Merge pull request #8 from techofourown/codex/catalog-index-publication-20260317

fix: publish contract-indexed catalog rows

Author: johnbenac

.github/workflows/ci.yml

@@ -15,6 +15,8 @@ jobs:
       - uses: oras-project/setup-oras@v1
       - name: Validate script syntax
         run: bash -n scripts/render-catalog-bundle.sh scripts/check-catalog-bundle-smoke.sh scripts/check-image-refs-exist.sh scripts/check-publish-workflow.sh
+      - name: Validate catalog-row helper syntax
+        run: python3 -m py_compile scripts/render-catalog-rows.py
       - name: Validate publish workflow invariants
         run: bash scripts/check-publish-workflow.sh
       - name: Validate and render catalog bundle

.github/workflows/publish-catalog-bundle.yml

@@ -9,6 +9,10 @@ on:
       - refresh-from-upstream-image-publish
   workflow_dispatch:
 
+concurrency:
+  group: publish-application-catalog-${{ github.repository }}
+  cancel-in-progress: false
+
 jobs:
   publish:
     runs-on: ubuntu-latest
@@ -26,15 +30,51 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Publish bundle
         run: |
+          set -euo pipefail
           REF="ghcr.io/techofourown/sw-ourbox-catalog-hello-world:latest"
+          CATALOG_REF="ghcr.io/techofourown/sw-ourbox-catalog-hello-world:catalog-amd64"
+          CATALOG_ARTIFACT_TYPE="application/vnd.techofourown.ourbox.application-catalog.catalog.v1"
           IMMUTABLE_TAG="sha-${GITHUB_SHA}-run-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
           IMMUTABLE_REF="ghcr.io/techofourown/sw-ourbox-catalog-hello-world:${IMMUTABLE_TAG}"
+          VERSION_TAG="main-${GITHUB_SHA::12}"
+          CREATED="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
           oras push \
             --artifact-type application/vnd.techofourown.ourbox.application-catalog.v1.tar+gzip \
             "${IMMUTABLE_REF}" \
             dist/application-catalog-bundle.tar.gz:application/vnd.techofourown.ourbox.application-catalog.v1.tar+gzip
           DIGEST="$(oras resolve "${IMMUTABLE_REF}")"
+          EXISTING_CATALOG=""
+          rm -rf dist/catalog-existing
+          if oras pull "${CATALOG_REF}" -o dist/catalog-existing >"${RUNNER_TEMP}/catalog-pull.out" 2>"${RUNNER_TEMP}/catalog-pull.err"; then
+            EXISTING_CATALOG="$(find dist/catalog-existing -maxdepth 4 -type f -name 'catalog.tsv' | head -n 1 || true)"
+          elif grep -Eiq 'MANIFEST_UNKNOWN|NAME_UNKNOWN|not found|404' "${RUNNER_TEMP}/catalog-pull.err"; then
+            echo "No existing catalog index found at ${CATALOG_REF}; creating a new catalog.tsv"
+          else
+            echo "Failed to pull existing catalog index ${CATALOG_REF}" >&2
+            cat "${RUNNER_TEMP}/catalog-pull.err" >&2
+            exit 1
+          fi
+          python3 scripts/render-catalog-rows.py \
+            --catalog-json catalog/catalog.json \
+            --profile-env catalog/profile.env \
+            --images-lock dist/images.lock.json \
+            --existing-catalog "${EXISTING_CATALOG}" \
+            --out-catalog dist/catalog.tsv \
+            --channel stable \
+            --tag "${IMMUTABLE_TAG}" \
+            --created "${CREATED}" \
+            --version "${VERSION_TAG}" \
+            --revision "${GITHUB_SHA}" \
+            --arch amd64 \
+            --artifact-digest "${DIGEST}" \
+            --pinned-ref "ghcr.io/techofourown/sw-ourbox-catalog-hello-world@${DIGEST}"
+          oras push \
+            --artifact-type "${CATALOG_ARTIFACT_TYPE}" \
+            "${CATALOG_REF}" \
+            dist/catalog.tsv:text/tab-separated-values
           oras tag "${IMMUTABLE_REF}" latest >/dev/null
+          oras tag "${IMMUTABLE_REF}" stable >/dev/null
+          oras tag "${IMMUTABLE_REF}" "${VERSION_TAG}" >/dev/null
           LATEST_DIGEST="$(oras resolve "${REF}")"
           [[ "${LATEST_DIGEST}" == "${DIGEST}" ]] || {
             echo "latest tag did not resolve to the published immutable digest" >&2
@@ -71,5 +111,6 @@ jobs:
           path: |
             dist/application-catalog-bundle.tar.gz
             dist/application-catalog-bundle.tar.gz.sha256
+            dist/catalog.tsv
             dist/images.lock.json
             dist/catalog-bundle.publish-record.json

README.md

@@ -19,6 +19,11 @@ selected by the installer and expanded into a concrete application set.
 - `ghcr.io/techofourown/sw-ourbox-apps-hello-world/hello-world:latest`
 - `ghcr.io/techofourown/sw-ourbox-apps-chat/ourbox-chat:latest`
 
+This repo also publishes installer-browsable catalog rows at
+`ghcr.io/techofourown/sw-ourbox-catalog-hello-world:catalog-amd64`. Those rows
+let host-side installers resolve the newest stable bundle whose
+`OURBOX_PLATFORM_CONTRACT_DIGEST` matches the selected OS payload contract.
+
 ## Repository layout
 
 - [catalog/catalog.json](/techofourown/sw-ourbox-catalog-hello-world/catalog/catalog.json)

catalog/catalog.json

@@ -13,7 +13,7 @@
       "id": "hello-world",
       "app_uid": "techofourown/hello-world",
       "display_name": "Hello World",
-      "description": "A tiny hello-world application used to prove multi-repository catalog consumption.",
+      "description": "Small hello-world app sourced from a second sw-ourbox-apps repo.",
       "renderer": "hello-world",
       "service_name": "hello-world",
       "service_port": 80,

scripts/check-catalog-bundle-smoke.sh

@@ -17,6 +17,8 @@ need_cmd python3
 need_cmd tar
 need_cmd sha256sum
 
+python3 -m py_compile "${ROOT}/scripts/render-catalog-rows.py"
+
 python3 - <<'PY' "${ROOT}/catalog/catalog.json" "${ROOT}/catalog/image-sources.json" "${ROOT}/catalog/profile.env"
 import json
 import re
@@ -179,4 +181,46 @@ for image in images_lock["images"]:
         raise SystemExit(f"generated image lock used_by mismatch for {image['name']}")
 PY
 
+python3 "${ROOT}/scripts/render-catalog-rows.py" \
+  --catalog-json "${ROOT}/catalog/catalog.json" \
+  --profile-env "${ROOT}/catalog/profile.env" \
+  --images-lock "${ROOT}/dist/images.lock.json" \
+  --out-catalog "${TMP_ROOT}/catalog.tsv" \
+  --channel stable \
+  --tag "sha-test-run-1" \
+  --created "2026-03-17T00:00:00Z" \
+  --version "main-deadbeefcafe" \
+  --revision "deadbeefcafedeadbeefcafedeadbeefcafedead" \
+  --arch amd64 \
+  --artifact-digest "sha256:1111111111111111111111111111111111111111111111111111111111111111" \
+  --pinned-ref "ghcr.io/example/sw-ourbox-catalog-hello-world@sha256:1111111111111111111111111111111111111111111111111111111111111111"
+
+python3 - <<'PY' "${TMP_ROOT}/catalog.tsv"
+import csv
+import sys
+from pathlib import Path
+
+rows = list(csv.DictReader(Path(sys.argv[1]).open("r", encoding="utf-8"), delimiter="\t"))
+if len(rows) != 1:
+    raise SystemExit(f"expected one rendered catalog row, got {len(rows)}")
+row = rows[0]
+expected = {
+    "channel": "stable",
+    "tag": "sha-test-run-1",
+    "created": "2026-03-17T00:00:00Z",
+    "version": "main-deadbeefcafe",
+    "revision": "deadbeefcafedeadbeefcafedeadbeefcafedead",
+    "arch": "amd64",
+    "platform_contract_digest": "sha256:636af2d46d04b086366e97184d4e257d6c6e7dc75f070758d032cdd3cd4ff976",
+    "platform_profile": "hello-world",
+    "artifact_digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111",
+    "pinned_ref": "ghcr.io/example/sw-ourbox-catalog-hello-world@sha256:1111111111111111111111111111111111111111111111111111111111111111",
+}
+for key, expected_value in expected.items():
+    if row.get(key) != expected_value:
+        raise SystemExit(f"unexpected {key}: {row.get(key)!r}")
+if len(str(row.get("platform_images_lock_sha256", ""))) != 64:
+    raise SystemExit(f"unexpected platform_images_lock_sha256: {row.get('platform_images_lock_sha256')!r}")
+PY
+
 printf '[%s] catalog bundle smoke passed\n' "$(date -Is)"

scripts/check-publish-workflow.sh

@@ -12,11 +12,16 @@ workflow = Path(sys.argv[1]).read_text(encoding="utf-8")
 lines = {line.strip() for line in workflow.splitlines()}
 required = [
     'IMMUTABLE_TAG="sha-${GITHUB_SHA}-run-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"',
+    'VERSION_TAG="main-${GITHUB_SHA::12}"',
     '"${IMMUTABLE_REF}" \\',
     'DIGEST="$(oras resolve "${IMMUTABLE_REF}")"',
     'oras tag "${IMMUTABLE_REF}" latest >/dev/null',
+    'oras tag "${IMMUTABLE_REF}" stable >/dev/null',
+    'oras tag "${IMMUTABLE_REF}" "${VERSION_TAG}" >/dev/null',
     'LATEST_DIGEST="$(oras resolve "${REF}")"',
     '[[ "${LATEST_DIGEST}" == "${DIGEST}" ]] || {',
+    'python3 scripts/render-catalog-rows.py \\',
+    'dist/catalog.tsv:text/tab-separated-values',
 ]
 banned = [
     'DIGEST="$(oras resolve "${REF}")"',

scripts/render-catalog-rows.py

@@ -0,0 +1,170 @@
+#!/usr/bin/env python3
+from __future__ import annotations
+
+import argparse
+import csv
+import hashlib
+import json
+import re
+from pathlib import Path
+
+PINNED_REF_RE = re.compile(r"^[^\s]+@sha256:[0-9a-f]{64}$")
+DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
+TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
+HEADER = [
+    "channel",
+    "tag",
+    "created",
+    "version",
+    "revision",
+    "arch",
+    "platform_contract_digest",
+    "platform_profile",
+    "platform_images_lock_sha256",
+    "artifact_digest",
+    "pinned_ref",
+]
+
+
+def load_env(path: Path) -> dict[str, str]:
+    data: dict[str, str] = {}
+    for raw_line in path.read_text(encoding="utf-8").splitlines():
+        line = raw_line.strip()
+        if not line or line.startswith("#"):
+            continue
+        key, value = line.split("=", 1)
+        data[key] = value
+    return data
+
+
+def sha256_file(path: Path) -> str:
+    return hashlib.sha256(path.read_bytes()).hexdigest()
+
+
+def load_existing_rows(path: Path | None) -> list[dict[str, str]]:
+    if path is None or not path.is_file():
+        return []
+    with path.open("r", encoding="utf-8", newline="") as handle:
+        reader = csv.DictReader(handle, delimiter="\t")
+        if reader.fieldnames != HEADER:
+            raise SystemExit(f"{path} does not declare the expected catalog.tsv header")
+        return [{key: str(value or "").strip() for key, value in row.items()} for row in reader]
+
+
+def render_row(
+    *,
+    channel: str,
+    immutable_tag: str,
+    created: str,
+    version: str,
+    revision: str,
+    arch: str,
+    platform_contract_digest: str,
+    platform_profile: str,
+    images_lock_sha256: str,
+    artifact_digest: str,
+    pinned_ref: str,
+) -> dict[str, str]:
+    if not channel:
+        raise SystemExit("channel must be non-empty")
+    if not immutable_tag:
+        raise SystemExit("tag must be non-empty")
+    if not TIMESTAMP_RE.fullmatch(created):
+        raise SystemExit(f"created must be an RFC3339 UTC timestamp with Z suffix: {created!r}")
+    if not version:
+        raise SystemExit("version must be non-empty")
+    if not revision:
+        raise SystemExit("revision must be non-empty")
+    if not arch:
+        raise SystemExit("arch must be non-empty")
+    if not DIGEST_RE.fullmatch(platform_contract_digest):
+        raise SystemExit("platform contract digest must be sha256-pinned")
+    if not platform_profile:
+        raise SystemExit("platform profile must be non-empty")
+    if not re.fullmatch(r"[0-9a-f]{64}", images_lock_sha256):
+        raise SystemExit("images lock sha256 must be a plain 64-character hex digest")
