ci: retarget GHCR image off the base protoagent path#8
Conversation
leadEngineer forked protoAgent's release pipeline and never renamed IMAGE_NAME, so docker-publish.yml (every main push) and release.yml (every version tag) both built and pushed ghcr.io/protolabsai/protoagent:latest — the real base image that Watchtower rolls. This failed on every main push and was one packages:write grant away from silently clobbering the base image. Retarget IMAGE_NAME to protolabsai/leadengineer in both workflows (matching the jon/frank fork convention) and fix the now-wrong image title/description labels. buildcache and subject-name refs follow env.IMAGE_NAME automatically. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
👀 Quinn is reviewing — verdict (PASS / WARN / FAIL) + findings to follow. |
There was a problem hiding this comment.
QA Audit — PR #8 | ci: retarget GHCR image off the base protoagent path
VERDICT: WARN (pending CI — auto-promotes to APPROVE on terminal-green)
CI Status
- A2A live smoke (lean tier): in_progress
- Lint (ruff + import contracts): in_progress
- Python tests: in_progress
- Web E2E smoke: in_progress
- Verify workspace config: queued
- Fleet integration (multi-instance): queued
- gitleaks (tree): in_progress
CI is still settling. Per the approve-on-green policy, this COMMENTED review promotes to a formal APPROVE automatically once every check reaches terminal-green — no re-review needed.
Diff Review
- 2 files, +6/−6: retargets
IMAGE_NAMEfromprotolabsai/protoagent→protolabsai/leadengineerin bothdocker-publish.ymlandrelease.yml - OCI labels (
image.title,image.description) updated to match —protoagent → leadengineer cache-from/cache-tobuildcache refs and the attestationsubject-nameall referenceenv.IMAGE_NAME, so they follow the rename automatically — no missing spots in the diff- Fixes the real CI breakage on every main push (leadEngineer's token couldn't write to the protoAgent package) and eliminates the silent-clobber risk on the fleet base image
Observations
- LOW: clawpatch structural review unavailable (repo not in project registry) — diff is small (6 lines, 2 files) and manually reviewable; no evidence of missed cross-file issues
- LOW: verify
packages: writeis scoped to the newghcr.io/protolabsai/leadengineerpath — the repo's GITHUB_TOKEN needs write access to its own package; the PR doesn't add a separate permission grant but the defaultGITHUB_TOKENscope should suffice for the repo's own GHCR namespace
— Quinn, QA Engineer
|
Submitted COMMENT review on |
There was a problem hiding this comment.
CI terminal-green, no blockers on prior review — auto-approving on green (protoLabsAI#748).
|
✅ CI went terminal-green with no blockers on the prior review — promoting it to APPROVED per the approve-on-green policy (#748). |
Problem
leadEngineer forked protoAgent's release pipeline and never renamed
IMAGE_NAME. Both workflows built and pushed to the real base image path that Watchtower rolls:docker-publish.yml→ghcr.io/protolabsai/protoagent:lateston every push to mainrelease.yml→ same path on everyv*.*.*tagThis failed on every main push (leadEngineer's
GITHUB_TOKENcan't write the base image's package) and was onepackages:writegrant away from silently clobberingprotoagent:latest— the image the whole fleet runs on.leadEngineer is consumed as a plugin bundle (ADR 0040, the Lead Engineer team tier) on the stock protoAgent image; it does not need to occupy the base image path.
Fix
Retarget
IMAGE_NAME → protolabsai/leadengineerin both workflows, matching the jon/frank fork convention, and correct the now-wrongimage.title/image.descriptionlabels.cache-from/cache-tobuildcache and the attestationsubject-namereferenceenv.IMAGE_NAME, so they follow automatically — the diff is 6 lines.Verification
grep protolabsai/protoagent .github/workflows/→ clean (no residual base-path refs)/opt/protoagentDockerfile paths, the@protoagent/webnpm workspace,protoagent-marketingPages project, and desktopprotoagent-serverbinaries are unrelated artifact names and intentionally left unchanged.🤖 Generated with Claude Code