From c791a67167229d1161863db0e01569cc5ca9122e Mon Sep 17 00:00:00 2001 From: Larry Chen Date: Thu, 16 Apr 2026 15:15:03 +0800 Subject: [PATCH 1/4] test: ci-test-ghcr --- .github/workflows/build-cds-containers.yml | 18 +++++++++--------- cds-containers/tools/Dockerfile | 18 +++++++++--------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/build-cds-containers.yml b/.github/workflows/build-cds-containers.yml index aefabd4..fec7e99 100644 --- a/.github/workflows/build-cds-containers.yml +++ b/.github/workflows/build-cds-containers.yml @@ -80,13 +80,13 @@ jobs: with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_PREFIX }}${{ matrix.image.name }} tags: | - # Version from VERSION.md: 0.0.1 - type=raw,value=${{ needs.get-version.outputs.version }} - # Major.minor: 0.0.1 → 0.0 - type=raw,value=${{ needs.get-version.outputs.version }},enable=true,suffix=-latest - # Latest tag - type=raw,value=latest - # Commit SHA: dev-abc1234 (for testing specific builds) + # Version from VERSION.md: 0.0.1 (main only) + type=raw,value=${{ needs.get-version.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }} + # Major.minor: 0.0.1 → 0.0-latest (main only) + type=raw,value=${{ needs.get-version.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }},suffix=-latest + # Latest tag (main only) + type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} + # Commit SHA: dev-abc1234 (all branches) type=sha,prefix=dev- # Branch name (for PR/branch builds) type=ref,event=branch 
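Review bot: The comment `# Major.minor: 0.0.1 → 0.0-latest (main only)` does not describe the tag the line under it produces: `type=raw,value=<version>,suffix=-latest` yields `0.0.1-latest`, not a major.minor tag. Either reword it to `# Full version with -latest suffix: 0.0.1-latest (main only)` or, if a major.minor tag is what is wanted, switch the entry to `type=semver,pattern={{major}}.{{minor}},value=${{ needs.get-version.outputs.version }}`. The same mismatch is present in the restored form of this hunk in PATCH 4/4 (`# Major.minor: 0.0.1 → 0.0`), where the tag produced is likewise `0.0.1-latest`.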
@@ -101,8 +101,8 @@ jobs: with: context: ./cds-containers file: ${{ matrix.image.path }}/Dockerfile - # Only push on main to avoid publishing images from PR mirror branches - push: ${{ github.ref == 'refs/heads/main' }} + # Push on main (version + latest) and pull-request/** (dev tags only) + push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/pull-request/') }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha diff --git a/cds-containers/tools/Dockerfile b/cds-containers/tools/Dockerfile index 4cc2836..704b708 100644 --- a/cds-containers/tools/Dockerfile +++ b/cds-containers/tools/Dockerfile @@ -31,28 +31,28 @@ RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - \ # For internal GitLab runners, use the GitLab version of this container # kubectl (latest version: curl -sSL https://dl.k8s.io/release/stable.txt) -ARG KUBECTL_VERSION="1.32.1" +ARG KUBECTL_VERSION="1.35.4" RUN curl -fsSL -o kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \ && mv ./kubectl /usr/local/bin/kubectl \ && chmod +x /usr/local/bin/kubectl \ && kubectl version --client # kubelogin -ARG KUBELOGIN_VERSION="0.1.7" +ARG KUBELOGIN_VERSION="0.2.17" RUN curl -fsSL -o kubelogin.zip "https://github.com/Azure/kubelogin/releases/download/v${KUBELOGIN_VERSION}/kubelogin-linux-amd64.zip" \ && unzip -j kubelogin.zip \ && mv kubelogin /usr/local/bin/kubelogin \ && kubelogin --version # yq -ARG YQ_VERSION="4.45.1" +ARG YQ_VERSION="4.52.5" RUN curl -fsSL -o yq "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64" \ && mv ./yq /usr/local/bin/yq \ && chmod +x /usr/local/bin/yq \ && yq --version # ngccli -ARG NGCCLI_VERSION="4.8.2" +ARG NGCCLI_VERSION="4.17.0" RUN curl -sSL -O "https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions/${NGCCLI_VERSION}/files/ngccli_linux.zip" \ && unzip ngccli_linux.zip \ && rm ngccli_linux.zip \ 
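Review bot: With this `push:` condition, a Dockerfile change carried on a `pull-request/**` mirror branch is built and published into the same GHCR repository as the `main` images, under mutable `dev-<sha>` and branch-name tags, with the workflow's registry credentials; whether that is acceptable depends on who can cause copy-pr-bot to create such a branch, which the hunk does not show. If PR images are wanted, publishing them to a separate repository (for example an `IMAGE_PREFIX` value set only on non-main refs) keeps PR-controlled content out of the production image namespace, leaving the `enable=` gates in the preceding hunk as a second guard on `latest` and version tags rather than the only one. The same branch expression is now repeated here, in the three `enable=` gates, and in the login `if:` of PATCH 2/4; computing it once as a job-level `env` entry such as `SHOULD_PUSH: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/pull-request/') }}` and referencing `${{ env.SHOULD_PUSH }}` would stop the copies drifting. PATCH 4/4 in this series reverts this hunk and the login change back to main-only, so the note applies to the intermediate state.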
@@ -82,7 +82,7 @@ RUN curl -sSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/ && docker --version # regctl -ARG REGCTL_VERSION="0.9.2" +ARG REGCTL_VERSION="0.11.3" RUN curl -fsSL -o regctl "https://github.com/regclient/regclient/releases/download/v${REGCTL_VERSION}/regctl-linux-amd64" \ && mv ./regctl /usr/local/bin/regctl \ && chmod +x /usr/local/bin/regctl \ @@ -95,7 +95,7 @@ RUN curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | b && helm version # terraform -ARG TERRAFORM_VERSION="1.13.3" +ARG TERRAFORM_VERSION="1.14.8" RUN curl -fsSL -o terraform.zip "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" && \ unzip terraform.zip && \ rm terraform.zip && \ @@ -103,7 +103,7 @@ RUN curl -fsSL -o terraform.zip "https://releases.hashicorp.com/terraform/${TERR && terraform --version # terragrunt -ARG TERRAGRUNT_VERSION="0.72.6" +ARG TERRAGRUNT_VERSION="0.99.5" RUN curl -fsSL -o terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64" \ && mv ./terragrunt /usr/local/bin/terragrunt \ && chmod +x /usr/local/bin/terragrunt \ @@ -133,8 +133,8 @@ RUN ln -s /usr/local/bin/bazel8 /usr/local/bin/bazel \ && bazel8 --version \ && bazel --version -# uv (latest version: 0.9.7) -COPY --from=ghcr.io/astral-sh/uv:0.9.7 /uv /uvx /usr/local/bin/ +# uv (latest version: 0.11.7) +COPY --from=ghcr.io/astral-sh/uv:0.11.7 /uv /uvx /usr/local/bin/ RUN uv self version # Note: CDS CLI is not included as GitHub runners cannot reach internal GitLab From d3778001752aef5622218ca595efcee5729b1606 Mon Sep 17 00:00:00 2001 
From: Larry Chen Date: Thu, 16 Apr 2026 15:24:08 +0800 Subject: [PATCH 2/4] fix: allow GHCR login and push for pull-request branches Enable container image push for copy-pr-bot mirror branches (pull-request/**) with dev tags only. Version and latest tags remain main-only to avoid overwriting production images. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/build-cds-containers.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-cds-containers.yml b/.github/workflows/build-cds-containers.yml index fec7e99..15353ca 100644 --- a/.github/workflows/build-cds-containers.yml +++ b/.github/workflows/build-cds-containers.yml @@ -67,7 +67,7 @@ jobs: uses: docker/setup-buildx-action@v3 - name: Log in to GitHub Container Registry - if: github.ref == 'refs/heads/main' + if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/pull-request/') uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} From 25013241962526a1cf0707ee41215ba4a8e0921a Mon Sep 17 00:00:00 2001 From: Larry Chen Date: Thu, 16 Apr 2026 15:43:59 +0800 Subject: [PATCH 3/4] fix: disable helm GPG signature verification in CI VERIFY_SIGNATURES=true causes flaky failures when the GPG keyserver is unreachable in CI. VERIFY_CHECKSUM=true (SHA256) is kept for integrity verification. Co-Authored-By: Claude Opus 4.6 --- cds-containers/tools/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cds-containers/tools/Dockerfile b/cds-containers/tools/Dockerfile index 704b708..1d45991 100644 --- a/cds-containers/tools/Dockerfile +++ b/cds-containers/tools/Dockerfile @@ -90,7 +90,7 @@ RUN curl -fsSL -o regctl "https://github.com/regclient/regclient/releases/downlo # helm ENV VERIFY_CHECKSUM=true \ - VERIFY_SIGNATURES=true + VERIFY_SIGNATURES=false RUN curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash \ && helm version From fd5b8b211a86019c8e98e53e00f80ab72c9664e8 Mon Sep 17 00:00:00 2001 
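Review bot: Setting `VERIFY_SIGNATURES=false` leaves the Helm install with no check independent of the download origin: the remaining `VERIFY_CHECKSUM=true` makes the installer fetch the `.sha256sum` file from the same host as the tarball, so it catches a corrupted transfer but not a substituted release, and the installer script itself is still `curl | bash` from an unpinned `main` branch. Every other tool in this Dockerfile is pinned through an `ARG` version, and Helm can be installed the same way with its expected SHA-256 recorded in the Dockerfile and compared locally, which also removes the keyserver dependency the commit message names as the cause of the flakiness; the rewritten stanza below does that. A smaller point: `ENV` persists into the final image, so `VERIFY_CHECKSUM` and `VERIFY_SIGNATURES` will be set in every container started from it; if the installer script is kept, scope them to the command instead, `RUN curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | VERIFY_CHECKSUM=true VERIFY_SIGNATURES=false bash`.
```dockerfile
# helm — pinned release; the expected digest lives in this file, not on the download host
ARG HELM_VERSION="<pinned helm version>"
ARG HELM_SHA256="<sha256 of helm-v${HELM_VERSION}-linux-amd64.tar.gz>"
RUN curl -fsSL -o helm.tar.gz "https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz" \
    && echo "${HELM_SHA256}  helm.tar.gz" | sha256sum -c - \
    && tar -xzf helm.tar.gz linux-amd64/helm \
    && mv linux-amd64/helm /usr/local/bin/helm \
    && rm -r helm.tar.gz linux-amd64 \
    && helm version
```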
From: Larry Chen Date: Thu, 16 Apr 2026 17:30:27 +0800 Subject: [PATCH 4/4] revert: restore build-cds-containers.yml to main version Co-Authored-By: Claude Opus 4.6 --- .github/workflows/build-cds-containers.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build-cds-containers.yml b/.github/workflows/build-cds-containers.yml index 15353ca..aefabd4 100644 --- a/.github/workflows/build-cds-containers.yml +++ b/.github/workflows/build-cds-containers.yml @@ -67,7 +67,7 @@ jobs: uses: docker/setup-buildx-action@v3 - name: Log in to GitHub Container Registry - if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/pull-request/') + if: github.ref == 'refs/heads/main' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} @@ -80,13 +80,13 @@ jobs: with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_PREFIX }}${{ matrix.image.name }} tags: | - # Version from VERSION.md: 0.0.1 (main only) - type=raw,value=${{ needs.get-version.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }} - # Major.minor: 0.0.1 → 0.0-latest (main only) - type=raw,value=${{ needs.get-version.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }},suffix=-latest - # Latest tag (main only) - type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} - # Commit SHA: dev-abc1234 (all branches) + # Version from VERSION.md: 0.0.1 + type=raw,value=${{ needs.get-version.outputs.version }} + # Major.minor: 0.0.1 → 0.0 + type=raw,value=${{ needs.get-version.outputs.version }},enable=true,suffix=-latest + # Latest tag + type=raw,value=latest + # Commit SHA: dev-abc1234 (for testing specific builds) type=sha,prefix=dev- # Branch name (for PR/branch builds) type=ref,event=branch 
@@ -101,8 +101,8 @@ jobs: with: context: ./cds-containers file: ${{ matrix.image.path }}/Dockerfile - # Push on main (version + latest) and pull-request/** (dev tags only) - push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/pull-request/') }} + # Only push on main to avoid publishing images from PR mirror branches + push: ${{ github.ref == 'refs/heads/main' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha