build: switch MPC node image push to skopeo with --preserve-digests#2780
build: switch MPC node image push to skopeo with --preserve-digests#2780barakeinav1 wants to merge 3 commits intomainfrom
Conversation
Use skopeo copy --preserve-digests for MPC node and node-gcp images, matching the pattern already used for launcher images. This ensures manifest digests are preserved when pushing to Docker Hub. Also adds skopeo to required commands when --push is used and outputs the manifest digest after push. Closes #2778 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Reviewed the diff. No critical issues found. The changes correctly mirror the existing skopeo pattern used for launcher images, adding proper temp dir cleanup and manifest digest output. ✅ Approved |
There was a problem hiding this comment.
Pull request overview
Updates the image build/push helper script to push MPC node images via skopeo copy --preserve-digests, aligning the node push flow with the launcher images so manifest digests are deterministic and can be reported.
Changes:
- Replace
docker tag && docker pushformpc-nodeandmpc-node-gcpwithskopeo copy --preserve-digestsvia a temporarydir:transport. - Require
skopeowhen--pushis used. - Compute and print manifest digests for node images after a push.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
deployment/build-images.sh
Outdated
| temp_dir=$(mktemp -d) | ||
| skopeo copy --all --dest-compress docker-daemon:$NODE_IMAGE_NAME:latest dir:$temp_dir | ||
| skopeo copy --preserve-digests dir:$temp_dir docker://docker.io/nearone/$NODE_IMAGE_NAME:$image_tag |
There was a problem hiding this comment.
temp_dir is unquoted in the skopeo copy ... dir:$temp_dir arguments. If $TMPDIR contains spaces, mktemp -d can produce a path with spaces and these commands will break. Quote the whole transport argument (e.g., dir:"$temp_dir") to make this robust.
deployment/build-images.sh
Outdated
| temp_dir=$(mktemp -d) | ||
| skopeo copy --all --dest-compress docker-daemon:$NODE_IMAGE_NAME:latest dir:$temp_dir | ||
| skopeo copy --preserve-digests dir:$temp_dir docker://docker.io/nearone/$NODE_IMAGE_NAME:$image_tag | ||
| node_manifest_digest="sha256:$(sha256sum $temp_dir/manifest.json | cut -d' ' -f1)" | ||
| rm -rf "$temp_dir" |
There was a problem hiding this comment.
Temp dir cleanup only happens on the success path. With set -e, if a skopeo copy fails the script exits and leaves the mktemp -d directory behind. Consider registering a trap (or similar) to ensure $temp_dir is removed on errors as well.
deployment/build-images.sh
Outdated
| node_manifest_digest="sha256:$(sha256sum $temp_dir/manifest.json | cut -d' ' -f1)" | ||
| rm -rf "$temp_dir" |
There was a problem hiding this comment.
For safer deletion, prefer rm -rf -- "$temp_dir". Even when quoted, if a path starts with - it can be interpreted as an option by rm without the -- terminator.
deployment/build-images.sh
Outdated
| temp_dir=$(mktemp -d) | ||
| skopeo copy --all --dest-compress docker-daemon:$NODE_GCP_IMAGE_NAME:latest dir:$temp_dir | ||
| skopeo copy --preserve-digests dir:$temp_dir docker://docker.io/nearone/$NODE_GCP_IMAGE_NAME:$image_tag |
There was a problem hiding this comment.
Same quoting issue here: dir:$temp_dir is unquoted. If the temporary directory path contains spaces (e.g., from $TMPDIR), skopeo copy will fail. Quote the full transport argument.
deployment/build-images.sh
Outdated
| node_gcp_manifest_digest="sha256:$(sha256sum $temp_dir/manifest.json | cut -d' ' -f1)" | ||
| rm -rf "$temp_dir" |
There was a problem hiding this comment.
Same as above: use rm -rf -- "$temp_dir" to avoid rm treating a path starting with - as an option.
The build script now requires skopeo for --push. Add the install step to docker_build_node.yml and docker_build_node_gcp.yml, matching the pattern already used in other workflows.
- Quote all $temp_dir usages to handle paths with spaces - Use 'rm -rf --' to guard against paths starting with '-' - Add EXIT trap to clean up temp dir on failure (set -e exits)
|
All Copilot feedback addressed in |
|
PR title type suggestion: This PR primarily modifies GitHub Actions workflows, which are CI/CD pipeline changes. The type prefix should probably be Suggested title: |
|
PR title type suggestion: This PR modifies CI workflow files to change how Docker images are pushed. The type prefix should probably be Suggested title: |
|
PR title type suggestion: This PR primarily modifies GitHub Actions workflows (CI/CD configuration), so the prefix should probably be Suggested title: |
| rm -rf -- "$temp_dir" | ||
| trap - EXIT |
There was a problem hiding this comment.
why are these two needed? the first no needed because this will only run in CI
| temp_dir=$(mktemp -d) | ||
| trap 'rm -rf -- "$temp_dir"' EXIT | ||
| skopeo copy --all --dest-compress "docker-daemon:$NODE_GCP_IMAGE_NAME:latest" "dir:$temp_dir" | ||
| skopeo copy --preserve-digests "dir:$temp_dir" "docker://docker.io/nearone/$NODE_GCP_IMAGE_NAME:$image_tag" | ||
| node_gcp_manifest_digest="sha256:$(sha256sum "$temp_dir/manifest.json" | cut -d' ' -f1)" |
There was a problem hiding this comment.
nit: we could put this in a function
Summary
docker pushtoskopeo copy --preserve-digests, matching the pattern already used for launcher imagesskopeoto required commands when--pushis usedCloses #2778
Test plan
./deployment/build-images.sh --node --pushuses skopeo and outputs manifest digest