Skip to content

ci: harden chronicle-image-pin-gate (64-hex digest + self-test)#318

Merged
devkoriel merged 1 commit into
mainfrom
ci/harden-pin-gate
Jun 30, 2026
Merged

ci: harden chronicle-image-pin-gate (64-hex digest + self-test)#318
devkoriel merged 1 commit into
mainfrom
ci/harden-pin-gate

Conversation

@devkoriel

Copy link
Copy Markdown
Contributor

What

Hardens chronicle-image-pin-gate to flag every unpinned/malformed chronicle image form, and adds an embedded self-test so the detector cannot silently regress.

Why

The first version had narrow false-passes: a chronicle ref ending in @sha256:<short-or-invalid-hex> (e.g. @sha256:abc) passed, and the malformed @sha256- hyphen form (the cosign sig-tag shape behind the 06-22 archiver incident) was only caught by accidental truncation. "Pinned" must mean a real multi-arch index digest, not any @sha256: substring.

How

  • Detector captures the whole ref token and requires @sha256: + EXACTLY 64 lowercase-hex chars. It now flags bare semver, git-sha tags (sha-xxxxxx), :latest, no-tag, the @sha256- hyphen form, and short/over-long/invalid digests; it passes only genuine 64-hex digests.
  • An embedded 10-case self-test runs before the gate and fails the job if the detector regresses.

Validated locally: 10/10 self-test cases pass; the gate flags an unpinned render and passes pinned ones.

@devkoriel devkoriel self-assigned this Jun 30, 2026
@devkoriel devkoriel merged commit aae3dcd into main Jun 30, 2026
2 checks passed
@devkoriel devkoriel deleted the ci/harden-pin-gate branch June 30, 2026 05:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant