
release: gate on resolved container SHA pins before push_tag#38608

Merged: pelikhan merged 2 commits into main from copilot/add-pre-validation-step, Jun 11, 2026
Conversation

Copilot AI commented Jun 11, 2026

Contributor

A release could proceed even if container images (mcpg, firewall, etc.) had no cached SHA pins in actions-lock.json — e.g. after bumping a container version without re-running gh aw compile.

Changes

  • release.md — adds a validate_container_pins job that runs after activation and before config. It scans all actions-lock.json files and fails if any container entry is missing a valid digest / pinned_image (both must match sha256:[64 hex]). Error output names the offending images and instructs the releaser to run gh aw compile.
  • config job `needs` updated to include validate_container_pins, blocking the entire downstream chain (push_tag -> defender -> sync_actions -> release) until the check passes.
  • release.lock.yml — regenerated via make recompile.

The validation logic in the new step:

missing_pins=$(jq -r '
  .containers // {} |
  to_entries[] |
  select(
    ((.value.digest // "") | test("^sha256:[a-f0-9]{64}$") | not) or
    ((.value.pinned_image // "") | test("@sha256:[a-f0-9]{64}$") | not)
  ) |
  .key
' "$lock_file")
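The same pin check, rewritten in Python as an added example (not the PR's own code, which is a bash/jq step): it applies the two regexes from the jq filter to a constructed actions-lock.json and, going one step beyond the PR, also verifies that the digest embedded in pinned_image equals the digest field. The containers/digest/pinned_image field names are taken from the PR description; the image names and digests are made up.

```python
import re

# Regexes from the PR's jq filter: digest must be exactly "sha256:<64 hex>" and
# pinned_image must end in "@sha256:<64 hex>" (lowercase hex only).
DIGEST_RE = re.compile(r"sha256:([a-f0-9]{64})")
PINNED_RE = re.compile(r".*@sha256:([a-f0-9]{64})")

def validate_lock(lock: dict) -> dict[str, str]:
    """Map each container key that is not fully pinned to a reason.
    Same selection as the PR's jq (`.containers // {} | to_entries[] | select(...)`),
    plus, beyond the PR, a check that both digests agree."""
    problems: dict[str, str] = {}
    for key, entry in (lock.get("containers") or {}).items():
        digest = (entry or {}).get("digest") or ""
        pinned = (entry or {}).get("pinned_image") or ""
        d, p = DIGEST_RE.fullmatch(digest), PINNED_RE.fullmatch(pinned)
        if d is None:
            problems[key] = "digest is not a resolved sha256 value"
        elif p is None:
            problems[key] = "pinned_image is not pinned by sha256 digest"
        elif d.group(1) != p.group(1):
            problems[key] = "pinned_image digest differs from digest field"
    return problems

def gate_release(lock_files: dict[str, dict]) -> tuple[bool, list[str]]:
    """Evaluate every lock file (path -> parsed JSON); returns (ok, messages).
    On failure the messages name the offending images and the remedy."""
    errors = [f"{path}: {key}: {why}"
              for path, lock in lock_files.items()
              for key, why in validate_lock(lock).items()]
    if errors:
        errors.append("Run `gh aw compile` to refresh the cached container pins.")
    return not errors, errors

# Constructed sample lock file: field names follow the PR description, the
# image names and digests are made up.
GOOD = "a" * 64
SAMPLE_LOCK = {"containers": {
    "ghcr.io/example/mcpg:1.2.3": {
        "digest": f"sha256:{GOOD}",
        "pinned_image": f"ghcr.io/example/mcpg@sha256:{GOOD}"},
    "ghcr.io/example/firewall:2.0.0": {  # version bumped, compile not re-run
        "digest": "", "pinned_image": ""},
    "ghcr.io/example/other:0.1": {  # uppercase hex is rejected by the regex
        "digest": "sha256:" + "B" * 64,
        "pinned_image": "ghcr.io/example/other@sha256:" + "b" * 64},
}}
```

Calling `gate_release({"pkg/actions-lock.json": SAMPLE_LOCK})` reports the firewall and other images and the `gh aw compile` remedy, while the mcpg entry passes.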

Copilot AI and others added 2 commits June 11, 2026 12:56
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title Add validate_container_pins pre-validation job to release.md release: gate on resolved container SHA pins before push_tag Jun 11, 2026
Copilot AI requested a review from pelikhan June 11, 2026 12:58
@pelikhan pelikhan marked this pull request as ready for review June 11, 2026 13:00
Copilot AI review requested due to automatic review settings June 11, 2026 13:00
@pelikhan pelikhan merged commit da81c26 into main Jun 11, 2026
1 check passed
@pelikhan pelikhan deleted the copilot/add-pre-validation-step branch June 11, 2026 13:00

Copilot AI left a comment

Contributor


Pull request overview

This PR adds an explicit release-gating validation to ensure all actions-lock.json files contain resolved (SHA256) container pins before the workflow proceeds to tagging/publishing. This prevents releases from continuing when container versions have been bumped but gh aw compile hasn’t been rerun to refresh cached digests.

Changes:

  • Added a validate_container_pins job to scan all actions-lock.json files and fail if any container entry lacks a valid digest and pinned_image.
  • Updated the config job to need the new validation job, blocking downstream release stages until the validation passes.
  • Regenerated release.lock.yml to include the new job and updated dependency graph.
Summary per file:

  • .github/workflows/release.md: Introduces a new validation job and wires it into the release dependency chain.
  • .github/workflows/release.lock.yml: Regenerated compiled workflow including the new validation job and updated needs.

Copilot's findings


  • Files reviewed: 2/2 changed files
  • Comments generated: 2

LOCK_FILES=()
while IFS= read -r -d '' f; do
  LOCK_FILES+=("$f")
done < <(find . -name "actions-lock.json" -not -path "*/node_modules/*" -print0)