ci(base-image): push prebuilt multi-arch openlock-base to ghcr (bd openlock-awo)#48
Merged
…enlock-awo) Adds the CI half of registry-pull for the base sandbox image. The host side (ensure-base.ts: imageExists -> tryPull -> build) and the `openlock --print-base-tag` affordance already shipped with the 8op slim restructure; this is the missing push. On a v*.*.* release tag (or manual dispatch) the workflow computes the base tag via the SAME code path as the host (`openlock --print-base-tag` -> sha256(base.Containerfile)[0..12]), skips if the tag already exists in ghcr, then builds amd64+arm64 via buildx+QEMU and pushes the multi-arch manifest to ghcr.io/vessux/openlock-base:<hash>. provenance disabled to match the fork-binary trust model and keep podman arch-selection clean. A fresh install then pulls the base instead of running the slow apt/node/uv build; local build stays the offline/air-gapped fallback.
## What

Adds the CI workflow that builds the multi-arch (amd64+arm64) `openlock-base` image and pushes it to `ghcr.io/vessux/openlock-base:<hash>` — completing bd openlock-awo (prebuilt core images via registry-pull).

## Why this is small

The host side already shipped with the 8op slim restructure (#47):

- `src/sandbox/ensure-base.ts` already does `imageExists → tryPull → build` against the GHCR tag.
- `base.Containerfile`'s header already documents "CI computes the same hash and pushes to that exact tag."
- `openlock --print-base-tag` CLI flag (with a test) specifically so CI can compute the matching tag.

The only missing piece was the push. This PR is one YAML file.

## How the tag stays in sync (the one correctness constraint)

CI computes the tag via the exact same code path as the host — `bun run src/cli.ts --print-base-tag` → `sha256(base.Containerfile)[0..12]` — rather than re-hashing the file in bash, so it's immune to any Bun text-import byte normalization drift. Locally this prints `ghcr.io/vessux/openlock-base:c00459a7735d`.

## Design decisions (confirmed with maintainer)

- `v*.*.*` release tags + manual dispatch. A released binary embeds a frozen `base.Containerfile`, so building on the tag guarantees that release's base hash exists. Separate workflow (not folded into `release.yml`) to scope `packages: write` and isolate failure — a slow base build never blocks the binary release.
- `setup-qemu-action` + `buildx --platform linux/amd64,linux/arm64 --push`. The arm64 leg is emulated (~10-15 min) but runs only on the rare release where `base.Containerfile` changed — an idempotency check (`buildx imagetools inspect`) skips the build entirely when the tag is already in ghcr.
- `provenance: false` — matches the fork-binary trust model (no attestation) and keeps the pushed manifest a clean per-arch index that podman resolves reliably.
- Local build remains first-class for offline/air-gapped users — this is a cold-start perf win, not a hard dependency.

The first push creates a private ghcr package. Flip `ghcr.io/vessux/openlock-base` to public (GitHub → Packages → Package settings) so end users' unauthenticated `podman pull` works.

## Verification

- `bun run src/cli.ts --print-base-tag` → valid ghcr ref ✅
- `bun test src/cli/print-base-tag.test.ts` → 1 pass ✅
- `[push, workflow_dispatch]`, perms `contents:read packages:write` ✅
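A sketch of the workflow the description lays out (tag from the CLI, `imagetools inspect` gate, QEMU + buildx multi-arch push with provenance off), written here as an added example and not the PR's actual YAML. The action versions, the `oven-sh/setup-bun` step, the repo-root location of `base.Containerfile`, and the assumption that `--print-base-tag` prints only the full ghcr ref on stdout are mine, not the project's.

```yaml
# Added illustration of the described workflow; not the PR's file.
# Assumed: action versions, oven-sh/setup-bun, base.Containerfile at the
# repo root, and that `bun run src/cli.ts --print-base-tag` prints the ref.
name: base-image
on:
  push:
    tags: ["v*.*.*"]
  workflow_dispatch:
permissions:
  contents: read      # least privilege: only the package scope is writable
  packages: write
jobs:
  push-base:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2
      - run: bun install --frozen-lockfile
      # Same code path as the host: sha256(base.Containerfile)[0..12]
      - id: tag
        run: echo "ref=$(bun run src/cli.ts --print-base-tag)" >> "$GITHUB_OUTPUT"
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/setup-buildx-action@v3
      # Idempotency gate: a manifest already in ghcr means no rebuild at all.
      - id: exists
        run: |
          if docker buildx imagetools inspect "${{ steps.tag.outputs.ref }}" >/dev/null 2>&1; then
            echo "hit=true" >> "$GITHUB_OUTPUT"
          else
            echo "hit=false" >> "$GITHUB_OUTPUT"
          fi
      - if: steps.exists.outputs.hit == 'false'
        uses: docker/setup-qemu-action@v3
      - if: steps.exists.outputs.hit == 'false'
        uses: docker/build-push-action@v6
        with:
          context: .
          file: base.Containerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.tag.outputs.ref }}
          provenance: false   # plain per-arch index, no attestation manifest
```

Because the tag is derived from the file contents rather than the git ref, a re-run on the same release is a no-op at the `exists` gate, and a host that pulls this tag gets exactly the base its embedded `base.Containerfile` would have built.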