@greptileai I think this needs to be added to the renovate exclusions

You're right. Renovate uses helpers:pinGitHubActionDigests which will automatically re-pin ghcr.io/jdx/mise:copr with a digest the next time it runs — putting you right back in the same situation.

You should add a packageRule to .github/renovate.json to exclude this image:

  "packageRules": [
    {
      "description": "AWS SDK requires MSRV 1.91.1, project is 1.88.0. Re-enable when MSRV is bumped.",
      "matchPackageNames": ["aws-config", "aws-sdk-*"],
      "matchManagers": ["cargo"],
      "enabled": false
    },
    {
      "description": "copr image is rebuilt from source on Dockerfile changes; pinning a digest would cause stale image regressions.",
      "matchPackageNames": ["ghcr.io/jdx/mise"],
      "matchCurrentValue": "copr",
      "enabled": false
    }
  ]

This targets the ghcr.io/jdx/mise package only when the tag is copr, so Renovate won't touch it while still managing other images normally.

Greptile Summary

This PR fixes the copr-publish workflow by removing a stale hardcoded image digest that continued pointing to the broken pre-fix image even after packaging/copr/Dockerfile was corrected in #9421. It also adds a Renovate ignore rule to prevent the digest from being re-pinned in the future, and cleans up long-commented-out dev/dev-test job blocks from docker.yml.

• The PR title and description promise automatic :copr image rebuilds on packaging/copr/Dockerfile changes, but the on: trigger in docker.yml was not modified — the workflow still only fires on version tags and workflow_dispatch, so that prevention mechanism is not yet in place.

Confidence Score: 5/5

Safe to merge — the core regression fix is correct and the only gap is a missing future-proofing trigger described in the title but not implemented.

No P0 or P1 findings. The one P2 observation (missing auto-rebuild trigger) is a future-proofing gap, not a current breakage. The primary fix (removing the stale digest) is sound, and the Renovate rule correctly prevents re-pinning.

docker.yml — the on: section was not updated despite the PR title implying it would be.

Important Files Changed

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub Actions
    participant GHCR as ghcr.io (GHCR)
    participant COPR as COPR Build

    Note over Dev,COPR: Before this PR (broken state)
    Dev->>GH: Push fix to packaging/copr/Dockerfile
    GH-->>GHCR: No rebuild triggered (only tags/workflow_dispatch)
    GH->>COPR: copr-publish uses stale digest → ModuleNotFoundError

    Note over Dev,COPR: After this PR (fixed state)
    Dev->>GH: Push release tag
    GH->>GHCR: docker.yml rebuilds :copr image
    GH->>COPR: copr-publish pulls latest :copr tag → success

    Note over Dev,COPR: Still missing (paths trigger not added)
    Dev->>GH: Push change to packaging/copr/Dockerfile on main
    GH-->>GHCR: No rebuild triggered (paths trigger absent)
    Note over GHCR: :copr tag stays at previous build until next tag push

_{Reviews (5): Last reviewed commit: "fix(copr): drop docker-copr.yml per main..." | Re-trigger Greptile}

Thanks for digging into this! I think the scope can be trimmed — the two essential changes are dropping the @sha256: pin in copr-publish.yml and the renovate rule. Those alone fix the bug.

The new docker-copr.yml isn't needed: copr-publish.yml runs on release: published, and releases push a v* tag which already triggers docker.yml to rebuild :copr. Once the pin is gone, the next release publishes a fresh image and copr-publish pulls it. For ad-hoc rebuilds between releases, workflow_dispatch on docker.yml already works.

Could you drop the docker-copr.yml addition and keep just the two-line copr-publish.yml change plus the renovate rule? That's a tight, easy-to-review fix.

This comment was generated by an AI coding assistant.

Thanks for the clear feedback, @jdx! You're absolutely right — the docker-copr.yml was redundant since v* tag pushes already trigger docker.yml to rebuild :copr, and workflow_dispatch covers ad-hoc cases.

I've just dropped docker-copr.yml in the latest commit (797b5ab). The PR now contains only the two essential changes:

• copr-publish.yml: floating ghcr.io/jdx/mise:copr tag (no stale digest)
• .github/renovate.json: packageRule to prevent Renovate from re-pinning the :copr tag

Should be a clean, easy-to-review diff now. Let me know if anything else needs adjusting!

Want your agent to iterate on Greptile's feedback? Try greploops.