@cozystack-bot cozystack-bot commented Aug 28, 2025

This PR prepares the release v0.36.0-alpha.1.

Summary by CodeRabbit

  • Chores
    • Upgraded platform components to v0.36.0-alpha.1 (installer, controller, API, dashboard, Kamaji, objectstorage controller, SeaweedFS sidecar, Matchbox, e2e sandbox).
    • Updated Kubernetes add-ons: cluster-autoscaler 0.28.0; KubeVirt cloud provider and CSI driver 0.28.0; Kube-OVN 1.14.5.
    • Refreshed image digests for nginx-cache and s3manager to latest builds.
    • Updated dashboard app/version and Kubeapps images, including new API image digest for improved compatibility.

Signed-off-by: cozystack-bot <217169706+cozystack-bot@users.noreply.github.com>
@cozystack-bot cozystack-bot added the release Releasing a new Cozystack version label Aug 28, 2025

coderabbitai bot commented Aug 28, 2025

Walkthrough

Image tags and digests were updated across apps and system charts, aligning components to new versions (notably v0.36.0-alpha.1), with specific bumps for Kubernetes-related images (cluster-autoscaler 0.28.0, kubevirt components 0.28.0) and KubeOVN (v1.14.5). Several YAML values files and *.tag pin files were modified.

Changes

| Cohort | File(s) | Change summary |
|---|---|---|
| App cache image digest | packages/apps/http-cache/images/nginx-cache.tag | Updated nginx-cache:0.7.0 sha256 digest. |
| Kubernetes components (versions) | packages/apps/kubernetes/images/cluster-autoscaler.tag, packages/apps/kubernetes/images/kubevirt-cloud-provider.tag, packages/apps/kubernetes/images/kubevirt-csi-driver.tag, packages/system/kubevirt-csi-node/values.yaml | Bumped tags: cluster-autoscaler 0.27.0→0.28.0; kubevirt cloud-provider 0.27.0→0.28.0; kubevirt csi-driver 0.27.0→0.28.0; updated csi-driver image tag in values; digests unchanged where noted. |
| Core installer and testing | packages/core/installer/values.yaml, packages/core/testing/values.yaml | Updated installer and e2e-sandbox images to v0.36.0-alpha.1 with new digests. |
| System API and controller | packages/system/cozystack-api/values.yaml, packages/system/cozystack-controller/values.yaml | Updated cozystack-api and controller images to v0.36.0-alpha.1; controller digest changed; cozystackVersion set to v0.36.0-alpha.1. |
| Dashboard | packages/system/dashboard/values.yaml, packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml | Updated dashboard and kubeappsapis tags to v0.36.0-alpha.1; kubeappsapis digest changed; ConfigMap appVersion set to v0.36.0-alpha.1. |
| Kamaji | packages/system/kamaji/values.yaml | Updated image tag to v0.36.0-alpha.1 with new digest; migrate-image arg updated accordingly. |
| KubeOVN | packages/system/kubeovn/values.yaml, packages/system/kubeovn-webhook/values.yaml | KubeOVN tag bumped v1.13.14→v1.14.5 (new digest); kubeovn-webhook image updated to v0.36.0-alpha.1 (new digest). |
| Object storage stack | packages/system/objectstorage-controller/values.yaml, packages/extra/seaweedfs/images/objectstorage-sidecar.tag, packages/system/seaweedfs/values.yaml | Updated controller and sidecar images to v0.36.0-alpha.1 with new digests; SeaweedFS COSI sidecar tag/digest updated in values. |
| Boot/infra extras | packages/extra/bootbox/images/matchbox.tag | Updated matchbox image to v0.36.0-alpha.1 with new digest. |
| Bucket S3 manager digest | packages/system/bucket/images/s3manager.tag | Updated s3manager v0.5.0 sha256 digest only. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested reviewers

  • lllamnyp
  • klinch0
  • kvaps

Poem

A rabbit taps the tags in rows,
Nibbles versions, up they go.
Alpha carrots, crisp and clean,
Digests fresh with subtle sheen.
Pipelines hum, I twitch an ear—
Hop, bump, ship—new release is here. ☁️🐇

@gemini-code-assist gemini-code-assist bot left a comment

Summary of Changes

Hello @cozystack-bot, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request is dedicated to preparing the v0.36.0-alpha.1 release. It primarily involves updating numerous image tags and versions across various components of the system to reflect the new alpha release, ensuring all dependencies point to the correct, updated images.

Highlights

  • Core Component Version Bumps: Numerous core component images, including installer, e2e-sandbox, matchbox, objectstorage-sidecar, s3manager, cozystack-api, cozystack-controller, dashboard, kubeapps-apis, kamaji, kubeovn-webhook, and objectstorage-controller, have been updated to the v0.36.0-alpha.1 tag with corresponding SHA updates.
  • Kubernetes Application Image Updates: Kubernetes-related application images such as cluster-autoscaler, kubevirt-cloud-provider, and kubevirt-csi-driver have been upgraded from version 0.27.0 to 0.28.0.
  • KubeOVN Version Upgrade: The kubeovn image has been updated from v1.13.14 to v1.14.5.
  • Configuration Version Synchronization: Configuration files have been synchronized, with appVersion and cozystackVersion fields updated to reflect the new v0.36.0-alpha.1 release.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request prepares for the v0.36.0-alpha.1 release by updating various image tags and versions. While most updates seem correct, I've found several critical inconsistencies where image tags were updated but their corresponding SHA256 digests were not. This would lead to deploying outdated images, which could cause correctness and security issues. Please review and correct the identified image digests.

@@ -1 +1 @@
ghcr.io/cozystack/cozystack/cluster-autoscaler:0.27.0@sha256:e4fbb7d2043f25b90cc8840468d0880e9d3d72ae8b1c8801bf8c35f944cc485d
ghcr.io/cozystack/cozystack/cluster-autoscaler:0.28.0@sha256:e4fbb7d2043f25b90cc8840468d0880e9d3d72ae8b1c8801bf8c35f944cc485d
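
Review bot: the digest on the added line is identical to the one on the removed line even though the tag goes from 0.27.0 to 0.28.0. A `tag@sha256:` reference is resolved by its digest, so this line still selects the same content as before the bump. Repin to the digest of the 0.28.0 build, or state in the commit message that 0.28.0 is an intentional retag of the same image.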

critical

The image tag for cluster-autoscaler has been updated from 0.27.0 to 0.28.0, but the SHA256 digest has not been changed. This will likely cause the old image to be used despite the version bump. Please update the digest to match the new image version.

@@ -1 +1 @@
ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.27.0@sha256:5335c044313b69ee13b30ca4941687e509005e55f4ae25723861edbf2fbd6dd2
ghcr.io/cozystack/cozystack/kubevirt-cloud-provider:0.28.0@sha256:5335c044313b69ee13b30ca4941687e509005e55f4ae25723861edbf2fbd6dd2

critical

The image tag for kubevirt-cloud-provider has been updated from 0.27.0 to 0.28.0, but the SHA256 digest has remained the same. This is incorrect and will result in deploying an older version of the image. Please ensure the digest corresponds to the 0.28.0 image.

@@ -1 +1 @@
ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.27.0@sha256:c35987e8b37ad3b34a9a32fe6e80eee77b4c57b99090ca5cdbc3d16c25edb3b9
ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.28.0@sha256:c35987e8b37ad3b34a9a32fe6e80eee77b4c57b99090ca5cdbc3d16c25edb3b9

critical

The image tag for kubevirt-csi-driver has been updated from 0.27.0 to 0.28.0, but the SHA256 digest is unchanged. This will cause an older image to be used. Please update the digest to match the new image version.

@@ -1,2 +1,2 @@
cozystackAPI:
image: ghcr.io/cozystack/cozystack/cozystack-api:v0.35.2@sha256:c545ecf298ce5f70d947ba3b9cbdb4415d540e62b1e991984bc8847db8e1943c
image: ghcr.io/cozystack/cozystack/cozystack-api:v0.36.0-alpha.1@sha256:c545ecf298ce5f70d947ba3b9cbdb4415d540e62b1e991984bc8847db8e1943c
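
Review bot: the `image:` line moves cozystack-api from v0.35.2 to v0.36.0-alpha.1 with the digest left byte-for-byte identical, while the cozystack-controller hunk in this same PR gets a new digest for the same version bump. Check that the release build actually produced and pushed a cozystack-api image for this version and that its digest was written back to this file.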

critical

The cozystack-api image tag has been updated to v0.36.0-alpha.1, but the SHA256 digest has not been updated. This will cause the old image version to be pulled. Please update the digest to match the new image.

@@ -19,7 +19,7 @@ kubeapps:
image:
registry: ghcr.io/cozystack/cozystack
repository: dashboard
tag: v0.35.2
tag: v0.36.0-alpha.1

critical

The dashboard image tag has been updated to v0.36.0-alpha.1, but the digest on line 23 has not been updated. This will result in using an older version of the dashboard image. Please update the digest to match the new tag.

@@ -1,3 +1,3 @@
storageClass: replicated
csiDriver:
image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.27.0@sha256:c35987e8b37ad3b34a9a32fe6e80eee77b4c57b99090ca5cdbc3d16c25edb3b9
image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.28.0@sha256:c35987e8b37ad3b34a9a32fe6e80eee77b4c57b99090ca5cdbc3d16c25edb3b9

critical

The kubevirt-csi-driver image tag has been updated to 0.28.0, but the SHA256 digest is still from version 0.27.0. This will cause an older version of the driver to be deployed. Please update the digest to match the 0.28.0 image.
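
A CI-style check for the two kinds of pin drift this PR shows (a tag bumped while its digest stays the same, and a digest changed under an unchanged tag), as an added example that is not part of the PR, the bots' output or the Cozystack repository. The repository names and digests are constructed, `extract_pins`, `classify` and `review_pins` are hypothetical helpers, and registry hosts are assumed to carry no port.

```python
"""Flag image-pin drift between two revisions of a .tag or values.yaml file."""
import re

# Inline form: registry/path:tag[@sha256:<64 hex>]
INLINE = re.compile(
    r"(?P<repo>[a-z0-9.-]+(?:/[a-z0-9._-]+)+)"
    r":(?P<tag>\w[\w.-]*)"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)
# Split form: separate repository / tag / digest keys under one image block
FIELD = re.compile(r'^\s*(repository|tag|digest):\s*"?([^"\s]+)"?\s*$')


def extract_pins(text):
    """Return {repository: (tag, digest or None)} for both pin forms."""
    pins, current = {}, None
    for line in text.splitlines():
        inline = INLINE.search(line)
        if inline:
            pins[inline["repo"]] = (inline["tag"], inline["digest"])
            continue
        field = FIELD.match(line)
        if not field:
            continue
        key, value = field.groups()
        if key == "repository":
            current = value
            pins[current] = (None, None)
        elif current is not None:
            tag, digest = pins[current]
            pins[current] = (value, digest) if key == "tag" else (tag, value)
    return pins


def classify(old, new):
    """Compare one image's (tag, digest) before and after a change."""
    (old_tag, old_digest), (new_tag, new_digest) = old, new
    if new_digest is None:
        return "unpinned"            # tag only: content can change silently
    if old == new:
        return "unchanged"
    if old_tag != new_tag and old_digest == new_digest:
        return "digest-not-updated"  # new tag, but still resolves to old content
    if old_tag == new_tag and old_digest != new_digest:
        return "tag-repinned"        # same tag now names different content
    return "ok"                      # tag and digest moved together


def review_pins(old_text, new_text):
    """Classify every image present in both revisions."""
    old, new = extract_pins(old_text), extract_pins(new_text)
    return {repo: classify(old[repo], pin) for repo, pin in new.items() if repo in old}


# Constructed digests and image names (not taken from the PR).
A, B, C = ("sha256:" + c * 64 for c in "abc")

OLD = f"""\
ghcr.io/example/cluster-autoscaler:0.27.0@{A}
image: ghcr.io/example/controller:v0.35.2@{A}
ghcr.io/example/s3manager:v0.5.0@{A}
ghcr.io/example/matchbox:v0.35.2@{A}
image:
  registry: ghcr.io/example
  repository: dashboard
  tag: v0.35.2
  digest: "{A}"
"""

NEW = f"""\
ghcr.io/example/cluster-autoscaler:0.28.0@{A}
image: ghcr.io/example/controller:v0.36.0-alpha.1@{B}
ghcr.io/example/s3manager:v0.5.0@{C}
ghcr.io/example/matchbox:v0.36.0-alpha.1
image:
  registry: ghcr.io/example
  repository: dashboard
  tag: v0.36.0-alpha.1
  digest: "{A}"
"""

if __name__ == "__main__":
    findings = review_pins(OLD, NEW)
    for repo, verdict in findings.items():
        print(f"{verdict:20} {repo}")
    # A CI job would fail on anything other than ok / unchanged.
    raise SystemExit(any(v not in ("ok", "unchanged") for v in findings.values()))
```

In a pipeline the two inputs would be the base and head revisions of each changed `.tag` or `values.yaml` file; a `digest-not-updated` or `tag-repinned` result is a prompt for confirmation against the registry rather than proof of an error.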

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/system/seaweedfs/values.yaml (1)

90-104: Ingress TLS hosts don’t match the configured host.

ingress.host is seaweedfs2.demo.cozystack.io (Line 92) but TLS hosts list seaweedfs.demo.cozystack.io (Lines 101–103). This will break TLS.

Fix:

       tls:
         - hosts:
-            - seaweedfs.demo.cozystack.io
+            - seaweedfs2.demo.cozystack.io
           secretName: seaweedfs-s3-ingress-tls
🧹 Nitpick comments (4)
packages/apps/kubernetes/images/kubevirt-csi-driver.tag (1)

1-1: Keep tag→digest pin validated and de-duplicate sources.

This file and kubevirt-csi-node/values.yaml must stay in lockstep. Add a CI check to assert equality, or centralize the pin in one SSoT.

Example CI check:

#!/bin/bash
set -euo pipefail
pin_file="packages/apps/kubernetes/images/kubevirt-csi-driver.tag"
values_file="packages/system/kubevirt-csi-node/values.yaml"

pin=$(cat "$pin_file")
rg -nP --fixed-strings -- "$pin" "$values_file" >/dev/null || {
  echo "Pin in values.yaml does not match ${pin_file}"
  exit 1
}
packages/core/testing/values.yaml (1)

2-2: LGTM on e2e image bump.

No functional risk here. Make sure any docs/examples referencing the old e2e tag are updated in this PR or the release notes.

packages/system/cozystack-api/values.yaml (1)

2-2: Confirm digest matches the new tag.

Tag moved to v0.36.0-alpha.1 but the digest may still point to prior content. Please verify the digest corresponds to this tag in GHCR; otherwise update it to the correct digest to avoid pulling the wrong image.

packages/system/kamaji/values.yaml (1)

6-6: Keep image refs in sync and validate templating with tag@digest.

Both the chart’s image.tag and the migrate-image arg were updated consistently—good. Ensure the Helm template renders repo:tag@digest correctly (i.e., it concatenates exactly once and doesn’t also append a separate digest field). Consider DRYing migrate-image by deriving it from the same repo+tag to prevent future drift.

Also applies to: 16-16

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6684117 and cbbb50b.

📒 Files selected for processing (19)
  • packages/apps/http-cache/images/nginx-cache.tag (1 hunks)
  • packages/apps/kubernetes/images/cluster-autoscaler.tag (1 hunks)
  • packages/apps/kubernetes/images/kubevirt-cloud-provider.tag (1 hunks)
  • packages/apps/kubernetes/images/kubevirt-csi-driver.tag (1 hunks)
  • packages/core/installer/values.yaml (1 hunks)
  • packages/core/testing/values.yaml (1 hunks)
  • packages/extra/bootbox/images/matchbox.tag (1 hunks)
  • packages/extra/seaweedfs/images/objectstorage-sidecar.tag (1 hunks)
  • packages/system/bucket/images/s3manager.tag (1 hunks)
  • packages/system/cozystack-api/values.yaml (1 hunks)
  • packages/system/cozystack-controller/values.yaml (1 hunks)
  • packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml (1 hunks)
  • packages/system/dashboard/values.yaml (2 hunks)
  • packages/system/kamaji/values.yaml (2 hunks)
  • packages/system/kubeovn-webhook/values.yaml (1 hunks)
  • packages/system/kubeovn/values.yaml (1 hunks)
  • packages/system/kubevirt-csi-node/values.yaml (1 hunks)
  • packages/system/objectstorage-controller/values.yaml (1 hunks)
  • packages/system/seaweedfs/values.yaml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Prepare environment
🔇 Additional comments (13)
packages/system/seaweedfs/values.yaml (1)

119-119: LGTM on sidecar bump.

Pinning with tag+digest is good practice; no issues spotted here.

packages/system/kubeovn/values.yaml (1)

67-67: Manual digest verification required for kube-ovn v1.14.5
Automated retrieval of the Docker-Content-Digest header from GHCR returned no value—please confirm that the pinned digest (sha256:1f7f4c3f755489f8709d16167573229ff92d8f1b9d3e6f9eedbcf15a853287c9) truly corresponds to tag v1.14.5 (for example, via docker pull ghcr.io/cozystack/cozystack/kubeovn:v1.14.5 and docker inspect). Also review the 1.13.14→1.14.5 upgrade notes for any CRD or DaemonSet changes.

packages/apps/kubernetes/images/cluster-autoscaler.tag (1)

1-1: Confirm 0.28.0 exists and update its digest
HEAD requests for ghcr.io/cozystack/cozystack/cluster-autoscaler:0.28.0 returned no Docker-Content-Digest header (empty), indicating the image isn’t published or the tag is wrong. Verify that 0.28.0 is pushed to GHCR and update the pinned sha256 accordingly, or revert the tag.
packages/apps/kubernetes/images/cluster-autoscaler.tag:1

packages/apps/http-cache/images/nginx-cache.tag (1)

1-1: Confirm manifest type and multi-arch intent
The manifest for cozystack/nginx-cache:0.7.0 is a single-arch image (mediaType application/vnd.docker.distribution.manifest.v2+json) and matches the pinned digest sha256:b7633717cd7449c0042ae92d8ca9b36e4d69566561f5c7d44e21058e7d05c6d5. If multi-arch support is required, please publish a manifest list including variants (e.g., linux/amd64, linux/arm64); otherwise confirm this deliberate single-arch rebuild.

packages/extra/seaweedfs/images/objectstorage-sidecar.tag (1)

1-1: LGTM: tag and digest both updated to v0.36.0-alpha.1.

Change is consistent with the release bump and remains fully pinned.

packages/system/kubeovn-webhook/values.yaml (1)

3-3: Confirm runtime compatibility between kubeovn-webhook and the deployed KubeOVN core version.

With kubeovn core reportedly at v1.14.5, ensure this wrapper image v0.36.0-alpha.1 embeds or targets the matching KubeOVN APIs. Also verify the digest maps to the intended build.

packages/system/cozystack-controller/values.yaml (1)

5-5: Version string consistent. All occurrences across values.yaml and image tags (including .tag files) use exactly v0.36.0-alpha.1; no mismatches detected. Confirm release notes reference the same version.

packages/core/installer/values.yaml (1)

2-2: Installer image digest verified

Pinned digest sha256:5087325981ee293fb420e86a101c2211c4d68b37da8230e2d52e448c9578b6c5 matches ghcr.io/cozystack/cozystack/installer:v0.36.0-alpha.1.

packages/system/objectstorage-controller/values.yaml (1)

3-3: Verify objectstorage-controller digest matches v0.36.0-alpha.1
The HTTP HEAD request against GHCR returned no Docker-Content-Digest. Please confirm the digest for tag v0.36.0-alpha.1, e.g.

docker pull ghcr.io/cozystack/cozystack/objectstorage-controller:v0.36.0-alpha.1
docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/cozystack/cozystack/objectstorage-controller:v0.36.0-alpha.1

to ensure the digest in values.yaml stays in sync.

packages/apps/kubernetes/images/kubevirt-cloud-provider.tag (1)

1-1: Verify kubevirt-cloud-provider 0.28.0 digest
Unable to automatically resolve the sha256 for tag 0.28.0—please manually run a registry inspect (e.g. curl -sSLI -H "Accept: application/vnd.docker.distribution.manifest.v2+json" https://ghcr.io/v2/cozystack/cozystack/kubevirt-cloud-provider/manifests/0.28.0 | grep Docker-Content-Digest) or use skopeo inspect to fetch the actual digest. Update the file if it’s changed, and consider adding a CI check to enforce tag⇆digest consistency going forward.

packages/extra/bootbox/images/matchbox.tag (1)

1-1: LGTM: pinned tag+digest looks correct.

No issues spotted for the release bump.

packages/system/dashboard/values.yaml (2)

40-41: LGTM: kubeapps-apis tag+digest updated together.


22-23: Sanity check passed: no lingering v0.35.x tags found repository-wide.

@@ -1 +1 @@
ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:084c6e1665762cae38bac235c79c00d4ec61b5e73ad46ebf7eed596b2c5fcd0a
ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:33c2b810f542c53ad2a04f544749542dbf2a47f072b254cbcd5facc5ecc83bf4
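
Review bot: v0.5.0 is being re-pointed here: the tag is identical on both lines while the digest changes, so the same version string now names different content than it did before this PR. If this is a rebuild, record the reason in the commit message, or publish the new build under a new tag so that each tag keeps identifying one build.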

💡 Verification agent

🧩 Analysis chain

Re-pinned digest for v0.5.0 — validate digest and platforms.

Same guidance: ensure the new digest truly backs v0.5.0 and includes required architectures.

Script:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

IMAGE_REPO="cozystack/cozystack/s3manager"
TAG="v0.5.0"
PINNED_DIGEST="sha256:33c2b810f542c53ad2a04f544749542dbf2a47f072b254cbcd5facc5ecc83bf4"

token() {
  curl -s "https://ghcr.io/token?service=ghcr.io&scope=repository:${IMAGE_REPO}:pull" | jq -r .token
}

DIGEST=$(curl -sI -H "Authorization: Bearer $(token)" -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" \
  "https://ghcr.io/v2/${IMAGE_REPO}/manifests/${TAG}" | tr -d '\r' | awk -F': ' '/^Docker-Content-Digest:/ {print $2}')
echo "Pinned: $PINNED_DIGEST"
echo "Tag digest: $DIGEST"
test "$DIGEST" = "$PINNED_DIGEST" || { echo "Digest mismatch"; exit 1; }

curl -s -H "Authorization: Bearer $(token)" -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" \
  "https://ghcr.io/v2/${IMAGE_REPO}/manifests/${TAG}" | jq -r '.manifests[].platform | "\(.os)/\(.architecture)"'

Length of output: 958


🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

IMAGE_REPO="cozystack/cozystack/s3manager"
TAG="v0.5.0"
PINNED_DIGEST="sha256:33c2b810f542c53ad2a04f544749542dbf2a47f072b254cbcd5facc5ecc83bf4"

# Retrieve registry token
TOKEN=$(curl -s "https://ghcr.io/token?service=ghcr.io&scope=repository:${IMAGE_REPO}:pull" | jq -r .token)

# Fetch digest from response headers
DIGEST=$(curl -s -D - -o /dev/null \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" \
  "https://ghcr.io/v2/${IMAGE_REPO}/manifests/${TAG}" \
  | grep -i '^Docker-Content-Digest:' | awk '{print $2}')

echo "Pinned: ${PINNED_DIGEST}"
echo "Tag digest: ${DIGEST}"
test "${DIGEST}" = "${PINNED_DIGEST}" || { echo "Digest mismatch"; exit 1; }

# List supported platforms
curl -s \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" \
  "https://ghcr.io/v2/${IMAGE_REPO}/manifests/${TAG}" \
  | jq -r '.manifests[].platform | "\(.os)/\(.architecture)"'

Length of output: 1328


🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

IMAGE_REPO="cozystack/cozystack/s3manager"
TAG="v0.5.0"
PINNED_DIGEST="sha256:33c2b810f542c53ad2a04f544749542dbf2a47f072b254cbcd5facc5ecc83bf4"

# Retrieve registry token
TOKEN=$(curl -s "https://ghcr.io/token?service=ghcr.io&scope=repository:${IMAGE_REPO}:pull" | jq -r .token)

# Fetch and clean digest from headers
DIGEST=$(curl -s -D - -o /dev/null \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" \
  "https://ghcr.io/v2/${IMAGE_REPO}/manifests/${TAG}" \
  | grep -i '^Docker-Content-Digest:' \
  | awk '{print $2}' \
  | tr -d '\r')

echo "Pinned digest: ${PINNED_DIGEST}"
echo "Registry digest: ${DIGEST}"
[ "${DIGEST}" = "${PINNED_DIGEST}" ] && echo "Digest matches" || { echo "Digest mismatch"; exit 1; }

echo "Supported platforms:"
curl -s \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" \
  "https://ghcr.io/v2/${IMAGE_REPO}/manifests/${TAG}" \
  | jq -r '.manifests[].platform | "\(.os)/\(.architecture)"'

Length of output: 1763


Ensure multi-arch support for s3manager v0.5.0

The pinned digest (sha256:33c2b8…) matches the v0.5.0 tag, but the registry returned a single-arch manifest (no .manifests array). Publish a manifest list covering all required architectures (e.g. linux/amd64, linux/arm64) and repin the digest once that’s available.

🤖 Prompt for AI Agents
In packages/system/bucket/images/s3manager.tag around line 1, the pinned image
digest references ghcr.io/cozystack/cozystack/s3manager:v0.5.0@sha256:33c2b8…
which points to a single-arch manifest; update by publishing a
multi-architecture manifest list for v0.5.0 including required platforms (e.g.
linux/amd64 and linux/arm64), then retag/repush and replace the digest in this
file with the new manifest-list digest so the tag resolves to a multi-arch
image.

@@ -1,5 +1,5 @@
cozystackController:
image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.35.2@sha256:6052c5119485f3349aabde1950eedc847571cc8eefc62bc3bb3b3ac8202ea234
image: ghcr.io/cozystack/cozystack/cozystack-controller:v0.36.0-alpha.1@sha256:a9edc1ac27b6a2315cb48984c1af3f48e8596b6f37c1327b2174a6743225b28f

💡 Verification agent

🧩 Analysis chain

Verify tag↔digest match for cozystack-controller image.

Good to see the image pinned with a digest. Please confirm the digest actually corresponds to tag v0.36.0-alpha.1 in GHCR.

Run:


🏁 Script executed:

#!/bin/bash
set -euo pipefail
repo="cozystack/cozystack/cozystack-controller"
tag="v0.36.0-alpha.1"
expected="sha256:a9edc1ac27b6a2315cb48984c1af3f48e8596b6f37c1327b2174a6743225b28f"

token="$(curl -fsSL "https://ghcr.io/token?service=ghcr.io&scope=repository:${repo}:pull" | jq -r .token)"
digest="$(
  curl -fsSLI -H "Authorization: Bearer ${token}" \
    -H 'Accept: application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v2+json, application/vnd.oci.image.index.v1+json' \
    "https://ghcr.io/v2/${repo}/manifests/${tag}" | tr -d '\r' | awk -F': ' '/Docker-Content-Digest/ {print $2}' | tail -1
)"
echo "Resolved digest: ${digest}"
test "${digest}" = "${expected}" && echo "OK: digest matches" || { echo "MISMATCH"; exit 1; }

Length of output: 1011


🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="cozystack/cozystack/cozystack-controller"
tag="v0.36.0-alpha.1"
expected="sha256:a9edc1ac27b6a2315cb48984c1af3f48e8596b6f37c1327b2174a6743225b28f"

# Fetch an OCI token for GHCR
token="$(curl -fsSL "https://ghcr.io/token?service=ghcr.io&scope=repository:${repo}:pull" | jq -r .token)"

# Retrieve the manifest JSON for the specified tag
manifest="$(curl -fsSL \
  -H "Authorization: Bearer ${token}" \
  -H "Accept: application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json" \
  "https://ghcr.io/v2/${repo}/manifests/${tag}")"

# Extract the digest: if it's a single manifest, use .config.digest; if it's an index, pick linux/amd64
digest="$(printf '%s\n' "$manifest" | jq -r '
  if .config? then
    .config.digest
  elif .manifests? then
    .manifests[] | select(.platform.os=="linux" and .platform.architecture=="amd64") | .digest
  else
    empty
  end
')"

echo "Resolved digest: $digest"
if [ "$digest" = "$expected" ]; then
  echo "OK: digest matches"
else
  echo "MISMATCH: expected $expected"
  exit 1
fi

Length of output: 3048


Update cozystack-controller image digest for v0.36.0-alpha.1
The digest pinned in packages/system/cozystack-controller/values.yaml (sha256:a9edc1ac27b6…b28f) does not match the actual manifest digest (sha256:0c2f96add17a…8404); please correct it to the resolved value.

🤖 Prompt for AI Agents
In packages/system/cozystack-controller/values.yaml at line 2, the image digest
is incorrect; replace the current digest
(sha256:a9edc1ac27b6a2315cb48984c1af3f48e8596b6f37c1327b2174a6743225b28f) with
the resolved manifest digest (sha256:0c2f96add17a…8404) so the image reference
matches the actual registry manifest for v0.36.0-alpha.1; ensure the tag and
repository remain unchanged and save the updated file.
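
Both verification comments above (s3manager and cozystack-controller) turn on which digest is being compared: a `tag@sha256:` pin names the manifest or index itself, which is the SHA-256 of the exact bytes the registry serves, while `.config.digest` and the per-platform entries under `.manifests` are digests of other objects. The added example below, which is not part of the PR or of CodeRabbit's output, classifies a pinned digest against constructed manifests; `classify_pin` and `platforms` are hypothetical helpers.

```python
"""Tell a manifest digest apart from config, layer and per-platform digests."""
import hashlib
import json


def sha256_digest(data: bytes) -> str:
    """Digest in registry notation; always hash the raw bytes as served."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def platforms(manifest_bytes: bytes):
    """os/arch pairs of an index; a single-arch manifest has no 'manifests' key."""
    doc = json.loads(manifest_bytes)
    return [f"{m['platform']['os']}/{m['platform']['architecture']}"
            for m in doc.get("manifests", []) if "platform" in m]


def classify_pin(manifest_bytes: bytes, pinned: str) -> str:
    """Say what a pinned digest refers to, relative to the document a tag serves."""
    if pinned == sha256_digest(manifest_bytes):
        return "manifest"                       # what tag@digest must match
    doc = json.loads(manifest_bytes)
    if doc.get("config", {}).get("digest") == pinned:
        return "config-blob"                    # image config, not the manifest
    if any(layer.get("digest") == pinned for layer in doc.get("layers", [])):
        return "layer-blob"
    for child in doc.get("manifests", []):      # image index / manifest list
        if child.get("digest") == pinned:
            plat = child.get("platform", {})
            return f"platform-manifest:{plat.get('os')}/{plat.get('architecture')}"
    return "unrelated"


# Constructed registry objects (not fetched from GHCR).
CONFIG = b'{"architecture":"amd64","os":"linux"}'
LAYER = b"constructed layer bytes"
MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": sha256_digest(CONFIG), "size": len(CONFIG)},
    "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                "digest": sha256_digest(LAYER), "size": len(LAYER)}],
}).encode()
INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [{"mediaType": "application/vnd.oci.image.manifest.v1+json",
                   "digest": sha256_digest(MANIFEST), "size": len(MANIFEST),
                   "platform": {"os": "linux", "architecture": "amd64"}}],
}).encode()

if __name__ == "__main__":
    pin = sha256_digest(MANIFEST)
    print("single-arch tag, pin is:", classify_pin(MANIFEST, pin))
    print("config digest is:       ", classify_pin(MANIFEST, sha256_digest(CONFIG)))
    print("multi-arch tag, pin is: ", classify_pin(INDEX, pin))
    print("platforms (manifest):   ", platforms(MANIFEST))
    print("platforms (index):      ", platforms(INDEX))
    # Re-serialising the JSON changes the bytes and therefore the digest.
    pretty = json.dumps(json.loads(MANIFEST), indent=2).encode()
    print("pretty-printed matches: ", sha256_digest(pretty) == pin)
```

A check that compares `.config.digest` with a pinned manifest digest reports a mismatch even when the pin is correct, and a pin that classifies as `platform-manifest:…` is valid but selects a single architecture.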

@@ -76,7 +76,7 @@ data:
"kubeappsNamespace": {{ .Release.Namespace | quote }},
"helmGlobalNamespace": {{ include "kubeapps.helmGlobalPackagingNamespace" . | quote }},
"carvelGlobalNamespace": {{ .Values.kubeappsapis.pluginConfig.kappController.packages.v1alpha1.globalPackagingNamespace | quote }},
"appVersion": "v0.35.2",
"appVersion": "v0.36.0-alpha.1",

🛠️ Refactor suggestion

Avoid hardcoding appVersion; derive from the chart to prevent drift.

Hardcoding "v0.36.0-alpha.1" risks skew vs. labels/images. Prefer .Chart.AppVersion (or the same helper you use for labels) so the UI always reflects the released chart version.

Apply:

-      "appVersion": "v0.36.0-alpha.1",
+      "appVersion": {{ .Chart.AppVersion | quote }},

If .Chart.AppVersion isn’t set in Chart.yaml, set it or use the same helper as Line 12: include "common.images.version" ( dict "imageRoot" .Values.dashboard.image "chart" .Chart ).

🤖 Prompt for AI Agents
In packages/system/dashboard/charts/kubeapps/templates/dashboard/configmap.yaml
around line 79, the appVersion is hardcoded as "v0.36.0-alpha.1"; replace the
literal with a template reference so it derives from the chart (e.g. use
.Chart.AppVersion or, if you use the same helper as labels, call the helper
include "common.images.version" with the dict { "imageRoot":
.Values.dashboard.image, "chart": .Chart }); if .Chart.AppVersion is not present
add it to Chart.yaml or prefer the helper to ensure the UI always reflects the
released chart version.

Comment on lines +22 to 23
tag: v0.36.0-alpha.1
digest: "sha256:54906b3d2492c8603a347a5938b6db36e5ed5c4149111cae1804ac9110361947"

💡 Verification agent

❓ Verification inconclusive

Tag updated but digest unchanged—this likely pins the old image.

When both tag and digest are set, most templates prefer the digest, making the tag bump ineffective. Update the digest to the one for v0.36.0-alpha.1 or drop the digest to rely on the tag.

Suggested quick fix (remove digest to use the new tag immediately):

       repository: dashboard
-      tag: v0.36.0-alpha.1
-      digest: "sha256:54906b3d2492c8603a347a5938b6db36e5ed5c4149111cae1804ac9110361947"
+      tag: v0.36.0-alpha.1
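Review bot: Dropping the `digest:` line leaves the dashboard image identified by tag alone, and a tag can be re-pointed at the registry while a digest cannot, so this trades a stale pin for no pin. Prefer replacing the digest with the manifest digest the registry reports for `v0.36.0-alpha.1` and keeping both fields.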

Update or remove stale image digest
Tag bumped to v0.36.0-alpha.1 but digest remains sha256:54906b3d2492c8603a347a5938b6db36e5ed5c4149111cae1804ac9110361947, so Helm will still pull the old image. Either update the digest to match v0.36.0-alpha.1 or drop the digest: field to rely solely on the tag.
File: packages/system/dashboard/values.yaml lines 22–23

🤖 Prompt for AI Agents
In packages/system/dashboard/values.yaml around lines 22 to 23, the image tag
was updated to v0.36.0-alpha.1 but the digest field still points to
sha256:54906b3d..., causing Helm to keep pulling the old image; either update
the digest to the correct sha256 for v0.36.0-alpha.1 (replace the value with the
new image digest) or remove the entire digest: line so the deployment relies
only on the tag, then save and run a Helm dry-run/helm template to verify the
resolved image.

@@ -1,3 +1,3 @@
storageClass: replicated
csiDriver:
image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.27.0@sha256:c35987e8b37ad3b34a9a32fe6e80eee77b4c57b99090ca5cdbc3d16c25edb3b9
image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.28.0@sha256:c35987e8b37ad3b34a9a32fe6e80eee77b4c57b99090ca5cdbc3d16c25edb3b9
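Review bot: The value after `@` is identical on the `0.27.0` and `0.28.0` lines, and a reference that carries a digest is pulled by that digest, so this change relabels the pin without changing the image that runs. Either regenerate the digest from the pushed `0.28.0` manifest, or state in the PR description that the driver image was not rebuilt and the tag was only re-applied.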

💡 Verification agent

🧩 Analysis chain

Digest unchanged while tag bumped to 0.28.0 — verify supply-chain integrity.

Same digest across 0.27.0 → 0.28.0 is uncommon. Please confirm the manifest digest for tag 0.28.0 matches the pinned digest.

Run:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="cozystack/cozystack/kubevirt-csi-driver"
expect_028="sha256:c35987e8b37ad3b34a9a32fe6e80eee77b4c57b99090ca5cdbc3d16c25edb3b9"

get_digest() {
  local ref="$1"
  local tok
  tok=$(curl -fsSL "https://ghcr.io/token?service=ghcr.io&scope=repository:${repo}:pull" | jq -r .token)
  # HEAD request for the manifest; match the digest header case-insensitively,
  # since header names are lower-case over HTTP/2.
  curl -fsSLI \
    -H "Authorization: Bearer ${tok}" \
    -H "Accept: application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v2+json" \
    "https://ghcr.io/v2/${repo}/manifests/${ref}" \
    | awk -F': ' 'tolower($1) == "docker-content-digest" {print $2}' | tr -d $'\r'
}

got_028=$(get_digest "0.28.0")
echo "0.28.0 -> ${got_028}"
test "${got_028}" = "${expect_028}" || { echo "Mismatch for 0.28.0"; exit 1; }

Length of output: 1050


🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="cozystack/cozystack/kubevirt-csi-driver"
tok=$(curl -fsSL "https://ghcr.io/token?service=ghcr.io&scope=repository:${repo}:pull" | jq -r .token)
manifest_json=$(curl -fsSL \
  -H "Authorization: Bearer ${tok}" \
  -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
  "https://ghcr.io/v2/${repo}/manifests/0.28.0")
echo "$manifest_json" | jq -r '.config.digest'

Length of output: 2587


Update image digest in values.yaml to match 0.28.0 manifest
packages/system/kubevirt-csi-node/values.yaml:3 – replace

sha256:c35987e8b37ad3b34a9a32fe6e80eee77b4c57b99090ca5cdbc3d16c25edb3b9 

with

sha256:90e44ea5a374b5ac919670bad5baaad35129be103a50b75f7596eb9ac67eae92 
🤖 Prompt for AI Agents
In packages/system/kubevirt-csi-node/values.yaml around line 3, the image digest
is outdated; update the sha256 value to match the 0.28.0 manifest by replacing
sha256:c35987e8b37ad3b34a9a32fe6e80eee77b4c57b99090ca5cdbc3d16c25edb3b9 with
sha256:90e44ea5a374b5ac919670bad5baaad35129be103a50b75f7596eb9ac67eae92 so the
image reference references the correct digest for version 0.28.0.
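
An offline companion to the registry lookups in the review above, added here as an example and not part of the PR or of Cozystack's tooling: it compares two revisions of a values file and reports every image whose tag moved while its pinned digest did not, covering both the inline `repo:tag@sha256:` form and the split `tag:`/`digest:` form that appear in this PR. `pins`, `stale_pins`, the `PREVIOUS-TAG` placeholder and the `example.invalid` entries are assumptions; the split-form pattern assumes `repository`, `tag` and `digest` sit on consecutive lines.

```python
import re

# Inline pin: repo:tag@sha256:<hex>, the form used in kubevirt-csi-node/values.yaml.
INLINE = re.compile(
    r"(?P<repo>[\w.-]+(?::\d+)?(?:/[\w.-]+)*):(?P<tag>[\w.-]+)"
    r"@(?P<digest>sha256:[0-9a-f]{64})")
# Split pin: repository/tag/digest keys on consecutive lines, as in dashboard/values.yaml.
SPLIT = re.compile(
    r"repository:\s*(?P<repo>\S+)\s*\n\s*tag:\s*(?P<tag>\S+)\s*\n"
    r"\s*digest:\s*\"?(?P<digest>sha256:[0-9a-f]{64})\"?")

def pins(text):
    """Map repository -> (tag, digest) for every pinned image in text."""
    found = {}
    for pattern in (INLINE, SPLIT):
        for m in pattern.finditer(text):
            found[m["repo"]] = (m["tag"], m["digest"])
    return found

def stale_pins(before, after):
    """Pins whose tag changed between two revisions while the digest stayed put."""
    old, new = pins(before), pins(after)
    return [(repo, old[repo][0], tag, digest)
            for repo, (tag, digest) in sorted(new.items())
            if repo in old and old[repo][0] != tag and old[repo][1] == digest]

# Constructed sample: the kubevirt-csi-driver and dashboard values come from the PR;
# PREVIOUS-TAG and the example.invalid entries are placeholders.
CSI = "sha256:c35987e8b37ad3b34a9a32fe6e80eee77b4c57b99090ca5cdbc3d16c25edb3b9"
DASH = "sha256:54906b3d2492c8603a347a5938b6db36e5ed5c4149111cae1804ac9110361947"
BEFORE = f"""\
image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.27.0@{CSI}
image: example.invalid/demo:1.0@sha256:{'a' * 64}
  repository: dashboard
  tag: PREVIOUS-TAG
  digest: "{DASH}"
"""
AFTER = f"""\
image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.28.0@{CSI}
image: example.invalid/demo:1.1@sha256:{'b' * 64}
  repository: dashboard
  tag: v0.36.0-alpha.1
  digest: "{DASH}"
"""

if __name__ == "__main__":
    for repo, old_tag, new_tag, digest in stale_pins(BEFORE, AFTER):
        print(f"{repo}: {old_tag} -> {new_tag} still pinned to {digest[:19]}...")
```

A finding is a prompt to resolve the new tag and compare the registry's manifest digest (the `Docker-Content-Digest` value, which is a different hash from the `.config.digest` field inside the manifest) against the pin; an unchanged digest is legitimate when a tag was re-applied to the same image.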

@kvaps kvaps merged commit 9c1563a into main Aug 28, 2025
20 checks passed
@kvaps kvaps deleted the release-0.36.0-alpha.1 branch August 28, 2025 21:26
This was referenced Sep 1, 2025