try to verify contents of the images via a label

Scartography · Scartography · commit d856d130def5 · 2026-01-13T12:26:11.000+01:00
diff --git a/.github/workflows/_image-factory.yml b/.github/workflows/_image-factory.yml
@@ -26,8 +26,14 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       run-build: ${{ steps.check.outputs.run }}
+      core-sha: ${{ steps.stamp.outputs.core }}
+      eo-sha: ${{ steps.stamp.outputs.eo }}
+      hub-sha: ${{ steps.stamp.outputs.hub }}
+      cli-sha: ${{ steps.stamp.outputs.cli }}
+      expected-manifest: ${{ steps.stamp.outputs.manifest }}
     steps:
       - uses: actions/checkout@v4
+
       - id: check
         run: |
           if [[ "${{ github.event_name }}" == "repository_dispatch" ]]; then
@@ -38,6 +44,25 @@ jobs:
             else echo "run=false" >> $GITHUB_OUTPUT; fi
           else echo "run=true" >> $GITHUB_OUTPUT; fi
 
+      - id: stamp
+        run: |
+          CORE="${{ inputs.repo-core-ref || (github.event.client_payload.source_repo == 'mapchete' && github.event.client_payload.sha) || 'main' }}"
+          EO="${{ inputs.repo-eo-ref || (github.event.client_payload.source_repo == 'mapchete-eo' && github.event.client_payload.sha) || 'main' }}"
+          HUB="${{ inputs.repo-hub-ref || (github.event.client_payload.source_repo == 'mapchete-hub' && github.event.client_payload.sha) || 'main' }}"
+          CLI="${{ inputs.repo-cli-ref || (github.event.client_payload.source_repo == 'mapchete-hub-cli' && github.event.client_payload.sha) || 'main' }}"
+          
+          if [[ "${{ inputs.image-name }}" == "mapchete" ]]; then
+            MANIFEST="${CORE}|${EO}|${HUB}|none"
+          else
+            MANIFEST="none|none|${HUB}|${CLI}"
+          fi
+          
+          echo "manifest=$MANIFEST" >> $GITHUB_OUTPUT
+          echo "core=$CORE" >> $GITHUB_OUTPUT
+          echo "eo=$EO" >> $GITHUB_OUTPUT
+          echo "hub=$HUB" >> $GITHUB_OUTPUT
+          echo "cli=$CLI" >> $GITHUB_OUTPUT
+
   build:
     needs: prepare
     if: needs.prepare.outputs.run-build == 'true'
@@ -59,30 +84,67 @@ jobs:
           load: true
           tags: local-test-image:latest
           build-args: |
-            REPO_CORE_REF=${{ inputs.repo-core-ref || (github.event.client_payload.source_repo == 'mapchete' && github.event.client_payload.sha) || 'main' }}
-            REPO_EO_REF=${{ inputs.repo-eo-ref || (github.event.client_payload.source_repo == 'mapchete-eo' && github.event.client_payload.sha) || 'main' }}
-            REPO_HUB_REF=${{ inputs.repo-hub-ref || (github.event.client_payload.source_repo == 'mapchete-hub' && github.event.client_payload.sha) || 'main' }}
-            REPO_CLI_REF=${{ inputs.repo-cli-ref || (github.event.client_payload.source_repo == 'mapchete-hub-cli' && github.event.client_payload.sha) || 'main' }}
+            REPO_CORE_REF=${{ needs.prepare.outputs.core-sha }}
+            REPO_EO_REF=${{ needs.prepare.outputs.eo-sha }}
+            REPO_HUB_REF=${{ needs.prepare.outputs.hub-sha }}
+            REPO_CLI_REF=${{ needs.prepare.outputs.cli-sha }}
+
+      - name: Verify Build & Sync Check
+        id: uv_check
+        run: |
+          # 1. Verify Git Sync Integrity
+          ACTUAL_MANIFEST=$(docker run --rm local-test-image:latest cat /app/build_manifest)
+          EXPECTED_MANIFEST="${{ needs.prepare.outputs.expected-manifest }}"
+          if [ "$ACTUAL_MANIFEST" != "$EXPECTED_MANIFEST" ]; then
+            echo "❌ Git SHA Mismatch! CI expected $EXPECTED_MANIFEST but Docker built $ACTUAL_MANIFEST"
+            exit 1
+          fi
+
+          # 2. Extract UV Fingerprint
+          UV_HASH=$(docker run --rm local-test-image:latest cat /app/uv_fingerprint)
+          echo "uv-hash=$UV_HASH" >> $GITHUB_OUTPUT
+
+          # 3. Compare with Remote Registry Label
+          REMOTE_TAG="dev"
+          if [[ "${{ github.event_name }}" == "repository_dispatch" && "${{ github.event.client_payload.image_tag }}" == "latest" ]]; then REMOTE_TAG="latest"; fi
+          
+          REMOTE_HASH=$(docker manifest inspect ghcr.io/mapchete/${{ inputs.image-name }}:$REMOTE_TAG 2>/dev/null | jq -r '.config.labels["org.mapchete.uv_lock_hash"]' || echo "none")
+          
+          if [[ "$UV_HASH" == "$REMOTE_HASH" && "${{ github.ref_type }}" != "tag" ]]; then
+            echo "changed=false" >> $GITHUB_OUTPUT
+            echo "✅ Content Match: $UV_HASH matches registry. Skipping push."
+          else
+            echo "changed=true" >> $GITHUB_OUTPUT
+            echo "🚀 Content Change: New fingerprint $UV_HASH"
+          fi
 
