[BUILD] Stamp org.opencontainers.image.revision label on UI image#3708
Merged
Conversation
Add a GIT_COMMIT_SHA build-arg (full git sha) and set it as the org.opencontainers.image.revision OCI label on the production image so the release promotion workflow can recover the UI commit via skopeo inspect. The existing short-hash COMMIT_HASH file is left unchanged.
Merged
11 tasks
pini-sh-panda
approved these changes
Jun 25, 2026
bar-shem-tov
added a commit
to mlrun/mlrun
that referenced
this pull request
Jul 2, 2026
…s latest (#9868) ### 📝 Description Reworks the `release-promotion` workflow so the operator only needs to provide the release `version`. The other tagging inputs (`commit_sha`, `ui_commit_sha`, `previous_version`) are now optional and derived from artifacts the private release already produced for that version. Also fixes RC promotions being incorrectly marked as the "latest" GitHub release. --- ### 🛠️ Changes Made - Made `commit_sha`, `ui_commit_sha`, and `previous_version` optional; when empty they are derived, and any provided value still wins as an override. - Derive `previous_version` (job `prepare-inputs`) from the repo's `v*` tags — the greatest GA tag strictly below `version` (skips all pre-releases, so a GA or RC compares against the previous GA). - Added a `derive-shas` job on the `mlrun-release` runner (only runner with private Artifactory access): - `commit_sha` from `mlrun/utils/version/version.json` (`git_commit`) inside the promoted wheel. - `ui_commit_sha` from the `org.opencontainers.image.revision` OCI label on the private `mlrun-ui:<version>` image. - Fixed RC-as-latest: a GA gets `prerelease=false`/`makeLatest=true`, an RC gets `prerelease=true`/`makeLatest=false`, applied to every `ncipollo/release-action` call. - Removed the dead `target_artifactory_pypi_repo` input. - Each derived value fails loud with an actionable message (pass the input explicitly) when it can't be resolved, instead of tagging the wrong/empty commit. --- ### ✅ Checklist - [ ] I updated the documentation (if applicable) - [ ] I have tested the changes in this PR - [ ] I confirmed whether my changes are covered by system tests - [ ] If yes, I ran all relevant system tests and ensured they passed before submitting this PR - [ ] I updated existing system tests and/or added new ones if needed to cover my changes - [ ] If I introduced a deprecation: - [ ] I followed the [Deprecation Guidelines](./DEPRECATION.md) - [ ] I updated the relevant Jira ticket for documentation - [ ] Please run [Smoke-tests](https://github.com/mlrun/mlrun/actions/workflows/smoke-tests.yml) workflow, providing it the PR number as input (upon success, the workflow run will add label "Smoke tests: Pass" to the PR) --- ### 🧪 Testing <!-- - How it was tested (unit tests, manual, integration) --> - Dry-run the workflow with only `version` set against a recently released version; confirm derived `commit_sha`/`ui_commit_sha`/`previous_version` match the private release outputs. - Override paths covered by passing each input explicitly. --- ### 🔗 References - Ticket link: DEVOPS-1976 (generalize inputs), DEVOPS-1814 (RC marked as latest), ML-12716 (Artifactory input cleanup) - Design docs links: - External links: Builds on (merged) mlrun/ui#3708 — adds the UI image revision label this workflow reads --- ### 🚨 Breaking Changes? - [ ] Yes (explain below) - [x] No Backward compatible: callers that pass all inputs keep working unchanged. --- ### 🔍️ Additional Notes - Builds on the (merged) revision-label change in mlrun/ui#3708. Only UI images built after that merge carry the label; for older versions `ui_commit_sha` derivation fails loud and asks the operator to pass it explicitly. - Relies on `mlrun` and `mlrun/ui` being released in version lockstep (verified across the full modern tag history).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
📝 Description
Adds the standard OCI revision label (
org.opencontainers.image.revision) to the production UI image so the full UI commit SHA travels with the published image. This lets the MLRunrelease-promotionworkflow derive the UI commit to tag straight from the image, instead of requiring an operator to paste it by hand.🛠️ Changes Made
Dockerfile: declareARG GIT_COMMIT_SHAand setLABEL org.opencontainers.image.revision=$GIT_COMMIT_SHAon the production stage.package.json: pass--build-arg GIT_COMMIT_SHA="$(git rev-parse HEAD)"(the full SHA) from thedockerbuild script.✅ Checklist
🔗 References
skopeo inspectto deriveui_commit_sha)🚨 Potentially Breaking Changes
Metadata only — no behavior change to the running image. Images built before this change have no label; the consumer handles that by failing loud and asking for an explicit
ui_commit_sha.Includes DRC change
🔍 Additional Notes
release-promotiongeneralization; that workflow consumes this label.📸 Screenshots / Demos
N/A — no UI change.