ci-fleet-publish: buildx flows can't reproduce ci/local.sh's tag normalization #21
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Why: The plugin's entrypoint.sh unconditionally uses raw CI_COMMIT_TAG when present (no tag normalization), while xonsh-image's ci/local.sh strips leading "v" and trailing "-N" suffixes. Migrating xonsh-image to the plugin without a fix would SILENTLY rename tags: publishing v0.22.7-amd64 instead of 0.22.7-amd64 for a live, consumed image.
Problem:
Acceptance:
Links:
Code-level correctness proof (default-preservation)
Extracted and directly executed the actual patched
resolve_version()/render_tag()functions fromentrypoint.sh(not asserted — literally ran them):Default (no
tag_strip_vsetting) is byte-for-byte unchanged from pre-fix behavior.manifests/xonsh-image.yaml(ci-scripts-internal, NOT xonsh-image's own repo) now setstag_strip_v: trueto prove the rendered thin pipeline produces the right scheme without migrating xonsh-image — re-rendering to a scratch dir shows:Status
Committed as
44d6ba9, pushed to main. Still open: the publishedgit.oleks.space/oleks/ci-fleet-publish:v1has not picked this up yet. Taggedv1.0.4—v1.0.4-arm64built and pushed successfully, butbuild-amd64and themanifeststep never completed: the cluster hit an unrelated, active resource-pressure incident (oleks/fleet#114 — CI agent pool went to zero pods fleet-wide) that stalled the pipeline mid-run. Not retrying per team-lead's direction (hammering a starved cluster makes it worse). Will resume once oleks/fleet#114 clears, then verify the multi-arch manifest lands with both arches and that:v1actually moves to the new digest before closing this issue.Separate finding while investigating (oleks/ci-scripts#21 adjacent, not blocking)
Verified via Woodpecker v3.15.0 source (
pipeline/frontend/yaml/linter/linter.go:239,pipeline/frontend/yaml/compiler/convert.go:119-125,pipeline/frontend/yaml/compiler/compiler.go:48-56) that mixingenvironment:andsettings:on one step is a non-fatal linter warning only (newLinterError(..., true)= warning, not thefalseused for the genuinely-blockingcommands+settings/entrypoint+settingsconflicts) —environment:-declared secrets ARE still injected into the container regardless ofsettings:presence (bothParamsToEnvcalls run unconditionally into the same env map), and the plugin-secret-filter check only restricts availability if the secret itself has anAllowedPluginsfilter configured (ours don't — corroborated by the currently-working, pre-migration xonsh-image pipeline using the same secret with a non-"pure-plugin" step shape). Full detail in my report to team-lead. This means no entrypoint.sh change is needed for that concern.However, while checking this I found
buildx_build_flow/buildx_manifest_flownever perform adocker login/registry auth at all — Woodpecker's own registries/AuthConfig mechanism is confirmed pull-only (for the step's own image), not exposed for push. This is a real, currently-latent gap that would block the xonsh-image canary once attempted (docker push would fail unauthorized). Filing separately since it doesn't block anything today (xonsh-image isn't migrated yet) — will need fixing before the canary, likely as part of a v1.0.5 alongside anything else discovered by then.