
ci: add chronicle-image-pin-gate (block bare chronicle default images)#317

Merged
devkoriel merged 1 commit into main from ci/chronicle-image-pin-gate on Jun 30, 2026

Conversation

@devkoriel (Contributor)

What

Adds a chronicle-image-pin-gate check: a changed chart must not render a bare (un-digest-pinned) ghcr.io/chronicleprotocol/* image.

Why

Chart defaults authored with an empty tag: (which falls back to .Chart.AppVersion, a bare tag) or a bare version are unpinned. With the chronicle-resolve-digest mutating webhook adding the digest on live pods, that causes perpetual ArgoCD OutOfSync (the ghost / validator / groma incidents) and violates RFC-044.4 (chart defaults must be index-digest-pinned). app-of-apps already has a digest-gate; the chart repos did not.

How

On chart PRs, helm template each changed chart (with its ci/ values) and fail if any rendered ghcr.io/chronicleprotocol/* image lacks @sha256:. Rendering (not a line diff) is what catches the empty-tag -> appVersion case. Third-party images are not gated; un-renderable charts are warned and skipped (ct lint already covers templating).

Rollout

Lands non-blocking (not yet a required check). Suggest letting it run on a few chart PRs, then adding it to branch protection as required (RFC-044.4 prevention).
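
The rendering-based check described under "How", as an added example: this is an illustrative reimplementation of the gate, not the script merged in this PR. Names such as extract_images, gate_rendered_manifest and gate_chart are assumed here, as are three details the PR does not spell out: rendered manifests put each container image on a line shaped like `image: <ref>` or `- image: "<ref>"`, the "ci/ values" follow the chart-testing `ci/*-values.yaml` convention, and "pinned" means a full 64-hex `@sha256:` digest (stricter than the bare `@sha256:` substring test the PR describes, so a truncated digest is also rejected). The sample manifests are constructed to stand in for `helm template` output.

```shell
#!/bin/sh
# Added example: an illustrative chronicle-image-pin-gate, not the project's CI script.
# Assumptions not taken from the PR: images appear on `image:` lines in the rendered
# YAML, ci/ values follow the `ci/*-values.yaml` convention, and "pinned" means a full
# 64-hex @sha256: digest.

# Print every image reference found in a rendered manifest read from stdin, one per line.
# Accepts `image:` as a map key or list item, with optional quotes and trailing comment.
extract_images() {
  sed -n -E "s/^[[:space:]]*-?[[:space:]]*image:[[:space:]]*[\"']?([^\"'[:space:]]+)[\"']?[[:space:]]*(#.*)?\$/\1/p"
}

# Keep only ghcr.io/chronicleprotocol/* images that lack a full digest. Third-party
# images are not gated. Always exits 0 (grep's "no match" status is swallowed) so the
# caller can inspect the output rather than the status.
unpinned_chronicle_images() {
  extract_images \
    | grep -E '^ghcr\.io/chronicleprotocol/' \
    | { grep -v -E '@sha256:[0-9a-f]{64}$' || true; }
}

# The gate proper: read rendered YAML from stdin, return 1 if any offender exists.
gate_rendered_manifest() {
  offenders=$(unpinned_chronicle_images)
  if [ -n "$offenders" ]; then
    printf 'unpinned chronicle image(s):\n%s\n' "$offenders" >&2
    return 1
  fi
  return 0
}

# Render one chart with each of its ci/ values files (or its defaults when it has none)
# and gate the output. Needs helm on PATH. An un-renderable chart is warned and skipped,
# matching the PR's choice to leave templating errors to ct lint.
gate_chart() {
  chart=$1
  status=0
  for values in "$chart"/ci/*-values.yaml; do
    [ -e "$values" ] || values=""
    if ! rendered=$(helm template pin-gate "$chart" ${values:+-f "$values"} 2>/dev/null); then
      echo "warn: $chart $values did not render; skipping" >&2
      continue
    fi
    printf '%s\n' "$rendered" | gate_rendered_manifest || status=1
    [ -n "$values" ] || break   # no ci/ values: only the default render exists
  done
  return "$status"
}

# Constructed sample render (not real chart output): an empty `tag:` that fell back to
# .Chart.AppVersion, a truncated digest, and a third-party sidecar the gate must ignore.
SAMPLE_BARE='apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: ghost
          image: "ghcr.io/chronicleprotocol/ghost:1.2.3"   # tag fell back to appVersion
        - name: validator
          image: ghcr.io/chronicleprotocol/validator@sha256:abc
        - name: sidecar
          image: nginx:1.25'

# Constructed digest-pinned render the gate must accept, in tag+digest and digest-only shape.
SAMPLE_PINNED='apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: ghost
          image: ghcr.io/chronicleprotocol/ghost:1.2.3@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
        - name: validator
          image: "ghcr.io/chronicleprotocol/validator@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
        - name: sidecar
          image: nginx:1.25'
```

In CI the job would list the chart directories touched by the PR (for example from `git diff --name-only` against main) and call gate_chart on each, failing the job on any non-zero status. Working on the rendered manifest rather than a source diff is what makes the empty-tag case visible: the values file still reads `tag: ""`, but the rendered Deployment reads `ghost:1.2.3`, which is exactly what the chronicle-resolve-digest webhook would later rewrite on the live pod and leave ArgoCD OutOfSync.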

@devkoriel devkoriel self-assigned this Jun 30, 2026
@devkoriel devkoriel merged commit ff15cba into main Jun 30, 2026
2 checks passed
@devkoriel devkoriel deleted the ci/chronicle-image-pin-gate branch June 30, 2026 01:19

1 participant