Plan for cleaning up legacy images on docker.io/stellar/stellar-cli

[leighmcculloch]

What problem does your feature solve?

The docker.io/stellar/stellar-cli Docker Hub repository contains images that were published before this repo's pipeline existed. Those legacy images were not produced by the current builds.json-driven, digest-pinned pipeline, so they don't share its provenance, reproducibility, or pinning guarantees.

Leaving them in place creates a few problems:

• Users (and SEP-58 verifiers) can pull tags that look official but were not produced by the documented pipeline.
• The published tag/digest list no longer matches what builds.json says we publish, making the repo's source of truth misleading.
• Ad-hoc/test pushes during pipeline development pollute the same namespace users consume from.

What would you like to see?

A plan with the following rough shape — exact details to be worked out in the issue/PR:

1. Inventory every tag and digest currently on docker.io/stellar/stellar-cli and classify each as:
   • produced by the current pipeline (matches an entry in builds.json), or
   • legacy / not produced by the current pipeline.
2. Remove (or otherwise retire — e.g. deprecate, hide, retag-and-archive) any images not produced by the current pipeline. Decide whether deletion is acceptable or whether we need a deprecation window first, given that downstream users and SEP-58 bldimg references may pin those digests.
3. Stop using stellar/stellar-cli as a test target. Pick a separate Docker Hub repo (e.g. stellar/stellar-cli-test or similar) for pipeline development and CI dry-runs, so the user-facing repo only ever receives pipeline-produced releases.
4. Document the policy in this repo's README so future maintainers don't re-pollute the production namespace.

[fnando]

Given the amount of tags we have, I say we should remove them all and publish 26.0.0, 25.2.0, 25.1.0, and latest. This is likely what they're pinning to anyway.

$ curl -s "https://hub.docker.com/v2/repositories/stellar/stellar-cli/tags?page_size=100" | jq '.results[].name'
"latest"
"25.1.0-rust-1.90.0-slim-bookworm"
"26.0.0"
"25.2.0"
"ce7e312c90bf14ba133f3d20b7fa96c7f72b2d3e"
"ee3115b93b9c11b7a4d090f676f35736d3d86172"
"036113300d376891d729856253c9ec10e20d1816"

[leighmcculloch]

"ce7e312c90bf14ba133f3d20b7fa96c7f72b2d3e"
"ee3115b93b9c11b7a4d090f676f35736d3d86172"
"036113300d376891d729856253c9ec10e20d1816"

What are these tags? I don't think we need separate commit tags for the cli, we can combine commit and cli version into a single tag.

Are you saying don't publish anything other than 26.0.0, 25.2.0, 25.1.0, and latest? How will we distinguish a different rust and cli pair?

How about just publishing the following. We can introduce other labels as needed, but latest and then specifics are probably all we need as a bare minimum to allow for the freedom of publishing others?

"latest"
"--rust-"

e.g.:

"latest"
"26.0.0-ee3115b93b9c11b7a4d090f676f35736d3d86172-rust1.95.1-slim-trixie"
"26.0.0-ee3115b93b9c11b7a4d090f676f35736d3d86172-rust1.95.0-slim-trixie"
"25.1.0-ce7e312c90bf14ba133f3d20b7fa96c7f72b2d3e-rust1.90.0-slim-bookworm"

[fnando]

To document the tags that we'll publish based on an internal discussion:

:latest (movable)
:<stellar cli version> (movable)
:<stellar-cli>-<rev>-rust<rust version>-<distro> (multi-arch)
:<stellar-cli>-<rev>-rust<rust version>-<distro>-<arch>

These are most for non-SEP-58 usage, as the recommended is pinning to image@sha256:<hash>.