Gate final-version docker tags on release publish, not draft#10306
Conversation
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates the release workflows so version-specific Docker tags are only published when a GitHub release is published (not while it’s still a draft), by promoting already-burned-in RC images to final tags at publish time.
Changes:
- Gate Docker publishing in
draft-release.ymlto RC tags only (*-RC<n>), skipping Docker for final version tags. - Extend
docker-promote.ymlto locate the RC tag at the release SHA and retag RC images into versioned andlatesttags using registry-level manifest retagging. - Expand
docker-verifyto validate both version-specific andlatesttags across architectures.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/draft-release.yml | Adds RC-only conditionals to Docker publish/manifest/verify jobs to prevent premature final tag publication. |
| .github/workflows/docker-promote.yml | Finds the matching RC tag for a published release and retags RC images to final version and latest tags, plus broadens verification. |
| - name: Retag RC images as version-specific and latest | ||
| env: | ||
| IMAGE: ${{ env.registry }}/${{ secrets.DOCKER_ORG }}/besu | ||
| run: | | ||
| set -euxo pipefail | ||
| # Per-arch single-platform tags: RC-<arch> -> <VERSION>-<arch>, latest-<arch> | ||
| for ARCH in amd64 arm64; do | ||
| docker buildx imagetools create \ |
There was a problem hiding this comment.
This job uses 'docker buildx imagetools', but there’s no explicit buildx setup step. On some runners (especially self-hosted), buildx may be missing or not configured, which would make promotions flaky. Add an explicit buildx setup step (e.g., docker/setup-buildx-action) before invoking 'docker buildx imagetools create' to make the workflow deterministic across runner environments.
There was a problem hiding this comment.
this could be a legit concern on self hosted runners for example. might be worth an extra step to be sure, especially since this would not have triggered for this PR
The draft-release workflow previously pushed version-specific docker tags (e.g. hyperledger/besu:26.4.0) as soon as it ran, regardless of whether the GitHub release was still in draft. For 26.4.0 this meant the final docker tag became publicly pullable before burn-in sign-off; if an RC had failed we'd have had stale production tags pointing to broken code. - draft-release.yml: the docker-publish, docker-manifest, and docker-verify jobs now run only when the input tag contains `-RC`. Running the workflow with an RC tag still pushes 26.4.0-RCn, 26.4.0-RCn-amd64, 26.4.0-RCn-arm64 for burn-in use. Running with a final tag (e.g. 26.4.0) skips docker entirely — the draft release artifacts are still produced. - docker-promote.yml: triggered on `release: released`, it now retags the matching RC images (found by locating the RC git tag pointing at the release sha) into the version-specific tags AND the `latest` tags using `docker buildx imagetools create`. Retagging at the registry level preserves byte-identical manifests — published binaries are exactly what burn-in validated. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: jflo <justin+github@florentine.us>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Justin Florentine <justin+github@florentine.us> Signed-off-by: jflo <justin+github@florentine.us>
…0298) * Add ChaindId, Coinbase, Gaslimit and PrevRandao to EVM v2 Signed-off-by: Ameziane H. <ameziane.hamlat@consensys.net> * Address comments Signed-off-by: Ameziane H. <ameziane.hamlat@consensys.net> --------- Signed-off-by: Ameziane H. <ameziane.hamlat@consensys.net> Signed-off-by: jflo <justin+github@florentine.us>
jflo
force-pushed
the
docker-publish-rc-only
branch
from
2b10913 to
0b761f4
Compare
garyschulte
left a comment
garyschulte
left a comment
There was a problem hiding this comment.
LGTM, some non-blocking feedback
| - name: Retag RC images as version-specific and latest | ||
| env: | ||
| IMAGE: ${{ env.registry }}/${{ secrets.DOCKER_ORG }}/besu | ||
| run: | | ||
| set -euxo pipefail | ||
| # Per-arch single-platform tags: RC-<arch> -> <VERSION>-<arch>, latest-<arch> | ||
| for ARCH in amd64 arm64; do | ||
| docker buildx imagetools create \ |
There was a problem hiding this comment.
this could be a legit concern on self hosted runners for example. might be worth an extra step to be sure, especially since this would not have triggered for this PR
| - name: Stop container | ||
| run: docker stop ${{ env.CONTAINER_NAME }} | ||
|
|
||
| release-draft: |
There was a problem hiding this comment.
should we gate this on -RC as well ? it isn't clear what value this step has if we are not releasing
There was a problem hiding this comment.
it just creates the usable artifacts, then gives time for the burn-in
Summary
Fix a policy bug where
draft-release.ymlpublishes version-specific docker tags (e.g.besu:26.4.0,besu:26.4.0-amd64,besu:26.4.0-arm64) immediately when run — regardless of whether the GitHub release is still in draft. This meant the final docker tag for 26.4.0 became publicly pullable on 2026-04-17, five days before the release was actually published and burn-in signed off. If an RC burn-in had failed, we would have had stale production docker tags pointing to broken code.Changes
.github/workflows/draft-release.yml— thedocker-publish,docker-manifest, anddocker-verifyjobs now only run when the input tag contains-RC. Running the workflow with an RC tag still pushes the RC-suffixed docker images for burn-in use (26.4.0-RCn,26.4.0-RCn-amd64,26.4.0-RCn-arm64). Running with a final tag (26.4.0) skips docker entirely — release-draft artifacts are still produced as before..github/workflows/docker-promote.yml— extended from just promotinglatesttags to also publishing the version-specific tags. On release publish, the workflow now:<VERSION>-RC<n>) pointing at the release shalatesttags usingdocker buildx imagetools createlatesttagsRetagging at the registry level (instead of rebuilding from source) preserves byte-identical manifests — the published binaries are exactly what burn-in validated.
Flow comparison
26.4.0-RC3besu:26.4.0-RC3*besu:26.4.0-RC3*(same)26.4.0besu:26.4.0*publicly (bug)latest*besu:26.4.0*andbesu:latest*Fail-loud on missing RC
If no RC tag matching
<VERSION>-RC<n>is found at the release sha,docker-promotefails with a clear error rather than silently skipping the promotion. This enforces the policy that every released version must have gone through an RC.Test plan
draft-releaseon main with a test RC tag (e.g. on a fork) and confirm only RC-suffixed docker tags are pusheddraft-releasewith a non-RC tag and confirm docker jobs skipdocker-promoteretags correctlydocker buildx imagetools createretagging produces identical manifest digests (no rebuild)Follow-ups (not in this PR)
besu-releaseskill to reflect the new flow (run draft-release with RC tag during burn-in, then with final tag for the release artifacts)Consensys/protocols-release-sandboxworkflows used for simulation🤖 Generated with Claude Code