ci: verify container image exists before publishing helm chart #2513

Closed
fseldow wants to merge 2 commits into notaryproject:main from fseldow:fix/check-image-before-chart-push

@fseldow fseldow commented May 11, 2026

Description

publish-charts.yml and publish-package.yml are both triggered by v* tags but run as independent workflows. This creates a race condition where the helm chart could be published before the container image is available on GHCR.

This PR adds an image existence check:

  • publish-charts.yml: Adds a retry loop (up to 30 min) that waits for ghcr.io/<org>/ratify-gatekeeper-provider:<version> to be available before publishing the chart.
  • publish-dev-assets.yml: Adds a verification step between the image build and helm push to confirm all images (crds, base, plugins) are accessible before packaging and pushing the chart.

Why

If a user installs the chart immediately after a release, they could hit ImagePullBackOff because the image hasn't finished building/pushing yet. This ensures the chart is only published after the image is confirmed available.

Changes

  • .github/workflows/publish-charts.yml: Added Verify container image exists step with retry logic
  • .github/workflows/publish-dev-assets.yml: Added Verify container images exist step before helm package

Add image existence check to publish-charts.yml and publish-dev-assets.yml
workflows. Since publish-charts and publish-package are triggered independently
by the same v* tag, the chart could be published before the container image is
available. This adds a retry loop (up to 30 minutes) to wait for the image
before proceeding with chart publication.

Signed-off-by: Xinhe Li <xinhl@microsoft.com>
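
The wait-then-publish gate that the description and commit message above outline, written out as an added example; it is not the PR's code. The function names, the `docker manifest inspect` probe and the defaults of 60 attempts at 30 s are assumptions, and the probe is injectable so the loop can be exercised without a registry.

```bash
# Added example, not the PR's code: gate chart publication on image availability.

# Build the image reference from the workflow's inputs. Registry repository
# paths must be lowercase, so normalise the owner part of owner/repo.
image_ref() {  # usage: image_ref <owner/repo> <git-ref>
  owner=$(printf '%s' "${1%%/*}" | tr '[:upper:]' '[:lower:]')
  printf 'ghcr.io/%s/ratify-gatekeeper-provider:%s\n' "$owner" "${2#refs/tags/}"
}

# Default probe (assumption): fetch the manifest from the registry.
# Assumes the runner has already logged in to ghcr.io.
probe_registry() { docker manifest inspect "$1" >/dev/null 2>&1; }

# Poll until the probe succeeds or the attempts run out; a non-zero return
# must stop the job so the chart is never pushed without its image.
# usage: wait_for_image <image> [attempts] [delay-seconds] [probe-command]
# Defaults of 60 attempts at 30 s give the 30-minute ceiling from the description.
wait_for_image() {
  image=$1; attempts=${2:-60}; delay=${3:-30}; probe=${4:-probe_registry}
  i=1
  while [ "$i" -le "$attempts" ]; do
    if "$probe" "$image"; then
      echo "found $image on attempt $i"
      return 0
    fi
    echo "attempt $i/$attempts: $image not available yet" >&2
    if [ "$i" -lt "$attempts" ]; then sleep "$delay"; fi
    i=$((i + 1))
  done
  echo "giving up on $image after $attempts attempts" >&2
  return 1
}

# In a workflow step (not run here):
#   wait_for_image "$(image_ref "$GITHUB_REPOSITORY" "$GITHUB_REF")" || exit 1
```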
Copilot AI review requested due to automatic review settings May 11, 2026 10:15

Copilot AI left a comment

Pull request overview

Adds safeguards to prevent Helm charts from being published before their referenced container images are available in GHCR, addressing a release-time race between independent workflows triggered by v* tags.

Changes:

  • Added a retrying GHCR image-existence check to publish-charts.yml before chart publication.
  • Added a GHCR image-existence verification step to publish-dev-assets.yml before chart packaging/push.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| .github/workflows/publish-charts.yml | Waits (with retry/backoff) for the release image to exist in GHCR before publishing charts. |
| .github/workflows/publish-dev-assets.yml | Verifies dev images are accessible in GHCR before packaging and pushing the dev Helm chart. |

Comment on lines +21 to +25
- name: Verify container image exists
run: |
VERSION=${GITHUB_REF#refs/tags/}
ORG_NAME=$(echo "$GITHUB_REPOSITORY" | cut -d'/' -f1)
IMAGE="ghcr.io/${ORG_NAME}/ratify-gatekeeper-provider:${VERSION}"
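Review bot: On the IMAGE line, ORG_NAME is taken from $GITHUB_REPOSITORY with its case preserved, but registry repository paths must be lowercase, so on an org or fork whose name contains uppercase letters the reference is invalid and the check can never succeed. Lowercase it when it is derived, for example by piping the cut output through tr '[:upper:]' '[:lower:]'. VERSION also keeps the tag's leading v, so confirm that the image workflow pushes the tag with the same string, otherwise the wait will run to its limit on every release.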
Comment thread .github/workflows/publish-dev-assets.yml Outdated

codecov Bot commented May 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.10%. Comparing base (dec8a6e) to head (ef08d05).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2513      +/-   ##
==========================================
- Coverage   77.15%   77.10%   -0.05%     
==========================================
  Files         105      105              
  Lines        4657     4657              
==========================================
- Hits         3593     3591       -2     
- Misses        916      917       +1     
- Partials      148      149       +1     

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Xinhe Li <xinhl@microsoft.com>
@fseldow fseldow closed this May 25, 2026