remove docker as a release channel; strip dockerfile + publish-ghcr

imanimanyara · imanimanyara · commit 7e3839a4e41f · 2026-05-14T19:48:02.000-04:00
Per the brief, the four documented install methods are uv / pipx /
brew / pip; Docker was used during development as a testing artifact
(notably the adguard-mutating-integration job, which pulls a
third-party systemd image — not ours). It was never an intended
distribution channel.

Removed:

- `Dockerfile` (the file itself)
- `publish-ghcr` job from `release.yml`
- `dockerfile-hadolint` job from `ci.yml`
- Dependabot's `docker` ecosystem entry (now just pip + GH Actions)
- The PR-template "If I touched Dockerfile" checklist row
- Every operative reference to GHCR / publish-ghcr / Dockerfile in
  installation.md, release.md, shipping-checklist.md, onboarding.md,
  validation-scope.md, plans/known-issues.md, and the brief's DAG
  description. The brief below its banner remains intact as
  historical narrative — the banner already points at the cleanup
  plan as the source of truth for what shipped.

The existing GHCR image at ghcr.io/simtabi/shimkit:0.2.x stays
where it is — no auto-deletion. Future tags simply won't push to
GHCR. README.md drops the "container image" phrase from its install
pointer; installation.md leads with the GitHub-Release wheel and
`pip install git+...@tag`.

Gates: pytest 233 passed, ruff clean, mypy strict clean, all
release.yml + ci.yml + dependabot.yml YAML parses.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -36,4 +36,3 @@ Thanks for your contribution! A few notes:
 - [ ] I have not introduced subprocess calls outside `CommandRunner`
 - [ ] I have not put logic-critical strings in config (markers, regexes,
       atomic-replace semantics stay in code)
-- [ ] If I touched `Dockerfile`: image still builds (`docker build .`)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,9 +1,8 @@
 version: 2
 
-# Dependabot watches three ecosystems for shimkit:
+# Dependabot watches two ecosystems for shimkit:
 #   1. Python package dependencies (pyproject.toml)
 #   2. GitHub Actions used by .github/workflows/
-#   3. The Dockerfile's base image
 #
 # Weekly is enough for a maintenance project; daily is noise. Security
 # updates fire immediately regardless of schedule.
@@ -41,13 +40,3 @@ updates:
       timezone: "America/New_York"
     open-pull-requests-limit: 5
     labels: ["dependencies", "ci"]
-
-  - package-ecosystem: "docker"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-      day: "monday"
-      time: "06:00"
-      timezone: "America/New_York"
-    open-pull-requests-limit: 3
-    labels: ["dependencies", "docker"]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -54,19 +54,6 @@ jobs:
         # invocation still exits non-zero on real vulnerabilities.
         run: pip-audit --skip-editable
 
-  dockerfile-hadolint:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-      - uses: hadolint/hadolint-action@v3.1.0
-        with:
-          dockerfile: Dockerfile
-          # DL3008 (apt-get install without =version) is intentional for slim images;
-          # security updates come from rebuilds.
-          # DL3013 (pin pip versions) fires on `pip install --upgrade pip
-          # build` in the builder stage — we want the latest pip there.
-          ignore: DL3008,DL3013
-
   build:
     needs: test
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -75,12 +75,12 @@ jobs:
           path: dist/
 
   # PyPI publishing is deliberately disabled. Distribution for v0.2.x
-  # is via the container at ghcr.io/simtabi/shimkit and the GitHub
-  # Release page's wheel + sdist. To re-enable, restore the
-  # publish-pypi + bump-homebrew-tap jobs from git history and
-  # configure trusted publishing at https://pypi.org/manage/account/publishing/
-  # (Owner=simtabi, Repository=shimkit, Workflow=release.yml,
-  # Environment=pypi, PyPI Project Name=shimkit).
+  # is via the GitHub Release page's wheel + sdist. To re-enable PyPI,
+  # restore the publish-pypi + bump-homebrew-tap jobs from git history
+  # and configure trusted publishing at
+  # https://pypi.org/manage/account/publishing/ (Owner=simtabi,
+  # Repository=shimkit, Workflow=release.yml, Environment=pypi,
+  # PyPI Project Name=shimkit).
 
