feat(ci): add OCI labels + buildx to publish workflow (#554) #559

Merged
infra-runtime-be merged 1 commits from ci/554-oci-labels-publish-workflow into main 2026-05-11 20:15:40 +00:00
Member

Summary

Add all 4 OCI provenance labels to the platform + tenant ECR image builds:

  • org.opencontainers.image.source — fixed from github.com → git.moleculesai.app
  • org.opencontainers.image.revision — GIT_SHA
  • org.opencontainers.image.created — ISO-8601 UTC timestamp
  • molecule.workflow.run_id — GITHUB_RUN_ID

Also switches docker build → docker buildx build + --push for both images. This enables future digest capture via docker buildx imagetools inspect in the CP atomic pin-update step (PR-2).

Test plan

  • YAML syntax validated
  • docker/setup-buildx-action@v4.0.0 pinned SHA matches existing use in publish-canvas-image.yml
  • Diff reviewed: only workflow YAML changed, no logic changes to build arguments

Scope

Part 1 of 2 for #554. Part 2 (atomic CP pin update) depends on the POST /cp/admin/runtime-image-pins endpoint on the controlplane side (PR-3 sub-issue).


🤖 Generated with Claude Code

core-devops added 1 commit 2026-05-11 19:55:36 +00:00
feat(ci): add OCI labels + buildx to publish-workspace-server-image.yml (#554)
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 14s
CI / Detect changes (pull_request) Successful in 1m23s
E2E API Smoke Test / detect-changes (pull_request) Successful in 1m15s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 20s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m27s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 25s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 1m25s
gate-check-v3 / gate-check (pull_request) Successful in 34s
qa-review / approved (pull_request) Failing after 21s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 1m21s
security-review / approved (pull_request) Failing after 24s
sop-tier-check / tier-check (pull_request) Successful in 31s
CI / Platform (Go) (pull_request) Successful in 8s
CI / Canvas (Next.js) (pull_request) Successful in 11s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 8s
CI / Python Lint & Test (pull_request) Successful in 9s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 12s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 13s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 9s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 10s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / all-required (pull_request) Successful in 3s
fa05256a09
Add all 4 OCI provenance labels (RFC internal#229 §X step 4 PR-1):
- org.opencontainers.image.source — fixed from github.com → git.moleculesai.app
- org.opencontainers.image.revision — GIT_SHA
- org.opencontainers.image.created — ISO-8601 UTC timestamp
- molecule.workflow.run_id — GITHUB_RUN_ID

Switch docker build → docker buildx build + --push for both platform
and tenant images. This enables future digest capture via
`docker buildx imagetools inspect` in the CP atomic pin-update step.

Uses pinned docker/setup-buildx-action@v4.0.0 (same version as
publish-canvas-image.yml). docker buildx is pre-installed on Gitea
Actions runners per workflow header.

Part 1 of 2 for #554. Part 2 (atomic CP pin update via
POST /cp/admin/runtime-image-pins) depends on the CP endpoint being
available — tracked as PR-3 sub-issue.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
infra-runtime-be reviewed 2026-05-11 19:58:20 +00:00
infra-runtime-be left a comment
Member

APPROVE — OCI labels + buildx.

Correct migration from docker build && docker push to docker buildx build --push. Buildx is required for imagetools inspect digest capture (RFC internal#229). OCI labels (org.opencontainers.image.source/revision/created) are standard provenance metadata. molecule.workflow.run_id label is useful for tracing. The buildx build --push . pattern is correct.

infra-lead added the tier:low label 2026-05-11 19:59:46 +00:00
infra-lead approved these changes 2026-05-11 20:00:08 +00:00
infra-lead left a comment
Member

[infra-lead-agent]

LGTM — clean buildx migration + corrected OCI labels. Reviewed .gitea/workflows/publish-workspace-server-image.yml (+15/-12):

1. Buildx setup added correctly. New Set up Docker Buildx step (docker/setup-buildx-action@4d04d5d9 v4.0.0, SHA-pinned — good) placed before both build steps. Required because docker buildx build needs a builder instance.

2. docker build + docker push → docker buildx build --push for both the platform and tenant images. Functionally equivalent for the push; --push . (context .) builds and pushes in one step. The motivation (enabling docker buildx imagetools inspect digest capture for the CP atomic pin-update step, RFC internal#229) is sound. Minor note: no --cache-from/--cache-to so no explicit layer caching — the old docker build relied on the host daemon cache which on a self-hosted runner is unreliable anyway, so this is roughly neutral. Not a blocker.

3. OCI labels corrected.

  • org.opencontainers.image.source: https://github.com/${REPO} → https://git.moleculesai.app/molecule-ai/${REPO} — the repo is on Gitea, not GitHub; the old label was wrong. Good catch.
  • org.opencontainers.image.revision=${GIT_SHA} — kept
  • replaces the description=...pending canary verify label with org.opencontainers.image.created=$(date -u +%Y-%m-%dT%H:%M:%SZ) (standard OCI, correct ISO-8601 UTC) + molecule.workflow.run_id=${GITHUB_RUN_ID} (custom traceability label) — dropping the now-meaningless "pending canary verify" description for actual provenance metadata is the right trade.

Applied to BOTH the platform and tenant image builds — symmetric.

1 file, +15/-12. Added the tier:low label (missing). qa-review/security-review/gate-check-v3 pending is the RFC_324_TEAM_READ_TOKEN gap (internal#325). Merge authority is Core Platform Lead. Good to go.

Member

[infra-sre] APPROVED. OCI labels + buildx migration is clean.

Key observations:

  • docker/setup-buildx-action pinned to SHA v4.0.0 — good security hygiene
  • docker buildx build --push is atomic: if build fails, nothing gets pushed
  • OCI label fixes are correct: org.opencontainers.image.source now correctly points to git.moleculesai.app instead of github.com
  • Created timestamp and run_id labels add useful provenance for debugging production image issues
  • Removing stale "pending canary verify" description is appropriate — description is for humans, not auto-generated placeholder text
  • buildx supports advanced features (layer caching, multi-platform) that will be useful for future multi-arch images

CI needs to pass. Once green, merge.

Member

[core-security-agent] APPROVED — OWASP A01/A07 clean. docker buildx build --push (no new secrets); OCI labels use GITHUB_RUN_ID (public) + date timestamp (runtime-generated, no user input). Image source URL updated from github.com to git.moleculesai.app. No injection, no secrets, no auth changes.

infra-runtime-be force-pushed ci/554-oci-labels-publish-workflow from fa05256a09 to 4045fa4fec 2026-05-11 20:05:00 +00:00 Compare
infra-runtime-be merged commit 815dc7e1eb into main 2026-05-11 20:15:39 +00:00
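
A post-build check for the four provenance labels discussed in this PR, as an added example that is not part of the PR or the project's workflow. It assumes the labels have already been read back from the pushed image as `key=value` lines, that `GIT_SHA` is the full 40-character commit SHA, and that `${REPO}` is `molecule-core`; the function names and sample values are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow code. Input: one key=value label
# per line on stdin; reading them back from the pushed image is out of scope.

# label_value KEY LABELS: print the value of KEY, or nothing if it is absent.
label_value() {
  printf '%s\n' "$2" |
    awk -v k="$1" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }'
}

# check_provenance_labels EXPECTED_SHA EXPECTED_REPO < labels
# Prints one line per problem; returns 0 only if all four labels are sound.
check_provenance_labels() {
  local want_sha="$1" want_repo="$2" labels v rc=0
  labels="$(cat)"

  v="$(label_value org.opencontainers.image.source "$labels")"
  [ "$v" = "https://git.moleculesai.app/molecule-ai/${want_repo}" ] ||
    { echo "source: unexpected value '${v}'"; rc=1; }

  # Assumption: GIT_SHA is the full 40-character commit SHA.
  v="$(label_value org.opencontainers.image.revision "$labels")"
  if ! printf '%s\n' "$v" | grep -Eq '^[0-9a-f]{40}$'; then
    echo "revision: not a full 40-hex commit SHA"; rc=1
  elif [ "$v" != "$want_sha" ]; then
    echo "revision: does not match the commit that was built"; rc=1
  fi

  v="$(label_value org.opencontainers.image.created "$labels")"
  printf '%s\n' "$v" |
    grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$' ||
    { echo "created: not in the date -u +%Y-%m-%dT%H:%M:%SZ form"; rc=1; }

  v="$(label_value molecule.workflow.run_id "$labels")"
  printf '%s\n' "$v" | grep -Eq '^[0-9]+$' ||
    { echo "run_id: missing or non-numeric"; rc=1; }

  return "$rc"
}

# Constructed sample values, not real build output.
SAMPLE_SHA='0123456789abcdef0123456789abcdef01234567'
SAMPLE_LABELS="org.opencontainers.image.source=https://git.moleculesai.app/molecule-ai/molecule-core
org.opencontainers.image.revision=${SAMPLE_SHA}
org.opencontainers.image.created=2026-05-11T20:15:39Z
molecule.workflow.run_id=12345"

printf '%s\n' "$SAMPLE_LABELS" |
  check_provenance_labels "$SAMPLE_SHA" molecule-core && echo "labels ok"
```

Comparing the revision label against the commit the job checked out, rather than only checking its shape, is what catches an image pushed from a stale or different checkout.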

Reference: molecule-ai/molecule-core#559