+    if not DIGEST_RE.fullmatch(artifact_digest):
+        raise SystemExit("artifact digest must be sha256-pinned")
+    if not PINNED_REF_RE.fullmatch(pinned_ref):
+        raise SystemExit("pinned ref must be digest-pinned")
+
+    return {
+        "channel": channel,
+        "tag": immutable_tag,
+        "created": created,
+        "version": version,
+        "revision": revision,
+        "arch": arch,
+        "platform_contract_digest": platform_contract_digest,
+        "platform_profile": platform_profile,
+        "platform_images_lock_sha256": images_lock_sha256,
+        "artifact_digest": artifact_digest,
+        "pinned_ref": pinned_ref,
+    }
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser(description="Render installer-browsable catalog rows for an application catalog repo.")
+    parser.add_argument("--catalog-json", required=True)
+    parser.add_argument("--profile-env", required=True)
+    parser.add_argument("--images-lock", required=True)
+    parser.add_argument("--existing-catalog")
+    parser.add_argument("--out-catalog", required=True)
+    parser.add_argument("--channel", default="stable")
+    parser.add_argument("--tag", required=True)
+    parser.add_argument("--created", required=True)
+    parser.add_argument("--version", required=True)
+    parser.add_argument("--revision", required=True)
+    parser.add_argument("--arch", required=True)
+    parser.add_argument("--artifact-digest", required=True)
+    parser.add_argument("--pinned-ref", required=True)
+    args = parser.parse_args()
+
+    catalog_json = Path(args.catalog_json).resolve()
+    profile_env = Path(args.profile_env).resolve()
+    images_lock = Path(args.images_lock).resolve()
+    existing_catalog = Path(args.existing_catalog).resolve() if args.existing_catalog else None
+    out_catalog = Path(args.out_catalog).resolve()
+
+    catalog = json.loads(catalog_json.read_text(encoding="utf-8"))
+    profile = load_env(profile_env)
+    catalog_id = str(catalog.get("catalog_id", "")).strip()
+    if not catalog_id:
+        raise SystemExit(f"{catalog_json} must declare catalog_id")
+    if str(profile.get("OURBOX_APPLICATION_CATALOG_ID", "")).strip() != catalog_id:
+        raise SystemExit(f"{profile_env} OURBOX_APPLICATION_CATALOG_ID does not match {catalog_id!r}")
+
+    existing_rows = load_existing_rows(existing_catalog)
+    new_row = render_row(
+        channel=str(args.channel).strip(),
+        immutable_tag=str(args.tag).strip(),
+        created=str(args.created).strip(),
+        version=str(args.version).strip(),
+        revision=str(args.revision).strip(),
+        arch=str(args.arch).strip(),
+        platform_contract_digest=str(profile.get("OURBOX_PLATFORM_CONTRACT_DIGEST", "")).strip(),
+        platform_profile=catalog_id,
+        images_lock_sha256=sha256_file(images_lock),
+        artifact_digest=str(args.artifact_digest).strip(),
+        pinned_ref=str(args.pinned_ref).strip(),
+    )
+
+    merged_rows = [
+        row
+        for row in existing_rows
+        if not (row.get("channel") == new_row["channel"] and row.get("tag") == new_row["tag"])
+    ]
+    merged_rows.append(new_row)
+    merged_rows.sort(key=lambda row: row["created"], reverse=True)
+
+    out_catalog.parent.mkdir(parents=True, exist_ok=True)
+    with out_catalog.open("w", encoding="utf-8", newline="") as handle:
+        writer = csv.DictWriter(handle, fieldnames=HEADER, delimiter="\t", lineterminator="\n")
+        writer.writeheader()
+        for row in merged_rows:
+            writer.writerow(row)
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())