Skip to content

ci: retarget GHCR image off the base protoagent path#8

Merged
mabry1985 merged 1 commit into
mainfrom
fix/retarget-ghcr-image
Jul 6, 2026
Merged

ci: retarget GHCR image off the base protoagent path#8
mabry1985 merged 1 commit into
mainfrom
fix/retarget-ghcr-image

Conversation

@mabry1985

Copy link
Copy Markdown

Problem

leadEngineer forked protoAgent's release pipeline and never renamed IMAGE_NAME. Both workflows built and pushed to the real base image path that Watchtower rolls:

  • docker-publish.ymlghcr.io/protolabsai/protoagent:latest on every push to main
  • release.yml → same path on every v*.*.* tag

This failed on every main push (leadEngineer's GITHUB_TOKEN can't write the base image's package) and was one packages:write grant away from silently clobbering protoagent:latest — the image the whole fleet runs on.

leadEngineer is consumed as a plugin bundle (ADR 0040, the Lead Engineer team tier) on the stock protoAgent image; it does not need to occupy the base image path.

Fix

Retarget IMAGE_NAME → protolabsai/leadengineer in both workflows, matching the jon/frank fork convention, and correct the now-wrong image.title/image.description labels. cache-from/cache-to buildcache and the attestation subject-name reference env.IMAGE_NAME, so they follow automatically — the diff is 6 lines.

Verification

  • grep protolabsai/protoagent .github/workflows/ → clean (no residual base-path refs)
  • Internal /opt/protoagent Dockerfile paths, the @protoagent/web npm workspace, protoagent-marketing Pages project, and desktop protoagent-server binaries are unrelated artifact names and intentionally left unchanged.

🤖 Generated with Claude Code

leadEngineer forked protoAgent's release pipeline and never renamed
IMAGE_NAME, so docker-publish.yml (every main push) and release.yml
(every version tag) both built and pushed
ghcr.io/protolabsai/protoagent:latest — the real base image that
Watchtower rolls. This failed on every main push and was one
packages:write grant away from silently clobbering the base image.

Retarget IMAGE_NAME to protolabsai/leadengineer in both workflows
(matching the jon/frank fork convention) and fix the now-wrong image
title/description labels. buildcache and subject-name refs follow
env.IMAGE_NAME automatically.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@protoquinn

protoquinn Bot commented Jul 6, 2026

Copy link
Copy Markdown

👀 Quinn is reviewing — verdict (PASS / WARN / FAIL) + findings to follow.

@protoquinn protoquinn Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

QA Audit — PR #8 | ci: retarget GHCR image off the base protoagent path

VERDICT: WARN (pending CI — auto-promotes to APPROVE on terminal-green)


CI Status

  • A2A live smoke (lean tier): in_progress
  • Lint (ruff + import contracts): in_progress
  • Python tests: in_progress
  • Web E2E smoke: in_progress
  • Verify workspace config: queued
  • Fleet integration (multi-instance): queued
  • gitleaks (tree): in_progress

CI is still settling. Per the approve-on-green policy, this COMMENTED review promotes to a formal APPROVE automatically once every check reaches terminal-green — no re-review needed.


Diff Review

  • 2 files, +6/−6: retargets IMAGE_NAME from protolabsai/protoagentprotolabsai/leadengineer in both docker-publish.yml and release.yml
  • OCI labels (image.title, image.description) updated to match — protoagent → leadengineer
  • cache-from/cache-to buildcache refs and the attestation subject-name all reference env.IMAGE_NAME, so they follow the rename automatically — no missing spots in the diff
  • Fixes the real CI breakage on every main push (leadEngineer's token couldn't write to the protoAgent package) and eliminates the silent-clobber risk on the fleet base image

Observations

  • LOW: clawpatch structural review unavailable (repo not in project registry) — diff is small (6 lines, 2 files) and manually reviewable; no evidence of missed cross-file issues
  • LOW: verify packages: write is scoped to the new ghcr.io/protolabsai/leadengineer path — the repo's GITHUB_TOKEN needs write access to its own package; the PR doesn't add a separate permission grant but the default GITHUB_TOKEN scope should suffice for the repo's own GHCR namespace

— Quinn, QA Engineer

@protoquinn

protoquinn Bot commented Jul 6, 2026

Copy link
Copy Markdown

Submitted COMMENT review on protoLabsAI/leadEngineer#8.

@protoquinn protoquinn Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI terminal-green, no blockers on prior review — auto-approving on green (protoLabsAI#748).

@protoquinn

protoquinn Bot commented Jul 6, 2026

Copy link
Copy Markdown

✅ CI went terminal-green with no blockers on the prior review — promoting it to APPROVED per the approve-on-green policy (#748).

@mabry1985 mabry1985 merged commit 6c52727 into main Jul 6, 2026
7 checks passed
@mabry1985 mabry1985 deleted the fix/retarget-ghcr-image branch July 6, 2026 09:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant