Update "latest" tagged images on new tag #248
4258cf5 to 064adca
On non-PR builds (tag/main pushes), also push a <flavor>-latest tag alongside the versioned tag. This allows consumers to reference a stable floating tag without needing to update on every release. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
064adca to 2adceb7
Adds a manually triggered workflow that retags an existing versioned image as stable without rebuilding. Usage: gh workflow run promote-stable.yaml -f version=0.5.7 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Use docker buildx imagetools create for server-side manifest copy instead of pull/tag/push. Run all flavors in one job. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Temporary: adds push tag trigger and shell default for VERSION. Will revert after testing. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove temporary push tag trigger used for testing. Keep shell default for VERSION. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Check that the current tag is the highest semver tag reachable from main before pushing latest. This prevents older tags or tags on non-main branches from overwriting the latest images. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
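The gate described in the commit message above, as an added example that is not the PR's own workflow code: it allows the floating `<flavor>-latest` tag to move only when the pushed tag is reachable from main and is the highest release tag there. It assumes release tags are plain `MAJOR.MINOR.PATCH` (as in `0.5.7`); the function names and the git wiring in the comment are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not the PR's workflow code: decide whether a pushed tag may
# move the floating <flavor>-latest tag.
# Assumption: release tags are plain MAJOR.MINOR.PATCH, e.g. 0.5.7.

SEMVER_RE='^[0-9]+\.[0-9]+\.[0-9]+$'

# highest_semver: read tag names on stdin, print the highest strict semver tag.
# Numeric per-field sort, so 0.5.10 ranks above 0.5.7 (a lexical sort would not).
highest_semver() {
  grep -E "$SEMVER_RE" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# may_push_latest CURRENT: the tags reachable from main arrive on stdin.
# Returns 0 only if CURRENT is in that list and is the highest release tag.
may_push_latest() {
  local current="$1" tags highest
  tags="$(cat)"
  # Reject anything that is not a strict release tag (pre-releases, typos).
  printf '%s\n' "$current" | grep -Eq "$SEMVER_RE" || return 1
  # A tag created on a non-main branch is absent from the reachable list.
  printf '%s\n' "$tags" | grep -Fxq -- "$current" || return 1
  highest="$(printf '%s\n' "$tags" | highest_semver)"
  [ "$current" = "$highest" ]
}

# Hypothetical wiring in a workflow step:
#   git tag --merged origin/main | may_push_latest "$GITHUB_REF_NAME"

# Constructed sample: tags reachable from main. 0.5.8 exists only on a side
# branch, so it is not listed here.
SAMPLE_MAIN_TAGS='0.4.9
0.5.7
0.5.10
0.5.2
nightly-20240101'

for t in 0.5.10 0.5.7 0.5.8; do
  if printf '%s\n' "$SAMPLE_MAIN_TAGS" | may_push_latest "$t"; then
    echo "$t: push latest"
  else
    echo "$t: keep existing latest"
  fi
done
```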
porridge left a comment
It would be good to add a short HOWTO describing the new process, to make sure everyone is on the same page (e.g. AFAICT we should only use -latest in PRs against openshift/release that should not be merged, right?)
Good point. I'll add a doc. And we can add a check for this into the stackrox step in osci/prow to show up as a GitHub check failure to prevent PRs to release configs (and probably all stackrox configs) from having the "latest" tag.
Describe the versioned/latest/stable tagging strategy, how to promote to stable, and how prow jobs should reference images in openshift/release. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
And to prevent "latest" on the release branch configs: https://github.com/openshift/release/pull/77736/changes#diff-b46f9042e8c7036fccf35cdeab443de14fec0d4b2643500d6854b79363b764fcR773
This is all very nice and describes various bits and pieces. But what a random person who wants to bump a random dependency would look for is a step-by-step guide on how to get it out of the door.
We also need to agree on some sort of synchronization against multiple changes to this repo that are in flight, because there can only be one latest tag at a time, so a single change to openshift/release can be tested at a given moment.
Understood. I'll add a step-by-step walkthrough.
And you're right, if someone is testing a latest (current master of rox-ci-image) and a PR merges to rox-ci-image and pushes a new latest image and that gets mirrored, then the testing could get a newer "latest" than they expected.
However, I think that is rare because we do not change these images often. Would it be helped or prevented if I add a GHA check that warns on PRs if the "stable" tag is older than the last "latest" tag on master? (So the PR creator could look at master to see what other changes are "in-flight" and not promoted to stable yet)
@porridge I merged this to unblock m.clasmeier. Does the updated readme look better, or what can be improved?
Co-authored-by: Marcin Owsiany <porridge@redhat.com>
Address review feedback requesting a concrete walkthrough for someone bumping a dependency, including the coordination note about the single `latest` tag. Partially generated by AI. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- `<flavor>-latest` tag alongside the versioned tag.
- `<flavor>-stable` tag based on a version [default is latest]

This allows openshift-release mirror config to reference the floating tags `latest` and `stable`, removing the need to request testplatform review for every version bump.

To use this: openshift/release#77606 adds the "-latest" (and -stable) image mirroring into the openshift-release config, and then tests will be able to use a "latest" or "stable" tagged rox-ci-image.
Test plan
🤖 Generated with Claude Code