
fix(ci): link digest-pinned evidence ref in UAT summaries#1498

Merged
njhensley merged 2 commits into
NVIDIA:mainfrom
njhensley:ci/uat-evidence-summary-digest-ref
Jun 26, 2026

Conversation

@njhensley

Member

Summary

Print the digest-pinned evidence bundle ref in the UAT (AWS + GCP) Actions summaries instead of a reconstructed mutable :run-<run_id> OCI tag.

Motivation / Context

Follow-up to the GP2 evidence-ingest work (#1402 / #1484). CodeRabbit flagged that the UAT summaries rebuilt a mutable …aicr-evidence/<recipe>:run-${{ github.run_id }} tag for the human-facing "Evidence (OCI)" link. That tag can drift from the actual bundle if the naming scheme changes or the tag is later repointed, sending reviewers to the wrong artifact — while ingest itself already uses the verified digest. Both jobs already export the validated, digest-pinned ref via steps.evidence_ref.outputs.ref (the same value fed to the ingest-evidence job), so the summary should use it too.

Fixes: N/A
Related: #1484, #1402

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • Build/CI/tooling

Component(s) Affected

  • Other: GitHub Actions UAT workflows (.github/workflows/uat-aws.yaml, .github/workflows/uat-gcp.yaml)

Implementation Notes

  • Replace the hand-built …:run-${{ github.run_id }} string with ${{ steps.evidence_ref.outputs.ref }} in both summary steps.
  • Tighten the guard from conformance.outcome == 'success' to -n <ref>: the ref is non-empty only when conformance succeeded and a bundle was produced, so the summary degrades cleanly (no empty `Evidence (OCI): ``) when no bundle exists.
  • The explanatory comment blocks that document the conformance step's push tag are left unchanged — they accurately describe the push naming, not the reviewer-facing link.

Testing

yamllint .github/workflows/uat-aws.yaml .github/workflows/uat-gcp.yaml  # clean

No Go changes; this is a workflow-summary string fix only. The summaries render at runtime, exercised by the scheduled UAT runs.

Risk Assessment

  • Low — Isolated change, well-tested, easy to revert

Rollout notes: N/A — cosmetic/summary-only; ingest behavior is unchanged.

Checklist

  • Tests pass locally (make test with -race) — N/A, no Go changes
  • Linter passes (make lint) — yamllint clean on both files
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality — N/A
  • I updated docs if user-facing behavior changed — N/A
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S)

The UAT Actions summaries rebuilt a mutable
`…aicr-evidence/<recipe>:run-${{ github.run_id }}` OCI tag, which can
drift from the actual bundle if the naming scheme changes or the tag is
repointed — pointing reviewers at the wrong artifact while ingest uses
the verified digest.

Print the digest-pinned `steps.evidence_ref.outputs.ref` instead — the
same validated, immutable ref the ingest job consumes — and guard the
line on that ref being non-empty so the summary degrades cleanly when no
bundle was produced.

Signed-off-by: Nathan Hensley <[email protected]>
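The guarded summary step described in the implementation notes and the commit message above, as an added example that is not code from the NVIDIA/aicr workflows. It goes one step beyond the PR: before linking a ref it also checks that the ref really is digest-pinned (carries `@sha256:` plus 64 hex digits), which is the property the summary relies on but the workflow text does not show being enforced at the summary step. The function names `is_digest_pinned` and `append_evidence_summary`, the `ghcr.io/example/...` references and the fallback to `/dev/stdout` when `GITHUB_STEP_SUMMARY` is unset are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the NVIDIA/aicr workflows. Function names and the
# example registry path are assumptions made for illustration.

# Return 0 when $1 is an OCI reference pinned to a sha256 digest
# (repo[:tag]@sha256:<64 lowercase hex>), else 1. A bare mutable tag such as
# registry/aicr-evidence/<recipe>:run-<run_id> does not qualify, because the
# tag can be repointed later while the digest cannot.
is_digest_pinned() {
  case "$1" in
    *@sha256:*) ;;
    *) return 1 ;;
  esac
  digest="${1##*@sha256:}"
  [ "${#digest}" -eq 64 ] || return 1
  case "$digest" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# Append the reviewer-facing "Evidence (OCI)" line to the step summary file $2
# (normally $GITHUB_STEP_SUMMARY) only when ref $1 is non-empty and digest-pinned.
#   empty ref      -> print nothing, return 0 (no bundle was produced; degrade cleanly,
#                     mirroring the PR's `-n` guard)
#   mutable ref    -> print nothing, return 1 (never link a tag that can drift)
#   digest-pinned  -> append the line, return 0
append_evidence_summary() {
  ref="$1"
  summary="$2"
  if [ -z "$ref" ]; then
    return 0
  fi
  if ! is_digest_pinned "$ref"; then
    echo "refusing to link non-digest-pinned evidence ref: $ref" >&2
    return 1
  fi
  printf -- '- Evidence (OCI): `%s`\n' "$ref" >> "$summary"
}

# Stand-alone demo with a constructed digest-pinned ref (not a real artifact).
DEMO_REF='ghcr.io/example/aicr-evidence/recipe@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
append_evidence_summary "$DEMO_REF" "${GITHUB_STEP_SUMMARY:-/dev/stdout}"
```

In a workflow step this replaces the `if [ "${{ steps.conformance.outcome }}" == 'success' ]` style guard: the step passes `${{ steps.evidence_ref.outputs.ref }}` as the first argument, and the digest check means a regression that re-introduces a reconstructed `:run-<run_id>` tag fails the step loudly instead of silently producing a misleading link.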
@njhensley njhensley requested a review from a team as a code owner June 26, 2026 20:30
@njhensley njhensley added the theme/ci-dx CI pipelines, developer experience, and build tooling label Jun 26, 2026
@coderabbitai

coderabbitai Bot commented Jun 26, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 661b2197-4974-4a05-a19a-39d0cfc50adb

📥 Commits

Reviewing files that changed from the base of the PR and between 14e347a and ad717e1.

📒 Files selected for processing (2)
  • .github/workflows/uat-aws.yaml
  • .github/workflows/uat-gcp.yaml

📝 Walkthrough

Walkthrough

The UAT AWS and GCP workflow summaries now conditionally print the Evidence (OCI) line only when steps.evidence_ref.outputs.ref is non-empty. In both workflows, the printed OCI reference now comes directly from that exported value instead of being reconstructed from the run id.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • NVIDIA/aicr#1479: Also changes the UAT AWS/GCP workflow Evidence (OCI) summary output in the same step.

Suggested reviewers

  • mchmarny
🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: using the digest-pinned evidence ref in UAT summaries.
Description check ✅ Passed The description directly matches the workflow summary fix and explains the digest-pinned evidence ref change.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

@njhensley njhensley enabled auto-merge (squash) June 26, 2026 20:41

@mchmarny mchmarny left a comment

Member


Right fix — the summary now links the same validated, digest-pinned ref (steps.evidence_ref.outputs.ref) that ingest consumes, instead of rebuilding a mutable :run- tag that could drift. Confirmed evidence_ref and the summary step live in the same job in both workflows, so the output reference resolves. The -n guard is also a strict improvement over conformance.outcome == 'success': it degrades cleanly when no bundle was produced. LGTM.

@njhensley njhensley merged commit eebd348 into NVIDIA:main Jun 26, 2026
30 checks passed

Labels

area/ci size/XS theme/ci-dx CI pipelines, developer experience, and build tooling
