Skip to content

fix(validator): resolve dev builds to SHA-tagged images #654

Description

@mchmarny

Problem

recipes/validators/catalog.yaml hardcodes :latest for all validator images. ResolveImage() in pkg/validator/catalog/catalog.go only replaces that tag for release versions. Since on-push.yaml builds SHA-tagged images (e.g., sha-<commit>-amd64) but never updates :latest, running validation from main always pulls the last released image rather than what was just built.

This means new validator changes on main don't work by default without creating an overlay to override the validator images.

Proposed Approach

Resolve dev builds to their SHA-tagged image.

The commit SHA is already embedded in the binary via ldflags at build time, and on-push.yaml already pushes images with sha-<commit> tags. The change would be in catalog.go:ResolveImage() — when the version is non-release (e.g., dev, contains -next, or contains a commit hash), resolve :latest to :sha-<commit> instead of leaving it as-is. This gives main full access to its own validator images without touching :latest, which stays reserved for stable releases.

This keeps the current release behavior unchanged and avoids introducing floating tags like :main that are less reproducible.

Key Files

  • recipes/validators/catalog.yaml — hardcoded :latest tags
  • pkg/validator/catalog/catalog.goResolveImage() and isReleaseVersion()
  • .github/workflows/on-push.yaml — SHA-tagged image builds
  • .github/workflows/on-tag.yaml — release :latest tag creation

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions