Skip to content

Commit 8aecc01

Browse files
committed
Require image smoke before release tags
1 parent c260c5e commit 8aecc01

5 files changed

Lines changed: 47 additions & 11 deletions

File tree

CHANGELOG.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,10 @@ behavior when the change improves security or project direction.
2626
- Add a release-gate freshness check for compatible non-Pingora crate updates
2727
and strengthen release metadata validation for release notes, README,
2828
build/container docs, and RPM version alignment.
29+
- Copy workspace crates into all container build stages so release images build
30+
correctly after the workspace split.
31+
- Make `scripts/stable_release_gate.sh release` require the root image smoke
32+
plus representative Debian and Alpine variant image smokes before tagging.
2933
- Fix the OpenSSL FIPS support build-script hex literal grouping so Rust 1.96
3034
clippy accepts the vendored support crate under `-D warnings`.
3135
- Keep all feature profiles, binaries, release scripts, RPM/container behavior,

docs/release-checklist.md

Lines changed: 17 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -170,9 +170,22 @@ scripts/validate-owasp-top10-2025.sh run
170170
```
171171

172172
The stable gate includes the promoted cache and observability smoke tests for
173-
the `1.2` line. Optional gates below still cover slower or environment-specific
174-
checks such as TLS backend matrices, load testing, fuzz target compilation, and
175-
Podman image smoke tests.
173+
the `1.2` line. In `release` mode it also requires a local container image
174+
smoke before tagging: the root `Containerfile` plus representative Debian and
175+
Alpine variant builds. This catches workspace, packaging, and image build
176+
context mistakes before an immutable tag is pushed.
177+
178+
If a release builder cannot run Podman, do not skip this silently. Run the
179+
image gate on another builder and attach the evidence before tagging. The
180+
emergency-only bypass is:
181+
182+
```bash
183+
FLUXHEIM_SKIP_IMAGE_GATE=1 scripts/stable_release_gate.sh release
184+
```
185+
186+
Optional gates below still cover slower or environment-specific checks such as
187+
TLS backend matrices, load testing, fuzz target compilation, and full Podman
188+
variant image smoke tests.
176189

177190
For release-candidate validation, run the deeper local gate. It enables the TLS
178191
backend matrix, OpenSSL FIPS-capable validation, rustls/AWS-LC FIPS-capable
@@ -202,7 +215,7 @@ FLUXHEIM_GATE_TLS_SCAN=1 scripts/stable_release_gate.sh release
202215
FLUXHEIM_GATE_LOAD=1 scripts/stable_release_gate.sh release
203216
FLUXHEIM_GATE_FRAMING=1 scripts/stable_release_gate.sh release
204217
FLUXHEIM_GATE_FUZZ_CHECK=1 scripts/stable_release_gate.sh release
205-
FLUXHEIM_GATE_PODMAN=1 FLUXHEIM_GATE_PODMAN_VARIANTS=1 scripts/stable_release_gate.sh release
218+
FLUXHEIM_GATE_IMAGE_VARIANTS="debian alpine wolfi suse-micro" scripts/stable_release_gate.sh release
206219
```
207220

208221
For release builders that are expected to have a working OpenSSL FIPS provider,

docs/release-runbook.md

Lines changed: 13 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,7 @@ scripts/reproducible_build_check.sh
3636
scripts/validate-release-metadata.sh
3737
scripts/validate-owasp-top10-2025.sh check
3838
scripts/podman_smoke.sh
39+
FLUXHEIM_CONTAINER_VARIANTS="debian alpine" scripts/podman_smoke_variants.sh
3940
```
4041

4142
For PHP-FPM releases, also run:
@@ -62,11 +63,18 @@ For stable or release-candidate builds, prefer the stable gate:
6263
scripts/stable_release_gate.sh release
6364
```
6465

65-
For the `1.3` line this stable gate includes the proxy cache and local
66-
observability smoke suites, plus compile and packaged-config checks for the
67-
published full/default, cache, and proxy container image profiles. That keeps
68-
cache, Prometheus/OpenTelemetry basics, and focused image feature wiring
69-
covered by the same command used for release evidence.
66+
In `release` mode this stable gate is intentionally tag-blocking for container
67+
images: it runs the root image smoke plus representative Debian and Alpine
68+
variant image smokes before a tag should be pushed. Use
69+
`FLUXHEIM_GATE_IMAGE_VARIANTS="debian alpine wolfi suse-micro"` when the release
70+
needs full local variant evidence. Use `FLUXHEIM_SKIP_IMAGE_GATE=1` only when
71+
equivalent image evidence has already been collected on another builder.
72+
73+
For the `1.3` and later lines this stable gate includes the proxy cache and
74+
local observability smoke suites, plus compile and packaged-config checks for
75+
the published image profiles. That keeps cache, Prometheus/OpenTelemetry
76+
basics, and focused image feature wiring covered by the same command used for
77+
release evidence.
7078

7179
If `cargo audit` reports a known upstream advisory that cannot be fixed in this
7280
repository yet, record it explicitly in the release notes with the package,

release-notes/RELEASE_NOTES_1.5.17.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,10 @@ PHP-FPM, Wasm, and runtime extractions smaller and safer.
2525
- Added a release-gate crate freshness check for compatible non-Pingora updates
2626
and stricter release metadata checks for release notes, README,
2727
build/container docs, and RPM version alignment.
28+
- Copied workspace crates into all container build stages so release images
29+
build correctly after the workspace split.
30+
- Made `scripts/stable_release_gate.sh release` require the root image smoke
31+
plus representative Debian and Alpine variant image smokes before tagging.
2832
- Fixed the vendored OpenSSL FIPS support build script so Rust 1.96 clippy
2933
accepts the crate under release `-D warnings` checks.
3034

scripts/stable_release_gate.sh

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -123,8 +123,15 @@ else
123123
echo "stable release gate: skipping fuzz target compile check; set FLUXHEIM_GATE_FUZZ_CHECK=1 to enable"
124124
fi
125125

126-
if [ "${FLUXHEIM_GATE_PODMAN:-0}" = "1" ]; then
127-
echo "stable release gate: Podman smoke"
126+
if [ "$mode" = "release" ] && [ "${FLUXHEIM_SKIP_IMAGE_GATE:-0}" != "1" ]; then
127+
echo "stable release gate: required Podman image smoke"
128+
scripts/podman_smoke.sh
129+
FLUXHEIM_CONTAINER_VARIANTS="${FLUXHEIM_GATE_IMAGE_VARIANTS:-debian alpine}" \
130+
scripts/podman_smoke_variants.sh
131+
elif [ "$mode" = "release" ]; then
132+
echo "stable release gate: skipping required image smoke because FLUXHEIM_SKIP_IMAGE_GATE=1" >&2
133+
elif [ "${FLUXHEIM_GATE_PODMAN:-0}" = "1" ]; then
134+
echo "stable release gate: optional Podman smoke"
128135
scripts/podman_smoke.sh
129136
if [ "${FLUXHEIM_GATE_PODMAN_VARIANTS:-0}" = "1" ]; then
130137
scripts/podman_smoke_variants.sh

0 commit comments

Comments
 (0)