book-keepings.

Kabuki94 · Kabuki94 · commit ab16e406fc71 · 2026-05-02T20:55:28.000-04:00
diff --git a/automation/10-gnome.sh b/automation/10-gnome.sh
@@ -79,7 +79,7 @@ BIBATA_VER=$( (scurl -sL --connect-timeout 15 --max-time 30 \
     | grep -m1 '"tag_name"' | sed 's/.*"v\?\([^"]*\)".*/\1/') 2>/dev/null || true)
 
 [[ -n "$BIBATA_VER" ]] || die "Bibata: api.github.com release-latest lookup returned empty"
-echo "[10-gnome]   Latest release: v${BIBATA_VER}"
+record_version bibata "v${BIBATA_VER}" "https://github.com/ful1e5/Bibata_Cursor/releases/tag/v${BIBATA_VER}"
 
 BIBATA_URL="https://github.com/ful1e5/Bibata_Cursor/releases/download/v${BIBATA_VER}/Bibata-Modern-Classic.tar.xz"
 BIBATA_DIR="/usr/share/icons/Bibata-Modern-Classic"
diff --git a/automation/13-ceph-k3s.sh b/automation/13-ceph-k3s.sh
@@ -42,6 +42,7 @@ fi
 
 if [[ -n "$K3S_TAG" ]]; then
     echo "[13-ceph-k3s] Latest K3s tag: $K3S_TAG"
+    record_version k3s "$K3S_TAG" "https://github.com/k3s-io/k3s/releases/tag/${K3S_TAG}"
 
     echo "[13-ceph-k3s] Downloading K3s binary, checksum, and install script..."
     K3S_URL="https://github.com/k3s-io/k3s/releases/download/${K3S_TAG}/k3s"
diff --git a/automation/19-k3s-selinux.sh b/automation/19-k3s-selinux.sh
@@ -22,6 +22,7 @@ if [[ -z "${K3S_SELINUX_TAG:-}" ]]; then
         | tail -n1) || true
     K3S_SELINUX_TAG="${K3S_SELINUX_TAG:-master}"
 fi
+record_version k3s-selinux "$K3S_SELINUX_TAG" "https://github.com/k3s-io/k3s-selinux/tree/${K3S_SELINUX_TAG}"
 
 echo "==> Cloning k3s-selinux at ref ${K3S_SELINUX_TAG}..."
 git clone --depth 1 --branch "${K3S_SELINUX_TAG}" \
diff --git a/automation/37-aichat.sh b/automation/37-aichat.sh
@@ -19,8 +19,8 @@ AICHAT_NG_TAG=$( (scurl -s https://api.github.com/repos/blob42/aichat-ng/release
 
 [[ -n "$AICHAT_TAG"    ]] || die "AIChat: api.github.com release-latest lookup returned empty"
 [[ -n "$AICHAT_NG_TAG" ]] || die "AIChat-NG: api.github.com release-latest lookup returned empty"
-echo "[37-aichat]   AIChat latest:    ${AICHAT_TAG}"
-echo "[37-aichat]   AIChat-NG latest: ${AICHAT_NG_TAG}"
+record_version aichat    "$AICHAT_TAG"    "https://github.com/sigoden/aichat/releases/tag/${AICHAT_TAG}"
+record_version aichat-ng "$AICHAT_NG_TAG" "https://github.com/blob42/aichat-ng/releases/tag/${AICHAT_NG_TAG}"
 
 # ── AIChat ────────────────────────────────────────────────────────────────────
 AICHAT_ARCH="aichat-${AICHAT_TAG}-x86_64-unknown-linux-musl.tar.gz"
diff --git a/automation/42-cosign-policy.sh b/automation/42-cosign-policy.sh
@@ -14,10 +14,18 @@ source "$(dirname "$0")/lib/common.sh"
 
 log "42-cosign-policy: ensuring cosign + trust roots + policy.json"
 
