feat(sbom): add stable-daily GHCR stream to SBOM pipeline and changelogs #744
Bluefin stable-daily-YYYYMMDD builds are pushed to GHCR without a corresponding GitHub Release. They were invisible on the changelogs page because the SBOM pipeline only tracked streams whose tags appear in GitHub Releases, and the feed parser couldn't produce entries for GHCR-only tags.

Changes:

- fetch-github-sbom.js: add bluefin-stable-daily stream spec (streamPrefix: "stable-daily") so the nightly GHCR tags are picked up by findRecentTagsForStream and their SBOMs are fetched and cached.
- parseOsRelease.ts: fix detectStream() to check ^stable-daily- before the broader ^(stable|beta)- guard so compound prefixes aren't misdetected as "stable". Fix extractTag() to handle compound prefixes (word-word-YYYYMMDD) via a dedicated regex before the standard single-word check.
- FirehoseFeed.tsx: update sbomKeyForRelease() to route stable-daily events to bluefin-stable-daily stream (was incorrectly routing to bluefin-stable). Add loadStableDailyEventsFromSbom() which synthesises OsReleaseEvent entries directly from the SBOM cache for GHCR-only daily builds — these never appear in bluefin-releases.json so they need a separate code path. Include STABLE_DAILY_OS_EVENTS in ALL_OS_STREAM_EVENTS.
- generate-card-images.mjs: same sbomKeyForRelease() fix for consistency.
- fetch-github-sbom.test.js: 2 new tests verifying stable-daily tag filtering and that stable spec does not accidentally match stable-daily.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
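The prefix ordering and date handling this PR describes, as an added JavaScript example that is not the project's code: `parseStreamTag`, `detectByGuards`, the guard lists and the sample titles are hypothetical names and constructed inputs. It contrasts first-match prefix guards in both orders with an exact-prefix lookup plus a round-trip date check.

```javascript
// Added example: names and sample titles are constructed, not the project's.
const KNOWN_PREFIXES = new Set(["stable", "beta", "stable-daily"]);

// Parse "<prefix>-YYYYMMDD" at the start of a title. The prefix is matched
// exactly against the known set, so "stable-daily" can never fall through
// to "stable", and the date must be a real calendar day.
function parseStreamTag(title) {
  const m = /^([a-z]+(?:-[a-z]+)*)-(\d{8})(?!\d)/.exec(title);
  if (!m || !KNOWN_PREFIXES.has(m[1])) return null;
  const [, prefix, ymd] = m;
  const y = Number(ymd.slice(0, 4));
  const mo = Number(ymd.slice(4, 6));
  const d = Number(ymd.slice(6, 8));
  const dateMs = Date.UTC(y, mo - 1, d);
  const back = new Date(dateMs);
  // Date.UTC rolls impossible dates over (Feb 30 lands in March); reject them.
  if (back.getUTCFullYear() !== y || back.getUTCMonth() !== mo - 1 ||
      back.getUTCDate() !== d) return null;
  return { stream: prefix, tag: `${prefix}-${ymd}`, dateMs };
}

// First-match prefix guards, to show the ordering hazard the PR fixes.
function detectByGuards(title, guards) {
  const hit = guards.find(([, re]) => re.test(title));
  return hit ? hit[0] : null;
}
const BROAD_FIRST = [["stable", /^stable-/], ["stable-daily", /^stable-daily-/]];
const SPECIFIC_FIRST = [["stable-daily", /^stable-daily-/], ["stable", /^stable-/]];

function demo() {
  const title = "stable-daily-20260115"; // constructed sample
  return {
    broadFirst: detectByGuards(title, BROAD_FIRST),       // misrouted
    specificFirst: detectByGuards(title, SPECIFIC_FIRST), // correct
    parsed: parseStreamTag(title),
    badDate: parseStreamTag("stable-daily-20260230"),
    unknown: parseStreamTag("stable-weekly-20260115"),
  };
}
console.log(demo());
```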
Code Review
This pull request introduces support for the stable-daily release stream, enabling the application to fetch and display daily builds from GHCR that lack formal GitHub releases. Key changes include updates to the SBOM fetching script, new test cases, and logic in the FirehoseFeed component to synthesize release events from the SBOM cache. Review feedback highlights an improvement opportunity regarding the robustness of date parsing and provides a suggestion to make the tag extraction regex more flexible for future stream naming conventions.
| const dateMs = Date.parse( | ||
| `${dateStr.slice(0, 4)}-${dateStr.slice(4, 6)}-${dateStr.slice(6, 8)}T00:00:00Z`, | ||
| ); |
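Review bot: The result of `Date.parse` on the string assembled from the three `dateStr.slice` calls is not checked in the lines shown, and it is `NaN` whenever the eight digits do not form a valid date (month 13, day 00). Add a `Number.isNaN(dateMs)` guard and skip that cache key, so a malformed key cannot yield a feed entry with an invalid timestamp.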
The date string construction for Date.parse assumes that dateStr is always exactly 8 characters (YYYYMMDD). While the regex on line 201 ensures 8 digits are present at the end of the key, if the cacheKey format ever changes in the SBOM pipeline, this slicing logic will break. Additionally, using Date.parse with a manually constructed ISO string can sometimes lead to inconsistent results across different JavaScript environments if the format is not strictly followed. A more robust approach would be to use new Date(year, month - 1, day) or a dedicated date library, although the current implementation is acceptable if the input format is guaranteed.
| */ | ||
| function extractTag(title: string, stream: OsStream): string { | ||
| // Compound prefix format: "stable-daily-YYYYMMDD" (two word segments before the date) | ||
| const compoundMatch = title.match(/^([a-z]+-[a-z]+-\d{8})/i); |
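Review bot: `\d{8}` in the `compoundMatch` regex has nothing after it, so a title whose digit run is longer than eight is still accepted and the captured tag is cut at the eighth digit. Append `(?!\d)` after `\d{8}` so that only an exact eight-digit date matches.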
The regex ^([a-z]+-[a-z]+-\d{8}) is quite specific to a two-word prefix (e.g., stable-daily). If a stream with a three-word prefix or a different naming convention is introduced in the future, this will fail to extract the tag correctly. Consider making the prefix matching more flexible to support multiple hyphenated words before the date.
| const compoundMatch = title.match(/^([a-z]+-[a-z]+-\d{8})/i); | |
| const compoundMatch = title.match(/^([a-z]+(?:-[a-z]+)*-\d{8})/i); |
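Review bot: With `(?:-[a-z]+)*` in the suggested line the extra word groups are optional, so the pattern also matches a single-word tag of the form stable-YYYYMMDD, and the branch commented as the compound prefix format would take over the single-word case as well. Use `(?:-[a-z]+)+` if the intent is two or more words before the date.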
…ntsFromSbom In the stable-daily SBOM loader loop, chipName was destructured from CHIP_TO_SBOM but not used — displayName and field are sufficient. This unblocks the ESLint error that failed CI after PR projectbluefin#744. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>