ci: pin Thailand deploy to immutable sha- tag, never a moving tag (#38)
Deploying the "main" (or a feature branch) image via workflow_dispatch resolved
to the moving `latest`/`<slug>` tag and wrote that into the gitops values.yaml.
A mutable tag in a K8s manifest is a smell: it reads as floating even though the
digest pins it, and it isn't traceable to a specific build.
Resolve the moving tag to a digest, then de-reference it to the immutable
sha-<short> tag at the same digest and pin that. Fast path tries
sha-${GITHUB_SHA::7} (the dispatched commit is usually the build commit);
fallback scans sha- tags for the matching digest (e.g. when HEAD built no image
and latest points further back). Refuses to pin if no sha- tag matches.
Semver deploys (workflow_run, or an explicit image_tag input) are unchanged —
already immutable, pinned as-is.
Verified the resolve logic against a mocked registry across fast-path,
fallback, no-match, slug, explicit-input and workflow_run cases.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/deploy-thailand.yml:
- Around line 120-125: The condition checking INPUT_TAG on line 120 accepts any
non-empty value without validating whether it's immutable, allowing mutable tags
like latest to be pinned as the tag value. Add validation logic after the `if [
-n "${INPUT_TAG}" ]` check to enforce an allowlist of immutable tag patterns
(such as sha-* or semantic versioning formats) before accepting the INPUT_TAG as
the pinned tag. Reject any INPUT_TAG that doesn't match the immutable pattern
allowlist to prevent mutable tags from being used as pinned deployment tags.
Files selected for processing (2):
- .github/workflows/deploy-thailand.yml
- CLAUDE.md
The explicit workflow_dispatch image_tag was pinned verbatim, so image_tag=latest (or a branch slug) would write a mutable tag into the manifest — the very smell this workflow removes for the empty-input path.

Validate explicit input against an immutable allowlist (sha-<commit> or X.Y.Z) and reject anything else, pointing the user to leave image_tag empty for a branch deploy (which de-references to the sha- tag). Empty-input and workflow_run paths are unchanged.

Verified the allowlist rejects latest / slugs / v-prefixed / malformed and accepts sha-<hex> and X.Y.Z, and that valid immutable inputs still pin as-is.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Problem
Deploying the main (or a feature-branch) Thai image via `workflow_dispatch` with an empty `image_tag` resolved to the moving `latest`/`<slug>` tag and wrote that into the gitops `values.yaml`. Even though the digest actually pins the image, a `latest` (or branch-slug) tag reads as floating and isn't traceable to a specific build.

Fix
For an empty-input dispatch, resolve the moving tag to its digest and then de-reference it to the immutable `sha-<short>` tag that carries the same digest, and pin that:
- Fast path: try `sha-${GITHUB_SHA::7}` (the dispatched commit is usually the build commit); use it if its digest matches.
- Fallback: scan `sha-` tags for the matching digest (covers the case where HEAD built no image, so `latest` points further back).
- Refuse to pin if no `sha-` tag matches the digest (never writes a mutable tag).

Semver deploys are unchanged: `workflow_run` (released version) and an explicit `image_tag` input are already immutable and pinned as-is.

Validation
Exercised the resolve logic against a mocked registry — all pass:
- fast path (`sha-<HEAD>` == `latest`)
- fallback (`sha-<HEAD>` absent; the `sha-` scan finds the tag whose digest matches)
- no match (no `sha-` tag at the digest, so the pin is refused)
- slug (feature-branch deploy)
- explicit input `0.3.0` (pinned as-is)
- `workflow_run` semver (pinned as-is)
- actionlint clean; YAML valid; CLAUDE.md updated.
🤖 Generated with Claude Code
Summary by CodeRabbit
- Chores: the Thailand deploy now pins immutable `sha-*` references (instead of mutable tags), failing when a matching immutable tag can't be found.
- Documentation: documented the `image_tag` input behavior (including the "empty input" case) to explain how moving tags are de-referenced to immutable `sha-*` pins at the same digest and when errors occur.
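The resolve procedure from the Fix section (fast path, fallback, refuse) and the immutable-tag allowlist from the follow-up commit, as an added example that is not the PR's workflow code: it runs against a constructed in-memory mock registry, and every tag name and digest in it is made up.

```shell
#!/bin/sh
# Added example, not the workflow's own code: mirror the "moving tag -> digest
# -> sha- tag at that digest" resolution and the immutable-tag allowlist
# against a constructed mock registry ("tag digest" per line).
set -eu

# Constructed mock registry; the real workflow queries the container registry.
MOCK_REGISTRY='latest sha256:aaa
sha-1234567 sha256:aaa
feature-x sha256:bbb
sha-89abcde sha256:bbb
orphan sha256:ccc
0.3.0 sha256:ddd'

# registry_digest TAG: print the digest behind TAG, or nothing if absent.
registry_digest() {
  printf '%s\n' "$MOCK_REGISTRY" | awk -v t="$1" '$1 == t { print $2 }'
}

# is_immutable_tag TAG: allowlist for an explicit image_tag input,
# sha-<hex> or X.Y.Z; latest, branch slugs, v-prefixed and malformed fail.
is_immutable_tag() {
  printf '%s\n' "$1" | grep -Eq '^(sha-[0-9a-f]{7,40}|[0-9]+\.[0-9]+\.[0-9]+)$'
}

# resolve_pin MOVING_TAG HEAD_SHA: print the immutable sha- tag to pin.
# Fast path: sha-<first 7 of HEAD>; fallback: any sha- tag at the same
# digest; otherwise refuse (exit 1) rather than write a mutable tag.
resolve_pin() {
  moving="$1"; head="$2"
  digest="$(registry_digest "$moving")"
  [ -n "$digest" ] || { echo "no such tag: $moving" >&2; return 1; }
  fast="sha-$(printf '%s' "$head" | cut -c1-7)"
  if [ "$(registry_digest "$fast")" = "$digest" ]; then
    echo "$fast"; return 0
  fi
  found="$(printf '%s\n' "$MOCK_REGISTRY" \
    | awk -v d="$digest" '$1 ~ /^sha-/ && $2 == d { print $1; exit }')"
  if [ -n "$found" ]; then
    echo "$found"; return 0
  fi
  echo "no sha- tag at $digest for $moving; refusing to pin" >&2
  return 1
}
```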