Disambiguate release artifacts and tags by base digest.

Author: fnando

.github/workflows/publish.yml

@@ -141,7 +141,7 @@ jobs:
         with:
           image: ${{ steps.tag.outputs.image }}@${{ steps.build.outputs.digest }}
           format: spdx-json
-          output-file: sbom-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_base_key }}-${{ matrix.arch }}.spdx.json
+          output-file: sbom-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_base_id }}-${{ matrix.arch }}.spdx.json
           upload-release-assets: false
           upload-artifact: false
 
@@ -164,14 +164,14 @@ jobs:
         with:
           subject-name: ${{ env.REGISTRY }}
           subject-digest: ${{ steps.build.outputs.digest }}
-          sbom-path: sbom-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_base_key }}-${{ matrix.arch }}.spdx.json
+          sbom-path: sbom-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_base_id }}-${{ matrix.arch }}.spdx.json
           push-to-registry: true
 
       - name: write per-arch metadata
         if: steps.skip.outputs.skipped != 'true'
         run: |
           ./scripts/write_metadata.py \
-            --output "meta-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_base_key }}-${{ matrix.arch }}.json" \
+            --output "meta-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_base_id }}-${{ matrix.arch }}.json" \
             --arch "${{ matrix.arch }}" \
             --stellar-cli-version "${{ matrix.stellar_cli_version }}" \
             --digest "${{ steps.build.outputs.digest }}" \
@@ -184,7 +184,7 @@ jobs:
         if: steps.skip.outputs.skipped != 'true'
         run: |
           cp "${{ steps.attest-prov.outputs.bundle-path }}" \
-            "prov-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_base_key }}-${{ matrix.arch }}.intoto.jsonl"
+            "prov-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_base_id }}-${{ matrix.arch }}.intoto.jsonl"
 
       # Skipped pairs still need metadata so the release-body composer can
       # show the full state of every declared pair, not just the freshly
@@ -196,7 +196,7 @@ jobs:
         if: steps.skip.outputs.skipped == 'true'
         run: |
           ./scripts/write_metadata.py \
-            --output "meta-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_base_key }}-${{ matrix.arch }}.json" \
+            --output "meta-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_base_id }}-${{ matrix.arch }}.json" \
             --arch "${{ matrix.arch }}" \
             --stellar-cli-version "${{ matrix.stellar_cli_version }}" \
             --image "${{ steps.tag.outputs.image }}" \
@@ -207,7 +207,7 @@ jobs:
       - name: upload release artifacts
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
-          name: release-artifacts-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_base_key }}-${{ matrix.arch }}
+          name: release-artifacts-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_base_id }}-${{ matrix.arch }}
           path: |
             sbom-*.spdx.json
             prov-*.intoto.jsonl

scripts/release_body.py

@@ -35,13 +35,19 @@ def load_metadata(metadata_dir: Path, expected_cli: str) -> list[dict]:
     return rows
 
 
-def rust_keys_newest_first(rows: list[dict]) -> list[str]:
-    """Unique rust base keys, ordered by toolchain version descending."""
+def list_tag(row: dict) -> str:
+    """The multi-arch manifest-list tag for a row: its per-arch tag minus the arch."""
+    return row["tag"].removesuffix(f"-{row['arch']}")
+
+
+def pins_newest_first(rows: list[dict]) -> list[str]:
+    """Unique multi-arch list tags (one per base pin), ordered by version descending."""
     seen: dict[str, tuple] = {}
     for row in rows:
-        if row["rust_base_key"] not in seen:
-            seen[row["rust_base_key"]] = semver.parse(row["rust_version"])
-    return sorted(seen.keys(), key=lambda k: (seen[k], k), reverse=True)
+        tag = list_tag(row)
+        if tag not in seen:
+            seen[tag] = semver.parse(row["rust_version"])
+    return sorted(seen.keys(), key=lambda t: (seen[t], t), reverse=True)
 
 
 def emit_body(*, cli: str, rows: list[dict], registry: str, repo: str, stellar_ref: str) -> str:
@@ -57,36 +63,38 @@ def emit_body(*, cli: str, rows: list[dict], registry: str, repo: str, stellar_r
     p(f"- `{registry}:{cli}` — this cli, default Rust")
     p()
     p(f"Immutable, pinned to stellar-cli `{stellar_ref}`:\n")
-    for key in rust_keys_newest_first(rows):
-        p(f"- `{registry}:{cli}-{stellar_ref}-rust{key}` — multi-arch")
-        p(f"- `{registry}:{cli}-{stellar_ref}-rust{key}-amd64`")
-        p(f"- `{registry}:{cli}-{stellar_ref}-rust{key}-arm64`")
+    for tag in pins_newest_first(rows):
+        p(f"- `{registry}:{tag}` — multi-arch")
+        for row in [r for r in rows if list_tag(r) == tag]:
+            p(f"- `{registry}:{row['tag']}`")
 
     p("\n## Per-architecture digests (for SEP-58 `bldimg`)\n")
     p(
         f"Use the per-architecture digest when recording `bldimg` in your contract "
         f"metadata. Never use a moving tag like `:latest` or `:{cli}`.\n"
     )
 
-    for key in rust_keys_newest_first(rows):
-        p(f"### Rust {key}\n")
-        key_rows = [r for r in rows if r["rust_base_key"] == key]
-        for row in key_rows:
+    for tag in pins_newest_first(rows):
+        pin_rows = [r for r in rows if list_tag(r) == tag]
+        key = pin_rows[0]["rust_base_key"]
+        base_digest = tag.rsplit("-", 1)[1]
+        p(f"### Rust {key} (base {base_digest})\n")
+        for row in pin_rows:
             p(f"- `linux/{row['arch']}`: `{registry}@{row['digest']}`")
         p("\nVerify:\n")
         p("```sh")
-        for row in key_rows:
+        for row in pin_rows:
             p(f"gh attestation verify oci://{registry}@{row['digest']} --repo {repo}")
         p()
-        for row in key_rows:
+        for row in pin_rows:
             p("cosign verify-attestation \\")
             p("  --type slsaprovenance1 \\")
             identity_re = f"https://github.com/{repo}/\\.github/workflows/.*"
             p(f'  --certificate-identity-regexp "{identity_re}" \\')
             p("  --certificate-oidc-issuer https://token.actions.githubusercontent.com \\")
             p(f"  {registry}@{row['digest']}")
         p()
-        for row in key_rows:
+        for row in pin_rows:
             p(f"docker buildx imagetools inspect {registry}@{row['digest']}")
         p("```\n")
 

scripts/resolve_matrix.py

@@ -10,6 +10,7 @@
 import json
 import sys
 
+import tag_names
 from lib import builds, common, rust_keys
 
 ARCHES = ("amd64", "arm64")
@@ -28,11 +29,13 @@ def build_matrix(data: dict, only_cli: str = "") -> dict:
         for pin in entry["rust_versions"]:
             label, digest = builds.split_entry(pin)
             parsed = rust_keys.parse(label)
+            rust_base_id = f"{label}-{tag_names.short_digest(digest)}"
             for arch in ARCHES:
                 rows.append(
                     {
                         "arch": arch,
                         "platform": f"linux/{arch}",
+                        "rust_base_id": rust_base_id,
                         "rust_base_key": label,
                         "rust_base_suffix": parsed.suffix,
                         "rust_image_digest": digest,

scripts/tag_names.py

@@ -32,7 +32,8 @@ def _short_ref(ref: str) -> str:
     return ref[:_SHORT]
 
 
-def _short_digest(digest: str) -> str:
+def short_digest(digest: str) -> str:
+    """First 15 hex chars of an image digest, with any `sha256:` prefix stripped."""
     return digest.removeprefix("sha256:")[:_SHORT]
 
