Container Image Versions
Container images are built and published to GHCR -- see Deploying VRO. The images are tagged with an image tag, representing the version of the image. The image tag (or "image version" or "version") is:
- the first 7 characters of the commit hash when the image is built as part of Continuous Integration (CI CD Workflows),
- or a semantic version string formatted as `v1.2.3` when a release tag is created, typically for testing in LHDI environments,
- or a semantic version string formatted as `release-1.2.3` when a manual release tag is created, typically for deployment to prod LHDI.
See different image versions in the GitHub Container Repository. The `latest` image tag always refers to the last published image, which may or may not be signed by SecRel.
The `image_vars.src` and `image_versions.src` files determine which version of each container is used during deployment. These files should not be modified manually. The versions can be overridden by manually-specified versions in GitHub Action workflows (e.g., Update deployment).
Relevant ticket: Allow deployed containers to have different release versions #1725
Terminology:
- pinning an image version = set the version for a particular container image so that:
  - the version number uses the format `v*.*.*` or `release-*.*.*`;
  - the image is not republished to GHCR and SecRel does not rescan the (same) image;
  - and the pinned version is used during LHDI deployments.
- unpinning an image version = unset the version for a particular container image so that:
  - the version number is the first 7 characters of the commit hash;
  - a new image is built and SecRel scans the new image;
  - and the new image is deployed to LHDI.
Pinning and unpinning are performed by `image-version.sh`, which updates `image_versions.src` and is automatically called when certain events are triggered. The result is that images that don't change stay at their pinned versions. By looking at `image_versions.src`, it is apparent which images have not changed since the last release.
When a release is created, image versions that are unpinned will become pinned to that specified release version.
When the codebase is changed (e.g., a PR is merged), any pinned image version whose container image has changed will be unpinned.
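The pin/unpin rules above, sketched as shell functions that classify a tag and apply the two transitions. This is an added example, not VRO's `image-version.sh`; the function names, the strict numeric reading of `v*.*.*` and `release-*.*.*`, and lowercase hex for commit hashes are assumptions.

```shell
#!/bin/sh
# Added example: models the tag formats and pin/unpin transitions described above.
# Function names are hypothetical; this is not the project's image-version.sh.

# classify_tag TAG -> pinned | unpinned | latest | unknown
classify_tag() {
  case "$1" in
    latest) echo latest; return ;;   # may or may not be signed by SecRel
  esac
  if printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo pinned                      # release tag, e.g. v1.2.3
  elif printf '%s\n' "$1" | grep -Eq '^release-[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo pinned                      # manual release tag, e.g. release-1.2.3
  elif printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{7}$'; then
    echo unpinned                    # first 7 characters of a commit hash
  else
    echo unknown                     # anything else should be investigated
  fi
}

# on_release CURRENT_TAG RELEASE_TAG
# Unpinned versions become pinned to the release; pinned versions stay as they are.
on_release() {
  case "$(classify_tag "$1")" in
    unpinned) echo "$2" ;;
    *)        echo "$1" ;;
  esac
}

# on_code_change CURRENT_TAG IMAGE_CHANGED(yes|no) FULL_COMMIT_HASH
# A pinned version whose image changed is unpinned to the short commit hash,
# which means a new image is built and SecRel scans it. Only that case is
# modelled; every other input is returned unchanged.
on_code_change() {
  if [ "$(classify_tag "$1")" = pinned ] && [ "$2" = yes ]; then
    printf '%s\n' "$3" | cut -c1-7
  else
    echo "$1"
  fi
}

# Constructed sample tags, not taken from GHCR.
for t in v1.2.3 release-1.2.3 abc1234 latest v1.2; do
  echo "$t -> $(classify_tag "$t")"
done
```

A tag that classifies as `unknown` or `latest` is worth flagging in a deployment review, since neither tells you whether the image went through a SecRel scan.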