Skip to content

feat: add containers.txt to release assets for immutable image references#1916

Merged
lpcox merged 3 commits intomainfrom
copilot/add-list-of-containers-file
Apr 11, 2026
Merged

feat: add containers.txt to release assets for immutable image references#1916
lpcox merged 3 commits intomainfrom
copilot/add-list-of-containers-file

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 11, 2026
edited
Loading

Each AWF release publishes container images to GHCR, but consumers have no machine-readable way to know which exact image digests correspond to a given release. This adds a containers.txt file to every release with all five container images pinned by SHA digest, enabling immutable/reproducible consumption.

Changes

  • Job outputs: Added outputs: digest: to each container build job (build-squid, build-agent, build-api-proxy, build-cli-proxy, build-agent-act) — exposes the digest emitted by docker/build-push-action
  • Generate containers list: New step in release job (runs before checksum generation) that writes release/containers.txt using the digests passed down from each build job
  • Release asset: release/containers.txt added to the softprops/action-gh-release files list, placed before checksums.txt so it is covered by the SHA-256 checksum

Output format

ghcr.io/github/gh-aw-firewall/squid@sha256:abc123...
ghcr.io/github/gh-aw-firewall/agent@sha256:def456...
ghcr.io/github/gh-aw-firewall/agent-act@sha256:789ghi...
ghcr.io/github/gh-aw-firewall/api-proxy@sha256:jkl012...
ghcr.io/github/gh-aw-firewall/cli-proxy@sha256:mno345...

Consumers (e.g. gh-aw) can parse this file to pre-download or verify the exact images shipped with a release without relying on mutable tags.

Copilot AI linked an issue Apr 11, 2026 that may be closed by this pull request
List of containers #1751
Closed
Copilot AI changed the title [WIP] Add file to maintain list of containers for predownload feat: add containers.txt to release assets for immutable image references Apr 11, 2026
Copilot AI requested a review from lpcox April 11, 2026 18:45
@lpcox lpcox marked this pull request as ready for review April 11, 2026 18:46
@lpcox lpcox requested a review from Mossaka as a code owner April 11, 2026 18:46
Copilot AI review requested due to automatic review settings April 11, 2026 18:46
Copilot AI reviewed Apr 11, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a machine-readable containers.txt release asset listing the exact GHCR image digests for each AWF release, enabling immutable/reproducible image consumption.

Changes:

  • Exposes docker/build-push-action digests as job outputs for all container build jobs.
  • Generates release/containers.txt in the release job using those digests.
  • Uploads release/containers.txt as a GitHub Release asset (and ensures it’s included in checksums.txt generation).
Show a summary per file
File Description
.github/workflows/release.yml Plumbs image digest outputs through build jobs and generates/uploads containers.txt as part of the release assets.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 1

Comment thread .github/workflows/release.yml Outdated
@lpcox
Update .github/workflows/release.yml
791f237 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 11, 2026

Smoke test results (run 24289182699)

  • ✅ GitHub MCP: fix: skip add_labels in build-test on workflow_dispatch / fix: remove duplicate paragraph and revert cron in firewall-issue-dispatcher
  • ✅ Playwright: github.com title contains "GitHub"
  • ✅ File write: /tmp/gh-aw/agent/smoke-test-claude-24289182699.txt created and verified

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 11, 2026

🔥 Smoke Test Results — PASS

Test Result
GitHub MCP (list merged PRs → #1914)
GitHub.com connectivity (HTTP 200)
File write/read (smoke-test-copilot-24289182698.txt)

PR: feat: add containers.txt to release assets for immutable image references
Author: @app/copilot-swe-agent · Assignees: @lpcox @Copilot

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 11, 2026

Smoke test results (Codex)

  • Merged PR titles: "fix: skip add_labels in build-test on workflow_dispatch" | "feat: fail fast when DOCKER_HOST points to an external daemon (workflow-scope DinD)" ✅
  • safeinputs-gh PR query (2 PRs): ❌ (tool unavailable in this runtime)
  • Playwright github.com title contains "GitHub": ✅
  • Tavily search "GitHub Agentic Workflows Firewall": ❌ (Tavily MCP unavailable)
  • File write/read /tmp/gh-aw/agent/smoke-test-codex-24289182710.txt: ✅
  • Bash verification (cat): ✅
  • Discussion query + oracle discussion comment: ❌ (discussion query/write target unavailable)
  • Build (npm ci && npm run build): ✅
    Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

@github-actions github-actions Bot mentioned this pull request Apr 11, 2026
Closed
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 11, 2026

Smoke Test: GitHub Actions Services Connectivity ✅

Check Result
Redis PING (host.docker.internal:6379) PONG
pg_isready (host.docker.internal:5432) ✅ accepting connections
psql SELECT 1 (db: smoketest, user: postgres) ✅ returned 1

All checks passed. (redis-cli unavailable; used nc for Redis ping.)

🔌 Service connectivity validated by Smoke Services

@lpcox lpcox merged commit a90be4c into main Apr 11, 2026
23 checks passed
@lpcox lpcox deleted the copilot/add-list-of-containers-file branch April 11, 2026 18:56
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 11, 2026

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #1916 · ● 1.4M ·

This was referenced Apr 11, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@lpcox lpcox Awaiting requested review from lpcox

@Mossaka Mossaka Awaiting requested review from Mossaka Mossaka is a code owner

Assignees

@lpcox lpcox

Copilot code review Copilot

Labels

build-test smoke-claude smoke-copilot smoke-services

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

List of containers

3 participants

@lpcox