 
@@ -48,7 +49,7 @@ def compose_tag(
     if stellar_cli_ref:
         tag = f"{tag}-{_short_ref(stellar_cli_ref)}"
     tag = f"{tag}-rust{rust_version}"
-    tag = f"{tag}-{_short_digest(rust_image_digest)}"
+    tag = f"{tag}-{short_digest(rust_image_digest)}"
     if platform:
         arch = _ARCH_FOR_PLATFORM.get(platform)
         if arch is None:

tests/fixtures/meta_amd64.json

@@ -1,9 +1,9 @@
 {
   "arch": "amd64",
   "digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111",
-  "image": "docker.io/stellar/stellar-cli:26.0.0-abc123-rust1.94.0-slim-trixie-amd64",
+  "image": "docker.io/stellar/stellar-cli:26.0.0-abc123-rust1.94.0-slim-trixie-f7bf1c266d9e48c-amd64",
   "rust_base_key": "1.94.0-slim-trixie",
   "rust_version": "1.94.0",
   "stellar_cli_version": "26.0.0",
-  "tag": "26.0.0-abc123-rust1.94.0-slim-trixie-amd64"
+  "tag": "26.0.0-abc123-rust1.94.0-slim-trixie-f7bf1c266d9e48c-amd64"
 }

tests/fixtures/meta_arm64.json

@@ -1,9 +1,9 @@
 {
   "arch": "arm64",
   "digest": "sha256:2222222222222222222222222222222222222222222222222222222222222222",
-  "image": "docker.io/stellar/stellar-cli:26.0.0-abc123-rust1.94.0-slim-trixie-arm64",
+  "image": "docker.io/stellar/stellar-cli:26.0.0-abc123-rust1.94.0-slim-trixie-f7bf1c266d9e48c-arm64",
   "rust_base_key": "1.94.0-slim-trixie",
   "rust_version": "1.94.0",
   "stellar_cli_version": "26.0.0",
-  "tag": "26.0.0-abc123-rust1.94.0-slim-trixie-arm64"
+  "tag": "26.0.0-abc123-rust1.94.0-slim-trixie-f7bf1c266d9e48c-arm64"
 }

tests/unit/test_release_body.py

@@ -68,44 +68,46 @@ def test_load_metadata_sorts_by_rust_version_then_key_then_arch(tmp_path: Path)
     ]
 
 
-def test_rust_keys_newest_first_orders_by_version_desc() -> None:
+def _pin_rows(label: str, version: str, digest15: str) -> list[dict]:
+    base = f"26.0.0-abc123-rust{label}-{digest15}"
+    return [
+        {
+            "arch": arch,
+            "digest": "sha256:" + char * 64,
+            "rust_base_key": label,
+            "rust_version": version,
+            "tag": f"{base}-{arch}",
+        }
+        for arch, char in (("amd64", "1"), ("arm64", "2"))
+    ]
+
+
+def test_pins_newest_first_orders_by_version_desc() -> None:
     rows = [
-        {"rust_base_key": "1.94.0-slim-trixie", "rust_version": "1.94.0"},
-        {"rust_base_key": "1.100.0-slim-trixie", "rust_version": "1.100.0"},
-        {"rust_base_key": "1.94.0-slim-trixie", "rust_version": "1.94.0"},  # dup
+        *_pin_rows("1.94.0-slim-trixie", "1.94.0", "a" * 15),
+        *_pin_rows("1.100.0-slim-trixie", "1.100.0", "b" * 15),
     ]
-    assert release_body.rust_keys_newest_first(rows) == [
-        "1.100.0-slim-trixie",
-        "1.94.0-slim-trixie",
+    assert release_body.pins_newest_first(rows) == [
+        "26.0.0-abc123-rust1.100.0-slim-trixie-" + "b" * 15,
+        "26.0.0-abc123-rust1.94.0-slim-trixie-" + "a" * 15,
     ]
 
