Skip to content

Container Image Versions

Jump to bottom
Yoom Lam edited this page Jun 26, 2023 · 16 revisions

Container images are built and published to GHCR -- see Deploying VRO. The images are tagged with an image tag, representing the version of the image. The image tag (or "image version" or "version") is:

  • the first 7 of commit hash when the image is built as part of Continuous Integration (CI CD Workflows)
  • or a semantic version string formatted as v1.2.3 when a release tag is created, typically for testing in LHDI environments
  • or a semantic version string formatted as release-1.2.3 when a manual release tag is created, typically for deployment to prod LHDI

See different image versions in the GitHub Container Repository. The latest image tag, always refers to the last published image.

The scripts/image_vars.src and scripts/image_versions.src files determine which versions of each container is used during deployment. These files should not be modified manually. The versions can be overridden by manually-specified version in GitHub Action workflows.

Relevant ticket: Allow deployed containers to have different release versions #1725

Terminology:

  • pinning an image version = set the version for a particular container image so that:
    • the image is not republished to GHCR and SecRel does not rescan the (same) image;
    • the pinned version is used during LHDI deployments;
  • unpinning an image version = unset the version for a particular container image so that:
    • a new image is built and SecRel scans the new image;
    • the new image is deployed to LHDI;

Pinning and unpinning is performed by scripts/image-version.sh, which updates scripts/image_versions.src and is automatically called when certain events are triggered. The result is that for images that don't change, they stay at their pinned versions.

Pinning versions

When a release is created, image versions that are unpinned will become pinned to that specified release version.

Unpinning versions

When the codebase is changed (e.g., a PR is merged), if the container image has changed For image versions that are pinned, then it will be unpinned.

Clone this wiki locally