Merge branch 'main' into lelia/v2-release

lelia · web-flow · commit 4b64616fa69a · 2026-03-20T16:37:48.000-04:00
diff --git a/.github/workflows/_docker-pipeline.yml b/.github/workflows/_docker-pipeline.yml
@@ -70,7 +70,7 @@ jobs:
       - name: 🔨 Set up Docker Buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
-      # Logins and metadata are only needed in push mode
+      # GHCR login runs before the build — needed to pull ghcr.io/astral-sh/uv.
       - name: Login to GHCR
         if: inputs.push
         uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
@@ -79,12 +79,11 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ github.token }}
 
-      - name: Login to Docker Hub
-        if: inputs.push
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      # Docker Hub login is deferred until after the build and tests.
+      # A repo-scoped Docker Hub token (socketdev/socket-basics only) would cause
+      # 401s if active during the build, since BuildKit uses it for ALL Docker Hub
+      # requests including pulling public base images (python, trivy, trufflehog).
+      # Those public images pull fine without auth; only the push needs credentials.
 
       - name: Extract image metadata
         if: inputs.push
@@ -124,6 +123,11 @@ jobs:
             BUILD_DATE=${{ github.event.repository.updated_at }}
           cache-from: type=gha,scope=${{ inputs.name }}
           cache-to: type=gha,mode=max,scope=${{ inputs.name }}
+          # Disable attestations for the test build — provenance/SBOM cause BuildKit
+          # to pull docker/buildkit-syft-scanner from Docker Hub, which fails with a
+          # repo-scoped token. Attestations are enabled on the push step only.
+          provenance: false
+          sbom: false
 
       # ── Step 2: Smoke test ─────────────────────────────────────────────────
       - name: 🧪 Smoke test
@@ -141,6 +145,16 @@ jobs:
             --image-tag ${{ inputs.name }}:pipeline-test
 
       # ── Step 4: Push to registries (publish mode only) ─────────────────────
+      # Docker Hub login happens here — after build and tests, immediately before
+      # push. Keeping it here prevents the repo-scoped token from interfering
+      # with public image pulls during the build step.
+      - name: Login to Docker Hub
+        if: inputs.push
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
       # All layers are in the GHA cache from step 1 — this is just an upload.
       - name: 🚀 Push to registries
         if: inputs.push
@@ -157,8 +171,11 @@ jobs:
             VCS_REF=${{ github.sha }}
             BUILD_DATE=${{ github.event.repository.updated_at }}
           cache-from: type=gha,scope=${{ inputs.name }}
-          provenance: true
-          sbom: true
+          # SBOM and provenance generation pull docker/buildkit-syft-scanner from
+          # Docker Hub, which fails with a repo-scoped token. Disabled until a
+          # token with broader Docker Hub read access is available.
+          provenance: false
+          sbom: false
 
       # Floating major version tags (v2 → latest v2.x.y) have been intentionally
       # removed. Mutable tags are structurally equivalent to :latest and are
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
@@ -5,9 +5,8 @@ name: publish-docker
 # Flow: resolve-version → build-test-push → create-release
 #
 # Tag convention:
-#   v2.0.0  — immutable exact release
-#   v2      — floating, always points to latest v2.x.y
-#   See docs/github-action.md → "Pinning strategies" for the tradeoff guide.
+#   v2.0.0  — immutable exact release (floating major tags intentionally not published)
+#   See docs/github-action.md → "Pinning strategies" for the full rationale.
 #
 # Required repository secrets:
 #   DOCKERHUB_USERNAME  — Docker Hub account name
@@ -20,7 +19,7 @@ on:
   workflow_dispatch:
     inputs:
       tag:
-        description: "Version to publish without v prefix (e.g. 2.0.0). Must match an existing git tag."
+        description: "Full git tag to publish (e.g. v2.0.0 for new releases, 1.1.3 for old). Must exist in the repo."
         required: true
 
 # Default: deny everything. Each job below grants only what it needs.
@@ -42,17 +41,17 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          ref: ${{ github.event_name == 'workflow_dispatch' && format('v{0}', inputs.tag) || github.ref }}
+          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.ref }}
 
       - name: 🏷️ Resolve version
         id: version
         run: |
           if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            CLEAN="${{ inputs.tag }}"      # user provides without v prefix
+            CLEAN="${{ inputs.tag }}"      # full tag as provided (e.g. 1.1.3 or v2.0.0)
           else
             CLEAN="${{ github.ref_name }}" # e.g. v2.0.0
-            CLEAN="${CLEAN#v}"             # strip leading v → 2.0.0
           fi
+          CLEAN="${CLEAN#v}"               # strip leading v if present → 2.0.0 or 1.1.3
           echo "clean=$CLEAN" >> "$GITHUB_OUTPUT"
 
   # ── Job 2: Build → test → push ─────────────────────────────────────────────
@@ -61,7 +60,7 @@ jobs:
     name: publish (socket-basics)
     needs: resolve-version
     permissions:
-      contents: write   # force-update the floating major version tag (e.g. v2)
+      contents: read
       packages: write   # push images to GHCR
     uses: ./.github/workflows/_docker-pipeline.yml
     with:
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,3 @@
-# syntax=docker/dockerfile:1
-
 # ─── Global version pins (single source of truth) ────────────────────────────
 # Dependabot tracks all ARGs below via the FROM lines that reference them.
 # To override at build time: docker build --build-arg TRIVY_VERSION=0.70.0 .
diff --git a/app_tests/Dockerfile b/app_tests/Dockerfile
@@ -1,5 +1,3 @@
-# syntax=docker/dockerfile:1
-
 # ─── Global version pins (single source of truth) ────────────────────────────
 # Dependabot tracks all ARGs below via the FROM lines that reference them.
 # To override at build time: docker build --build-arg TRIVY_VERSION=0.70.0 .

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,3 @@`
`1`		`-# syntax=docker/dockerfile:1`
`2`		`-`
`3`	`1`	`# ─── Global version pins (single source of truth) ────────────────────────────`
`4`	`2`	`# Dependabot tracks all ARGs below via the FROM lines that reference them.`
`5`	`3`	`# To override at build time: docker build --build-arg TRIVY_VERSION=0.70.0 .`