-# 1. Install cosign binary (pinned to v2.x for rpm-ostree compatibility)
+# 1. Install cosign binary
+# Project policy: every dependency tracks :latest from its source. Cosign is
+# constrained to the v2.x series here because v3+ breaks rpm-ostree OCI 1.1
+# bundle format (see header). Lift the v2 filter when v3 compat is confirmed.
 if ! command -v cosign >/dev/null 2>&1; then
-    COSIGN_VERSION="v2.4.3"
+    COSIGN_VERSION=$( (scurl -s https://api.github.com/repos/sigstore/cosign/releases?per_page=30 \
+        | grep -Po '"tag_name": "\Kv2\.[^"]+' \
+        | head -n1) 2>/dev/null || true)
+    [[ -n "$COSIGN_VERSION" ]] || die "cosign: api.github.com release lookup returned no v2.x match"
     COSIGN_BASE_URL="https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}"
+    record_version cosign "$COSIGN_VERSION" "https://github.com/sigstore/cosign/releases/tag/${COSIGN_VERSION}"
+    log "  resolved cosign latest v2.x: ${COSIGN_VERSION}"
     log "  downloading cosign ${COSIGN_VERSION} static binary..."
     mkdir -p /tmp/cosign-dl
     scurl -sfL "${COSIGN_BASE_URL}/cosign-linux-amd64" -o /tmp/cosign-dl/cosign-linux-amd64
diff --git a/automation/53-bake-lookingglass-client.sh b/automation/53-bake-lookingglass-client.sh
@@ -35,7 +35,17 @@ if [[ -n "$MISSING" ]]; then
     exit 0
 fi
 
-LG_BRANCH="${LG_BRANCH:-B7}"
+# Resolve latest Looking Glass release branch from upstream. Project policy:
+# every dependency tracks :latest from its source. LG uses letter-numbered
+# release branches (B6, B7, …); pick the highest by version sort.
+if [[ -z "${LG_BRANCH:-}" ]]; then
+    LG_BRANCH=$(git ls-remote --heads https://github.com/gnif/LookingGlass.git 'B*' 2>/dev/null \
+        | awk -F/ '{print $NF}' \
+        | sort -V \
+        | tail -n1 || true)
+    [[ -n "$LG_BRANCH" ]] || die "Looking Glass: git ls-remote returned no B* release branch"
+fi
+record_version looking-glass "$LG_BRANCH" "https://github.com/gnif/LookingGlass/tree/${LG_BRANCH}"
 BUILD_DIR="/tmp/LookingGlass-build"
 
 # --- Clone -----------------------------------------------------------------
diff --git a/automation/build.sh b/automation/build.sh
@@ -211,6 +211,17 @@ _section_header
 echo ""
 
 TOTAL_START=$SECONDS
+
+# ── Build-time version manifest (records :latest -> observed-version) ────────
+# Project policy: every dependency tracks :latest from upstream. To make
+# day-0 images reproducible-after-the-fact, every script that resolves a
+# floating tag calls record_version (lib/common.sh). build.sh seeds the
+# manifest with image-level metadata; phase scripts append component rows.
+rm -f "$MIOS_VERSION_MANIFEST"
+record_version mios       "$VERSION_STR"                               "git:$(cat /ctx/VERSION 2>/dev/null || echo unknown)"
+record_version base-image "${BASE_IMAGE:-ghcr.io/ublue-os/ucore-hci:stable-nvidia}" "build-time floating tag"
+record_version kernel     "$(find /usr/lib/modules/ -mindepth 1 -maxdepth 1 -printf '%f\n' 2>/dev/null | sort -V | tail -1)" "from base image"
+
 SCRIPT_COUNT=0
 SCRIPT_FAIL=0
 WARN_FAIL=0
@@ -325,28 +336,71 @@ else
     _row "  WARNING: 99-postcheck.sh not found -- skipping"
 fi
 
-# ── Log preservation (flatten all chain logs into /usr/lib/mios/logs/) ──────
+# ── Quadlet image digest capture (build-day :latest snapshot) ───────────────
+# Quadlets are pulled by bootc at deploy time, not at OCI-build time, so
+# their :latest will re-resolve on every deploy. Record the digest skopeo
+# sees right now, so the shipped image carries a precise snapshot of what
+# build day's :latest pointed at — even though deploys may differ later.
+echo ""
+_hline '-' '+' '+'
+_row " POST-BUILD: Capturing Quadlet image digests"
+_hline '-' '+' '+'
+if command -v skopeo >/dev/null 2>&1; then
+    shopt -s nullglob
+    for q in /usr/share/containers/systemd/*.container /etc/containers/systemd/*.container; do
+        img=$(awk -F= '/^Image=/{print $2; exit}' "$q" 2>/dev/null)
+        [[ -n "$img" ]] || continue
+        digest=$(skopeo inspect "docker://${img}" 2>/dev/null \
+            | python3 -c 'import json,sys;d=json.load(sys.stdin);print(d.get("Digest",""))' 2>/dev/null \
+            || true)
+        record_version "quadlet:$(basename "$q" .container)" "$img" "${digest:-<unresolved>}"
+    done
+    shopt -u nullglob
+else
+    warn "skopeo not available — Quadlet image digests not captured"
+fi
+
+# ── Log preservation (flatten all chain logs + version manifest into /usr) ──
 echo ""
 _hline '-' '+' '+'
-_row " LOG CHAIN: Flattening all build logs -> /usr/lib/mios/logs/"
+_row " LOG CHAIN: Flattening logs + version manifest -> /usr/lib/mios/logs/"
 _hline '-' '+' '+'
 mkdir -p /usr/lib/mios/logs
 cp -v /var/log/dnf5.log* /var/log/hawkey.log /usr/lib/mios/logs/ 2>/dev/null || true
-# Flatten per-step logs into single unified chain log
+
+# Promote machine-readable version manifest (TSV, kept uncompressed for grep/awk)
+if [[ -f "$MIOS_VERSION_MANIFEST" ]]; then
+    install -m 0644 "$MIOS_VERSION_MANIFEST" /usr/lib/mios/logs/mios-build-versions.tsv
+    _row "  Version manifest: /usr/lib/mios/logs/mios-build-versions.tsv ($(wc -l < "$MIOS_VERSION_MANIFEST") rows)"
+fi
+
+# Flatten per-step logs + manifest + main build log into single unified chain
 UNIFIED_LOG="/usr/lib/mios/logs/mios-build-chain.log"
-echo "# MiOS ${VERSION_STR} Unified Build Log Chain — $(date '+%Y-%m-%d %H:%M:%S')" > "$UNIFIED_LOG"
-for step_log in /tmp/mios-step-*.log; do
-    [[ -f "$step_log" ]] || continue
-    echo "" >> "$UNIFIED_LOG"
-    echo "# ====== $(basename "$step_log") ======" >> "$UNIFIED_LOG"
-    cat "$step_log" >> "$UNIFIED_LOG"
-done
-# Append main build log
-echo "" >> "$UNIFIED_LOG"
-echo "# ====== mios-build.log ======" >> "$UNIFIED_LOG"
-[[ -f "$BUILD_LOG" ]] && cat "$BUILD_LOG" >> "$UNIFIED_LOG" || true
+{
+    echo "# MiOS ${VERSION_STR} Unified Build Log Chain — $(date '+%Y-%m-%d %H:%M:%S')"
+    echo ""
+    echo "# ====== build-time :latest -> observed-version manifest ======"
+    if [[ -f "$MIOS_VERSION_MANIFEST" ]]; then
+        cat "$MIOS_VERSION_MANIFEST"
+    else
+        echo "(no manifest produced)"
+    fi
+    for step_log in /tmp/mios-step-*.log; do
+        [[ -f "$step_log" ]] || continue
+        echo ""
+        echo "# ====== $(basename "$step_log") ======"
+        cat "$step_log"
+    done
+    echo ""
+    echo "# ====== mios-build.log ======"
+    [[ -f "$BUILD_LOG" ]] && cat "$BUILD_LOG" || true
+} > "$UNIFIED_LOG"
 cp "$UNIFIED_LOG" /usr/lib/mios/logs/mios-build.log 2>/dev/null || true
-_row "  Unified chain log: /usr/lib/mios/logs/mios-build-chain.log"
+
+# Compress the bulky logs; keep the TSV manifest uncompressed for direct query.
+gzip -9f /usr/lib/mios/logs/mios-build-chain.log /usr/lib/mios/logs/mios-build.log 2>/dev/null || true
+gzip -9f /usr/lib/mios/logs/dnf5.log* /usr/lib/mios/logs/hawkey.log 2>/dev/null || true
+_row "  Unified chain log: /usr/lib/mios/logs/mios-build-chain.log.gz"
 _row "  Step count in chain: $(ls /tmp/mios-step-*.log 2>/dev/null | wc -l)"
 
