imports_from_private` and a verb-scoped `runtime/overlays//CLAUDE.md` that becomes the active persona at job time (replaces the base shared CLAUDE.md per §3.4 layer 2). Each overlay also declares an `expected.yaml` inventory contract that the matcher (`runtime/scripts/inventory-match.sh`) enforces in STAGE 4-overlay smoke. The "different eyes" guarantee (§3.1, §10.2) is enforced mechanically — a future edit that accidentally imports `code-writer` into review fails the build. Phase 3 also introduces `overlays..subtract_from_shared.plugins` (manifest schema extension; see spec §4.2/§5.1 amendments) to remove base-inherited plugins from a specific overlay (review subtracts `skill-creator`). Issue [#141](https://github.com/glitchwerks/github-actions/issues/141). +**Phase 5 image refresh (post-#194):** PR [#195](https://github.com/glitchwerks/github-actions/pull/195) rebuilt the runtime base image with `unzip` and `gh` baked in, producing new overlay digests on the post-merge `runtime-build` run (run id 25398539323); the five container-pinned reusable workflows and the `claude-tag-respond.yml` dispatch mapping were repointed to those new digests in PR-B of [#194](https://github.com/glitchwerks/github-actions/issues/194). The underlying overlay set, layer model, and "different eyes" guarantee are unchanged. + ## Versioning - `v2.0.0` — pinned tag for reproducible builds