From 15c1a11acf46518a907ba28aef7241f4ca51f4fb Mon Sep 17 00:00:00 2001
From: Fede Barcelona
Date: Mon, 9 Feb 2026 17:12:05 +0100
Subject: [PATCH 1/6] ci: push test image tagged pr- on pull requests

---
 .github/workflows/test_image.yaml | 67 +++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)

diff --git a/.github/workflows/test_image.yaml b/.github/workflows/test_image.yaml
index 9dac66b..b2f6964 100644
--- a/.github/workflows/test_image.yaml
+++ b/.github/workflows/test_image.yaml
@@ -17,8 +17,12 @@ jobs:
 test_build:
 name: Test Build (${{ matrix.arch }})
 runs-on: ubuntu-latest
+ defaults:
+ run:
+ shell: nix develop --command bash {0}
 permissions:
 contents: read # required for actions/checkout
+ packages: write # required for pushing to GHCR
 strategy:
 max-parallel: 1
 matrix:
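Review bot: `packages: write` is added to a job that runs on `pull_request`, but the GITHUB_TOKEN issued for pull requests opened from forks is read-only regardless of the permissions block, so the registry login and push steps this commit adds will fail on fork PRs instead of being skipped. If fork PRs are expected, gate the push on the head repository, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`, and say so in the comment: `packages: write # push PR image to GHCR; only effective for same-repo PRs`. It is also worth considering a package name separate from the one the publish workflow releases to, so that images built from unmerged PR code never sit beside release tags. The `test_build` job continues past the hunk.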
@@ -67,3 +71,66 @@ jobs:
 sysdig-secure-url: ${{ secrets.SECURE_ENV_MON_ENDPOINT }}
 stop-on-failed-policy-eval: true
 stop-on-processing-error: true
+
+ - name: Log in to GitHub Container Registry
+ run: echo "${{ secrets.GITHUB_TOKEN }}" | skopeo login ghcr.io -u "${{ github.actor }}" --password-stdin
+
+ - name: Push image by digest
+ env:
+ REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server
+ run: |
+ skopeo copy --digestfile /tmp/digest \
+ docker-archive:result \
+ docker://$REGISTRY --format oci
+
+ mkdir -p /tmp/digests
+ cp /tmp/digest /tmp/digests/${{ matrix.arch }}
+
+ - name: Upload digest
+ uses: actions/upload-artifact@v5
+ with:
+ name: digests-${{ matrix.arch }}
+ path: /tmp/digests/*
+ if-no-files-found: error
+ retention-days: 1
+
+ push_pr_image:
+ name: Push PR image to GitHub Packages
+ runs-on: ubuntu-latest
+ needs: [test_build]
+ if: github.event_name == 'pull_request'
+ permissions:
+ contents: read
+ packages: write
+ env:
+ REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server
+ steps:
+ - name: Download digests
+ uses: actions/download-artifact@v6
+ with:
+ path: /tmp/digests
+ pattern: digests-*
+ merge-multiple: true
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Create manifest list and push
+ env:
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ working-directory: /tmp/digests
+ run: |
+ docker buildx imagetools create --tag $REGISTRY:pr-${PR_NUMBER} \
+ $(printf "$REGISTRY@%s " $(cat *))
+
+ - name: Inspect image
+ env:
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ run: docker buildx imagetools inspect $REGISTRY:pr-${PR_NUMBER}

From d02911e9a8d56a9d58f86ddf84a796a188b1f74e Mon Sep 17 00:00:00 2001
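Review bot: The new steps reference third-party actions by mutable tag (`actions/upload-artifact@v5`, `actions/download-artifact@v6`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`), while the repository's existing convention, visible in the `Install Nix` and `Enable Nix cache` steps of the merged workflow later in this series, is to pin to a full commit SHA with a `# vN` comment "for supply-chain safety". A tag can be re-pointed at different code by the action's maintainers or by a compromised maintainer account, and both jobs here hold a `packages: write` token, so each `uses:` should be pinned the same way, e.g. `uses: docker/login-action@<commit-sha> # v3` with the SHA taken from `git ls-remote`. The same gap exists for `actions/checkout@v5` in patch 2 and `docker/build-push-action@v6` in patch 4.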
From: Fede Barcelona
Date: Tue, 10 Feb 2026 10:06:22 +0100
Subject: [PATCH 2/6] ci: unify PR workflows and fix multi-arch image push

Merge test.yaml and test_image.yaml into pull-request-ci.yaml with sequential jobs to avoid Nix cache rate limits. Push test images tagged pr- on pull requests. Fix digest file concatenation bug in both pull-request-ci and publish workflows.

---
 .github/workflows/publish.yaml | 2 +
 .../{test_image.yaml => pull-request-ci.yaml} | 45 ++++++++++++++++---
 .github/workflows/test.yaml | 45 -------------------
 3 files changed, 41 insertions(+), 51 deletions(-)
 rename .github/workflows/{test_image.yaml => pull-request-ci.yaml} (74%)
 delete mode 100644 .github/workflows/test.yaml

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index ba54425..a966594 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -63,6 +63,7 @@ jobs:
 contents: read
 packages: write
 strategy:
+ max-parallel: 1
 matrix:
 include:
 - arch: amd64
@@ -102,6 +103,7 @@ jobs:

 mkdir -p /tmp/digests
 cp /tmp/digest /tmp/digests/${{ matrix.arch }}
+ echo >> /tmp/digests/${{ matrix.arch }}

 - name: Upload digest
 uses: actions/upload-artifact@v5
diff --git a/.github/workflows/test_image.yaml b/.github/workflows/pull-request-ci.yaml
similarity index 74%
rename from .github/workflows/test_image.yaml
rename to .github/workflows/pull-request-ci.yaml
index b2f6964..8286181 100644
--- a/.github/workflows/test_image.yaml
+++ b/.github/workflows/pull-request-ci.yaml
@@ -1,5 +1,5 @@
 ---
-name: Test Image Build
+name: Pull Request CI

 on:
 pull_request:
@@ -10,13 +10,45 @@ on:
 workflow_dispatch:

 concurrency:
- group: "test-image-${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
+ group: "pr-ci-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
 cancel-in-progress: true

 jobs:
- test_build:
- name: Test Build (${{ matrix.arch }})
+ build-and-test:
+ name: Build and Test
 runs-on: ubuntu-latest
+ defaults:
+ run:
+ shell: nix develop --command bash {0}
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v5
+
+ - name: Install Nix
+ # Pinned to v21 commit SHA for supply-chain safety.
+ # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git
+ uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+
+ - name: Enable Nix cache
+ # Pinned to v13 commit SHA for supply-chain safety.
+ # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git
+ uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+ with:
+ use-flakehub: false
+
+ - name: Build
+ run: go build ./...
+
+ - name: Run Checks
+ run: just check
+ env:
+ SYSDIG_MCP_API_HOST: ${{ vars.SYSDIG_MCP_API_HOST }}
+ SYSDIG_MCP_API_TOKEN: ${{ secrets.SYSDIG_MCP_API_SECURE_TOKEN }}
+
+ test-image:
+ name: Test Image (${{ matrix.arch }})
+ runs-on: ubuntu-latest
+ needs: [build-and-test]
 defaults:
 run:
 shell: nix develop --command bash {0}
@@ -85,6 +117,7 @@ jobs:

 mkdir -p /tmp/digests
 cp /tmp/digest /tmp/digests/${{ matrix.arch }}
+ echo >> /tmp/digests/${{ matrix.arch }}

 - name: Upload digest
 uses: actions/upload-artifact@v5
@@ -94,10 +127,10 @@ jobs:
 if-no-files-found: error
 retention-days: 1

- push_pr_image:
+ push-pr-image:
 name: Push PR image to GitHub Packages
 runs-on: ubuntu-latest
- needs: [test_build]
+ needs: [test-image]
 if: github.event_name == 'pull_request'
 permissions:
 contents: read
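Review bot: `Run Checks` feeds `secrets.SYSDIG_MCP_API_SECURE_TOKEN` into a job that now runs on every `pull_request`, and for pull requests from forks GitHub withholds repository secrets, so `SYSDIG_MCP_API_TOKEN` will be empty there and `just check` presumably either fails or tests against nothing (the step is moved from the deleted `test.yaml`, so this is not new behaviour, but the image push now depends on it via `needs: [build-and-test]`). Make the requirement explicit rather than implicit: gate the step with `if: github.event.pull_request.head.repo.full_name == github.repository` or have `just check` fail loudly when the token is unset, and add a comment such as `# Uses repository secrets; not available to pull requests from forks`. Separately, `actions/checkout@v5` is the one action in this job not pinned to a commit SHA like its neighbours.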
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
deleted file mode 100644
index 882f907..0000000
--- a/.github/workflows/test.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-name: Test
-
-on:
- pull_request:
- branches:
- - main
- - master
- workflow_call:
- workflow_dispatch:
-
-concurrency:
- group: "tests-${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
- cancel-in-progress: true
-
-jobs:
- build-and-test:
- name: Build and Test
- runs-on: ubuntu-latest
- defaults:
- run:
- shell: nix develop --command bash {0}
- steps:
- - name: Check out the repo
- uses: actions/checkout@v4
-
- - name: Install nix
- # Pinned to v21 commit SHA for supply-chain safety.
- # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git
- uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
-
- - name: Enable Nix cache
- # Pinned to v13 commit SHA for supply-chain safety.
- # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git
- uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
- with:
- use-flakehub: false
-
- - name: Build
- run: go build ./...
-
- - name: Run Checks
- run: just check
- env:
- SYSDIG_MCP_API_HOST: ${{ vars.SYSDIG_MCP_API_HOST }}
- SYSDIG_MCP_API_TOKEN: ${{ secrets.SYSDIG_MCP_API_SECURE_TOKEN }}

From f45b0beb826d943cf297e7fd36158af6ccd1d35e Mon Sep 17 00:00:00 2001
From: Fede Barcelona
Date: Tue, 10 Feb 2026 10:28:35 +0100
Subject: [PATCH 3/6] chore: bump version to 1.0.2

---
 package.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.nix b/package.nix
index a2c073c..4b647ef 100644
--- a/package.nix
+++ b/package.nix
@@ -1,7 +1,7 @@
 { buildGo124Module, versionCheckHook }:
 buildGo124Module (finalAttrs: {
 pname = "sysdig-mcp-server";
- version = "1.0.1";
+ version = "1.0.2";
 src = ./.;
 # This hash is automatically re-calculated with `just rehash-package-nix`. This is automatically called as well by `just update`.
 vendorHash = "sha256-qMgFlDqzmtpxNOFCX9TsE4sjz0ZdvTJ5Q5IpA8lzG8g=";

From 28d5a2180ab3bcb3f68a48d92afc9fe57bc86a44 Mon Sep 17 00:00:00 2001
From: Fede Barcelona
Date: Tue, 10 Feb 2026 11:11:50 +0100
Subject: [PATCH 4/6] ci: push images by digest only, never overwrite :latest

Replace skopeo copy (which defaults to :latest) with docker/build-push-action using push-by-digest=true in both pull-request-ci and publish workflows.

---
 .github/workflows/publish.yaml | 37 ++++++++++++++++++--------
 .github/workflows/pull-request-ci.yaml | 36 ++++++++++++++++++-------
 2 files changed, 52 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index a966594..e601066 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -67,8 +67,10 @@ jobs:
 matrix:
 include:
 - arch: amd64
+ platform: linux/amd64
 nix_package: sysdig-mcp-server-image-amd64
 - arch: arm64
+ platform: linux/arm64
 nix_package: sysdig-mcp-server-image-aarch64
 steps:
 - name: Check out the repo
@@ -89,21 +91,34 @@ jobs:
 - name: Build image
 run: nix build .#${{ matrix.nix_package }} -o result

+ - name: Convert to OCI layout
+ run: skopeo copy docker-archive:result oci:/tmp/oci-image:latest
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
 - name: Log in to GitHub Container Registry
- run: echo "${{ secrets.GITHUB_TOKEN }}" | skopeo login ghcr.io -u "${{ github.actor }}" --password-stdin
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}

 - name: Push image by digest
 id: push
- env:
- REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server
- run: |
- skopeo copy --digestfile /tmp/digest \
- docker-archive:result \
- docker://$REGISTRY --format oci
+ uses: docker/build-push-action@v6
+ with:
+ file: /dev/null
+ build-contexts: |
+ base=oci-layout:///tmp/oci-image
+ platforms: ${{ matrix.platform }}
+ outputs: type=image,name=ghcr.io/sysdiglabs/sysdig-mcp-server,push-by-digest=true,name-canonical=true,push=true

+ - name: Export digest
+ run: |
 mkdir -p /tmp/digests
- cp /tmp/digest /tmp/digests/${{ matrix.arch }}
- echo >> /tmp/digests/${{ matrix.arch }}
+ digest="${{ steps.push.outputs.digest }}"
+ touch "/tmp/digests/${digest#sha256:}"

 - name: Upload digest
 uses: actions/upload-artifact@v5
@@ -146,10 +161,10 @@ jobs:
 working-directory: /tmp/digests
 run: |
 docker buildx imagetools create --tag $REGISTRY:${VERSION} \
- $(printf "$REGISTRY@%s " $(cat *))
+ $(printf "$REGISTRY@sha256:%s " *)

 docker buildx imagetools create --tag $REGISTRY:latest \
- $(printf "$REGISTRY@%s " $(cat *))
+ $(printf "$REGISTRY@sha256:%s " *)

 - name: Inspect image
 env:
diff --git a/.github/workflows/pull-request-ci.yaml b/.github/workflows/pull-request-ci.yaml
index 8286181..ec7bae6 100644
--- a/.github/workflows/pull-request-ci.yaml
+++ b/.github/workflows/pull-request-ci.yaml
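Review bot: `Export digest` interpolates `${{ steps.push.outputs.digest }}` straight into the script and then uses it, unchecked, as a filename that the later `printf "$REGISTRY@sha256:%s " *` turns into manifest references for the `:latest` and `:${VERSION}` tags. If the output is empty, `touch "/tmp/digests/"` succeeds on the directory itself and nothing is recorded, which only surfaces later as `if-no-files-found: error` on the upload; any other unexpected value would be pushed as a manifest reference. Pass the value through `env:` and validate it before use, e.g. `[[ "$DIGEST" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "unexpected digest: $DIGEST" >&2; exit 1; }`. The same step appears in the pull-request-ci hunk of this patch; whether this job's shell runs with `-e` depends on its `defaults`, which are outside the hunk.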
@@ -60,8 +60,10 @@ jobs:
 matrix:
 include:
 - arch: amd64
+ platform: linux/amd64
 nix_package: sysdig-mcp-server-image-amd64
 - arch: arm64
+ platform: linux/arm64
 nix_package: sysdig-mcp-server-image-aarch64
 steps:
 - name: Check out the repo
@@ -104,20 +106,34 @@ jobs:
 stop-on-failed-policy-eval: true
 stop-on-processing-error: true

+ - name: Convert to OCI layout
+ run: skopeo copy docker-archive:result oci:/tmp/oci-image:latest
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
 - name: Log in to GitHub Container Registry
- run: echo "${{ secrets.GITHUB_TOKEN }}" | skopeo login ghcr.io -u "${{ github.actor }}" --password-stdin
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}

 - name: Push image by digest
- env:
- REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server
- run: |
- skopeo copy --digestfile /tmp/digest \
- docker-archive:result \
- docker://$REGISTRY --format oci
+ id: push
+ uses: docker/build-push-action@v6
+ with:
+ file: /dev/null
+ build-contexts: |
+ base=oci-layout:///tmp/oci-image
+ platforms: ${{ matrix.platform }}
+ outputs: type=image,name=ghcr.io/sysdiglabs/sysdig-mcp-server,push-by-digest=true,name-canonical=true,push=true

+ - name: Export digest
+ run: |
 mkdir -p /tmp/digests
- cp /tmp/digest /tmp/digests/${{ matrix.arch }}
- echo >> /tmp/digests/${{ matrix.arch }}
+ digest="${{ steps.push.outputs.digest }}"
+ touch "/tmp/digests/${digest#sha256:}"

 - name: Upload digest
 uses: actions/upload-artifact@v5
@@ -161,7 +177,7 @@ jobs:
 working-directory: /tmp/digests
 run: |
 docker buildx imagetools create --tag $REGISTRY:pr-${PR_NUMBER} \
- $(printf "$REGISTRY@%s " $(cat *))
+ $(printf "$REGISTRY@sha256:%s " *)

 - name: Inspect image
 env:

From f3896dd1b319a50c3449b5208921df589b180f92 Mon Sep 17 00:00:00 2001
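Review bot: The multi-line `Export digest` script in the `test-image` job runs under the job's `defaults.run.shell: nix develop --command bash {0}` (declared in patch 2), and a custom shell string is used verbatim, so unlike GitHub's built-in `bash` shell it does not get `-e`: a failing `mkdir` or `touch` leaves the step green and the job proceeds to `Upload digest` with whatever is on disk. Start scripts in this job with `set -euo pipefail`, or make the job default `shell: nix develop --command bash -euo pipefail {0}` so every `run:` step fails fast. The last hunk (`printf "$REGISTRY@sha256:%s " *`) belongs to `push-pr-image`, which has no custom shell and so already runs with `-e`; the `test-image` job's steps continue outside the hunk.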
From: Fede Barcelona
Date: Tue, 10 Feb 2026 11:23:47 +0100
Subject: [PATCH 5/6] fix(ci): use Dockerfile with FROM base instead of /dev/null

---
 .github/workflows/publish.yaml | 6 ++++--
 .github/workflows/pull-request-ci.yaml | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index e601066..150d819 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -92,7 +92,9 @@ jobs:
 run: nix build .#${{ matrix.nix_package }} -o result

 - name: Convert to OCI layout
- run: skopeo copy docker-archive:result oci:/tmp/oci-image:latest
+ run: |
+ skopeo copy docker-archive:result oci:/tmp/oci-image:latest
+ echo "FROM base" > /tmp/Dockerfile.push

 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
@@ -108,7 +110,7 @@ jobs:
 id: push
 uses: docker/build-push-action@v6
 with:
- file: /dev/null
+ file: /tmp/Dockerfile.push
 build-contexts: |
 base=oci-layout:///tmp/oci-image
 platforms: ${{ matrix.platform }}
diff --git a/.github/workflows/pull-request-ci.yaml b/.github/workflows/pull-request-ci.yaml
index ec7bae6..d254ffe 100644
--- a/.github/workflows/pull-request-ci.yaml
+++ b/.github/workflows/pull-request-ci.yaml
@@ -107,7 +107,9 @@ jobs:
 stop-on-processing-error: true

 - name: Convert to OCI layout
- run: skopeo copy docker-archive:result oci:/tmp/oci-image:latest
+ run: |
+ skopeo copy docker-archive:result oci:/tmp/oci-image:latest
+ echo "FROM base" > /tmp/Dockerfile.push

 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
@@ -123,7 +125,7 @@ jobs:
 id: push
 uses: docker/build-push-action@v6
 with:
- file: /dev/null
+ file: /tmp/Dockerfile.push
 build-contexts: |
 base=oci-layout:///tmp/oci-image
 platforms: ${{ matrix.platform }}

From 1f51affeb353b842038553488816c5c080c9818b Mon Sep 17 00:00:00 2001
From: Fede Barcelona
Date: Tue, 10 Feb 2026 11:44:46 +0100
Subject: [PATCH 6/6] fix(ci): disable provenance attestation to avoid unknown/unknown manifest

---
 .github/workflows/publish.yaml | 1 +
 .github/workflows/pull-request-ci.yaml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 150d819..6684632 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -114,6 +114,7 @@ jobs:
 build-contexts: |
 base=oci-layout:///tmp/oci-image
 platforms: ${{ matrix.platform }}
+ provenance: false
 outputs: type=image,name=ghcr.io/sysdiglabs/sysdig-mcp-server,push-by-digest=true,name-canonical=true,push=true

 - name: Export digest
diff --git a/.github/workflows/pull-request-ci.yaml b/.github/workflows/pull-request-ci.yaml
index d254ffe..1e4aa79 100644
--- a/.github/workflows/pull-request-ci.yaml
+++ b/.github/workflows/pull-request-ci.yaml
@@ -129,6 +129,7 @@ jobs:
 build-contexts: |
 base=oci-layout:///tmp/oci-image
 platforms: ${{ matrix.platform }}
+ provenance: false
 outputs: type=image,name=ghcr.io/sysdiglabs/sysdig-mcp-server,push-by-digest=true,name-canonical=true,push=true

 - name: Export digest
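Review bot: `provenance: false` drops the build provenance attestation buildx would otherwise attach to the pushed image, and the reason lives only in the commit message, so the next reader of the workflow will be tempted to remove the line. Record the trade-off beside the key: `provenance: false # buildx attaches attestations as an extra unknown/unknown manifest; disabled so only the per-arch image digest is exported (see 1f51affe)`. Since the project already pins actions by SHA "for supply-chain safety", it may want provenance back for releases; that can be produced for the final merged manifest digest instead, for example with `actions/attest-build-provenance` after the `imagetools create` step in the publish workflow — confirm that fits the release flow. The same note applies to the pull-request-ci hunk in this patch.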