@@ -170,9 +170,22 @@ scripts/validate-owasp-top10-2025.sh run
170170```
171171
172172The stable gate includes the promoted cache and observability smoke tests for
173- the ` 1.2 ` line. Optional gates below still cover slower or environment-specific
174- checks such as TLS backend matrices, load testing, fuzz target compilation, and
175- Podman image smoke tests.
173+ the ` 1.2 ` line. In ` release ` mode it also requires a local container image
174+ smoke before tagging: the root ` Containerfile ` plus representative Debian and
175+ Alpine variant builds. This catches workspace, packaging, and image build
176+ context mistakes before an immutable tag is pushed.
177+
178+ If a release builder cannot run Podman, do not skip this silently. Run the
179+ image gate on another builder and attach the evidence before tagging. The
180+ emergency-only bypass is:
181+
182+ ``` bash
183+ FLUXHEIM_SKIP_IMAGE_GATE=1 scripts/stable_release_gate.sh release
184+ ```
185+
186+ Optional gates below still cover slower or environment-specific checks such as
187+ TLS backend matrices, load testing, fuzz target compilation, and full Podman
188+ variant image smoke tests.
176189
177190For release-candidate validation, run the deeper local gate. It enables the TLS
178191backend matrix, OpenSSL FIPS-capable validation, rustls/AWS-LC FIPS-capable
@@ -202,7 +215,7 @@ FLUXHEIM_GATE_TLS_SCAN=1 scripts/stable_release_gate.sh release
202215FLUXHEIM_GATE_LOAD=1 scripts/stable_release_gate.sh release
203216FLUXHEIM_GATE_FRAMING=1 scripts/stable_release_gate.sh release
204217FLUXHEIM_GATE_FUZZ_CHECK=1 scripts/stable_release_gate.sh release
205- FLUXHEIM_GATE_PODMAN=1 FLUXHEIM_GATE_PODMAN_VARIANTS=1 scripts/stable_release_gate.sh release
218+ FLUXHEIM_GATE_IMAGE_VARIANTS= " debian alpine wolfi suse-micro " scripts/stable_release_gate.sh release
206219```
207220
208221For release builders that are expected to have a working OpenSSL FIPS provider,
0 commit comments