ci: serialize Publish Image runs to prevent stale :latest #13
Merged
Concurrent merges to main (e.g. several Renovate PRs landing within seconds) each trigger Publish Image with no concurrency guard, so the runs race on the :latest tag. An older commit's run can push :latest last, leaving it pointing at a stale image. Consumers then see the published base as out of date and rebuild the whole role image from the workspace Dockerfile instead of reusing it.

Add a per-branch concurrency group with cancel-in-progress so the newest push wins and :latest always reflects the latest commit.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com>



Problem

Publish Image runs on every push to main with no concurrency guard. When several PRs merge within seconds (common with Renovate batches), multiple publish runs execute concurrently and race on the :latest tag. An older commit's run can push :latest last, so :latest ends up baked from an older role commit than main HEAD.

Downstream, jackin' inspects the published base's jackin.role_git_sha label, sees it behind the role repo HEAD, marks it published_image_stale, and rebuilds the entire role image from the workspace Dockerfile on every launch instead of reusing the published base.

Fix

Add a top-level concurrency group keyed on the branch with cancel-in-progress: true, so simultaneous publishes serialize and the newest push wins :latest.

🤖 Generated with Claude Code
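The guard described in the Fix section, shown in the context of a workflow file. This is an added example, not the diff from this pull request: the file path, the group key expression and the job steps are assumptions, and the build step is a placeholder for the repository's real one.

```yaml
# Hypothetical .github/workflows/publish-image.yml (path and job body assumed).
name: Publish Image

on:
  push:
    branches: [main]

# Without a `concurrency` key, every push to main starts an independent run,
# and whichever run finishes last decides what :latest points to.
#
# With the key below, all runs of this workflow on the same ref share one
# group. When a newer push arrives, the run already in progress is cancelled,
# so only the newest commit's run can reach the push step.
#
# Trade-off to review: cancel-in-progress: true can interrupt a run part-way
# through. With cancel-in-progress: false the running job finishes and only
# the most recent pending run is kept, which also ends on the newest commit
# but takes longer to converge.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Placeholder: the real build-and-push steps are not shown on this page.
      - name: Build and push :latest
        run: echo "build and push image for ${GITHUB_SHA}"
```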