joakimp/opencode-devbox
Public Access
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: filter __pycache__ and macOS metadata from base hash compute
Validate / docs-check (push) Successful in 14s
Details
Validate / base-change-warning (push) Successful in 18s
Details
Validate / validate-omos (push) Successful in 4m34s
Details
Validate / validate-omos-with-pi (push) Successful in 4m57s
Details
Validate / validate-with-pi (push) Successful in 6m9s
Details
Validate / validate-base (push) Successful in 14m48s
Details

Browse Source 
Defensive against local-vs-CI hash divergence. `find rootfs -type f`
includes gitignored junk like rootfs/__pycache__/*.pyc and macOS
.DS_Store/._AppleDouble files, which CI's clean checkout never sees.

This bit us during v1.15.4 debugging when a stale generate-config.cpython-314.pyc
on the local rootfs/ produced base-3605aa6b6ab1 while CI computed
base-35ee5fe7861a. Took meaningful time to track down because git status
doesn't surface gitignored files.

Verified: same filter applied to current clean tree still produces
35ee5fe7861a (the published v1.15.4b base digest).
This commit is contained in:
Joakim Persson
2026-05-20 22:45:27 +02:00
parent 8f2c9f5112
commit b6e4d89a2c
2 changed files with 20 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/README.md
+10 -1
View File
@@ -81,11 +81,20 @@ content:
```sh ```sh
{ {
cat Dockerfile.base cat Dockerfile.base
find rootfs -type f -print0 | sort -z | xargs -0 cat find rootfs -type f \
! -path '*/__pycache__/*' \
! -name '*.pyc' \
! -name '.DS_Store' \
! -name '._*' \
-print0 | sort -z | xargs -0 cat
cat entrypoint.sh entrypoint-user.sh cat entrypoint.sh entrypoint-user.sh
} | sha256sum | cut -c1-12 } | sha256sum | cut -c1-12
``` ```
Junk filters keep the local recompute reproducible against CI's clean
checkout — `__pycache__/*.pyc` and macOS metadata files (`.DS_Store`,
`._AppleDouble`) are gitignored but still walked by `find -type f`.
The 12-character truncated hash becomes `base-<hash>`. Probe Docker Hub The 12-character truncated hash becomes `base-<hash>`. Probe Docker Hub
for this tag via `docker manifest inspect`: for this tag via `docker manifest inspect`:
.gitea/workflows/docker-publish-split.yml
+10 -1
View File
@@ -63,10 +63,19 @@ jobs:
run: | run: |
# Hash inputs that determine the base image's contents. # Hash inputs that determine the base image's contents.
# Order is fixed via `find -print0 | sort -z` for reproducibility. # Order is fixed via `find -print0 | sort -z` for reproducibility.
# Junk filters: __pycache__/*.pyc and macOS metadata (.DS_Store,
# ._AppleDouble) are gitignored locally but still picked up by
# `find rootfs -type f`, which would diverge the local hash from
# CI's clean checkout. Exclude them defensively here.
HASH=$( HASH=$(
{ {
cat Dockerfile.base cat Dockerfile.base
find rootfs -type f -print0 2>/dev/null | sort -z | xargs -0 cat 2>/dev/null find rootfs -type f \
! -path '*/__pycache__/*' \
! -name '*.pyc' \
! -name '.DS_Store' \
! -name '._*' \
-print0 2>/dev/null | sort -z | xargs -0 cat 2>/dev/null
cat entrypoint.sh entrypoint-user.sh cat entrypoint.sh entrypoint-user.sh
} | sha256sum | cut -c1-12 } | sha256sum | cut -c1-12
) )