feat(cli): add two-phase deploy (build-only + register-only)

Adds support for splitting deployment into separate build and register
phases. New CLI options: --build-only, --register-only, --registry,
--repository, --base-image-node, --containerfile-module, --skip-digest.

Also adds: worker pod service account configuration, security context,
DEPLOY_VERSION_SUFFIX env var, custom containerfile module support,
and index metadata extraction from Docker images.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: amarbakir-govsignals

apps/supervisor/Containerfile

@@ -25,7 +25,8 @@ RUN --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store pnpm fetch -
 FROM deps-fetcher AS dev-deps
 ENV NODE_ENV development
 
-RUN --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store pnpm install --frozen-lockfile --offline --ignore-scripts
+# TEMP --no-frozen-lockfile and remove --offline for overrides for CVEs
+RUN --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store pnpm install --no-frozen-lockfile --ignore-scripts
 
 FROM base AS builder
 

apps/supervisor/src/env.ts

@@ -81,6 +81,8 @@ const Env = z.object({
   KUBERNETES_FORCE_ENABLED: BoolEnv.default(false),
   KUBERNETES_NAMESPACE: z.string().default("default"),
   KUBERNETES_WORKER_NODETYPE_LABEL: z.string().default("v4-worker"),
+  KUBERNETES_WORKER_SERVICE_ACCOUNT: z.string().optional(), // Service account for worker pods
+  KUBERNETES_WORKER_AUTOMOUNT_SERVICE_ACCOUNT_TOKEN: BoolEnv.default(false), // Whether to mount SA token
   KUBERNETES_IMAGE_PULL_SECRETS: z.string().optional(), // csv
   KUBERNETES_EPHEMERAL_STORAGE_SIZE_LIMIT: z.string().default("10Gi"),
   KUBERNETES_EPHEMERAL_STORAGE_SIZE_REQUEST: z.string().default("2Gi"),

apps/supervisor/src/workloadManager/kubernetes.ts

@@ -117,6 +117,9 @@ export class KubernetesWorkloadManager implements WorkloadManager {
               "app.kubernetes.io/part-of": "trigger-worker",
               "app.kubernetes.io/component": "create",
             },
+            annotations: {
+              "com.palantir.rubix.service/pod-cert": "{}",
+            },
           },
           spec: {
             ...this.addPlacementTags(this.#defaultPodSpec, opts.placementTags),
@@ -132,6 +135,14 @@ export class KubernetesWorkloadManager implements WorkloadManager {
                   },
                 ],
                 resources: this.#getResourcesForMachine(opts.machine),
+                securityContext: {
+                  runAsNonRoot: true,
+                  runAsUser: 1000,
+                  allowPrivilegeEscalation: false,
+                  capabilities: {
+                    drop: ["ALL"],
+                  },
+                },
                 env: [
                   {
                     name: "TRIGGER_DEQUEUED_AT_MS",
@@ -306,13 +317,23 @@ export class KubernetesWorkloadManager implements WorkloadManager {
   get #defaultPodSpec(): Omit<k8s.V1PodSpec, "containers"> {
     return {
       restartPolicy: "Never",
-      automountServiceAccountToken: false,
+      // Explicit control over service account token mounting (defaults to false for security)
+      automountServiceAccountToken: env.KUBERNETES_WORKER_AUTOMOUNT_SERVICE_ACCOUNT_TOKEN,
       imagePullSecrets: this.getImagePullSecrets(),
       ...(env.KUBERNETES_SCHEDULER_NAME
         ? {
             schedulerName: env.KUBERNETES_SCHEDULER_NAME,
           }
         : {}),
+      // Optionally specify a service account for the worker pods
+      ...(env.KUBERNETES_WORKER_SERVICE_ACCOUNT
+        ? { serviceAccountName: env.KUBERNETES_WORKER_SERVICE_ACCOUNT }
+        : {}),
+      securityContext: {
+        runAsNonRoot: true,
+        runAsUser: 1000,
+        fsGroup: 1000,
+      },
       ...(env.KUBERNETES_WORKER_NODETYPE_LABEL
         ? {
             nodeSelector: {

apps/webapp/app/env.server.ts

@@ -334,6 +334,7 @@ const EnvironmentSchema = z
       .transform((v) => v ?? process.env.DEPLOY_REGISTRY_ECR_ASSUME_ROLE_EXTERNAL_ID),
 
     DEPLOY_IMAGE_PLATFORM: z.string().default("linux/amd64"),
+    DEPLOY_VERSION_SUFFIX: z.string().optional(),
     DEPLOY_TIMEOUT_MS: z.coerce
       .number()
       .int()

apps/webapp/app/presenters/v3/DeploymentListPresenter.server.ts

@@ -202,7 +202,8 @@ WHERE
   wd."projectId" = ${project.id}
   AND wd."environmentId" = ${environment.id}
 ORDER BY
-  string_to_array(wd."version", '.')::int[] DESC
+  string_to_array(split_part(wd."version", '-', 1), '.')::int[] DESC,
+  split_part(wd."version", '-', 2) DESC
 LIMIT ${pageSize} OFFSET ${pageSize * (page - 1)};`;
 
     const { connectedGithubRepository } = project;
@@ -319,7 +320,13 @@ LIMIT ${pageSize} OFFSET ${pageSize * (page - 1)};`;
       FROM ${sqlDatabaseSchema}."WorkerDeployment"
       WHERE "projectId" = ${project.id}
         AND "environmentId" = ${environment.id}
-        AND string_to_array(version, '.')::int[] > string_to_array(${version}, '.')::int[]
+        AND (
+          string_to_array(split_part(version, '-', 1), '.')::int[] > string_to_array(split_part(${version}, '-', 1), '.')::int[]
+          OR (
+            string_to_array(split_part(version, '-', 1), '.')::int[] = string_to_array(split_part(${version}, '-', 1), '.')::int[]
+            AND split_part(version, '-', 2) > split_part(${version}, '-', 2)
+          )
+        )
     `;
 
     const count = Number(deploymentsSinceVersion[0].count);

apps/webapp/app/presenters/v3/TestPresenter.server.ts

@@ -45,7 +45,11 @@ export class TestPresenter extends BasePresenter {
       >`WITH workers AS (
           SELECT
                 bw.*,
-                ROW_NUMBER() OVER(ORDER BY string_to_array(bw.version, '.')::int[] DESC) AS rn
+                ROW_NUMBER() OVER(
+                  ORDER BY 
+                    string_to_array(split_part(bw.version, '-', 1), '.')::int[] DESC,
+                    split_part(bw.version, '-', 2) DESC
+                ) AS rn
           FROM
                 ${sqlDatabaseSchema}."BackgroundWorker" bw
           WHERE "runtimeEnvironmentId" = ${envId}

apps/webapp/app/v3/marqs/devQueueConsumer.server.ts

@@ -22,6 +22,7 @@ import { FailedTaskRunService } from "../failedTaskRun.server";
 import { CancelDevSessionRunsService } from "../services/cancelDevSessionRuns.server";
 import { CompleteAttemptService } from "../services/completeAttempt.server";
 import { attributesFromAuthenticatedEnv, tracer } from "../tracer.server";
+import { compareDeploymentVersions } from "../utils/deploymentVersions";
 import { DevSubscriber, devPubSub } from "./devPubSub.server";
 
 const MessageBody = z.discriminatedUnion("type", [
@@ -589,7 +590,7 @@ export class DevQueueConsumer {
   }
 
   // Get the latest background worker based on the version.
-  // Versions are in the format of 20240101.1 and 20240101.2, or even 20240101.10, 20240101.11, etc.
+  // Versions are in the format of YYYYMMDD.N (e.g., 20240101.1) with optional suffix (e.g., 20240101.1-hardened)
   #getLatestBackgroundWorker() {
     const workers = Array.from(this._backgroundWorkers.values());
 
