fix(release): scan gates docker push, rc tags spare :latest, mirror waits for stable assets #128

2026-06-12T21:21:04Z

lerko commented

2026-06-12 21:21:04 +00:00

Order-of-operations review across all four pipelines (prompted by rc.2/rc.3 observations):

ci.yml — fine; three independent parallel jobs.
release-binaries.yml — fine; cliff → GoReleaser is the right order.
release-docker.yml — two real defects, fixed:
1. Scan gate was decorative: buildx pushed (push: true) before grype ran, so rc.2's red run still shipped 0.1.0-rc.2 + latest to Docker Hub. Now: build amd64 with --load → scan the local image → multi-arch push only after the gate passes (amd64 layers reused from builder cache; only arm64 is new work in the second build).
2. rc tags moved :latest: Hub's latest currently serves an rc build. :latest now only applied to non-prerelease tags.
mirror-release.yml — two ordering risks, fixed:
1. Polled for assets > 0, which can catch GoReleaser mid-upload and mirror a partial asset set → now requires the count stable across two consecutive polls.
2. 10-min timeout races the binaries run when it queues behind the ~18-min Docker job on the single runner → 20 min.

After merge: v0.1.0-rc.4 exercises the reordered build→scan→push path; if green, v0.1.0 is next.

Order-of-operations review across all four pipelines (prompted by rc.2/rc.3 observations): - **ci.yml** — fine; three independent parallel jobs. - **release-binaries.yml** — fine; cliff → GoReleaser is the right order. - **release-docker.yml** — two real defects, fixed: 1. **Scan gate was decorative**: buildx pushed (`push: true`) *before* grype ran, so rc.2's red run still shipped `0.1.0-rc.2` + `latest` to Docker Hub. Now: build amd64 with `--load` → scan the local image → multi-arch push only after the gate passes (amd64 layers reused from builder cache; only arm64 is new work in the second build). 2. **rc tags moved `:latest`**: Hub's `latest` currently serves an rc build. `:latest` now only applied to non-prerelease tags. - **mirror-release.yml** — two ordering risks, fixed: 1. Polled for `assets > 0`, which can catch GoReleaser mid-upload and mirror a partial asset set → now requires the count stable across two consecutive polls. 2. 10-min timeout races the binaries run when it queues behind the ~18-min Docker job on the single runner → 20 min. After merge: `v0.1.0-rc.4` exercises the reordered build→scan→push path; if green, v0.1.0 is next.

lerko added 1 commit 2026-06-12 21:21:04 +00:00

fix(release): scan gates docker push, rc tags spare :latest, mirror waits for stable assets

CI / test (pull_request) Successful in 1m52s

Details

CI / lint (pull_request) Successful in 1m16s

Details

CI / vulncheck (pull_request) Successful in 50s

Details

96eb3e8185

rc.2 proved the grype gate was decorative — buildx pushed before the
scan ran, so a red run still shipped the image (and rc tags moved
:latest). Build amd64 locally, scan that, then run the multi-arch push
from the warm builder cache. :latest now only moves on non-rc tags.

mirror-release: poll until the Gitea asset count is stable across two
polls (GoReleaser uploads sequentially — assets>0 could mirror a partial
set) and stretch the timeout to 20 min since the release run can queue
behind the Docker job on the single runner.

lerko added 1 commit 2026-06-12 21:21:43 +00:00

fix(release): remove tagged scan image in cleanup step

CI / test (pull_request) Successful in 1m51s

Details

CI / lint (pull_request) Successful in 1m12s

Details

CI / vulncheck (pull_request) Successful in 51s

Details

Release Binaries / release (push) Successful in 2m18s

Details

Release Docker / docker (push) Successful in 10m52s

Details

dc4c5fdf8a

lerko merged commit dc4c5fdf8a into main

2026-06-12 21:31:51 +00:00

lerko deleted branch fix/docker-scan-gate-ordering

2026-06-12 21:31:52 +00:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: lerkolabs/uptop#128