
fix: drop container image digest pinning, unify uv version, bump Fedora to 44 #781

Merged
raballew merged 18 commits into jumpstarter-dev:main from raballew:fix/drop-container-digest-pinning on Jun 16, 2026

Conversation

@raballew raballew (Member) commented Jun 9, 2026

Summary

Drop container image digest pinning

  • Disable pinDigests in Renovate config -- most container registries prune untagged manifests within weeks, so pinned digests break reproducibility instead of guaranteeing it and force an unsustainable biweekly update cycle
  • Keep helpers:pinGitHubActionDigests for GitHub Action commit-SHA pinning (those are permanent, not pruned)
  • Rename renovate.json to renovate.jsonc to formally support comments, add rationale for the pinDigests decision

Unify uv version management

  • Add .uv-version as single source of truth for the uv toolchain version
  • Dockerfiles install uv via curl reading .uv-version at build time -- no hardcoded image tags or ARG defaults
  • CI workflows read .uv-version into a step output and pass it to setup-uv
  • E2e scripts (setup-e2e.sh, compat/setup.sh) pin the curl installer to .uv-version
  • Renovate tracks .uv-version via a custom regex manager using the github-releases datasource
  • Fixes a cross-platform build bug: the old COPY --from=uv copied the build-platform binary into the target-platform product stage

Bump Fedora 43 to 44

  • python/Dockerfile, python/Dockerfile.utils, .github/workflows/build-oci-bundle.yaml
  • build_fits.sh podman fallback: replaced hardcoded fedora:44 with a Containerfile so Renovate's native dockerfile manager tracks it (no custom regex needed)

Test plan

  • renovate-config-validator passes
  • No @sha256: digest references remain in Dockerfiles, Containerfiles, or CI workflows
  • No fedora:43 references remain in tracked files
  • No hardcoded ghcr.io/astral-sh/uv: references remain -- all read from .uv-version
  • All setup-uv version pins unified at 0.11.19 via .uv-version
  • Verify Renovate stops opening digest-pinning PRs after merge
  • Verify container image builds succeed

@coderabbitai coderabbitai Bot (Contributor) commented Jun 9, 2026

Walkthrough

This PR upgrades Fedora base images from version 43 to 44 across CI workflows and Dockerfiles, and enhances Renovate to automatically track Fedora updates in shell scripts via a custom regex manager while disabling digest pinning.

Changes

Infrastructure Updates

Layer: Fedora base image upgrade across CI and build containers
File(s): .github/workflows/build-oci-bundle.yaml, python/Dockerfile, python/Dockerfile.utils, python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/build_fits.sh
Summary: All container base images are bumped from fedora:43 to fedora:44 in the CI workflow, multi-stage Python build, utilities Dockerfile, and the podman re-exec path in the build script.

Layer: Renovate configuration for automated Fedora tracking
File(s): renovate.jsonc, .github/workflows/lint.yaml
Summary: Digest pinning is disabled; a new regex-based custom manager targets shell scripts to parse renovate: directives and extract datasource, depName, and version; a package rule groups Fedora updates from the custom manager into docker-base-images with automerge: false; the lint workflow path filter is updated to trigger on renovate.jsonc.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • bennyz
  • kirkbrauer
  • mangelajo

Poem

A rabbit hops with glee, preparing for the newest Fedora spree—
From forty-three to forty-four, the containers improve once more! 🐰🐳
Renovate scripts now parse directives true, ensuring updates pull through.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Title check: Passed. The title accurately summarizes the three main changes: disabling digest pinning, unifying uv version management, and upgrading Fedora from 43 to 44.
  • Description check: Passed. The pull request description clearly relates to the changeset, describing the removal of container image digest pinning, Fedora version bumps, and uv version management unification.


@coderabbitai coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-oci-bundle.yaml:
- Line 9: The podman fallback image in the script build_fits.sh is still
hardcoded to fedora:43 while the CI workflow uses container: fedora:44; update
the podman run invocation that references "fedora:43" in
python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/build_fits.sh
to "fedora:44" (or add a clear comment documenting why 43 must be retained) so
local/manual builds match the CI environment.

In `@python/Dockerfile.utils`:
- Around line 1-4: The Dockerfile is missing a non-root runtime user, leaving
the container running as root; add creation of a dedicated unprivileged user
(e.g., "utils" or "appuser") and group during image build, ensure any
directories the runtime will need (WORKDIR, caches, or installed app
directories) are chowned to that user, and add a USER <username> directive near
the end of the Dockerfile (after installations and ownership changes) so the
container runs unprivileged by default; reference the Dockerfile build steps
that run dnf install and cleanup to locate where to add the user creation,
chown, and USER directives.

In `@renovate.json`:
- Around line 7-12: The file renovate.json contains C-style comments (//) which
break strict JSON parsers; either remove all comments to produce valid JSON
(keeping the "pinDigests": false value intact) or rename the file to
renovate.jsonc and update the workflow's paths-filter entry that currently
references renovate.json so the linter/CI and local Biome will accept JSONC;
ensure any references to helpers:pinGitHubActionDigests remain unchanged.

📥 Commits

Reviewing files that changed from the base of the PR and between 1cebbd0 and 2d68a97.

📒 Files selected for processing (4)
  • .github/workflows/build-oci-bundle.yaml
  • python/Dockerfile
  • python/Dockerfile.utils
  • renovate.json

@raballew raballew force-pushed the fix/drop-container-digest-pinning branch 2 times, most recently from 88d2f41 to 3462daa Compare June 9, 2026 13:00

@coderabbitai coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/build_fits.sh (1)

7-7: ⚡ Quick win

Quote $(pwd) to prevent word splitting.

The Fedora upgrade looks good, but since this line is already being modified, please quote the $(pwd) expansion to prevent word splitting if the path contains spaces.

♻️ Proposed fix
-    exec podman run --rm -it -v $(pwd):/host:Z -w /host fedora:44 "$0" "$@"
+    exec podman run --rm -it -v "$(pwd)":/host:Z -w /host fedora:44 "$0" "$@"
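Review bot: quoting "$(pwd)" is the right fix, but the proposed line still leaves the image as the bare fedora:44 tag inside a shell script; the later commits on this PR move that image reference into a Containerfile using the fully qualified registry.fedoraproject.org/fedora:44 name so that Renovate's native dockerfile manager and its version-cap rule apply to it, which this one-line change alone would not achieve. The same commits also move set -euo pipefail ahead of the container-detection branch, since otherwise a failed image build falls through to this podman run with a stale or missing image.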
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/build_fits.sh`
at line 7, The podman invocation in build_fits.sh uses an unquoted command
substitution $(pwd) which can suffer word-splitting for paths with spaces;
update the exec podman run line so the volume mount uses a quoted expansion like
"$(pwd)":/host:Z (i.e., replace $(pwd) with "$(pwd)") to ensure the current
directory is passed as a single argument to -v.


📥 Commits

Reviewing files that changed from the base of the PR and between 88d2f41 and 3462daa.

📒 Files selected for processing (5)
  • .github/workflows/build-oci-bundle.yaml
  • python/Dockerfile
  • python/Dockerfile.utils
  • python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/build_fits.sh
  • renovate.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/build-oci-bundle.yaml

@raballew raballew force-pushed the fix/drop-container-digest-pinning branch 2 times, most recently from 109b82b to 302501e Compare June 9, 2026 14:27

@coderabbitai coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/build_fits.sh`:
- Line 8: The podman bind-mount uses unquoted command substitution which breaks
on paths with spaces; update the exec line in build_fits.sh (the podman run
invocation) to quote the host path or use $PWD so the -v argument is passed as a
single token (e.g., change -v $(pwd):/host:Z to use a quoted or $PWD form) to
avoid word splitting when the working directory contains whitespace.

📥 Commits

Reviewing files that changed from the base of the PR and between 3462daa and 302501e.

📒 Files selected for processing (6)
  • .github/workflows/build-oci-bundle.yaml
  • .github/workflows/lint.yaml
  • python/Dockerfile
  • python/Dockerfile.utils
  • python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/build_fits.sh
  • renovate.json5
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/build-oci-bundle.yaml

@raballew raballew force-pushed the fix/drop-container-digest-pinning branch 6 times, most recently from 2599a04 to ea3e923 Compare June 9, 2026 15:18
@raballew raballew changed the title fix: drop container image digest pinning and bump Fedora to 44 fix: drop container image digest pinning, unify uv version, bump Fedora to 44 Jun 9, 2026
@raballew raballew force-pushed the fix/drop-container-digest-pinning branch 6 times, most recently from 30fedcb to 6a2c982 Compare June 9, 2026 17:25

@kirkbrauer kirkbrauer (Member) left a comment

Added a comment, overall, I think this looks good, switching to the Containerfile is nice, agnostic, and Red Hat friendly ;)

@raballew raballew force-pushed the fix/drop-container-digest-pinning branch from 78bf408 to 7d67894 Compare June 12, 2026 15:15
raballew and others added 7 commits June 16, 2026 07:42
Standardize on the vendor-neutral Containerfile naming convention.
Pure rename, no content changes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…igrate to Fedora

- Disable pinDigests in Renovate -- most registries prune untagged
  manifests within weeks, making pinned digests counterproductive
- Rename renovate.json to renovate.jsonc to formally support comments
- Centralize uv version in .uv-version -- Containerfiles install via
  curl at build time, CI workflows and e2e scripts read the same file
- Migrate controller images from UBI9 to Fedora, install Go from
  .go-version via go.dev (replaces ubi9/go-toolset)
- Use fedora-minimal for controller/operator runtime stages
- Pin all Fedora images to registry.fedoraproject.org
- Parameterize Python version from .py-version in devfile Containerfiles
- Replace hardcoded podman fallback image in build_fits.sh with a
  Containerfile managed by Renovate natively
- Bump Fedora from 43 to 44

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The base-developer-image runs as UID 10001 (non-root) by default. The
curl-based uv installer writes to /root/.local/bin/ and the subsequent
mv to /bin/ both require root permissions. Move USER root before the
uv install block to prevent permission errors at build time.

Generated-By: Forge/20260612_083017_669333_b6e93cd3
Replace the multi-stage ghcr.io/astral-sh/uv COPY-from pattern with
curl-based install reading .uv-version. Update both builder and product
stages from bare fedora:43 to fully qualified
registry.fedoraproject.org/fedora:44 so the Renovate version cap rule
applies correctly.

Generated-By: Forge/20260612_083017_669333_b6e93cd3
…gistry

Update from bare fedora:43 to registry.fedoraproject.org/fedora:44 so
the Renovate allowedVersions constraint applies correctly.

Generated-By: Forge/20260612_083017_669333_b6e93cd3
…tainer

Replace COPY --from=ghcr.io/astral-sh/uv:0.11.19 with curl-based
install reading .uv-version, centralizing the version and eliminating
the hardcoded container image reference.

Generated-By: Forge/20260612_083017_669333_b6e93cd3
The controller Containerfiles do not declare ARG GO_VERSION so the
build-arg was silently ignored. Remove it from both controller
Makefiles and the build-images CI workflow until the Containerfiles
are ready to consume it.

Generated-By: Forge/20260612_083017_669333_b6e93cd3
raballew and others added 8 commits June 16, 2026 07:42
Move set -euo pipefail before the container detection branch so podman
build failures abort the script instead of proceeding to podman run
with a stale or nonexistent image. Also quote $(pwd) to prevent word
splitting on paths containing spaces.

Generated-By: Forge/20260612_083017_669333_b6e93cd3
Add regex guards to reject version files containing unexpected content
before they are interpolated into URLs or executable paths. This
prevents accidental shell injection from malformed version files.

Generated-By: Forge/20260612_083017_669333_b6e93cd3
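The two preceding commits describe a version-file guard and a hardened podman fallback. The script below is an added example, not code from the jumpstarter repository: it implements a bare X.Y.Z guard on .uv-version before the value reaches a URL, and emits the podman arguments with "$(pwd)" quoted and "${container:-}" used for detection. The versioned installer URL form is the one uv documents; the file names and the exact guard pattern are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's own code. Demonstrates the regex guard on a
# version file and the quoted podman bind mount from the commit messages above.
set -eu

# Read a single-line version file and reject anything that is not a bare
# X.Y.Z version, so the value can be interpolated into URLs and paths safely.
read_version_file() {
  local file="$1" version
  [ -s "$file" ] || { printf '%s\n' "error: $file is missing or empty" >&2; return 1; }
  # Strip line endings only; everything else must match the pattern below.
  version=$(tr -d '\r\n' < "$file")
  if ! printf '%s' "$version" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
    printf '%s\n' "error: $file contains unexpected content" >&2
    return 1
  fi
  printf '%s\n' "$version"
}

# Build the pinned installer URL from the version file. Fails closed when the
# guard rejects the file, so curl never runs against a malformed version.
uv_installer_url() {
  local version
  version=$(read_version_file "$1") || return 1
  printf 'https://astral.sh/uv/%s/install.sh\n' "$version"
}

# Emit the podman arguments for the container fallback, one per line, so the
# bind-mount quoting can be inspected (and tested) without invoking podman.
# Quoting "$(pwd)" keeps a working directory containing spaces as a single
# -v argument instead of letting word splitting break it into several.
podman_fallback_args() {
  local image="$1"
  shift
  printf '%s\n' run --rm -it -v "$(pwd)":/host:Z -w /host "$image" "$@"
}

# Usage inside a build script (shown as comments so nothing runs on load).
# "${container:-}" avoids a set -u abort when the variable is unset on the
# host; the `container` variable is set by podman inside the container.
#   if [ -z "${container:-}" ]; then
#     exec podman run --rm -it -v "$(pwd)":/host:Z -w /host "$IMAGE" "$0" "$@"
#   fi
#   UV_URL=$(uv_installer_url .uv-version)   # then: curl -LsSf "$UV_URL" | sh
```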
Add explicit semver versioning to match the pattern used by the
.go-version and .py-version custom managers.

Generated-By: Forge/20260612_083017_669333_b6e93cd3
Add registry.access.redhat.com/ubi9/go-toolset to the go-toolchain
group with automerge disabled, preventing go-toolset patch bumps from
being auto-merged without coordination with Go toolchain updates.

Generated-By: Forge/20260612_083017_669333_b6e93cd3
…tion workflow

The documentation.yaml workflow sets defaults.run.working-directory to
python, causing `cat .uv-version` to look for python/.uv-version which
does not exist. Add explicit working-directory: . to all three id: uv
steps so they read .uv-version from the repository root.

Generated-By: Forge/20260612_083017_669333_b6e93cd3
After the Dockerfile to Containerfile rename, Docker (which defaults to
looking for Dockerfile) no longer finds the build file. The e2e workflow
sets CONTAINER_TOOL=docker, so this breaks e2e controller image builds.
Add -f Containerfile for compatibility with both Docker and Podman.

Generated-By: Forge/20260612_083017_669333_b6e93cd3
The astral-sh/uv GitHub releases use v-prefixed tags (e.g. v0.11.19)
but .uv-version stores the bare version (0.11.19). Without
extractVersionTemplate, Renovate may fail to match versions or write
the v-prefixed form into the file.

Generated-By: Forge/20260612_083017_669333_b6e93cd3
…line

- Strip @sha256: digest suffix from controller Containerfiles left by
  Renovate while pinDigests was still enabled
- Use ${container:-} default expansion in build_fits.sh to prevent
  crash from set -euo pipefail when $container is unset
- Add missing trailing newline to .devcontainer/Containerfile

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@raballew raballew force-pushed the fix/drop-container-digest-pinning branch from 3911032 to ff5d108 Compare June 16, 2026 05:42
Replace curl-based uv installation with the official multi-stage COPY
approach in all Containerfiles. Add Renovate package rule to group
.uv-version and ghcr.io/astral-sh/uv updates into a single PR.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@raballew raballew requested a review from kirkbrauer June 16, 2026 06:02
@raballew raballew enabled auto-merge (squash) June 16, 2026 06:02
Renovate merges packageRules in order, so the later docker-base-images
catch-all (matchPackageNames: ["**"]) was overriding the uv-toolchain
groupName for ghcr.io/astral-sh/uv. Moving uv-toolchain after the
catch-all ensures uv container image + version file updates land in the
same PR.

Verified with `npx renovate --dry-run`: ghcr.io/astral-sh/uv now routes
to renovate/uv-toolchain instead of renovate/docker-base-images.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fedora prunes untagged manifests, but other registries (ghcr.io,
registry.access.redhat.com, mcr.microsoft.com) keep them. Pin digests
globally for supply-chain safety and disable only for Fedora.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@raballew raballew force-pushed the fix/drop-container-digest-pinning branch from dc110b5 to 46bb088 Compare June 16, 2026 09:41
Comment thread controller/Containerfile
@@ -1,5 +1,5 @@
# Build the manager binary
FROM registry.access.redhat.com/ubi9/go-toolset:1.26.3@sha256:430cd439ea3bb4af3727a843c0302594bb1973211ecbfc98e4450a40798075df AS builder
FROM registry.access.redhat.com/ubi9/go-toolset:1.26.3 AS builder
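Review bot: this hunk drops the @sha256 digest from registry.access.redhat.com/ubi9/go-toolset:1.26.3, but the commit on this PR that re-enables digest pinning names registry.access.redhat.com as a registry that keeps untagged manifests and disables pinning only for Fedora; the digest belongs on this line, or the PR should confirm that Renovate's next pass re-pins it (as the discussion below expects) so the controller builder stage is not left on a mutable tag in the meantime.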

Member left a comment

The renovate config looks good, but this didn't pin back for some reason.

@mangelajo mangelajo (Member) left a comment

based on our conversation renovate will update those pinnings on a 2nd pass once the json is merged to main.

@raballew raballew merged commit 590da7b into jumpstarter-dev:main Jun 16, 2026
35 checks passed
evakhoni pushed a commit to evakhoni/jumpstarter that referenced this pull request Jun 24, 2026
…ra to 44 (jumpstarter-dev#781)