TASK: Implement digest-based artifact promotion gates #63

Open
opened 2026-06-17 19:31:56 -04:00 by darkhelm · 0 comments
Owner

Summary

Enforce immutable digest-based promotion so only validated image digests are eligible for downstream deployment.

Problem

Tag-based flows can drift. Promotion must be bound to validated immutable digests.

Scope

  1. Capture backend and frontend digests at build/validation completion.
  2. Persist digest metadata in workflow outputs/artifacts.
  3. Gate promotion logic on validated digests only.
  4. Prevent post-validation rebuild in release path.

Out of Scope

  1. Environment-specific deployment details.
  2. Rollback automation UX.

Acceptance Criteria

  1. Promotion input references immutable digests.
  2. Workflow records digest provenance for each validated artifact.
  3. Promotion is blocked if digest provenance is missing or invalid.
  4. No rebuild step exists after validation success.

Dependencies

Issues:

  • Split CI tooling environment from deployable runtime images
  • Establish source-level fast-check lane
  • Add post-build black-box integration tests against runtime containers
  • Run browser E2E from dedicated runner image against runtime services

Definition of Done

Artifact promotion path is digest-locked and provenance-aware.
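An added illustration of the acceptance criteria above (example code written for this page, not taken from the project or this issue): a promotion gate that lets an artifact through only when the promotion input is an immutable sha256 digest and it matches a provenance record marked as validated. The provenance layout, field names and digests below are constructed assumptions, not the project's actual workflow outputs.

```python
import re

# Immutable OCI image digest: "sha256:" followed by exactly 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample of the provenance a build/validation job would persist as a
# workflow artifact (assumed layout). The digests are made up for illustration.
BACKEND_DIGEST = "sha256:" + "1f" * 32
FRONTEND_DIGEST = "sha256:" + "8c" * 32
SAMPLE_PROVENANCE = {
    "backend": {"digest": BACKEND_DIGEST, "validated": True, "run_id": "12345"},
    "frontend": {"digest": FRONTEND_DIGEST, "validated": True, "run_id": "12345"},
}


def gate(provenance: dict, requested: dict) -> tuple[bool, str]:
    """Digest promotion gate (hypothetical helper).

    provenance: {artifact: {"digest": ..., "validated": bool, ...}} recorded at validation time.
    requested:  {artifact: image reference} supplied as the promotion input.
    Returns (True, "ok") only if every requested reference is an immutable digest that
    matches a validated provenance record; otherwise (False, reason) and nothing is promoted.
    """
    if not requested:
        return False, "promotion input is empty"
    for name, ref in requested.items():
        # Criterion 1: the input must be a digest, never a mutable tag such as ":latest".
        if not DIGEST_RE.fullmatch(ref):
            return False, f"{name}: '{ref}' is not an immutable sha256 digest"
        record = provenance.get(name)
        # Criteria 2 and 3: provenance must exist, be well-formed and mark validation success.
        if record is None:
            return False, f"{name}: no digest provenance recorded"
        if not DIGEST_RE.fullmatch(str(record.get("digest", ""))):
            return False, f"{name}: provenance digest is missing or malformed"
        if record.get("validated") is not True:
            return False, f"{name}: digest was recorded but not validated"
        # Criterion 4, indirectly: a post-validation rebuild yields a new digest and fails here.
        if record["digest"] != ref:
            return False, f"{name}: requested digest does not match the validated digest"
    return True, "ok"


if __name__ == "__main__":
    import sys

    ok, reason = gate(SAMPLE_PROVENANCE, {"backend": BACKEND_DIGEST, "frontend": FRONTEND_DIGEST})
    print(reason)
    sys.exit(0 if ok else 1)
```

Wiring this into the release job as a step that exits non-zero on (False, reason) gives the "blocked if provenance is missing or invalid" behaviour without any tag lookup at promotion time.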

darkhelm changed title from Implement digest-based artifact promotion gates to TASK: Implement digest-based artifact promotion gates 2026-06-18 11:55:51 -04:00
darkhelm added the ops label 2026-06-18 11:57:12 -04:00
darkhelm added this to the E10 - Separate deployable runtime images from CI milestone 2026-06-18 11:58:10 -04:00
darkhelm added this to the Main Project Board project 2026-06-18 11:59:02 -04:00
copilotcoder was assigned by darkhelm 2026-06-18 11:59:33 -04:00
darkhelm added the afkdevextask labels 2026-06-18 12:04:31 -04:00
darkhelm moved this to To Do in Main Project Board on 2026-06-19 09:23:59 -04:00