Feat/cherry pick to 16 #251
* ci: publish keyless release attestations
* ci: drop nvcr release attestations
* ci: narrow release attestation identity
* ci: gate attestations to release tags
* docs: show immutable release subjects
* ci: attest helm chart releases

---------

Signed-off-by: AnouarMohamed <m.anouar@mundiapolis.ma>
Co-authored-by: Anouar Mohamed <m.anouar@mundiapolis.ma>

Updates chart/values.yaml to pin the multi-arch manifest digests for the newly released operator (v0.16.0) and agent (v6.4.2) images, bumps chart/Chart.yaml version and appVersion to v0.16.0 to match, and regenerates chart/CHANGELOG.md via `make changelog COMPONENT=chart`. The new chart/v0.16.0 section calls out the bundled component versions and links to their GitHub releases.

Signed-off-by: Alex Yuskauskas <ayuskauskas@nvidia.com>
chore(chart): bump to v0.16.0 with pinned operator and agent digests
`helm push` (3.16+) writes the human-readable "Pushed:" and "Digest:"
lines to stderr, so the existing `$(helm push ...)` only captured an
empty stdout and the awk that extracts the digest produced no match.
Redirect stderr into stdout for the command substitution so the
digest-parser sees the same output that's already visible in the
runner log. The follow-up `sha256:[a-f0-9]{64}` regex check still
guards against malformed input.
Surfaced when publishing chart/v0.16.0 to oci://ghcr.io/nvidia/nodewright/charts:
the push itself succeeded, but the subsequent attestation steps failed
because no digest was extracted.
Signed-off-by: Alex Yuskauskas <ayuskauskas@nvidia.com>
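
The capture failure this commit message describes, as an added example (not the repository's workflow code): `fake_helm_push` is a hypothetical stand-in that writes the "Pushed:" and "Digest:" lines to stderr, and the chart reference and digest are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example: no real `helm push` is run; fake_helm_push is a stand-in.
# The chart reference and digest below are constructed sample values.
H=0123456789abcdef
SAMPLE_DIGEST="sha256:$H$H$H$H"

fake_helm_push() {
  # Mimics the behaviour described above: both status lines go to stderr.
  printf 'Pushed: example.invalid/charts/demo:0.0.0\n' >&2
  printf 'Digest: %s\n' "$SAMPLE_DIGEST" >&2
}

# Extract the value of the first "Digest:" line from captured output.
parse_digest() {
  printf '%s\n' "$1" | awk '$1 == "Digest:" { print $2; exit }'
}

# Accept exactly one well-formed sha256 digest (7 + 64 = 71 characters).
valid_digest() {
  [ "${#1}" -eq 71 ] && printf '%s\n' "$1" | grep -Eq '^sha256:[a-f0-9]{64}$'
}

# Before the fix: only stdout is captured, so the parser sees nothing.
# (stderr is discarded here only to keep the demo quiet.)
digest_stdout_only() {
  out="$(fake_helm_push 2>/dev/null)"
  parse_digest "$out"
}

# After the fix: stderr is merged into stdout inside the substitution.
digest_merged() {
  out="$(fake_helm_push 2>&1)"
  parse_digest "$out"
}

# Fail closed: later signing/attestation steps must never receive an
# empty or malformed subject digest.
resolve_digest() {
  d="$(digest_merged)"
  valid_digest "$d" || { echo "no valid digest in push output" >&2; return 1; }
  printf '%s\n' "$d"
}
```
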
Walkthrough

This PR coordinates the NodeWright v0.16.0 release, introducing artifact signing and attestation via three new GitHub composite actions (resolve-oci-digest, cosign-sign-sbom, cosign-verify-release) integrated into the agent, operator, and release CI workflows. It migrates software distribution to OCI-only (ghcr.io), bumps the Helm chart to v0.16.0 with new image registries, refactors the lychee link-checking workflow, updates the release process documentation with branch strategy and signature verification steps, and rebrands all Kubernetes test assertions to NodeWright. Configuration, documentation, and developer guidance are updated throughout to reflect the Skyhook-to-NodeWright transition.

Estimated code review effort: 4 (Complex) | ~75 minutes
Warning: There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

Trivy (0.69.3): Trivy execution failed: 2026-05-22T21:45:10Z FATAL Fatal error run error: fs scan error: scan error: scan failed: failed analysis: post analysis error: post analysis error: cloudformation scan error: fs filter error: fs filter error: walk error range error: stat smartylint.json: no such file or directory: range error: stat smartylint.json: no such file or directory
Description
git cherry-pick 046fe2e 4b3caae
Checklist
git commit -s) per the DCO.