ci(e2e): scheduled repin to keep the act runner image off the GC edge #426
Merged
Re-resolve the catthehacker/ubuntu act-latest digest on a schedule and open a repin pull request when it moves, so the e2e runner pin keeps tracking a live, tag-referenced digest ahead of any upstream garbage-collection window. The job refuses to repin below the Node floor, mirroring the harness startup preflight.

Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
What
Addresses #400. The act runner image (e2e/harness/act.go) is a bare upstream digest; if GC'd, all e2e cannot pull. Adds a scheduled workflow (act-image-repin.yml) that re-resolves the upstream act-latest tag to its current digest and opens a reviewer-gated repin PR whenever it moves, so the pin stays on a live tag-referenced digest instead of aging into a GC window.
Approach (Option B, no maintainer blocker)
A durable ghcr mirror under stablekernel (Option A) is the stronger fix but needs a ghcr package create + write + make-public grant that is not available from here (the token lacks write:packages). So this ships the no-blocker path: the scheduled repin uses only github.token, refuses any digest below the Node 24 floor (mirroring the harness preflight), and verifies the e2e module builds before opening the PR.
Safety / no e2e impact
The pinned digest in act.go is UNCHANGED (this PR only updates the repin doc comment + adds the workflow), so existing e2e legs pull the same green image. The runtime only changes when a future repin PR is independently reviewed and merged. actionlint clean (shellcheck included; step outputs routed through env, no injection).
Operational note
PRs authored by GITHUB_TOKEN do not fire on: pull_request checks, so a repin PR must be added to the merge queue (which triggers e2e) before merge. Optional upgrade: author it with CASCADE_STATE_TOKEN to auto-trigger.
Maintainer hand-off (optional): if a durable ghcr mirror (Option A) is wanted, it needs a one-time ghcr package create + set-public under stablekernel.
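The repin gate described above (act only when the tag's digest has moved, refuse below the Node 24 floor), sketched as an added example that is not the project's workflow code. The function names, the constructed digests and the `image@digest` pin-line format are assumptions.

```shell
#!/bin/sh
# Added example; function names and the pin-line format are hypothetical.
NODE_FLOOR=24   # Node floor named in the PR description

# Registry output is untrusted: accept only "sha256:" + 64 lowercase hex chars.
is_digest() {
  hex=${1#sha256:}
  [ "$hex" != "$1" ] && [ "${#hex}" -eq 64 ] || return 1
  case $hex in *[!0-9a-f]*) return 1 ;; esac
}

# "v24.1.0" -> "24"; prints nothing when the version string is malformed.
node_major() {
  printf '%s\n' "$1" | sed -n 's/^v\{0,1\}\([0-9][0-9]*\)\..*$/\1/p'
}

# repin_decision PINNED RESOLVED NODE_VERSION -> invalid | noop | refuse | repin
repin_decision() {
  is_digest "$1" && is_digest "$2" || { echo invalid; return 0; }
  [ "$1" = "$2" ] && { echo noop; return 0; }
  major=$(node_major "$3")
  [ -n "$major" ] || { echo invalid; return 0; }
  [ "$major" -ge "$NODE_FLOOR" ] || { echo refuse; return 0; }
  echo repin
}

# apply_repin FILE PINNED RESOLVED NODE_VERSION: rewrite the pin only on a
# "repin" decision and only if the old digest occurs on exactly one line.
apply_repin() {
  [ "$(repin_decision "$2" "$3" "$4")" = repin ] || return 1
  [ "$(grep -cF "@$2" "$1")" -eq 1 ] || return 1
  sed "s/@$2/@$3/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed digests (not real image digests) for a stand-alone run.
OLD="sha256:$(printf '%064d' 0 | tr 0 a)"
NEW="sha256:$(printf '%064d' 0 | tr 0 b)"
repin_decision "$OLD" "$NEW" v24.1.0    # prints: repin
repin_decision "$OLD" "$NEW" v22.11.0   # prints: refuse
```

Because the digest is validated before it is interpolated into `sed`, a malformed or multi-line registry response is rejected as `invalid` instead of reaching the rewrite.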