       - name: Integration Tests
-        if: inputs.image-name == 'mapchete'
+        if: steps.uv_check.outputs.changed == 'true'
+        id: tests
         run: |
-          docker run --rm \
-            -e AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }} \
-            -e AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }} \
-            -e CDSE_S3_ACCESS_KEY=${{ secrets.CDSE_S3_ACCESS_KEY }} \
-            -e CDSE_S3_SECRET_KEY=${{ secrets.CDSE_S3_SECRET_KEY }} \
-            -e AWS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt \
-            local-test-image:latest \
-            /bin/bash -c "cd deps/mapchete-eo && uv pip install -e .[test] && uv run pytest"
+          if docker run --rm local-test-image:latest ls -d deps/mapchete-eo/tests >/dev/null 2>&1; then
+            echo "found=true" >> $GITHUB_OUTPUT
+            docker run --rm \
+              -e AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }} \
+              -e AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }} \
+              -e CDSE_S3_ACCESS_KEY=${{ secrets.CDSE_S3_ACCESS_KEY }} \
+              -e CDSE_S3_SECRET_KEY=${{ secrets.CDSE_S3_SECRET_KEY }} \
+              -e AWS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt \
+              local-test-image:latest \
+              /bin/bash -c "cd deps/mapchete-eo && uv pip install -e .[test] && uv run pytest"
+          else
+            echo "found=false" >> $GITHUB_OUTPUT
+          fi
 
       - uses: docker/login-action@v3
+        if: steps.uv_check.outputs.changed == 'true'
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - id: meta
+        if: steps.uv_check.outputs.changed == 'true'
         uses: docker/metadata-action@v5
         with:
           images: ghcr.io/mapchete/${{ inputs.image-name }}
@@ -91,45 +153,32 @@ jobs:
           tags: |
             type=raw,value=${{ inputs.image-tag }},enable=${{ inputs.image-tag != '' }}
             type=ref,event=tag
-            
-            # BUILD LATEST:
-            # - Only on push to main or 'latest' dispatch
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || (github.event_name == 'repository_dispatch' && github.event.client_payload.image_tag == 'latest') }}
-            
-            # BUILD DEV:
-            # - On PRs
-            # - On push to main
-            # - On 'dev' dispatch
-            # - On 'latest' dispatch (as requested)
             type=raw,value=dev,enable=${{ github.event_name == 'pull_request' || github.ref == 'refs/heads/main' || (github.event_name == 'repository_dispatch' && (github.event.client_payload.image_tag == 'dev' || github.event.client_payload.image_tag == 'latest')) }}
-            
             type=ref,event=pr
 
       - id: push
+        if: steps.uv_check.outputs.changed == 'true'
         uses: docker/build-push-action@v5
         with:
           context: ${{ inputs.image-name }}/
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
-            REPO_CORE_REF=${{ inputs.repo-core-ref || (github.event.client_payload.source_repo == 'mapchete' && github.event.client_payload.sha) || 'main' }}
-            REPO_EO_REF=${{ inputs.repo-eo-ref || (github.event.client_payload.source_repo == 'mapchete-eo' && github.event.client_payload.sha) || 'main' }}
-            REPO_HUB_REF=${{ inputs.repo-hub-ref || (github.event.client_payload.source_repo == 'mapchete-hub' && github.event.client_payload.sha) || 'main' }}
-            REPO_CLI_REF=${{ inputs.repo-cli-ref || (github.event.client_payload.source_repo == 'mapchete-hub-cli' && github.event.client_payload.sha) || 'main' }}
+            REPO_CORE_REF=${{ needs.prepare.outputs.core-sha }}
+            REPO_EO_REF=${{ needs.prepare.outputs.eo-sha }}
+            REPO_HUB_REF=${{ needs.prepare.outputs.hub-sha }}
+            REPO_CLI_REF=${{ needs.prepare.outputs.cli-sha }}
+            IMAGE_FINGERPRINT=${{ steps.uv_check.outputs.uv-hash }}
 
       - uses: actions/attest-build-provenance@v2
-        if: steps.push.outputs.digest != ''
+        if: steps.uv_check.outputs.changed == 'true' && steps.push.outputs.digest != ''
         with:
           subject-name: ghcr.io/mapchete/${{ inputs.image-name }}
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
 
