Skip to content

Publish hosted managed runtime images#134

Merged
SoundBlaster merged 1 commit into
mainfrom
codex/publish-hosted-managed-images
Jul 13, 2026
Merged

Publish hosted managed runtime images#134
SoundBlaster merged 1 commit into
mainfrom
codex/publish-hosted-managed-images

Conversation

@SoundBlaster

Copy link
Copy Markdown
Member

Summary

  • Add a manual, main-only multi-architecture GHCR publication workflow for the Platform hosted runtime and capability-free ingress.
  • Emit and validate a versioned digest-pinned image lock with provenance/SBOM evidence.
  • Link related issue/task (if any): Secure Hosted Runtime Deployment & Production Canary

Motivation

  • The production Compose contract requires immutable image refs, but Platform did not yet publish deployable hosted runtime images or a machine-checkable lock.

Goals

  • Publish amd64/arm64 images from merged main only.
  • Make the validated image lock, rather than mutable commit tags, the production deployment input.
  • Image publication does not deploy, expand the operation allowlist, or execute managed operations.

Changes

  • Add the manual GHCR workflow with QEMU/Buildx, digest-pinned Caddy base, provenance, and SBOM attestations.
  • Add image-lock validation, regression tests, CI coverage, and production runbook guidance.

Validation

  • Tests added/updated for changed behavior
  • Local checks passed

Commands run:

make python-quality
make hosted-managed-image-lock-contract
ruff check scripts/validate_hosted_managed_image_lock.py tests/test_hosted_managed_image_lock.py
git diff --check

Results:

  • Full Platform suite: 353 passed, 7 skipped.
  • Image-lock contract: 3 passed.

Risks / Notes

  • Backward compatibility impact: no runtime behavior changes.
  • Migration/config changes required: production operators download the workflow artifact and use its digest refs.
  • Known limitations: the workflow is intentionally manual and can publish only from main; actual production deployment remains separate.

Checklist

  • PR title clearly describes the change
  • Scope is focused and minimal
  • Documentation updated (or N/A)
  • Workflow/artifact changes distinguish artifact presence from readiness/status
  • Temporary or intermediate paths are scoped to the current run/task where relevant
  • No secrets or sensitive data added

@SoundBlaster SoundBlaster merged commit 642bba2 into main Jul 13, 2026
4 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6df38e4f30

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +95 to +96
if _authority_findings(payload):
diagnostics.append("authority_boundary_expanded")

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Require authority boundary fields before accepting locks

When the downloaded lock omits authority_boundary entirely, _authority_findings(payload) returns an empty list and the validator still reports success as long as the other fields are present. For the production image-lock handoff, that lets a malformed or stripped artifact be treated as the machine-checkable proof that publishing cannot deploy, expand allowlists, or execute operations even though those explicit false grants are absent; require the expected authority_boundary object and may_*: false keys before accepting the lock.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant