fix(supply-chain): pass --source-digest from promote-core to the lock updater#235
Conversation
… updater The promote-core update-lock job shelled out to the caller repo's scripts/update_approved_lock.py but never passed --source-digest, which that script marks required. Every write_lock: true run would have died at the lock step with 'argument --source-digest is required'. CI never caught it because no caller exists yet, so update-lock has never executed. Derive the source digest in the job: for a mirror (source_kind=registry) it is the upstream digest embedded in source_ref, which crane copy-by-digest preserves so source_digest == target_digest; for a build there is no separate upstream, so it collapses to the target digest. Shape-guard the derived value before it reaches the updater. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
|
Warning Review limit reached
Next review available in: 44 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |



Summary
While validating the supply-chain reusable workflows (#234) ahead of wiring the first caller, I found a deterministic contract bug between
promote-coreand the per-repo lock updater it invokes.supply-chain-promote-core.yml'supdate-lockjob shells out to the caller repo'sscripts/update_approved_lock.py, but never passes--source-digest, which that script marksrequired=True. Everywrite_lock: truerun would die at the lock step with:CI never caught it because no caller exists yet, so the
update-lockjob has never executed.Fix
Derive the source digest in the job and pass it:
source_kind=registry): the upstream digest embedded insource_ref(registry/name@sha256:...).cranecopy-by-digest preserves it, sosource_digest == target_digestand the lock records the equality the schema intends.source_kind=oci-tar): no separate upstream, so it collapses to the target digest.The derived value is shape-guarded (
^sha256:[0-9a-f]{64}$) before it reaches the updater.Validation
python3 -c yaml.safe_loadparses clean;actionlintclean; all pre-commit hooks pass.Context
Found during Task P3 (route both repos through the shared trust core). Two further P3 gates surfaced in the same validation pass and are tracked separately: the homelab-infra private-overlay updater/schema (P2 deliverable, not yet present) and the Trivy re-vetting
#VERIFYbaked intopromote-core(PR #229 removed Trivy after its March 2026 release-infra compromise).Generated with Claude Code