Feature/improve build times further #186

Merged
smecsia merged 19 commits into main from feature/improve-build-times-further
Mar 23, 2026

@universe-ops
Contributor

Optimizing builds

@smecsia smecsia merged commit 92c67bc into main Mar 23, 2026
1 check passed
Cre-eD added a commit that referenced this pull request Apr 20, 2026
The upload-artifact glob required a hyphen before the wildcard
(sc-os-arch-*.tar.gz), which only matched versioned tarballs
(sc-os-arch-vX.Y.Z.tar.gz). The unversioned sc-os-arch.tar.gz that
sc.sh installs when SIMPLE_CONTAINER_VERSION is empty was silently
dropped from the artifact bundle, never copied into the dist bundle
by docker-finalize, and never re-uploaded to GCS.

Result: https://dist.simple-container.com/sc-linux-amd64.tar.gz has
been stuck at v2026.3.6 since PR #186 merged on 2026-03-24, even
though versioned tarballs have been published on every main push.

Any downstream CI that calls 'bash <(curl -Ls .../sc.sh)' without
pinning SIMPLE_CONTAINER_VERSION has been running SC v2026.3.6 for
4+ weeks — silently missing everything merged since, including the
container security pipeline from PR #104.

Fix: drop the hyphen before the glob so the pattern matches both
versioned and unversioned tarballs.
Cre-eD added a commit that referenced this pull request Apr 20, 2026
…226)

## Summary

Fix artifact upload glob in `push.yaml` so the unversioned
`sc-{linux,darwin}-*.tar.gz` tarballs are actually uploaded to
`dist.simple-container.com`. They have been stale since PR #186 merged
on 2026-03-24.

## Root cause

In the `build-platforms` matrix job, two tarballs are created per
platform ([`push.yaml:149-150`](.github/workflows/push.yaml#L149-L150)):

```bash
tar -czf .sc/stacks/dist/bundle/sc-${GOOS}-${GOARCH}.tar.gz ...        # unversioned
cp .../sc-${GOOS}-${GOARCH}.tar.gz .../sc-${GOOS}-${GOARCH}-v${VERSION}.tar.gz  # versioned
```

But the `upload-artifact` glob had a hyphen before the wildcard:

```yaml
path: .sc/stacks/dist/bundle/sc-${{ matrix.os }}-${{ matrix.arch }}-*.tar.gz
#                                                                  ^
#                                                      only matches versioned
```

So `sc-linux-amd64.tar.gz` (no hyphen before `.tar.gz`) was dropped from
the artifact. `docker-finalize` never saw it, never placed it in the
bundle dir, `sc deploy -s dist -e prod` never uploaded it to GCS.

## Impact

`https://dist.simple-container.com/sc-linux-amd64.tar.gz` has
`Last-Modified: 2026-03-23 21:14:38 GMT` and contains v2026.3.6. That's
the last successful upload — the day before PR #186 merged.

`sc.sh` downloads this unversioned tarball when
`$SIMPLE_CONTAINER_VERSION` is empty. Every downstream CI that uses the
standard install command:

```bash
bash <(curl -Ls "https://dist.simple-container.com/sc.sh")
```

…has been running **SC v2026.3.6 for 4+ weeks**, silently missing every
feature merged since — including PR #104 (container security pipeline:
Grype+Trivy scan, Cosign keyless signing, CycloneDX SBOM, SLSA v1.0
provenance, DefectDojo reporting).

Concretely: Integrail EW repos (`everworker`, `baas`, `code-executor`,
`storage-service`) all added the `security:` block to their
`client.yaml` and merged rollout PRs last week. Zero
scans/signatures/SBOMs have been produced because the deployed SC binary
predates the security code.

## Fix

Drop the hyphen before the wildcard so the glob matches both versioned
and unversioned tarballs:

```diff
- path: .sc/stacks/dist/bundle/sc-${{ matrix.os }}-${{ matrix.arch }}-*.tar.gz
+ path: .sc/stacks/dist/bundle/sc-${{ matrix.os }}-${{ matrix.arch }}*.tar.gz
```
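
Review bot: in the `+` line the wildcard now follows `${{ matrix.arch }}` directly, so the pattern also matches any file in the bundle directory whose name merely starts with that arch string, for example when one arch value is a prefix of another. Listing the two expected names explicitly as a multi-line `path:`, the unversioned `sc-<os>-<arch>.tar.gz` and the versioned `sc-<os>-<arch>-*.tar.gz`, would keep the match exact. The description says a comment explaining the subtlety was added, but no comment line appears in this hunk.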

Added a comment explaining the subtlety so it's not re-introduced.

## Verification

After merge, the next push to main will run `push.yaml`. The
`docker-finalize` → `sc deploy -s dist -e prod` step will now upload the
unversioned tarballs. Check with:

```bash
curl -sIL https://dist.simple-container.com/sc-linux-amd64.tar.gz | grep -i last-modified
# Should show today's date, not 2026-03-23.

curl -sL https://dist.simple-container.com/sc-linux-amd64.tar.gz | tar -xzO sc | head -c 256 | strings | grep -i version
# Should show the new calver version, not 2026.3.6.
```

## Out of scope

The architectural question of whether `sc.sh` should default to "latest"
by downloading an unversioned tarball vs. resolving the newest versioned
artifact via a manifest is real but separate. This PR is the minimal fix
to unbreak the existing contract.
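
The glob mismatch described in the commit message above, reproduced as an added example that is not part of the pull request or the project's code, together with a guard the artifact-consuming job could run before deploying. Assumptions: shell pathname expansion stands in for `upload-artifact`'s matcher (the two agree for a single `*` inside a file name), the helper names `glob_matches`, `check_bundle` and `make_demo_bundle` are hypothetical, and the tarballs are constructed placeholder files.

```shell
#!/bin/sh
# Added example: constructed files, hypothetical helper names.

# Print the base names in directory $1 that match glob $2, one per line.
glob_matches() {
  for f in "$1"/$2; do
    if [ -e "$f" ]; then basename "$f"; fi
  done
  return 0
}

# Guard for the job that consumes the artifact: both tarballs must be present
# and, because the versioned file is a copy of the unversioned one, identical.
# Arguments: $1=dir $2=os $3=arch $4=version. Returns 1 if missing, 2 if different.
check_bundle() {
  base="$1/sc-$2-$3"
  [ -f "$base.tar.gz" ] || { echo "missing unversioned: $base.tar.gz" >&2; return 1; }
  [ -f "$base-v$4.tar.gz" ] || { echo "missing versioned: $base-v$4.tar.gz" >&2; return 1; }
  cmp -s "$base.tar.gz" "$base-v$4.tar.gz" || { echo "tarballs differ" >&2; return 2; }
}

# Create a constructed bundle directory shaped like the build-platforms output.
make_demo_bundle() {
  d=$(mktemp -d)
  printf 'constructed payload\n' > "$d/sc-linux-amd64.tar.gz"
  cp "$d/sc-linux-amd64.tar.gz" "$d/sc-linux-amd64-v2026.3.6.tar.gz"
  echo "$d"
}

bundle=$(make_demo_bundle)
echo "old pattern (hyphen before wildcard):"
glob_matches "$bundle" 'sc-linux-amd64-*.tar.gz'
echo "new pattern (no hyphen):"
glob_matches "$bundle" 'sc-linux-amd64*.tar.gz'
check_bundle "$bundle" linux amd64 2026.3.6 && echo "bundle complete"

# Simulate what the old glob delivered downstream: the versioned file only.
rm "$bundle/sc-linux-amd64.tar.gz"
check_bundle "$bundle" linux amd64 2026.3.6 || echo "guard tripped (exit $?)"
rm -rf "$bundle"
```

Run against the downloaded artifact directory, a check like `check_bundle` turns a silently dropped file into a failed job instead of a stale download.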