fix(trace-fixtures): correct bogus nixos/nix container digest #238
Merged
The pinned docker.io/nixos/nix@sha256 digest did not exist — a direct pull returns "manifest unknown", so every `podman run` in both the trace-fixtures nightly and the flake.lock workflow would fail at the image-pull step before doing any work.
Replace it with the verified multi-arch INDEX digest for nixos/nix:2.24.9 (manifest.list.v2 — podman resolves the right arch from it). Confirmed via `podman run <image> nix --version` → 2.24.9.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Rivet verification gate: ✅ 20/20 passed
Codecov Report: ✅ All modified and coverable lines are covered by tests.
avrabe added a commit that referenced this pull request May 26, 2026
Workspace bump from 0.10.0 → 0.11.0 across all 22 spar crates (via
[workspace.package].version), plus the VS Code extension's
package.json — the two version surfaces the release workflow's
check-versions job compares against the tag.
What v0.11.0 ships, since v0.10.0:
trace-topology reconciliation engine (incremental rollout):
  #239 IdentityUnknown check (PR 3a — component-borne MAC + chassis-id)
  #241 GptpOutOfBudget check (PR 3b — single-budget case)
trace-topology fixture pipeline:
  #233 Rust gen-fixtures tool (netns + TSN, RAII teardown)
  #234 NixOS guest + QEMU harness for fixture generation
  #238 corrected nixos/nix container digest (fd7a5c67…, multi-arch index)
  #240 podman runner label so workflows schedule on the only
       rootless-podman-capable runner in the fleet (runner9)
codegen:
  #232 --format wit emits only WIT (strict-filter; no Rust/Bazel
       workspace leakage)
  #242 per-category file-count summary + hint when WIT was
       requested but the model has no `process` subcomponents
       (in-flight at bump time; auto-merge armed)
release flow:
  #244 standardise on the synth reference —
       actions/attest-build-provenance@v2 + sigstore cosign
       sign-blob (v2.4.1) over SHA256SUMS.txt, build-env.txt; the
       v0.11.0 release is the first one to exercise the
       standardised cosign + SLSA chain.
Verification after release:
    cosign verify-blob \
      --certificate-identity-regexp \
      'https://github.com/pulseengine/spar/.github/workflows/release.yml@.*' \
      --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
      --bundle SHA256SUMS.txt.cosign.bundle SHA256SUMS.txt
    gh attestation verify spar-v0.11.0-<triple>.tar.gz --repo pulseengine/spar
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Summary
The `docker.io/nixos/nix@sha256:4aba8f00…` digest pinned in both the trace-fixture workflows does not exist — a direct pull returns `manifest unknown`. Every `podman run` in `trace-fixtures.yml` (the nightly) and `fixture-vm-flake-lock.yml` would fail at the image-pull step before doing any work.
`nixos/nix:2.24.9` (`sha256:fd7a5c67…`, `manifest.list.v2` — podman resolves the right arch from it; a per-arch leaf would be a sharper, more fragile pin).
`podman run <image> nix --version` → `nix (Nix) 2.24.9`.
This unblocks dispatching the `fixture-vm flake.lock` workflow, whose artifact is the missing `tools/fixture-vm/flake.lock` that the nightly guards on.
Test plan
`fixture-vm flake.lock` after merge — first real exercise of the rootless-podman + digest-pinned `nixos/nix` path.
`flake.lock` in a follow-up PR; nightly goes live.
🤖 Generated with Claude Code
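
The failure described in this PR (a well-formed `@sha256:` pin with no manifest behind it) can be caught before a workflow runs. The following is an added example, not code from this PR or the spar repository: it extracts digest pins from workflow text, checks each against the raw manifest bytes served for it, and reports whether the pin is a multi-arch index or a per-arch manifest. The `registry.example` image, both digests, and the `fetch` callback are constructed assumptions; in real use `fetch` would return the bytes a registry serves for the reference (for example the output of `skopeo inspect --raw`).

```python
import hashlib
import json
import re

# Media types that mark a multi-arch index rather than a per-arch manifest.
INDEX_TYPES = {
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.index.v1+json",
}
PIN_RE = re.compile(r"([\w.\-/:]+)@(sha256:[0-9a-f]{64})\b")

def find_pins(workflow_text):
    """Return (image, digest) for each digest-pinned reference in the text."""
    return PIN_RE.findall(workflow_text)

def check_pin(digest, manifest_bytes):
    """Classify a pin; manifest_bytes is None on a "manifest unknown" reply."""
    if manifest_bytes is None:
        return "missing"
    if "sha256:" + hashlib.sha256(manifest_bytes).hexdigest() != digest:
        return "mismatch"
    media_type = json.loads(manifest_bytes).get("mediaType", "")
    return "index" if media_type in INDEX_TYPES else "single-arch"

def audit(workflow_text, fetch):
    """Map each pinned reference to a status; fetch(image, digest) -> bytes or None."""
    return {f"{img}@{dg}": check_pin(dg, fetch(img, dg))
            for img, dg in find_pins(workflow_text)}

# Constructed sample data: stand-in registry and workflow, not the project's files.
INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
    "manifests": [{"platform": {"architecture": "amd64", "os": "linux"}},
                  {"platform": {"architecture": "arm64", "os": "linux"}}],
}).encode()
GOOD = "sha256:" + hashlib.sha256(INDEX).hexdigest()
BOGUS = "sha256:" + "ab" * 32  # well-formed, but no registry object behind it
REGISTRY = {GOOD: INDEX}
WORKFLOW = f"""
run: podman run --rm registry.example/nix@{GOOD} nix --version
run: podman run --rm registry.example/nix@{BOGUS} nix flake update
"""

if __name__ == "__main__":
    for ref, status in audit(WORKFLOW, lambda _img, dg: REGISTRY.get(dg)).items():
        print(status, ref)
```

A CI gate built on this would fail the job on any `missing` or `mismatch` result, and could flag `single-arch` where a workflow is expected to run on more than one runner architecture.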