Harden docker.yml against PyPI CDN propagation race#7

Merged
valani9 merged 1 commit into
mainfrom
docker-hardening
May 25, 2026

@valani9 valani9 commented May 25, 2026

Summary

The v0.3.0 release triggered docker.yml ~90s after the tag landed; the previous curl-on-JSON poll loop saw `pypi.org/pypi/.../json` was ready, but pip inside buildx hit a different CDN edge that still served only 0.1.0 and 0.2.0 from the simple-index. Manual workflow_dispatch retry succeeded once the CDN settled.

Two changes:

  • New `workflow_run` trigger keyed off Release completing successfully. After release.yml's PyPI publish step returns, the CDN has a head start before docker.yml even begins.
  • Replace curl-on-JSON poll with `pip download --dry-run --no-deps` against the simple-index pip itself uses, plus a 30-second buffer to let straggling edges catch up before multi-arch buildx starts hitting them.

Test plan

  • Manual rebuild of v0.3.0 via workflow_dispatch succeeded with the old workflow (proves the underlying build path works once CDN settles)
  • Next release will trigger via workflow_run as the primary path; tag-push + manual remain as fallbacks

The v0.3.0 push triggered docker.yml ~90s after the tag landed; the
old curl-on-JSON poll loop saw pypi.org/pypi/.../json was ready, but
pip inside buildx hit a different CDN edge that still served only
0.1.0 and 0.2.0 from the simple-index. Build failed; manual
workflow_dispatch re-trigger worked.

Two hardening changes so the next release doesn't race:

1. Add a workflow_run trigger keyed off Release completing
   successfully. Once release.yml's PyPI publish step returns, the
   upload is acknowledged and the CDN has had a head start before
   docker.yml even starts. Old tag-push + workflow_dispatch triggers
   stay as fallbacks.

2. Replace the curl-on-JSON poll with a pip simple-index probe:
   'pip download --dry-run --no-deps valanistack==X.Y.Z' uses the
   same resolver pip will use inside docker, so a positive signal
   means the docker build will actually succeed. Adds a 30-second
   buffer after the probe passes to let any straggling edges
   catch up before multi-arch buildx starts hitting them.
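As an added illustration, not the project's docker.yml nor the diff of this PR, here is a GitHub Actions workflow that implements the two changes described above: a `workflow_run` trigger gated on a successful Release, and a pip simple-index probe with a 30-second buffer before the multi-arch build. The workflow name "Release", the retry counts, the action versions and the build step are assumptions; the package name valanistack is taken from the commit message.

```yaml
name: Docker
on:
  workflow_run:
    workflows: ["Release"]   # assumed: the `name:` of release.yml
    types: [completed]
  push:
    tags: ["v*"]             # old tag-push trigger kept as a fallback
  workflow_dispatch:
    inputs:
      version:
        description: "Version already on PyPI, e.g. 0.3.0"
        required: true
jobs:
  build:
    # Skip when the upstream Release run failed; tag-push and dispatch pass through.
    if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - name: Resolve package version
        id: ver
        env:
          INPUT_VERSION: ${{ github.event.inputs.version }}
          RUN_TAG: ${{ github.event.workflow_run.head_branch }}  # tag that ran Release
        run: |
          v="${INPUT_VERSION:-${RUN_TAG:-$GITHUB_REF_NAME}}"
          echo "version=${v#v}" >> "$GITHUB_OUTPUT"
      - name: Wait until the PyPI simple index serves the release
        env:
          VERSION: ${{ steps.ver.outputs.version }}
        run: |
          # Probe with pip's own resolver against the simple index the Docker build
          # will use; --no-cache-dir keeps a stale cached index page from masking CDN state.
          for attempt in $(seq 1 20); do
            if pip download --dry-run --no-deps --no-cache-dir "valanistack==${VERSION}"; then
              echo "index serves ${VERSION}; 30s buffer for straggling edges"
              sleep 30
              exit 0
            fi
            echo "attempt ${attempt}: ${VERSION} not visible yet"; sleep 15
          done
          echo "::error::PyPI never served valanistack==${VERSION}"; exit 1
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      - uses: docker/build-push-action@v6
        with:
          platforms: linux/amd64,linux/arm64
          build-args: VERSION=${{ steps.ver.outputs.version }}
          push: false   # assumed: registry login and push settings omitted
```

A probe that passes only proves one CDN edge is current; the buffer, not the probe, is what covers the other edges buildx may reach, so keep it even when the probe succeeds on the first attempt.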
@valani9 valani9 merged commit 9a4c28d into main May 25, 2026
10 checks passed
@valani9 valani9 deleted the docker-hardening branch May 25, 2026 11:20