Skip to content

Sync missing GHCR images#48

Open
welteki wants to merge 1 commit into
inlets:masterfrom
welteki:sync-missing-images
Open

Sync missing GHCR images#48
welteki wants to merge 1 commit into
inlets:masterfrom
welteki:sync-missing-images

Conversation

@welteki

@welteki welteki commented Jul 9, 2026

Copy link
Copy Markdown
Member

Description

Adds a sync-images workflow that copies missing image tags from ghcr.io/openfaasltd/inlets-pro to ghcr.io/inlets/inlets-pro. It runs nightly and can also be started manually.

The workflow uses crane ls to compare source and target tags, skips tags already present in the public package, copies only missing tags with crane cp, and writes copied tags plus an aggregate skipped count to the workflow summary. The source package is expected to be public; the workflow uses the repository GITHUB_TOKEN with packages: write to publish to the public package.

Manual sync

Run the workflow from GitHub Actions and set tag to a version, for example 0.11.14. This copies ghcr.io/openfaasltd/inlets-pro:0.11.14 to ghcr.io/inlets/inlets-pro:0.11.14 if it is missing. If the tag is already present, it is skipped and included in the skipped count. Leave tag empty to sync all missing tags.

Motivation and context

This is part of a series of changes to automate release publishing from the private inlets-pro repo and syncing those releases to the public inlets-pro repo.

How has this been tested

  • Dry-ran the sync logic locally with the public package as both source and target and an existing tag.
  • Tested the workflow end-to-end in a separate organization by syncing a public test image tag to a new GHCR package and verifying that the copied target image digest matched the source image digest.

@derek derek Bot added the no-dco label Jul 9, 2026
@derek

derek Bot commented Jul 9, 2026

Copy link
Copy Markdown

Thank you for your contribution. unfortunately, one or more of your commits are missing the required "Signed-off-by:" statement. Signing off is part of the Developer Certificate of Origin (DCO) which is used by this project.

Read the DCO and project contributing guide carefully, and amend your commits using the git CLI. Note that this does not require any cryptography, keys or special steps to be taken.

💡 Shall we fix this?

This will only take a few moments.

First, clone your fork and checkout this branch using the git CLI.

Next, set up your real name and email address:

git config --global user.name "Your Full Name"
git config --global user.email "you@domain.com"

Finally, run one of these commands to add the "Signed-off-by" line to your commits.

If you only have one commit so far then run: git commit --amend --signoff and then git push --force.
If you have multiple commits, watch this video.

Check that the message has been added properly by running "git log".

@reviewfn

This comment has been minimized.

@welteki welteki marked this pull request as draft July 9, 2026 13:01
@welteki welteki force-pushed the sync-missing-images branch from b7b5db4 to 9d60ebd Compare July 9, 2026 13:01
@derek derek Bot removed the no-dco label Jul 9, 2026
@welteki welteki force-pushed the sync-missing-images branch from 9d60ebd to 8b437e7 Compare July 9, 2026 13:02
@reviewfn

This comment has been minimized.

@reviewfn

This comment has been minimized.

@reviewfn

This comment has been minimized.

@welteki welteki force-pushed the sync-missing-images branch from 8b437e7 to 6e96300 Compare July 9, 2026 13:10
@reviewfn

This comment has been minimized.

@welteki welteki marked this pull request as ready for review July 9, 2026 13:46
Comment thread .github/workflows/sync-images.yml Outdated
TARGET_IMAGE: ghcr.io/inlets/inlets-pro
TAG: ${{ inputs.tag }}
run: |
set -euo pipefail

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Something feels off/unmaintainable about this being inline.

I'd expect a script that can be independently tested with a SRC / DEST similar to how you define it above

@welteki welteki force-pushed the sync-missing-images branch from 6e96300 to 18c527b Compare July 9, 2026 15:11
@reviewfn

This comment has been minimized.

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
@welteki welteki force-pushed the sync-missing-images branch from 18c527b to 680b679 Compare July 9, 2026 15:16
@reviewfn

reviewfn Bot commented Jul 9, 2026

Copy link
Copy Markdown

AI Pull Request Overview

Disclaimer: This review was generated by automated AI and may contain errors. Do not trust its outputs without human verification.

Summary

  • Adds a scheduled and manually-triggered workflow to sync missing GHCR image tags.
  • Adds a Bash helper that compares source and target tags and copies absent tags with crane cp.
  • The main functional flow is straightforward and scoped to the intended images.
  • The workflow currently grants package write permissions to unpinned third-party code and a floating binary version.
  • The generated summary table omits skipped tags even though the workflow description says skipped tags are summarized.

Approval rating (1-10)

7/10. The sync logic is simple, but the writable workflow should pin external code before merging.

Summary per file

Summary per file
File path Summary
.github/workflows/sync-images.yml Adds scheduled/manual image sync workflow with GHCR write access.
hack/sync-images.sh Adds tag comparison and copy logic for missing images.

Overall Assessment

The PR implements the intended image backfill path with a small, understandable script. The main issue is operational security: the workflow gives packages: write to a job that executes an action from a mutable branch and installs crane using a mutable latest selector. That is avoidable for this kind of publishing workflow and should be tightened before relying on the nightly schedule.

Detailed Review

Detailed Review

Findings

Severity File Lines Issue
High .github/workflows/sync-images.yml 26-29 The workflow grants packages: write while executing alexellis/arkade-get@master and installing crane: latest. Both references are mutable, so a compromised or changed upstream branch/release path would run with permission to publish to ghcr.io/inlets/inlets-pro. Pin the action to a commit SHA and pin crane to a known version, or vendor/use a trusted setup path with a checksum before authenticating to GHCR.
Low hack/sync-images.sh 42-48 The summary table declares per-tag results but skipped tags are not emitted; they only affect the final count. This conflicts with the workflow description that it writes copied and skipped tags to the summary, and it makes manual runs with a specific already-present tag hard to audit. Add a row before continue, for example `echo "

AI agent details.

Agent processing time: 56.418s
Environment preparation time: 3.085s
Total time from webhook: 1m2.646s

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants