fix(docker): add sc symlink to github-actions-staging image#222
Merged
The staging Dockerfile was missing the /usr/local/bin/sc -> github-actions symlink that the production Dockerfile (github-actions.Dockerfile) has. This causes 'sc: not found' when the security pipeline shells out to the SC CLI (sc image sign, sc image scan, sc sbom generate, etc.) via Pulumi local.Command from within the GitHub Action container. PR #221 merged main into staging to get the security pipeline code on staging, but the :staging image built from this Dockerfile still lacks the symlink — so downstream PAY-SPACE deploys still fail with the same error. Mirrors the symlink line and the build-time verification (test -L / -x) from github-actions.Dockerfile so the two Dockerfiles stay in sync.
smecsia approved these changes on Apr 19, 2026
Cre-eD added a commit that referenced this pull request on Apr 19, 2026:
PR #222 added the sc symlink to this Dockerfile on the staging branch, but push.yaml (triggered on push to main) also builds and pushes simplecontainer/github-actions:staging using MAIN's copy of this file. When any main push triggers push.yaml, it overwrites the :staging image with a build that doesn't include the symlink — reintroducing 'sc: not found' on downstream deploys (e.g. PAY-SPACE/crypto-tools at 2026-04-19T20:02, right after PR #223 merged to main and re-triggered push.yaml). Root cause: two workflows publish the same tag from two branches. Fix keeps the Dockerfiles in sync by applying the same symlink+verify lines to main's copy. Mirror of #222 exactly.
Cre-eD added a commit that referenced this pull request on Apr 19, 2026:
…image

Brings into staging:
- PR #223 (trivy cache isolation, 0.70.0 bump, multi-image report heading)
- AWS tags, cloudflare worker fix, Caddy preStop drain, etc.

Conflicts (4 files):
- trivy.go, trivy_test.go, security_report.go: take main (new features)
- simple_container.go: KEEP staging's serviceSpec() helper + serviceTypeStr (main regresses here — inline ServiceSpecArgs lacks ClusterIP guard that codex flagged as a P1 during PR #221 review)

Triggers build-staging.yml to publish a :staging image with staging's fixed Dockerfile (sc symlink from PR #222) AND main's improvements.

Note: this is a TEMPORARY fix. PR #224 (still in review) fixes the root cause — main's github-actions-staging.Dockerfile. Until that merges, every push to main re-overwrites :staging with a broken image and this merge must be repeated.
Cre-eD added a commit that referenced this pull request on Apr 19, 2026:
…staging with sc symlink (#225)

## Why now

`:staging` image is currently broken (`/bin/sh: sc: not found` on PAY-SPACE/crypto-tools). Root cause in #224 (main's Dockerfile also needs the symlink). Until that merges, we can unblock PAY-SPACE by re-triggering `build-staging.yml` — which builds from **staging's** Dockerfile (already fixed by #222).

This PR takes the opportunity to also pull main's improvements into staging so the rebuilt image includes:
- PR #223 — trivy cache isolation, 0.70.0 bump, multi-image report heading
- Misc main commits (AWS tags, Caddy preStop drain, cloudflare worker fix, etc.)

## Conflict resolution (4 files)

| File | Taken | Why |
|---|---|---|
| `pkg/security/scan/trivy.go` | main | New cache-isolation + 0.70.0 version bump |
| `pkg/security/scan/trivy_test.go` | main | Updated tests for per-invocation cache dir |
| `pkg/clouds/pulumi/docker/security_report.go` | main | Multi-image heading fix |
| `pkg/clouds/pulumi/kubernetes/simple_container.go` | **staging** | Keep `serviceSpec()` helper + `serviceTypeStr` — main inline regresses on ClusterIP guard (was P1 in #221 codex review) |

## Verification

- `go build ./...` clean
- `go test ./pkg/security/scan/... ./pkg/clouds/pulumi/kubernetes/... ./pkg/clouds/pulumi/docker/...` all green

## Test plan

- [ ] Merge triggers `build-staging.yml`
- [ ] `docker pull simplecontainer/github-actions:staging && docker run --rm --entrypoint sh ... -c 'which sc'` returns `/usr/local/bin/sc`
- [ ] Re-run PAY-SPACE/crypto-tools deploy — passes

## Follow-up

Still need **PR #224** (main's Dockerfile fix) to merge — otherwise the next push to main will overwrite `:staging` with a broken image again.

---------

Co-authored-by: universe-ops <177390656+universe-ops@users.noreply.github.com>
Co-authored-by: Universe Ops <universe-ops@github.com>
Co-authored-by: simple-container-forge[bot] <257785999+simple-container-forge[bot]@users.noreply.github.com>
Co-authored-by: GitHub Action <action@github.com>
Co-authored-by: Ilya <smecsia@gmail.com>
Co-authored-by: Bao Tran <baotn166@users.noreply.github.com>
Cre-eD added a commit that referenced this pull request on Apr 20, 2026:
…le (root cause of repeated :staging regressions) (#224)

## Symptom

After #221 merged main→staging and #222 added the sc symlink to staging's Dockerfile, PAY-SPACE deploys briefly worked. Then #223 merged to main and immediately after, PAY-SPACE/crypto-tools started failing again with:

```
/bin/sh: sc: not found
error: exit status 127: running "... 'sc' 'sbom' 'generate' ..."
```

## Root cause

**Two separate workflows build and push `simplecontainer/github-actions:staging`:**

| Workflow | Trigger | Dockerfile (from which branch) |
|---|---|---|
| `build-staging.yml` | push to `staging` | `github-actions-staging.Dockerfile` on `staging` branch |
| `push.yaml` | push to `main` | `github-actions-staging.Dockerfile` on `main` branch |

PR #222 only fixed the Dockerfile on **staging**. The main branch copy never got the `ln -s /root/github-actions /usr/local/bin/sc` line. So every time anything merges to main, `push.yaml` runs, builds without the symlink, and **overwrites** the good `:staging` image that was pushed by `build-staging.yml`.

Verified by `docker pull simplecontainer/github-actions:staging && docker run --rm --entrypoint sh .../github-actions:staging -c 'ls -la /usr/local/bin/sc'`:

```
ls: /usr/local/bin/sc: No such file or directory
```

Image created timestamp matches `push.yaml` run at 19:47 (after PR #223 merged at 19:47), not `build-staging.yml` run at 17:53 (after #222).

## Fix

Apply the identical symlink + verify lines to main's copy of `github-actions-staging.Dockerfile`. Both workflows now produce an image with `sc` in PATH. This keeps the two Dockerfiles in sync going forward.

## Long-term

Two workflows publishing the same tag from two branches is fragile — whichever runs last wins. Consider consolidating: either `build-staging.yml` is the sole publisher of `:staging`, or `push.yaml` drops the staging tag. Out of scope for this PR.

## Test plan

- [ ] Merge triggers `push.yaml` → new `:staging` image pushed
- [ ] `docker pull simplecontainer/github-actions:staging && docker run --rm --entrypoint sh ... -c 'sc --help | head -1'` succeeds
- [ ] Re-run PAY-SPACE/crypto-tools deploy — passes end-to-end
## Problem

After #221 merged main into staging, `build-staging.yml` rebuilt the `simplecontainer/github-actions:staging` Docker image, but PAY-SPACE deploys are still failing with the same error:

## Root cause

The production Dockerfile `github-actions.Dockerfile` has this line:

…and verifies it with `test -L /usr/local/bin/sc && test -x /usr/local/bin/sc`.

The staging Dockerfile `github-actions-staging.Dockerfile` (which `build-staging.yml` builds from) does not — so `:staging` images ship the `github-actions` binary at `/root/github-actions` but no `sc` in PATH. When the security pipeline shells out to `sc image sign/scan`, `sc sbom generate`, `sc provenance attach` from Pulumi's `local.Command`, the shell can't find `sc`.

The two Dockerfiles drifted at some point — the production one was updated when the security pipeline landed, the staging one wasn't.

## Fix

Add the `sc` symlink and the build-time verification to `github-actions-staging.Dockerfile`, mirroring the production file exactly. This keeps the two in sync going forward.

## Test plan

- [ ] `build-staging.yml` → new `:staging` image pushed
- [ ] `docker run --rm --entrypoint sh simplecontainer/github-actions:staging -c 'which sc && sc --help | head -3'`
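The drift described above (one Dockerfile carrying the symlink and its `test -L`/`test -x` check, the other not) can be caught before an image is published. The following is an added example, not code from PR #222 or the simple-container project: a static check over a Dockerfile plus the same image-side verification the Dockerfiles run, with constructed fixtures; the `/usr/local/bin/sc` and `/root/github-actions` paths come from this thread, the function names and fixtures are assumptions for the example.

```sh
#!/bin/sh
# Added example; not code from PR #222 or the simple-container project.
# Two checks a CI step can run so the production and staging Dockerfiles
# cannot drift apart again. The symlink/target paths and the "ln -s" line are
# the ones quoted in the PR thread; function names and fixtures are constructed.

SC_LINK=/usr/local/bin/sc
SC_TARGET=/root/github-actions

# Static check: does the Dockerfile carry both the symlink line and the
# build-time verification line? Returns 0 if both are present, 1 otherwise.
check_dockerfile_lines() {
  grep -qF "ln -s $SC_TARGET $SC_LINK" "$1" || return 1
  grep -qF "test -L $SC_LINK && test -x $SC_LINK" "$1" || return 1
}

# Image-side check: the same test -L / test -x pair the Dockerfiles run,
# against a root prefix ("" or "/" inside the container, or an extracted
# rootfs). Returns 1 for "no symlink" (the 'sc: not found' case) and 2 for
# "symlink present but target missing or not executable".
verify_sc_link() {
  root="${1%/}"
  if [ ! -L "$root$SC_LINK" ]; then
    echo "missing: $SC_LINK is not a symlink"; return 1
  fi
  if [ ! -x "$root$SC_LINK" ]; then
    echo "broken: $SC_LINK points at a missing or non-executable target"; return 2
  fi
  echo "ok: $SC_LINK -> $(readlink "$root$SC_LINK")"
}

# Constructed fixtures: a drifted Dockerfile, a fixed one, and a fake rootfs.
# The fixture link uses the host-absolute target so test -x can follow it
# without a chroot; in a real image the target is simply $SC_TARGET.
make_fixtures() {
  d=$(mktemp -d)
  printf 'FROM alpine\nCOPY github-actions %s\n' "$SC_TARGET" > "$d/drifted.Dockerfile"
  { cat "$d/drifted.Dockerfile"
    printf 'RUN ln -s %s %s\nRUN test -L %s && test -x %s\n' \
      "$SC_TARGET" "$SC_LINK" "$SC_LINK" "$SC_LINK"; } > "$d/fixed.Dockerfile"
  mkdir -p "$d/rootfs/root" "$d/rootfs/usr/local/bin"
  printf '#!/bin/sh\necho github-actions\n' > "$d/rootfs$SC_TARGET"
  chmod +x "$d/rootfs$SC_TARGET"
  ln -s "$d/rootfs$SC_TARGET" "$d/rootfs$SC_LINK"
  echo "$d"
}
```

Running `check_dockerfile_lines` over both Dockerfiles in CI, and `verify_sc_link /` inside the freshly built container, fails the build whichever workflow produced the image, so a push to main can no longer publish a `:staging` image without `sc`.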