Skip to content

fix(011): drop explicit manifest check, trust mikebom release contract#24

Merged
mlieberman85 merged 1 commit into
kusari-oss:mainfrom
mlieberman85:fix/011-trust-release-contract
Jul 11, 2026
Merged

fix(011): drop explicit manifest check, trust mikebom release contract#24
mlieberman85 merged 1 commit into
kusari-oss:mainfrom
mlieberman85:fix/011-trust-release-contract

Conversation

@mlieberman85

Copy link
Copy Markdown
Contributor

Summary

The cumulative debug journey across #20/#21/#22/#23 established that explicit ghcr.io manifest verification is infeasible without a cross-org PAT. Each method hit the same underlying wall:

PR Method Failure
#20 docker manifest inspect (no auth) 401 unauthorized — ghcr.io v2 requires SOME token
#21 docker manifest inspect (GITHUB_TOKEN auth) 401 denied — token has no cross-org scope
#22 crane manifest Same as #21 in a different wrapper. My "verified locally" claim was a false positive — I had stale ghcr.io creds in my Docker config
#23 gh api /orgs/.../packages/container/.../versions Silent empty response — GITHUB_TOKEN's packages: read scope doesn't map to REST-API cross-org container-metadata reads

Every path back to strict verification requires storing a cross-org PAT as a repo secret. That's a real ongoing cost (rotation, principle of least privilege, another attack surface) for a check that:

  1. Duplicates mikebom's release contract — their release.yml publishes the GitHub release AND pushes the multi-arch image atomically. If the release exists, the image exists (within seconds).
  2. Covers a tiny race window — seconds between release publish and image push. The next nightly (or maintainer dispatch) picks it up cleanly.
  3. Has the same failure mode as skipping — if the release-and-image contract is ever broken, users hit ImagePullBackOff at Job-spawn regardless of what we check workflow-side.

Fix

Test plan

  • CI passes (Rust, helm, shellcheck, SHA-pin discipline)
  • Kusari Inspector: no new findings
  • Post-merge dry-run: decision=should_bump, current_pin=v0.1.0-alpha.57, latest_mikebom=v0.1.0-alpha.58, next_operator_tag=v0.1.0-alpha.2. Zero side effects (dry-run branch prints "would push", "would open PR").
  • If dry-run finally clean, next step is to run without dry_run=true and exercise the real end-to-end pipeline.

🤖 Generated with Claude Code

Cumulative debug journey (PRs kusari-oss#20, kusari-oss#21, kusari-oss#22, kusari-oss#23) established that
explicit ghcr.io manifest verification is infeasible without a
cross-org PAT:

- `docker manifest inspect` — 401 unauthorized, then 401 denied even
  with `docker login` using GITHUB_TOKEN. GITHUB_TOKEN's `packages:
  read` scope only covers this repo's own packages.
- `crane manifest` — same issue at a different layer. My "verified
  locally" claim was a false positive from stale ghcr.io creds in my
  Docker config.
- `gh api /orgs/kusari-oss/packages/container/mikebom/versions` —
  fails silently on the runner. Cross-org REST-API access to
  container metadata also requires an explicit cross-org token.

Every path back to strict manifest verification requires a
cross-org PAT stored as a repo secret. That's a real ongoing cost
(rotation, principle of least privilege, another attack surface)
for a check that:
  1. duplicates what mikebom's release contract already guarantees
     (release + image published atomically by their release.yml);
  2. covers a tiny race window (seconds between release publish
     and image push);
  3. produces the same failure mode (ImagePullBackOff at Job-spawn)
     when its assumption breaks as we'd get if we skipped it.

Drop the check. Trust the mikebom release contract. Contract updated
to explicitly document this design decision and the removed
`noop_manifest_pending` variant. Reference the hotfix chain (kusari-oss#20kusari-oss#23) for future readers investigating the design.

If we ever want strict verification back, add a `MIKEBOM_GHCR_TOKEN`
repo secret with `read:packages` scope and use `crane manifest`.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@mlieberman85 mlieberman85 merged commit 9e8f29e into kusari-oss:main Jul 11, 2026
5 checks passed
@mlieberman85 mlieberman85 deleted the fix/011-trust-release-contract branch July 11, 2026 07:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant