fix(ci): safe manifest publishing#586
Merged
Stop mutating latest/edge manifests in place. The --amend flag preserves existing manifest-list state instead of replacing it cleanly, which can leak stale or unknown/unknown descriptors into mutable aliases. Switch both on-tag (latest) and on-push (edge) to docker buildx imagetools create, which atomically replaces the manifest list from the specified source images. Add a post-publish verification step that fails unless both linux/amd64 and linux/arm64 are present and no unknown/unknown descriptors exist. Hoist VALIDATOR_PHASES and EXPECTED_PLATFORMS to workflow-level env vars so loop parameters are obvious to update and cross-referenced with the build-docker matrix.
mchmarny
approved these changes
Apr 15, 2026
yuanchen8911
pushed a commit
to yuanchen8911/aicr
that referenced
this pull request
Apr 16, 2026
Co-authored-by: Mark Chmarny <[email protected]>
Summary
Replace `docker manifest create --amend` with `docker buildx imagetools create` for mutable aliases (`:latest`, `:edge`) and add post-publish verification that all expected platforms are present.
Motivation / Context
`--amend` preserves existing manifest-list state instead of replacing it cleanly, which can leak stale or `unknown/unknown` descriptors into mutable aliases. This caused the `:latest` tag to either not exist or contain a corrupted manifest list, resulting in `ErrImagePull` for all deployment-phase validator checks.
Fixes: #525
Related: N/A
Type of Change
Component(s) Affected
- (`cmd/aicr`, `pkg/cli`)
- (`cmd/aicrd`, `pkg/api`, `pkg/server`)
- (`pkg/recipe`)
- (`pkg/bundler`, `pkg/component/*`)
- (`pkg/collector`, `pkg/snapshotter`)
- (`pkg/validator`)
- (`pkg/errors`, `pkg/k8s`)
- (`docs/`, `examples/`)
- (`on-tag.yaml`, `on-push.yaml`)
Implementation Notes
- `docker buildx imagetools create` atomically replaces the manifest list from the specified source images — no `--amend` semantics, no stale state carried forward.
- `:edge` alias now sources from `sha-<commit>-{arch}` images instead of `edge-{arch}`, ensuring both tags derive from the same build artifacts deterministically.
- `linux/amd64` or `linux/arm64` is missing, or if any `unknown/unknown` descriptor is present. This will also catch future regressions if `provenance: false` is removed from the build steps without updating the check.
- `VALIDATOR_PHASES` and `EXPECTED_PLATFORMS` hoisted to workflow-level env vars with cross-reference comments to the `build-docker` matrix.
Testing
Risk Assessment
Rollout notes: No migration needed. Next push to main publishes `:edge` via the new path. Next tag release publishes `:latest` via the new path.
Checklist
- (`make test` with `-race`)
- (`make lint`)
- (`git commit -S`) — GPG signing info
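A stand-alone version of the post-publish check this PR describes, added here as an example; it is not code from the PR or from the aicr repository, whose workflow step presumably does the same with shell and jq. It parses the JSON that `docker buildx imagetools inspect --raw <ref>` prints (an OCI image index or Docker manifest list) and applies the rules stated above: every platform in EXPECTED_PLATFORMS must be present, and no descriptor may carry the `unknown/unknown` platform that BuildKit assigns to provenance and SBOM attestation manifests. It additionally flags a platform listed more than once, since that is another way stale list state shows up. The two index documents embedded below, including their digests and sizes, are constructed for illustration; the `-` invocation and the script name are assumptions.

```python
#!/usr/bin/env python3
"""Post-publish manifest-list check (example code, not part of the aicr workflows).

Assumed workflow usage:
    docker buildx imagetools inspect --raw ghcr.io/ORG/IMAGE:latest | python3 check_manifest.py -

Run with no arguments it checks the constructed sample indexes defined below.
"""
import json
import sys

# Mirrors the workflow-level EXPECTED_PLATFORMS env var described in the PR.
EXPECTED_PLATFORMS = ("linux/amd64", "linux/arm64")


def platform_of(descriptor):
    """Return 'os/arch' (plus '/variant' when set) for a descriptor, or None if it has no platform."""
    plat = descriptor.get("platform")
    if not isinstance(plat, dict):
        return None
    name = f"{plat.get('os', '')}/{plat.get('architecture', '')}"
    if plat.get("variant"):
        name += "/" + plat["variant"]
    return name


def check_manifest_list(index, expected=EXPECTED_PLATFORMS):
    """Return a list of problems; an empty list means the index is acceptable.

    Rules: every expected platform must appear among the image manifests, no
    descriptor may be unknown/unknown (BuildKit attestation manifests) or lack a
    platform, and no platform may be listed more than once.
    """
    manifests = index.get("manifests")
    if not isinstance(manifests, list):
        return ["no 'manifests' array: not a manifest list / image index"]

    problems = []
    seen = {}
    for d in manifests:
        digest = d.get("digest", "<no digest>")
        plat = platform_of(d)
        if plat is None:
            problems.append(f"{digest}: descriptor has no platform")
        elif plat.startswith("unknown/unknown"):
            problems.append(f"{digest}: unknown/unknown descriptor present")
        else:
            seen[plat] = seen.get(plat, 0) + 1
    for want in expected:
        if want not in seen:
            problems.append(f"missing platform {want}")
    for plat, count in seen.items():
        if count > 1:
            problems.append(f"platform {plat} listed {count} times (stale list state?)")
    return problems


# ---- constructed sample data (placeholder digests, not real images) ----
_IMG = "application/vnd.oci.image.manifest.v1+json"
_IDX = "application/vnd.oci.image.index.v1+json"


def _digest(ch):
    return "sha256:" + ch * 64


def _desc(ch, arch, os_name, size=1234):
    return {"mediaType": _IMG, "digest": _digest(ch), "size": size,
            "platform": {"architecture": arch, "os": os_name}}


# What a clean `imagetools create` from the two per-arch images produces.
GOOD_INDEX = {"schemaVersion": 2, "mediaType": _IDX,
              "manifests": [_desc("a", "amd64", "linux"), _desc("b", "arm64", "linux")]}

# What an --amend'ed alias can look like: arm64 missing, plus a provenance
# attestation descriptor that BuildKit marks unknown/unknown.
STALE_INDEX = {"schemaVersion": 2, "mediaType": _IDX,
               "manifests": [_desc("a", "amd64", "linux"),
                             dict(_desc("c", "unknown", "unknown", size=567),
                                  annotations={"vnd.docker.reference.type": "attestation-manifest",
                                               "vnd.docker.reference.digest": _digest("a")})]}


def main(argv):
    if len(argv) > 1 and argv[1] == "-":
        indexes = {"stdin": json.load(sys.stdin)}
    else:
        indexes = {"GOOD_INDEX": GOOD_INDEX, "STALE_INDEX": STALE_INDEX}
    failed = False
    for name, idx in indexes.items():
        problems = check_manifest_list(idx)
        print(f"{name}: {'OK' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
        failed = failed or bool(problems)
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check is deliberately a whitelist on platform strings rather than a blacklist on `unknown/unknown` alone: a descriptor with no `platform` at all also fails, so a future change that re-enables provenance or SBOM attestations in the build step trips the check instead of silently adding descriptors to the alias.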