PR #222 added the sc symlink to this Dockerfile on the staging branch, but push.yaml (triggered on push to main) also builds and pushes simplecontainer/github-actions:staging using MAIN's copy of this file. When any main push triggers push.yaml, it overwrites the :staging image with a build that doesn't include the symlink — reintroducing 'sc: not found' on downstream deploys (e.g. PAY-SPACE/crypto-tools at 2026-04-19T20:02, right after PR #223 merged to main and re-triggered push.yaml). Root cause: two workflows publish the same tag from two branches. Fix keeps the Dockerfiles in sync by applying the same symlink+verify lines to main's copy. Mirror of #222 exactly.
Cre-eD added a commit that referenced this pull request on Apr 19, 2026
…image

Brings into staging:
- PR #223 (trivy cache isolation, 0.70.0 bump, multi-image report heading)
- AWS tags, cloudflare worker fix, Caddy preStop drain, etc.

Conflicts (4 files):
- trivy.go, trivy_test.go, security_report.go: take main (new features)
- simple_container.go: KEEP staging's serviceSpec() helper + serviceTypeStr (main regresses here — inline ServiceSpecArgs lacks ClusterIP guard that codex flagged as a P1 during PR #221 review)

Triggers build-staging.yml to publish a :staging image with staging's fixed Dockerfile (sc symlink from PR #222) AND main's improvements.

Note: this is a TEMPORARY fix. PR #224 (still in review) fixes the root cause — main's github-actions-staging.Dockerfile. Until that merges, every push to main re-overwrites :staging with a broken image and this merge must be repeated.
Cre-eD added a commit that referenced this pull request on Apr 19, 2026
…staging with sc symlink (#225)

## Why now

`:staging` image is currently broken (`/bin/sh: sc: not found` on PAY-SPACE/crypto-tools). Root cause in #224 (main's Dockerfile also needs the symlink). Until that merges, we can unblock PAY-SPACE by re-triggering `build-staging.yml` — which builds from **staging's** Dockerfile (already fixed by #222).

This PR takes the opportunity to also pull main's improvements into staging so the rebuilt image includes:

- PR #223 — trivy cache isolation, 0.70.0 bump, multi-image report heading
- Misc main commits (AWS tags, Caddy preStop drain, cloudflare worker fix, etc.)

## Conflict resolution (4 files)

| File | Taken | Why |
|---|---|---|
| `pkg/security/scan/trivy.go` | main | New cache-isolation + 0.70.0 version bump |
| `pkg/security/scan/trivy_test.go` | main | Updated tests for per-invocation cache dir |
| `pkg/clouds/pulumi/docker/security_report.go` | main | Multi-image heading fix |
| `pkg/clouds/pulumi/kubernetes/simple_container.go` | **staging** | Keep `serviceSpec()` helper + `serviceTypeStr` — main inline regresses on ClusterIP guard (was P1 in #221 codex review) |

## Verification

- `go build ./...` clean
- `go test ./pkg/security/scan/... ./pkg/clouds/pulumi/kubernetes/... ./pkg/clouds/pulumi/docker/...` all green

## Test plan

- [ ] Merge triggers `build-staging.yml`
- [ ] `docker pull simplecontainer/github-actions:staging && docker run --rm --entrypoint sh ... -c 'which sc'` returns `/usr/local/bin/sc`
- [ ] Re-run PAY-SPACE/crypto-tools deploy — passes

## Follow-up

Still need **PR #224** (main's Dockerfile fix) to merge — otherwise the next push to main will overwrite `:staging` with a broken image again.

---------

Co-authored-by: universe-ops <177390656+universe-ops@users.noreply.github.com>
Co-authored-by: Universe Ops <universe-ops@github.com>
Co-authored-by: simple-container-forge[bot] <257785999+simple-container-forge[bot]@users.noreply.github.com>
Co-authored-by: GitHub Action <action@github.com>
Co-authored-by: Ilya <smecsia@gmail.com>
Co-authored-by: Bao Tran <baotn166@users.noreply.github.com>
smecsia approved these changes on Apr 19, 2026
## Symptom

After #221 merged main→staging and #222 added the `sc` symlink to staging's Dockerfile, PAY-SPACE deploys briefly worked. Then #223 merged to main and immediately after, PAY-SPACE/crypto-tools started failing again with:

## Root cause

Two separate workflows build and push `simplecontainer/github-actions:staging`:

| Workflow | Branch | Dockerfile |
|---|---|---|
| `build-staging.yml` | staging | `github-actions-staging.Dockerfile` on staging branch |
| `push.yaml` | main | `github-actions-staging.Dockerfile` on main branch |

PR #222 only fixed the Dockerfile on staging. The main branch copy never got the `ln -s /root/github-actions /usr/local/bin/sc` line. So every time anything merges to main, `push.yaml` runs, builds without the symlink, and overwrites the good `:staging` image that was pushed by `build-staging.yml`.

Verified by `docker pull simplecontainer/github-actions:staging && docker run --rm --entrypoint sh .../github-actions:staging -c 'ls -la /usr/local/bin/sc'`: Image created timestamp matches `push.yaml` run at 19:47 (after PR #223 merged at 19:47), not `build-staging.yml` run at 17:53 (after #222).

## Fix

Apply the identical symlink + verify lines to main's copy of `github-actions-staging.Dockerfile`. Both workflows now produce an image with `sc` in PATH. This keeps the two Dockerfiles in sync going forward.

## Long-term

Two workflows publishing the same tag from two branches is fragile — whichever runs last wins. Consider consolidating: either `build-staging.yml` is the sole publisher of `:staging`, or `push.yaml` drops the staging tag. Out of scope for this PR.

## Test plan

- [ ] `push.yaml` → new `:staging` image pushed
- [ ] `docker pull simplecontainer/github-actions:staging && docker run --rm --entrypoint sh ... -c 'sc --help | head -1'` succeeds
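As an added example (not code from this PR or from the simplecontainer project): a small POSIX shell check for the drift described in the PR body, where two branch copies of `github-actions-staging.Dockerfile` diverged and only one carried the `ln -s /root/github-actions /usr/local/bin/sc` line. It asserts that a given copy contains that exact line and that two copies are byte-identical, so a CI job could fail before `push.yaml` ever publishes an image without the symlink. The two sample Dockerfiles it writes are constructed for the demo (the base image, the `COPY` layout and the `test -x` verify command are assumptions, not the project's real file); the `git show` invocation in the header comment is the assumed way to feed it the real branch copies.

```shell
#!/bin/sh
# Added example, not part of PR #224 or the simplecontainer project.
# Guards against the drift this PR describes: two copies of
# github-actions-staging.Dockerfile (one per branch) where only one carries
# the `ln -s /root/github-actions /usr/local/bin/sc` line.
# Assumed CI usage (not shown on the page):
#   git show origin/main:github-actions-staging.Dockerfile    > /tmp/main.Dockerfile
#   git show origin/staging:github-actions-staging.Dockerfile > /tmp/staging.Dockerfile
#   check_dockerfile_pair /tmp/main.Dockerfile /tmp/staging.Dockerfile || exit 1

SC_SYMLINK_LINE='ln -s /root/github-actions /usr/local/bin/sc'

# 0 when FILE contains the exact symlink command (fixed-string match, so the
# slashes and dashes in the command are not interpreted as a pattern).
dockerfile_has_sc_symlink() {
    grep -Fq -- "$SC_SYMLINK_LINE" "$1"
}

# 0 when the two copies are byte-identical.
dockerfiles_in_sync() {
    cmp -s "$1" "$2"
}

# Report on a pair of copies; 0 only when both have the symlink and match.
check_dockerfile_pair() {
    status=0
    for f in "$1" "$2"; do
        if dockerfile_has_sc_symlink "$f"; then
            echo "ok:    $f contains '$SC_SYMLINK_LINE'"
        else
            echo "DRIFT: $f lacks '$SC_SYMLINK_LINE'"
            status=1
        fi
    done
    if dockerfiles_in_sync "$1" "$2"; then
        echo "ok:    $1 and $2 are identical"
    else
        echo "DRIFT: $1 and $2 differ:"
        diff -u "$1" "$2" || true
        status=1
    fi
    return $status
}

# Constructed sample Dockerfiles (not the real ones; base image, COPY layout
# and the verify command are assumptions): "main" without the symlink,
# "staging" with symlink + verify. Prints the directory holding them.
make_samples() {
    dir=$(mktemp -d)
    cat >"$dir/main.Dockerfile" <<'EOF'
FROM alpine:3.19
COPY github-actions /root/github-actions
ENTRYPOINT ["/root/github-actions"]
EOF
    cat >"$dir/staging.Dockerfile" <<'EOF'
FROM alpine:3.19
COPY github-actions /root/github-actions
RUN ln -s /root/github-actions /usr/local/bin/sc && test -x /usr/local/bin/sc
ENTRYPOINT ["/root/github-actions"]
EOF
    printf '%s\n' "$dir"
}

# Stand-alone demo: the constructed pair reproduces the drift from the PR.
demo() {
    dir=$(make_samples)
    check_dockerfile_pair "$dir/main.Dockerfile" "$dir/staging.Dockerfile"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo || echo "drift detected, as expected for the constructed samples"
```

The check operates on the Dockerfile sources rather than on the published image, so it can run on every push to either branch without pulling from the registry; the `docker run ... -c 'sc --help | head -1'` step in the test plan remains the check on the artifact that was actually pushed. If the two copies are later consolidated into one file built by a single workflow, as the Long-term section suggests, `dockerfiles_in_sync` becomes unnecessary and only the symlink assertion is worth keeping.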