feat: runner ghcr auth (direct private-image pull) + W3C traceId propagation [A2 4/5] #702

Draft: law-chain-hot wants to merge 1 commit into a2pr3-org-membership from a2pr4-runner-ghcr-traceid

@law-chain-hot law-chain-hot commented Jun 9, 2026

Contributor

Summary

PR 4 of 5 (effort: A2). Stacks on #701. Runner direct-ghcr auth + end-to-end traceId. Go-only, additive. Draft / WIP.

These two changes are what make A2's "box pulls private ghcr directly" possible — the deletion PR (5/5) relies on this runner auth. Incremental diff only (11 files).

Before

Runner image pull
+------------------------------------------+
| runner pulls via internal ArtifactRegistry|
| (no direct ghcr credentials)             |
+------------------------------------------+
traceId: the API creates one, but it is LOST at the
runner -> box (daemon) boundary -> can't follow one box end to end.

After

Runner image pull
+------------------------------------------+
| runtime-scoped ghcr auth (env-gated:     |
|   GHCR_USERNAME / GHCR_TOKEN)            |
| -> runner pulls private ghcr DIRECTLY    |
+------------------------------------------+
traceId: W3C traceparent injected api -> runner -> daemon
-> ONE traceId spans the whole box-create lifecycle.

What Changed

  • Runner buildImageRegistries adds a ghcr.io HTTPS + Basic-auth registry entry when GHCR_USERNAME / GHCR_TOKEN are set (env-gated; behavior identical when unset).
  • Inject BOXLITE_TRACEPARENT into the box env (runner) and seed a sandbox.boot span from it (daemon) so the box joins the API traceId.

Next

5/5 (later): delete the snapshotManager machinery (registry / backup / build) and collapse the schema to box_template + runner_artifact_cache (rebuilt clean). Held until the e2e track and the sandbox -> box rename land.

…cked on org-membership]

Runtime-scoped ghcr auth for direct private-image pull (GHCR_USERNAME/GHCR_TOKEN, env-gated) +
W3C traceparent injection api->runner->daemon (one traceId spans the create lifecycle).
Go-only, additive. Stacked on PR3. Draft for progress visibility.
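
An added example, not code from this PR or the project: one way the daemon side could validate the `BOXLITE_TRACEPARENT` value described above before seeding a boot span from it, limited to W3C Trace Context version 00. `ParseTraceparent`, `BootTraceID` and `newTraceID` are hypothetical names, and the sample value in `main` is constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Version 00: 00-<32 hex trace id>-<16 hex parent id>-<2 hex flags>, lowercase.
var traceparentRe = regexp.MustCompile(`^00-([0-9a-f]{32})-([0-9a-f]{16})-[0-9a-f]{2}$`)

// ParseTraceparent (hypothetical helper) returns the trace id and parent span
// id of a version-00 traceparent, or ok=false when the value must be ignored.
func ParseTraceparent(v string) (traceID, parentID string, ok bool) {
	m := traceparentRe.FindStringSubmatch(v)
	if m == nil {
		return "", "", false
	}
	// The spec treats all-zero trace ids and parent ids as invalid.
	if strings.Trim(m[1], "0") == "" || strings.Trim(m[2], "0") == "" {
		return "", "", false
	}
	return m[1], m[2], true
}

// newTraceID returns a fresh random 16-byte trace id as lowercase hex.
func newTraceID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// BootTraceID (hypothetical) joins the propagated trace when the value is
// valid and otherwise starts a new one, so a malformed value never blocks boot.
func BootTraceID(raw string) (id string, joined bool) {
	if t, _, ok := ParseTraceparent(raw); ok {
		return t, true
	}
	return newTraceID(), false
}

func main() {
	raw := os.Getenv("BOXLITE_TRACEPARENT")
	if raw == "" { // constructed sample, used when the variable is unset
		raw = "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01"
	}
	fmt.Println(BootTraceID(raw))
}
```

Rejecting anything that is not strictly lowercase hex of the expected lengths also keeps stray newlines or control characters in the environment value out of span attributes and logs.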

coderabbitai Bot commented Jun 9, 2026


Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 836c20ea-2f3a-4777-8cf2-1f089c180d81

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