-      - name: Update Version File
-        if: github.event_name == 'repository_dispatch' && github.event.client_payload.type == 'version'
-        run: |
-          echo "${{ github.event.client_payload.source_repo }}: ${{ github.event.client_payload.image_tag }}" > ${{ inputs.image-name }}/VERSION.txt
-
       - name: Create or Update Pull Request
         if: github.event_name == 'repository_dispatch' && github.event.client_payload.type == 'version'
         uses: peter-evans/create-pull-request@v6
@@ -141,6 +190,8 @@ jobs:
           body: |
             Automated update triggered by `${{ github.event.client_payload.source_repo }}`.
             - **New Version:** `${{ github.event.client_payload.image_tag }}`
+            - **UV Environment Hash:** `${{ steps.uv_check.outputs.uv-hash }}`
+            - **Sync Integrity Check:** PASSED ✅
           base: main
           delete-branch: true
           assignees: "scartography"
diff --git a/mapchete/Dockerfile b/mapchete/Dockerfile
@@ -29,14 +29,28 @@ RUN uv init --name factory-build --lib . && \
     uv lock && \
     uv sync --frozen --no-dev
 
+# Generate the fingerprint based on the resolved lockfile
+RUN sha256sum uv.lock | cut -d' ' -f1 > /app/uv_fingerprint
+# Also keep the manifest for the CI sync check
+RUN CORE_SHA=$(git -C deps/mapchete rev-parse HEAD 2>/dev/null || echo "none") && \
+    EO_SHA=$(git -C deps/mapchete-eo rev-parse HEAD 2>/dev/null || echo "none") && \
+    HUB_SHA=$(git -C deps/mapchete-hub rev-parse HEAD 2>/dev/null || echo "none") && \
+    echo "${CORE_SHA}|${EO_SHA}|${HUB_SHA}}" > /app/build_manifest
+
 FROM ghcr.io/osgeo/gdal:ubuntu-small-3.12.0
 
+ARG IMAGE_FINGERPRINT=unknown
+
 WORKDIR /app
 COPY --from=builder /app/.venv /app/.venv
 COPY --from=builder /app/deps /app/deps
 COPY . .
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
 
+COPY --from=builder /app/uv_fingerprint /app/uv_fingerprint
+COPY --from=builder /app/build_manifest /app/build_manifest
+LABEL org.mapchete.uv_lock_hash=$IMAGE_FINGERPRINT
+
 ENV PATH="/app/.venv/bin:$PATH"
 
 CMD ["mapchete", "--help"]
diff --git a/mhub-cli-full/Dockerfile b/mhub-cli-full/Dockerfile
@@ -18,12 +18,25 @@ RUN uv init --name factory-build --lib . && \
     uv lock && \
     uv sync --frozen --no-dev
 
+# Generate the fingerprint based on the resolved lockfile
+RUN sha256sum uv.lock | cut -d' ' -f1 > /app/uv_fingerprint
+# Also keep the manifest for the CI sync check
+RUN mkdir -p /app && \
+    CLI_SHA=$(git -C deps/mapchete-hub-cli rev-parse HEAD 2>/dev/null || echo "none") && \
+    echo "${CLI_SHA}" > /app/build_manifest    
+
 FROM ghcr.io/osgeo/gdal:ubuntu-small-3.12.0
 
+ARG IMAGE_FINGERPRINT=unknown
+
 WORKDIR /app
 COPY --from=builder /app/.venv /app/.venv
 COPY --from=builder /app/deps /app/deps
 COPY . .
 
+COPY --from=builder /app/uv_fingerprint /app/uv_fingerprint
+COPY --from=builder /app/build_manifest /app/build_manifest
+LABEL org.mapchete.image_fingerprint=$IMAGE_FINGERPRINT
+
 ENV PATH="/app/.venv/bin:$PATH"
 ENTRYPOINT ["mhub"]
diff --git a/mhub-cli-light/Dockerfile b/mhub-cli-light/Dockerfile
@@ -18,12 +18,25 @@ RUN uv init --name factory-build --lib . && \
     uv lock && \
     uv sync --frozen --no-dev
 
+# Generate the fingerprint based on the resolved lockfile
+RUN sha256sum uv.lock | cut -d' ' -f1 > /app/uv_fingerprint
+# Also keep the manifest for the CI sync check
+RUN mkdir -p /app && \
+    CLI_SHA=$(git -C deps/mapchete-hub-cli rev-parse HEAD 2>/dev/null || echo "none") && \
+    echo "${CLI_SHA}" > /app/build_manifest    
+
 FROM ghcr.io/osgeo/gdal:ubuntu-small-3.12.0
 
+ARG IMAGE_FINGERPRINT=unknown
+
 WORKDIR /app
 COPY --from=builder /app/.venv /app/.venv
 COPY --from=builder /app/deps /app/deps
 COPY . .
 
+COPY --from=builder /app/uv_fingerprint /app/uv_fingerprint
+COPY --from=builder /app/build_manifest /app/build_manifest
+LABEL org.mapchete.image_fingerprint=$IMAGE_FINGERPRINT
+
 ENV PATH="/app/.venv/bin:$PATH"
 ENTRYPOINT ["mhub"]