 # ── Cleanup ─────────────────────────────────────────────────────────────────
@@ -356,7 +410,7 @@ rm -rf /usr/share/doc/* /usr/share/man/* /usr/share/info/* 2>/dev/null || true
 rm -rf /usr/share/gnome/help/* /usr/share/help/* 2>/dev/null || true
 rm -f /var/log/dnf5.log* /var/log/hawkey.log 2>/dev/null || true
 rm -rf /run/ceph /run/cockpit /run/k3s /tmp/mios-step-*.log 2>/dev/null || true
-rm -f /var/lib/systemd/random-seed /tmp/mios-build.log 2>/dev/null || true
+rm -f /var/lib/systemd/random-seed /tmp/mios-build.log "$MIOS_VERSION_MANIFEST" 2>/dev/null || true
 
 # ── Final summary + failure/warn report ──────────────────────────────────────
 TOTAL_ELAPSED=$(( SECONDS - TOTAL_START ))
diff --git a/automation/lib/common.sh b/automation/lib/common.sh
@@ -43,3 +43,27 @@ fi
 # String variant for legacy/debug visibility only. Do NOT use in commands.
 export DNF_SETOPT_STR="${DNF_SETOPT[*]}"
 export DNF_OPTS_STR="${DNF_OPTS[*]}"
+
+# --- Build-time version manifest --------------------------------------------
+# Project policy: every dependency tracks :latest from upstream (no human
+# pins). To keep day-0 builds reproducible-after-the-fact, every phase script
+# that resolves a :latest tag MUST call record_version so the observed value
+# is captured into the per-image manifest. build.sh promotes this file into
+# /usr/lib/mios/logs/ at the end of the build, alongside the flattened log.
+#
+# Usage: record_version <component> <version_or_tag> [resolved_to]
+#   component       short id, e.g. "aichat", "cosign", "quadlet:mios-k3s"
+#   version_or_tag  what was observed, e.g. "v0.30.1" or "docker.io/x:latest"
+#   resolved_to     optional: digest, source URL, or commit ref
+export MIOS_VERSION_MANIFEST="${MIOS_VERSION_MANIFEST:-/tmp/mios-build-versions.tsv}"
+
+record_version() {
+    local component="$1" version="$2" resolved_to="${3:-}"
+    if [[ ! -f "$MIOS_VERSION_MANIFEST" ]]; then
+        printf 'component\tversion\tresolved_to\trecorded_at\n' > "$MIOS_VERSION_MANIFEST"
+    fi
+    printf '%s\t%s\t%s\t%s\n' \
+        "$component" "$version" "$resolved_to" "$(log_ts)" \
+        >> "$MIOS_VERSION_MANIFEST"
+    log "version: ${component} = ${version}${resolved_to:+ (${resolved_to})}"
+}
diff --git a/etc/containers/systemd/mios-ai.container b/etc/containers/systemd/mios-ai.container
@@ -12,7 +12,7 @@ Wants=network-online.target
 ConditionPathIsDirectory=/etc/mios/ai
 
 [Container]
-Image=docker.io/localai/localai:v2.20.0
+Image=docker.io/localai/localai:latest
 ContainerName=mios-ai
 PublishPort=8080:8080
 Volume=/srv/ai/models:/build/models:Z
diff --git a/etc/containers/systemd/mios-ceph.container b/etc/containers/systemd/mios-ceph.container
@@ -18,7 +18,7 @@ ConditionPathExists=/etc/ceph/ceph.conf
 ConditionVirtualization=!container
 
 [Container]
-Image=quay.io/ceph/ceph:v18
+Image=quay.io/ceph/ceph:latest
 ContainerName=mios-ceph
 Network=mios.network
 Volume=/var/lib/ceph:/var/lib/ceph:Z
diff --git a/etc/containers/systemd/mios-k3s.container b/etc/containers/systemd/mios-k3s.container
@@ -24,7 +24,7 @@ ConditionVirtualization=!wsl
 ConditionVirtualization=!container
 
 [Container]
-Image=docker.io/rancher/k3s:v1.32.1-k3s1
+Image=docker.io/rancher/k3s:latest
 ContainerName=mios-k3s
 Privileged=true
 Environment=K3S_TOKEN=mios-cluster-secret
diff --git a/usr/share/containers/systemd/guacamole-postgres.container b/usr/share/containers/systemd/guacamole-postgres.container
@@ -7,7 +7,7 @@ Wants=network-online.target
 ConditionVirtualization=!container
 
 [Container]
-Image=docker.io/library/postgres:16
+Image=docker.io/library/postgres:latest
 Network=mios.network
 AutoUpdate=registry
 User=mios-postgres