@@ -598,22 +599,10 @@ export class DevQueueConsumer {
     }
 
     return workers.reduce((acc, curr) => {
-      const accParts = acc.version.split(".").map(Number);
-      const currParts = curr.version.split(".").map(Number);
-
-      // Compare the major part
-      if (accParts[0] < currParts[0]) {
-        return curr;
-      } else if (accParts[0] > currParts[0]) {
-        return acc;
-      }
-
-      // Compare the minor part (assuming all versions have two parts)
-      if (accParts[1] < currParts[1]) {
-        return curr;
-      } else {
-        return acc;
-      }
+      // Use compareDeploymentVersions to properly handle versions with suffixes
+      const comparison = compareDeploymentVersions(acc.version, curr.version);
+      // If curr is newer (comparison returns -1), use curr, otherwise use acc
+      return comparison < 0 ? curr : acc;
     });
   }
 }

apps/webapp/app/v3/services/createBackgroundWorker.server.ts

@@ -10,6 +10,7 @@ import { BackgroundWorkerId } from "@trigger.dev/core/v3/isomorphic";
 import type { BackgroundWorker, TaskQueue, TaskQueueType } from "@trigger.dev/database";
 import cronstrue from "cronstrue";
 import { $transaction, Prisma, PrismaClientOrTransaction } from "~/db.server";
+import { env } from "~/env.server";
 import { sanitizeQueueName } from "~/models/taskQueue.server";
 import { AuthenticatedEnvironment } from "~/services/apiAuth.server";
 import { logger } from "~/services/logger.server";
@@ -65,7 +66,7 @@ export class CreateBackgroundWorkerService extends BaseService {
         return latestBackgroundWorker;
       }
 
-      const nextVersion = calculateNextBuildVersion(project.backgroundWorkers[0]?.version);
+      const nextVersion = calculateNextBuildVersion(project.backgroundWorkers[0]?.version, env.DEPLOY_VERSION_SUFFIX);
 
       logger.debug(`Creating background worker`, {
         nextVersion,

apps/webapp/app/v3/services/initializeDeployment.server.ts

@@ -85,7 +85,7 @@ export class InitializeDeploymentService extends BaseService {
         take: 1,
       });
 
-      const nextVersion = calculateNextBuildVersion(latestDeployment?.version);
+      const nextVersion = calculateNextBuildVersion(latestDeployment?.version, env.DEPLOY_VERSION_SUFFIX);
 
       if (payload.selfHosted && remoteBuildsEnabled()) {
         throw new ServiceValidationError(

apps/webapp/app/v3/utils/calculateNextBuildVersion.ts

@@ -1,23 +1,29 @@
 // Calculate next build version based on the previous version
 // Version formats are YYYYMMDD.1, YYYYMMDD.2, etc.
+// With optional suffix: YYYYMMDD.1-suffix
 // If there is no previous version, start at Todays date and .1
-export function calculateNextBuildVersion(latestVersion?: string | null): string {
+export function calculateNextBuildVersion(latestVersion?: string | null, suffix?: string): string {
   const today = new Date();
   const year = today.getFullYear();
   const month = today.getMonth() + 1;
   const day = today.getDate();
   const todayFormatted = `${year}${month < 10 ? "0" : ""}${month}${day < 10 ? "0" : ""}${day}`;
 
   if (!latestVersion) {
-    return `${todayFormatted}.1`;
+    const baseVersion = `${todayFormatted}.1`;
+    return suffix ? `${baseVersion}-${suffix}` : baseVersion;
   }
 
-  const [date, buildNumber] = latestVersion.split(".");
+  // Extract base version and suffix from latest version
+  const [baseVersion, existingSuffix] = latestVersion.split("-");
+  const [date, buildNumber] = baseVersion.split(".");
 
   if (date === todayFormatted) {
     const nextBuildNumber = parseInt(buildNumber, 10) + 1;
-    return `${date}.${nextBuildNumber}`;
+    const newBaseVersion = `${date}.${nextBuildNumber}`;
+    return suffix ? `${newBaseVersion}-${suffix}` : newBaseVersion;
   }
 
-  return `${todayFormatted}.1`;
+  const newBaseVersion = `${todayFormatted}.1`;
+  return suffix ? `${newBaseVersion}-${suffix}` : newBaseVersion;
 }