   github-release:
     needs: build
@@ -98,58 +98,4 @@ jobs:
             dist/*.whl
             dist/*.tar.gz
             dist/shimkit-sbom.spdx.json
-
-  publish-ghcr:
-    name: Publish container to GHCR
-    needs: build
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      # contents: write so anchore/sbom-action can attach the
-      # container SBOM to the GitHub Release page (default
-      # upload-release-assets=true on tag refs). Without write, the
-      # action errors "Resource not accessible by integration".
-      contents: write
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@v6
-      - uses: docker/setup-qemu-action@v4
-      - uses: docker/setup-buildx-action@v4
-      - uses: docker/login-action@v4
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - id: meta
-        uses: docker/metadata-action@v6
-        with:
-          images: ghcr.io/${{ github.repository }}
-          tags: |
-            type=ref,event=tag
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=raw,value=latest
-      - id: build-push
-        uses: docker/build-push-action@v7
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-      - name: Attest container build provenance
-        uses: actions/attest-build-provenance@v3
-        with:
-          subject-name: ghcr.io/${{ github.repository }}
-          subject-digest: ${{ steps.build-push.outputs.digest }}
-          push-to-registry: true
-      - name: Generate container SBOM
-        uses: anchore/sbom-action@v0
-        with:
-          image: ghcr.io/${{ github.repository }}@${{ steps.build-push.outputs.digest }}
-          format: spdx-json
-          artifact-name: shimkit-container-sbom.spdx.json
           upload-artifact: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,21 +6,32 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 ## [Unreleased]
 
+### Removed
+
+- Container image as a release channel. Docker was a testing
+  artifact during development (used by the `adguard-mutating-
+  integration` CI job, which pulls a third-party systemd-capable
+  image, not ours). The brief's documented install methods are uv /
+  pipx / brew / pip — Docker was never one of them. Removed:
+  `Dockerfile`, `publish-ghcr` workflow job, `dockerfile-hadolint`
+  CI job, Dependabot's `docker` ecosystem entry, the Dockerfile
+  checklist row in the PR template. The existing
+  `ghcr.io/simtabi/shimkit:0.2.x` image is left in place but won't
+  be updated by future tags.
+- `publish-pypi` and `bump-homebrew-tap` jobs (deferred). v0.2.2's
+  `publish-pypi` repeatedly failed with `invalid-publisher` even
+  with trusted-publishing configured on pypi.org. Restoration
+  path: [`docs/shipping-checklist.md`](docs/shipping-checklist.md)
+  Phase 4.
+
 ### Changed
 
-- Release pipeline: `publish-pypi` and `bump-homebrew-tap` jobs
-  removed from `release.yml`. Distribution channels for v0.2.x are
-  the GHCR container (`ghcr.io/simtabi/shimkit`) and the GitHub
-  Release wheel + sdist. v0.2.2's `publish-pypi` job repeatedly
-  failed with `invalid-publisher` even with trusted-publishing
-  configured on pypi.org; rather than chase the OIDC-claim mismatch
-  further this cycle, the project ships without PyPI for now.
-  [`docs/shipping-checklist.md`](docs/shipping-checklist.md) Phase
-  4 documents how to re-enable.
-- Docs: `docs/installation.md` now leads with the container and
-  GitHub-Release wheel; PyPI-style install commands are marked
-  pending. `docs/release.md` carries a banner noting the deferred
-  PyPI channel.
+- `docs/installation.md` leads with the GitHub-Release wheel +
+  `pip install git+...@tag`; PyPI-style commands are marked
+  pending. `docs/release.md`, `docs/shipping-checklist.md`,
+  `docs/validation-scope.md`, `docs/onboarding.md`,
+  `docs/plans/known-issues.md`, and `prompt.md` updated to drop
+  `publish-ghcr` / `dockerfile-hadolint` / Dockerfile references.
 
 ## [0.2.2] — 2026-05-14
 
diff --git a/Dockerfile b/Dockerfile
diff --git a/README.md b/README.md
@@ -22,8 +22,8 @@ brew install simtabi/tap/shimkit
 pip install --user shimkit
 ```
 
-Full install matrix, container image, optional dependency extras, and
-self-update behaviour: [`docs/installation.md`](docs/installation.md).
+Full install matrix, optional dependency extras, and self-update
+behaviour: [`docs/installation.md`](docs/installation.md).
 
 ## Tools
 
diff --git a/docs/installation.md b/docs/installation.md
@@ -1,36 +1,28 @@
 # Installation
 
-> **As of v0.2.2:** shimkit is distributed via the container at
-> `ghcr.io/simtabi/shimkit` and the wheel attached to each
-> [GitHub Release](https://github.com/simtabi/shimkit/releases).
+> **As of v0.2.2:** shimkit ships via the wheel + sdist attached to
+> each [GitHub Release](https://github.com/simtabi/shimkit/releases).
 > Publishing to PyPI is deferred — the trusted-publisher setup is in
 > place on the GitHub side (`release.yml` + `pypi` environment) but
-> the matching publisher on pypi.org is not configured yet, so
-> `pip install shimkit` does not work. Use one of the channels
-> below.
+> the matching publisher on pypi.org is not configured yet, so the
+> bare `pip install shimkit` / `uv tool install shimkit` /
+> `pipx install shimkit` / `brew install simtabi/tap/shimkit`
+> commands do not work yet. Use one of the install-from-source paths
+> below until PyPI is wired up.
 
-## Recommended channels
+## Install from a release tag
 
 ```bash
-# 1. Container (fully attested, multi-arch, no Python toolchain needed on host).
-docker pull ghcr.io/simtabi/shimkit:0.2.2
-docker run --rm ghcr.io/simtabi/shimkit:0.2.2 --help
-
-# 2. Wheel from the GitHub Release page (works with any Python ≥ 3.10).
+# 1. Wheel from the GitHub Release page (works with any Python ≥ 3.10).
 pip install --user \
   https://github.com/simtabi/shimkit/releases/download/v0.2.2/shimkit-0.2.2-py3-none-any.whl
 
-# 3. Direct from a tag (no release-page step).
+# 2. Direct from a tag (no release-page step).
 pip install --user git+https://github.com/simtabi/shimkit@v0.2.2
 uv tool install   git+https://github.com/simtabi/shimkit@v0.2.2
 pipx install      git+https://github.com/simtabi/shimkit@v0.2.2
 ```
 
-The container is the most reproducible — pin to a digest
-(`ghcr.io/simtabi/shimkit@sha256:…`) for fully deterministic
-deploys. The wheel works on any system that already has a Python
-≥ 3.10 toolchain.
-
 ## PyPI-style channels (pending)
 
 These will become the primary install once PyPI trusted-publishing
@@ -99,19 +91,6 @@ sha256sum /tmp/shimkit-${release}-py3-none-any.whl
 pip install --user "/tmp/shimkit-${release}-py3-none-any.whl"
 ```
 
-For the container image, `gh attestation verify` checks the
-provenance signature published to GHCR alongside each tag.
-
-## Container image
-
-```bash
-docker run --rm ghcr.io/simtabi/shimkit:latest version
-docker run --rm -v "$HOME/.config/shimkit:/home/shimkit/.config/shimkit" \
-  ghcr.io/simtabi/shimkit:latest doctor
-```
-
-Multi-arch (linux/amd64 + linux/arm64) is published per release.
-
 ## <a id="updates"></a>Updates
 