 
 def test_emit_body_includes_expected_sections() -> None:
-    rows = [
-        {
-            "arch": "amd64",
-            "digest": "sha256:" + "1" * 64,
-            "rust_base_key": "1.94.0-slim-trixie",
-            "rust_version": "1.94.0",
-        },
-        {
-            "arch": "arm64",
-            "digest": "sha256:" + "2" * 64,
-            "rust_base_key": "1.94.0-slim-trixie",
-            "rust_version": "1.94.0",
-        },
-    ]
+    rows = _pin_rows("1.94.0-slim-trixie", "1.94.0", "f7bf1c266d9e48c")
     body = release_body.emit_body(
         cli="26.0.0",
         rows=rows,
         registry="docker.io/stellar/stellar-cli",
         repo="stellar/stellar-cli-docker",
         stellar_ref="abc123",
     )
+    list_tag = "26.0.0-abc123-rust1.94.0-slim-trixie-f7bf1c266d9e48c"
     assert "# stellar-cli 26.0.0" in body
     assert "## Tags" in body
     assert "docker.io/stellar/stellar-cli:latest" in body
-    assert "26.0.0-abc123-rust1.94.0-slim-trixie" in body
+    assert f"docker.io/stellar/stellar-cli:{list_tag}" in body
+    assert f"{list_tag}-amd64" in body
     assert "## Per-architecture digests" in body
     assert "### Rust 1.94.0-slim-trixie" in body
     assert "linux/amd64" in body
@@ -115,6 +117,24 @@ def test_emit_body_includes_expected_sections() -> None:
     assert "docker buildx imagetools inspect" in body
     assert "## Verification" in body
     assert "## Assets" in body
+
+
+def test_emit_body_two_digests_same_label_render_distinctly() -> None:
+    rows = [
+        *_pin_rows("1.94.0-slim-trixie", "1.94.0", "a" * 15),
+        *_pin_rows("1.94.0-slim-trixie", "1.94.0", "c" * 15),
+    ]
+    body = release_body.emit_body(
+        cli="26.0.0",
+        rows=rows,
+        registry="docker.io/stellar/stellar-cli",
+        repo="stellar/stellar-cli-docker",
+        stellar_ref="abc123",
+    )
+    # Both pins surface as their own multi-arch tag and their own section.
+    assert "26.0.0-abc123-rust1.94.0-slim-trixie-" + "a" * 15 in body
+    assert "26.0.0-abc123-rust1.94.0-slim-trixie-" + "c" * 15 in body
+    assert body.count("### Rust 1.94.0-slim-trixie") == 2
     # Each shell-continuation line in the cosign block must end with a single
     # backslash, not two — `\\` in the rendered markdown would land as a
     # literal `\\` in the user's terminal instead of a line continuation.

tests/unit/test_resolve_matrix.py

@@ -29,6 +29,7 @@ def test_build_matrix_row_carries_expected_keys(minimal_builds: dict) -> None:
     assert set(row.keys()) == {
         "arch",
         "platform",
+        "rust_base_id",
         "rust_base_key",
         "rust_base_suffix",
         "rust_image_digest",
@@ -38,6 +39,35 @@ def test_build_matrix_row_carries_expected_keys(minimal_builds: dict) -> None:
     }
 
 
+def test_build_matrix_row_id_carries_digest_fragment(minimal_builds: dict) -> None:
+    matrix = resolve_matrix.build_matrix(minimal_builds)
+    row = matrix["include"][0]
+    # rust_base_id disambiguates two pins that share a label but differ by digest,
+    # so downstream artifact/file names never collide.
+    assert row["rust_base_id"] == "1.94.0-slim-trixie-f7bf1c266d9e48c"
+
+
+def test_build_matrix_same_label_two_digests_distinct_ids() -> None:
+    data = {
+        "default_distro": "trixie",
+        "stellar_cli_versions": [
+            {
+                "ref": "a" * 40,
+                "version": "26.0.0",
+                "rust_versions": [
+                    "1.94.0-slim-trixie@sha256:" + "a" * 64,
+                    "1.94.0-slim-trixie@sha256:" + "b" * 64,
+                ],
+            }
+        ],
+    }
+    ids = {row["rust_base_id"] for row in resolve_matrix.build_matrix(data)["include"]}
+    assert ids == {
+        "1.94.0-slim-trixie-" + "a" * 15,
+        "1.94.0-slim-trixie-" + "b" * 15,
+    }
+
+
 def test_build_matrix_parses_rust_key(minimal_builds: dict) -> None:
     matrix = resolve_matrix.build_matrix(minimal_builds)
     row = matrix["include"][0]