fix: download github CLI for target platform#42
@magus424 -- looking into this -- thank you!
…; CI

Base image / CVE fixes (apply to `latest` and all future builds — no breakage):
- Bump Alpine 3.21.3 -> 3.24.1 in both build stages
- Add `apk upgrade --no-cache` to pull OS package security patches
- Bump default GH_VERSION 2.10.1 -> 2.95.0 (CI still overrides with latest)

Multi-arch correctness (fixes a real bug; supersedes #42):
- Download the gh release for TARGETPLATFORM, not BUILDPLATFORM, so arm64/arm images stop shipping the amd64 binary. gh asset names don't map 1:1 to Docker platforms (linux/arm64/v8 -> linux_arm64; no armv7 build, armv6 runs on armv7), so map them explicitly. Verified by a linux/amd64+arm64+arm/v7 buildx build.

Tag strategy — protect pinners without breaking reproducibility:
- set_tags publishes rolling `vMAJOR`/`vMAJOR.MINOR` (e.g. v2, v2.95) + `latest`, only when building the newest release.
- Exact `vX.Y.Z` tags are immutable by default (published once); the nightly job no longer republishes them, so a pin stays byte-for-byte reproducible.
- REBUILD_EXACT=1 (workflow_dispatch input) force-refreshes a recent exact tag on the patched base; hooks/scripts/rebuild_recent does this for the latest N=3.
- README documents the scheme.

New PR-validation workflows (parity with dind-buildx + vuln focus):
- Trivy image scan (PR + weekly), hadolint (+ .hadolint.yaml), shellcheck, and dependabot for the base image and Actions.

Add downstream-usage-report.md: consumer exposure + Docker Hub tag_last_pulled.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
👍 Thanks for catching this — you're right that the build downloads for

Heads up that #43 now includes a fix for the same bug, with one extra wrinkle: gh's release asset names don't map 1:1 to Docker platform strings, so the plain
Thanks again @magus424 — your diagnosis was spot on: the build was downloading for

Recommend we resolve this one in favor of #43 so the two don't conflict on the same line — but credit for catching the bug is yours. 🙏
… + CI (#43)

* fix: patch base-image vulnerabilities; correct multi-arch; safer tags; CI

  Base image / CVE fixes (apply to `latest` and all future builds — no breakage):
  - Bump Alpine 3.21.3 -> 3.24.1 in both build stages
  - Add `apk upgrade --no-cache` to pull OS package security patches
  - Bump default GH_VERSION 2.10.1 -> 2.95.0 (CI still overrides with latest)

  Multi-arch correctness (fixes a real bug; supersedes #42):
  - Download the gh release for TARGETPLATFORM, not BUILDPLATFORM, so arm64/arm images stop shipping the amd64 binary. gh asset names don't map 1:1 to Docker platforms (linux/arm64/v8 -> linux_arm64; no armv7 build, armv6 runs on armv7), so map them explicitly. Verified by a linux/amd64+arm64+arm/v7 buildx build.

  Tag strategy — protect pinners without breaking reproducibility:
  - set_tags publishes rolling `vMAJOR`/`vMAJOR.MINOR` (e.g. v2, v2.95) + `latest`, only when building the newest release.
  - Exact `vX.Y.Z` tags are immutable by default (published once); the nightly job no longer republishes them, so a pin stays byte-for-byte reproducible.
  - REBUILD_EXACT=1 (workflow_dispatch input) force-refreshes a recent exact tag on the patched base; hooks/scripts/rebuild_recent does this for the latest N=3.
  - README documents the scheme.

  New PR-validation workflows (parity with dind-buildx + vuln focus):
  - Trivy image scan (PR + weekly), hadolint (+ .hadolint.yaml), shellcheck, and dependabot for the base image and Actions.

  Add downstream-usage-report.md: consumer exposure + Docker Hub tag_last_pulled.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci: add weekly "Refresh recent tags" workflow

  Automates the recent-pin security refresh: a matrix job rebuilds the latest 3 exact vX.Y.Z tags on the current patched base (set_tags + bake, REBUILD_EXACT=1), weekly and on demand. Runs the build directly rather than dispatching "Build and Release", since a GITHUB_TOKEN-triggered workflow_dispatch wouldn't start a run.

  hooks/scripts/rebuild_recent remains for ad-hoc local runs.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci: harden Build and Release per review; explicit skip for no-op set_tags

  - Split release into its own job with contents: write; the workflow now defaults to contents: read so PR-triggered build steps don't carry a write-capable token
  - set_tags emits skip=true when there's nothing to publish (exact tag already exists and REBUILD_EXACT unset, non-newest); build/release are gated on it so the run no longer produces an empty tag list and a silent no-op push
  - shell-check: use the canonical ${{ github.token }} for reviewdog auth

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* style: silence hadolint annotations in the gh download step

  Quote the gh tarball path/URL expansions (SC2086) and add wget -q (DL3047) so hadolint reports zero findings and stops annotating the diff. No behavior change; image still builds gh 2.95.0 across platforms.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* harden set_tags + refresh workflow per review

  - set_tags: resolve VERSION from the latest *stable* gh release (skip drafts/prereleases) so rolling tags aren't suppressed or moved onto a prerelease; validate GH_VERSION matches X.Y.Z before interpolating it into the Docker Hub URL and bake tags (rejects malformed/injected values)
  - refresh-recent-tags: fetch releases with `curl -fsS --retry` + github.token auth so the matrix step fails fast instead of feeding bad JSON to fromJson

  Verified set_tags across nightly/dispatch/rebuild/invalid cases; build path unchanged for the normal (newest-release) flow.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Fixes #41
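The two input-handling points in the #43 commit message above (choosing the gh asset for TARGETPLATFORM through an explicit platform map rather than trusting the build host, and accepting GH_VERSION only when it matches X.Y.Z before it is interpolated into a URL or tag) as an added POSIX sh example. This is constructed for illustration and is not the project's Dockerfile or its set_tags script; it assumes gh's public release asset naming (gh_<version>_<os>_<arch>.tar.gz under https://github.com/cli/cli/releases/download/v<version>/), and the function names and sample inputs are mine.

```shell
#!/bin/sh
# Added example (not the project's code): pick the gh release tarball for the
# image being built (TARGETPLATFORM), not for the machine running the build.

# Map a Docker TARGETPLATFORM string to the suffix gh uses in its asset names.
# The mapping is explicit because the two namespaces differ; a platform gh does
# not ship for is rejected instead of silently falling back to the amd64 build.
gh_asset_platform() {
  case "$1" in
    linux/amd64)                echo linux_amd64 ;;
    linux/arm64|linux/arm64/v8) echo linux_arm64 ;;   # buildx may append /v8
    linux/arm/v6|linux/arm/v7)  echo linux_armv6 ;;   # no armv7 build; armv6 runs on armv7
    *) echo "unsupported TARGETPLATFORM: $1" >&2; return 1 ;;
  esac
}

# Accept GH_VERSION only as plain X.Y.Z (no leading v, no extra segments, no
# shell or path metacharacters) before it is interpolated into a URL or a tag.
valid_gh_version() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Build the download URL for a validated version/platform pair. The URL layout
# (https://github.com/cli/cli/releases/download/v<ver>/gh_<ver>_<os>_<arch>.tar.gz)
# is gh's public release convention, assumed here rather than taken from the PR.
gh_tarball_url() {
  version=$1
  platform=$2
  if ! valid_gh_version "$version"; then
    echo "refusing malformed GH_VERSION: $version" >&2
    return 1
  fi
  suffix=$(gh_asset_platform "$platform") || return 1
  printf 'https://github.com/cli/cli/releases/download/v%s/gh_%s_%s.tar.gz\n' \
    "$version" "$version" "$suffix"
}

# Demo with constructed inputs; a Dockerfile RUN step would pass
# "$GH_VERSION" "$TARGETPLATFORM" (buildx sets TARGETPLATFORM per target, so the
# same RUN line yields a different asset for each image in a multi-arch build).
for p in linux/amd64 linux/arm64/v8 linux/arm/v7; do
  gh_tarball_url 2.95.0 "$p"
done
gh_tarball_url 'v2.95.0' linux/amd64 || echo 'rejected: not X.Y.Z'
gh_tarball_url 2.95.0 linux/ppc64le || echo 'rejected: no gh asset for this platform'
```

Because both helpers fail closed, a typo in GH_VERSION or a platform gh does not publish for stops the build at the download step rather than producing an image with the wrong binary, which is the failure mode the original bug report describes for arm images.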