 `shimkit self-update` detects how shimkit was installed (`uv` /
diff --git a/docs/onboarding.md b/docs/onboarding.md
@@ -463,7 +463,7 @@ security           ← bandit -ll + pip-audit. Fails on medium+.
 build              ← sdist + wheel. Artifact uploaded.
 smoke              ← install built wheel on macOS + Ubuntu, run CLI.
 adguard-integration ← real AGH on ubuntu-latest. JSON-asserted output.
-dockerfile-hadolint  ← hadolint on Dockerfile.
+adguard-mutating-integration ← real `shimkit adguard fix` inside a privileged systemd container.
 ```
 
 All must pass before merge to `main` (once branch protection is
diff --git a/docs/plans/known-issues.md b/docs/plans/known-issues.md
@@ -134,20 +134,18 @@ new logic in the affected paths.
 
 ## Optional: `gh attestation verify` smoke test
 
-The release workflow signs the wheel and the container image with
+The release workflow signs the wheel and sdist with
 `actions/attest-build-provenance@v3`. We don't currently have a CI
 job that **verifies** those attestations after publish (the action
 publishes them; nothing reads them back).
 
 Low priority — Sigstore's transparency log is the authoritative
 record. A post-publish verify job would catch a misconfiguration of
-the publish flow, but the bug shape is rare and would be
-release-blocking by other means (PyPI upload failures, GHCR push
-failures, etc.) before the signature step.
+the publish flow, but the bug shape is rare.
 
-If added: a `verify-release` job that runs after `publish-pypi` and
-`publish-ghcr`, fetching the published artifacts and running
-`gh attestation verify` against them.
+If added: a `verify-release` job that runs after `github-release`,
+fetching the published artifacts and running `gh attestation verify`
+against them.
 
 ---
 
diff --git a/docs/release.md b/docs/release.md
@@ -66,45 +66,30 @@ push tag v*
 │  upload artifact: dist/                                      │
 └───────────────────────────────────────────────────────────────┘
     │
-    ├──► publish-pypi ───── OIDC publish; waits on `pypi` env
-    │                       protection rules if configured.
-    │
-    ├──► github-release ─── creates the GH Release with wheel +
-    │                       sdist + SBOM attached.
-    │
-    ├──► publish-ghcr ───── multi-arch (amd64+arm64) container image
-    │                       to ghcr.io/simtabi/shimkit:{tag,version,major.minor,latest}
-    │
-    └──► bump-homebrew-tap  pushes a formula update to
-                            simtabi/homebrew-tap if the tap exists.
-                            soft-fails otherwise.
+    └──► github-release ─── creates the GH Release with wheel +
+                            sdist + SBOM attached.
 ```
 
-`publish-pypi` is the gating step for downstream effects — it must
-succeed before `bump-homebrew-tap` runs. `publish-ghcr` and
-`github-release` are independent and run in parallel.
+As of v0.2.2 the release pipeline ships **only** the GitHub Release
+artifact set. The `publish-pypi`, `publish-ghcr`, and
+`bump-homebrew-tap` jobs that previously fanned out from `build`
+were removed: PyPI publishing is deferred ([Phase 4 of
+shipping-checklist.md](shipping-checklist.md)), and the GHCR /
+Dockerfile path was always meant as a testing artifact rather than
+a distribution channel (see `prompt.md`'s install-method list).
 
 ## Verifying a release
 
 ```bash
-release=v0.1.0
+release=v0.2.2
 
-# PyPI
-pip install shimkit==${release#v}
+# Wheel from the GitHub Release page
+pip install --user "https://github.com/simtabi/shimkit/releases/download/${release}/shimkit-${release#v}-py3-none-any.whl"
 shimkit version
 
 # GitHub Release SBOM
 curl -fsSL "https://github.com/simtabi/shimkit/releases/download/${release}/shimkit-sbom.spdx.json" -o /tmp/sbom.json
 jq .name /tmp/sbom.json   # should print "shimkit"
-
-# GHCR
-docker run --rm --pull=always ghcr.io/simtabi/shimkit:${release} version
-# Verify the image's signed provenance (Sigstore/GHCR):
-gh attestation verify oci://ghcr.io/simtabi/shimkit:${release} -o simtabi
-
-# Homebrew tap (once the tap is configured)
-brew install simtabi/tap/shimkit
-shimkit version
 ```
 
 ## Cancelling / yanking
diff --git a/docs/shipping-checklist.md b/docs/shipping-checklist.md
diff --git a/docs/validation-scope.md b/docs/validation-scope.md
diff --git a/prompt.md b/prompt.md
