
fix(supply-chain): pass --source-digest from promote-core to the lock updater#235

Merged
williaby merged 1 commit into main from fix/promote-core-source-digest on Jun 30, 2026

Conversation

@williaby (Collaborator)

Summary

While validating the supply-chain reusable workflows (#234) ahead of wiring the first caller, I found a deterministic contract bug between promote-core and the per-repo lock updater it invokes.

supply-chain-promote-core.yml's update-lock job shells out to the caller repo's scripts/update_approved_lock.py, but never passes --source-digest, which that script marks required=True. Every write_lock: true run would die at the lock step with:

update_approved_lock.py: error: the following arguments are required: --source-digest

CI never caught it because no caller exists yet, so the update-lock job has never executed.

Fix

Derive the source digest in the job and pass it:

  • Mirror path (source_kind=registry): the upstream digest embedded in source_ref (registry/name@sha256:...). crane copy-by-digest preserves it, so source_digest == target_digest and the lock records the equality the schema intends.
  • Build path (source_kind=oci-tar): no separate upstream, so it collapses to the target digest.

The derived value is shape-guarded (^sha256:[0-9a-f]{64}$) before it reaches the updater.

Validation

  • python3 -c yaml.safe_load parses clean; actionlint clean; all pre-commit hooks pass.
  • This is a prerequisite for the first P3 caller (container-images public mirror) to write the approved-lock without failing.

Context

Found during Task P3 (route both repos through the shared trust core). Two further P3 gates surfaced in the same validation pass and are tracked separately: the homelab-infra private-overlay updater/schema (P2 deliverable, not yet present) and the Trivy re-vetting #VERIFY baked into promote-core (PR #229 removed Trivy after its March 2026 release-infra compromise).

Generated with Claude Code

… updater

The promote-core update-lock job shelled out to the caller repo's
scripts/update_approved_lock.py but never passed --source-digest, which that
script marks required. Every write_lock: true run would have died at the lock
step with 'argument --source-digest is required'. CI never caught it because
no caller exists yet, so update-lock has never executed.

Derive the source digest in the job: for a mirror (source_kind=registry) it
is the upstream digest embedded in source_ref, which crane copy-by-digest
preserves so source_digest == target_digest; for a build there is no separate
upstream, so it collapses to the target digest. Shape-guard the derived value
before it reaches the updater.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
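The derivation described in the PR, written out as shell functions so the two paths and the shape guard can be exercised offline. This is an added example, not the workflow's own step code. It assumes three inputs named source_kind, source_ref and target_digest (the PR's terms, used here as assumed variable names), that a mirror's source_ref is digest-pinned as registry/name@sha256:..., and, as the description states, that crane copy-by-digest preserves the manifest digest so a mirror's source and target digests must agree. The digest values in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example: derive the --source-digest value the lock updater requires.
# Not the project's workflow code; variable names are assumptions.
set -eu

# Shape guard from the PR: a full sha256 digest and nothing else.
DIGEST_RE='^sha256:[0-9a-f]{64}$'

# Print the digest if it matches the shape guard, otherwise fail.
check_digest_shape() {
  local d="$1"
  if printf '%s' "$d" | grep -Eq "$DIGEST_RE"; then
    printf '%s\n' "$d"
  else
    echo "refusing malformed digest: '$d'" >&2
    return 1
  fi
}

# derive_source_digest KIND SOURCE_REF TARGET_DIGEST
#   KIND          "registry" (mirror path) or "oci-tar" (build path)
#   SOURCE_REF    for registry: "<registry>/<name>@sha256:<64 hex>"
#   TARGET_DIGEST digest of the promoted image, e.g. "sha256:0123...cdef"
derive_source_digest() {
  local kind="$1" source_ref="$2" target_digest="$3" source_digest
  case "$kind" in
    registry)
      # Mirror path: the upstream digest is the part of source_ref after '@'.
      # A tag-only ref carries no pinned digest and is rejected rather than
      # silently replaced by the target digest.
      case "$source_ref" in
        *@*) source_digest="${source_ref##*@}" ;;
        *)   echo "source_ref is not digest-pinned: '$source_ref'" >&2; return 1 ;;
      esac
      ;;
    oci-tar)
      # Build path: no separate upstream, so it collapses to the target digest.
      source_digest="$target_digest"
      ;;
    *)
      echo "unknown source_kind: '$kind'" >&2
      return 1
      ;;
  esac
  # Guard the derived value before it reaches the updater.
  check_digest_shape "$source_digest"
}

# Mirror-path invariant: crane copy-by-digest preserves the manifest digest,
# so source and target must be equal. A mismatch means the promoted artifact
# is not the one that was vetted, and the lock should not be written.
assert_mirror_digests_match() {
  local source_digest="$1" target_digest="$2"
  if [ "$source_digest" != "$target_digest" ]; then
    echo "digest mismatch: source=$source_digest target=$target_digest" >&2
    return 1
  fi
}

# Typical use inside a step (assumed env names), e.g.:
#   SRC="$(derive_source_digest "$SOURCE_KIND" "$SOURCE_REF" "$TARGET_DIGEST")"
#   [ "$SOURCE_KIND" != registry ] || assert_mirror_digests_match "$SRC" "$TARGET_DIGEST"
#   python3 scripts/update_approved_lock.py --source-digest "$SRC" ...
```

The tag-only and unknown-kind branches fail closed on purpose: the point of the shape guard is that the updater only ever sees a value that identifies exactly one artifact, and substituting the target digest for a missing upstream digest would make a mirror look like a build.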

coderabbitai Bot commented Jun 30, 2026

Warning

Review limit reached

@williaby, you've reached your PR review limit, so we couldn't start this review.


Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d60f070a-ef42-4908-bdbc-2d84f84c5ee1

📥 Commits

Reviewing files that changed from the base of the PR and between c7fb2b4 and 58e1220.

📒 Files selected for processing (1)
  • .github/workflows/supply-chain-promote-core.yml

@williaby williaby added this pull request to the merge queue Jun 30, 2026
Merged via the queue into main with commit 83cc391 Jun 30, 2026
34 checks passed
@williaby williaby deleted the fix/promote-core-source-digest branch June 30, 2026 17:08
