Skip to content

ci(e2e): scheduled repin to keep the act runner image off the GC edge#426

Merged
joshua-temple merged 1 commit into
mainfrom
ci/durable-act-image
Jul 1, 2026
Merged

ci(e2e): scheduled repin to keep the act runner image off the GC edge#426
joshua-temple merged 1 commit into
mainfrom
ci/durable-act-image

Conversation

@joshua-temple

Copy link
Copy Markdown
Collaborator

What

Addresses #400. The act runner image (e2e/harness/act.go) is a bare upstream digest; if GC'd, all e2e cannot pull. Adds a scheduled workflow (act-image-repin.yml) that re-resolves the upstream act-latest tag to its current digest and opens a reviewer-gated repin PR whenever it moves, so the pin stays on a live tag-referenced digest instead of aging into a GC window.

Approach (Option B, no maintainer blocker)

A durable ghcr mirror under stablekernel (Option A) is the stronger fix but needs a ghcr package create + write + make-public grant that is not available from here (the token lacks write:packages). So this ships the no-blocker path: the scheduled repin uses only github.token, refuses any digest below the Node 24 floor (mirroring the harness preflight), and verifies the e2e module builds before opening the PR.

Safety / no e2e impact

The pinned digest in act.go is UNCHANGED (this PR only updates the repin doc comment + adds the workflow), so existing e2e legs pull the same green image. The runtime only changes when a future repin PR is independently reviewed and merged. actionlint clean (shellcheck included; step outputs routed through env, no injection).

Operational note

PRs authored by GITHUB_TOKEN do not fire on: pull_request checks, so a repin PR must be added to the merge queue (which triggers e2e) before merge. Optional upgrade: author it with CASCADE_STATE_TOKEN to auto-trigger.

Maintainer hand-off (optional): if a durable ghcr mirror (Option A) is wanted, it needs a one-time ghcr package create + set-public under stablekernel.

Re-resolve the catthehacker/ubuntu act-latest digest on a schedule and open a
repin pull request when it moves, so the e2e runner pin keeps tracking a live,
tag-referenced digest ahead of any upstream garbage-collection window. The job
refuses to repin below the Node floor, mirroring the harness startup preflight.

Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
@joshua-temple joshua-temple merged commit 03a9251 into main Jul 1, 2026
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant