Build: implement semver tagging and tag/lineage annotations#129

Merged: toddysm merged 2 commits into main from feature/semver-image-tagging on Jul 2, 2026


@toddysm toddysm commented Jul 2, 2026

Owner

Implements #125 (part of #123). Follows the architecture design in #124.

What changed

.github/workflows/build-cssc-dashboard.yml:

  • Resolves the release version from the latest published GitHub Release (strips a leading v; 0.1.0 currently).
  • Derives four tags: moving major (0) and minor (0.1), immutable patch (0.1.0), and immutable build (0.1.0-<short-sha>).
  • Tags the index with all four; no longer publishes latest.
  • Sets org.opencontainers.image.version to the immutable build tag.
  • Adds com.toddysm.image.lineage=<minor> and com.toddysm.image.tags=<major>|<minor>|<patch>|<build> (index + per-platform scope).
  • Passes the build tag to the referrer step via GITHUB_ENV so the SBOM/provenance attachment keys off the immutable tag.
  • Fails the build with a clear error if no published release is found.

Validation

  • actionlint clean.
  • shellcheck -S warning clean on both run blocks.

Closes #125

Resolve the release version from the latest published GitHub Release (strip a
leading v) and derive the moving major (0) and minor (0.1) tags, the immutable
patch tag (0.1.0), and the immutable build tag (0.1.0-<short-sha>). Tag the
index with all four and stop publishing the moving latest tag.

Set org.opencontainers.image.version to the immutable build tag and add
com.toddysm.image.lineage (minor) and com.toddysm.image.tags (all four tags,
pipe separated). Pass the build tag to the referrer step via GITHUB_ENV so the
SBOM/provenance attachment keys off the immutable tag rather than a fixed SHA.

Closes #125
Copilot AI review requested due to automatic review settings July 2, 2026 02:28

Copilot AI left a comment


Pull request overview

Updates the CSSC Dashboard build workflow to tag/publish GHCR images using semver-derived tags from the latest GitHub Release, and to emit new lineage/tag annotations while removing the latest tag.

Changes:

  • Resolve the release version via gh release view, derive major, minor, patch, and immutable build tags, and push all four tags (no latest).
  • Update OCI annotations to set org.opencontainers.image.version to the immutable build tag and add com.toddysm.image.lineage / com.toddysm.image.tags.
  • Pass the immutable build tag to the referrer/SBOM/provenance publishing step via GITHUB_ENV.


Comment thread .github/workflows/build-cssc-dashboard.yml Outdated
Distinguish a missing GitHub Release (fail with a clear message) from other gh
failures (auth/network/API — fail loudly with the captured error) instead of
treating every failure as "no release". Validate that the release tag is a
plain x.y.z semantic version before splitting it into the tag set, so
unexpected or pre-release tags cannot produce wrong/invalid tags.
@toddysm toddysm merged commit 7678de5 into main Jul 2, 2026
3 checks passed
@toddysm toddysm deleted the feature/semver-image-tagging branch July 2, 2026 02:34
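
The release-tag validation and four-tag derivation described in this pull request, as an added example that is not the workflow's own run block. The function name `derive_tags`, the 7-character short SHA, the rejection of leading zeros, and the sample inputs are assumptions made for illustration.

```shell
# Added illustration, not the workflow's run block. derive_tags, the 7-character
# short SHA and the sample inputs are assumptions/constructed values.

# derive_tags <release-tag> <commit-sha>
# Prints "<major>|<minor>|<patch>|<build>"; returns 1 on invalid input.
derive_tags() (
  release="${1#v}"   # strip a single leading "v"
  sha="$2"

  # Reject anything but digits and dots first (this also rules out newlines,
  # pre-release suffixes such as -rc1, and build metadata such as +meta).
  case "$release" in
    ''|*[!0-9.]*) echo "error: '$1' is not a plain x.y.z version" >&2; return 1 ;;
  esac
  # Then require exactly three numeric fields without leading zeros.
  if ! printf '%s\n' "$release" |
      grep -Eq '^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$'; then
    echo "error: '$1' is not a plain x.y.z version" >&2
    return 1
  fi

  # The SHA becomes part of a tag, so accept lowercase hex only.
  case "$sha" in
    ''|*[!0-9a-f]*) echo "error: commit SHA is not lowercase hex" >&2; return 1 ;;
  esac
  if [ "${#sha}" -lt 7 ]; then
    echo "error: commit SHA is shorter than 7 characters" >&2
    return 1
  fi

  IFS=. read -r major minor patch <<EOF
$release
EOF
  short=$(printf '%.7s' "$sha")
  printf '%s|%s|%s|%s\n' "$major" "$major.$minor" \
    "$major.$minor.$patch" "$major.$minor.$patch-$short"
)

# Constructed sample input.
derive_tags v0.1.0 0123abc4567def890123abc4567def890123abcd
```

The pipe-separated output has the same shape as the `com.toddysm.image.tags` value described above; a non-zero return is the point at which a build would stop before any tag is pushed.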