fix: render per-instance container image from the verified manifest (${PIC_IMAGE})
Unit Tests / test (push) Successful in 9m54s
Unit Tests / test (push) Successful in 9m54s
Connectivity compose-templates hardcoded an unpinned image:tag (proxy even
referenced the renamed-away svc-redsocks), so the per-instance container that
actually ran pulled an unverified :latest — bypassing the cosign/digest
verification the store performs at install. Add a ${PIC_IMAGE} render variable
that resolves to the manifest's digest-pinned, verified image; the matching
pic-services templates switch to image: ${PIC_IMAGE} so the container that runs
is exactly the ref the store verified.
Verified on pic1: rendering the proxy template yields the pinned
svc-proxy@sha256 image.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -157,6 +157,11 @@ class ServiceComposer:
|
||||
result = result.replace('${PIC_CELL_NAME}', cell_name)
|
||||
result = result.replace('${PIC_SERVICE_ID}', service_id)
|
||||
result = result.replace('${PIC_DATA_DIR}', str(Path(self.data_dir).resolve()))
|
||||
# ${PIC_IMAGE} resolves to the manifest's image — the digest-pinned,
|
||||
# cosign-verified reference. Templates (especially instanceable ones)
|
||||
# MUST use this rather than hardcoding an image:tag, so the container
|
||||
# that actually runs is the same image the store verified at install.
|
||||
result = result.replace('${PIC_IMAGE}', str(manifest.get('image', '')))
|
||||
|
||||
if instance_vars:
|
||||
for var in ('INSTANCE_ID', 'REDIRECT_PORT'):
|
||||
|
||||
Reference in New Issue
Block a user