This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/download-artifact](https://redirect.github.com/actions/download-artifact) | action | major | `v7` → `v8` |
| [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | major | `v6` → `v7` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Release Notes

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

### [`v8`](https://redirect.github.com/actions/download-artifact/compare/v7...v8)

[Compare Source](https://redirect.github.com/actions/download-artifact/compare/v7...v8)

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

### [`v7`](https://redirect.github.com/actions/upload-artifact/compare/v6...v7)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v6...v7)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [x] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>

…t to b8fe93b (#1133)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| ghcr.io/projectbluefin/common | digest | `5decea8` → `b8fe93b` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [x] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [anchore/sbom-action](https://redirect.github.com/anchore/sbom-action) ([changelog](https://redirect.github.com/anchore/sbom-action/compare/28d71544de8eaf1b958d335707167c5f783590ad..17ae1740179002c89186b61233e0f892c3118b11)) | action | digest | `28d7154` → `17ae174` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [x] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>

…est to 7dca424 (#1131)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| quay.io/centos-bootc/centos-bootc | digest | `001a05c` → `7dca424` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [x] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
## Summary
This PR ensures SBOMs are only generated on the `lts` production branch,
not on `main` branch or pull requests.
## Problem
The `build-dx-hwe.yml` workflow had inconsistent SBOM generation logic
compared to all other build workflows:
- **build-dx-hwe.yml**: Generated SBOMs on main branch (incorrect)
- **All other workflows**: Only generated SBOMs on lts branch (correct)
## Solution
Aligned `build-dx-hwe.yml` SBOM logic with the other 4 workflows:
```yaml
sbom: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/lts' }}
```
## Impact
After this change, SBOMs will **only** be generated when:
- ✅ Event is NOT a pull request
- ✅ Branch is `lts` (production branch)
- ❌ Branch is `main` (testing branch) - **NO SBOMs**
- ❌ Pull requests to any branch - **NO SBOMs**
## Testing
- [ ] Syntax validation passes
- [ ] Logic matches other workflows:
  - build-regular.yml ✅
  - build-regular-hwe.yml ✅
  - build-dx.yml ✅
  - build-gdx.yml ✅
  - build-dx-hwe.yml ⚠️ (fixed by this PR)
## Summary

This reverts commit 16aa2b3 (PR #1140) to restore the original SBOM generation behavior.

## Reason for Revert

The previous PR was merged without proper review. Opening this revert so the change can be properly reviewed by Copilot and maintainers before proceeding.

## What This Revert Does

Restores the original SBOM generation logic in all workflow files:

- `build-dx-hwe.yml` - back to generating SBOMs on main branch
- All other workflows - back to their previous state

## Next Steps

After this revert is merged, a new PR will be opened with the SBOM fix for proper review.

## Summary

This PR ensures SBOMs are only generated on the `lts` production branch, not on the `main` branch or pull requests.

## Problem

The `build-dx-hwe.yml` workflow currently generates SBOMs on all non-PR builds, including the `main` branch. This is inconsistent with the other build workflows, which only generate SBOMs on the `lts` production branch.

### Current State

| Workflow | SBOM Generation Logic | Generates on main? |
|----------|----------------------|-------------------|
| build-regular.yml | `github.event_name != 'pull_request' && github.ref == 'refs/heads/lts'` | ❌ No |
| build-regular-hwe.yml | `github.event_name != 'pull_request' && github.ref == 'refs/heads/lts'` | ❌ No |
| build-dx.yml | `github.event_name != 'pull_request' && github.ref == 'refs/heads/lts'` | ❌ No |
| build-gdx.yml | `github.event_name != 'pull_request' && github.ref == 'refs/heads/lts'` | ❌ No |
| **build-dx-hwe.yml** | `github.event_name != 'pull_request'` | ⚠️ **Yes** (inconsistent) |

## Solution

Align `build-dx-hwe.yml` with the other workflows:

```yaml
sbom: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/lts' }}
```

## Impact

After this change, SBOMs will **only** be generated when:

- ✅ Event is NOT a pull request
- ✅ Branch is `lts` (production branch per `reusable-build-image.yml` line 76)

SBOMs will **NOT** be generated when:

- ❌ Branch is `main` (testing branch per `reusable-build-image.yml` line 77)
- ❌ Event is a pull request

## Testing

- [x] Syntax validation: Change aligns with existing pattern in 4 other workflows
- [x] Logic verified: All 5 workflows will have identical SBOM generation logic
- [x] Conventional commit format used

## Checklist

- [x] Change is minimal and surgical
- [x] Conventional commit message used
- [x] AI attribution included in commit footer

## Summary

This prevents automatic builds/publishes on the `lts` branch from pull app promotions while maintaining the ability to manually trigger releases.

## Changes

- ✅ Remove `lts` from push triggers (keeps `main` only)
- ✅ Add weekly cron schedule (Sunday 2 AM UTC) for all 5 build workflows
- ✅ Conditional publish: only on `lts` if scheduled or manual dispatch
- ✅ PRs to `lts` still validate (build without publish)
- ✅ `main` branch continues to build/publish to `:lts-testing`

## Benefits

- 🚫 No accidental production releases from pull app merges
- 📅 Controlled weekly production releases via cron
- 🎯 Manual release capability via workflow_dispatch
- 📝 Proper changelog generation when GDX build completes on schedule

## Testing

- [x] Syntax validated with `just check`
- [x] Shellcheck linting passed
- [ ] Should test with manual workflow_dispatch on `lts` branch after merge

## Related

Fixes the issue where changelogs weren't being generated because builds on `lts` were happening from pull app promotions instead of scheduled/manual runs.
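The table above is the kind of drift that is easy to miss by eye: one of five workflows passes a different `sbom:` condition. The script below is an added example and not part of the project's repository. It pulls the `sbom:` expression out of every `build-*.yml` in a directory and names the workflows that disagree with the majority. The five workflow names and the two expressions are taken from the PR text; the minimal workflow files it writes are constructed stand-ins for the real ones.

```shell
#!/usr/bin/env bash
# Added example, not part of the project's repository: flag build workflows
# whose `sbom:` input differs from the others. Workflow names and the two
# `sbom:` expressions come from the PR; the file contents are constructed.
set -eu

# Minimal stand-in for a workflow file: only the `sbom:` input matters here.
write_workflow() {
  printf 'jobs:\n  build:\n    with:\n      sbom: %s\n' "$2" > "$1"
}

# Construct a fixture mirroring the state the PR describes: four workflows
# gate SBOMs on the lts branch, build-dx-hwe.yml only excludes pull requests.
make_fixture() {
  local dir="$1" name
  mkdir -p "$dir"
  for name in build-regular build-regular-hwe build-dx build-gdx; do
    write_workflow "$dir/$name.yml" \
      "\${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/lts' }}"
  done
  write_workflow "$dir/build-dx-hwe.yml" "\${{ github.event_name != 'pull_request' }}"
}

# Print "<file><TAB><expression>" for every build workflow in $1.
extract_sbom_conditions() {
  local dir="$1" f expr
  for f in "$dir"/build-*.yml; do
    # First `sbom:` line of the file, with the key and surrounding blanks removed.
    expr=$(grep -m1 -E '^[[:space:]]*sbom:' "$f" \
      | sed -E 's/^[[:space:]]*sbom:[[:space:]]*//; s/[[:space:]]+$//')
    printf '%s\t%s\n' "$(basename "$f")" "$expr"
  done
}

# Print the names of workflows whose condition differs from the most common
# one. Exit status 1 if any diverge, 0 if all agree.
find_divergent_sbom_conditions() {
  local dir="$1" majority
  majority=$(extract_sbom_conditions "$dir" | cut -f2- | sort | uniq -c | sort -rn \
    | awk 'NR == 1 { sub(/^[ \t]*[0-9]+ /, ""); print }')
  extract_sbom_conditions "$dir" \
    | awk -F'\t' -v want="$majority" '$2 != want { print $1; bad = 1 } END { exit bad }'
}

# Demo: run the check on the constructed fixture, then again after applying
# the PR's fix to build-dx-hwe.yml.
demo() {
  local dir
  dir=$(mktemp -d)
  make_fixture "$dir"
  echo "before fix, divergent workflows:"
  find_divergent_sbom_conditions "$dir" || true
  write_workflow "$dir/build-dx-hwe.yml" \
    "\${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/lts' }}"
  if find_divergent_sbom_conditions "$dir"; then
    echo "after fix: all workflows agree"
  fi
  rm -rf "$dir"
}
demo
```

Pointing `find_divergent_sbom_conditions` at `.github/workflows` in a checkout gives the same consistency check the PR's testing section performs by hand; a non-zero exit makes it usable as a CI gate.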
…est to d4ef607 (#1139)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| quay.io/centos-bootc/centos-bootc | digest | `7dca424` → `d4ef607` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>

…1068 (#1135)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| ghcr.io/ublue-os/brew | digest | `3efdc1a` → `ca91068` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>

…est to d4ef607 (#1145)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| quay.io/centos-bootc/centos-bootc | digest | `7dca424` → `d4ef607` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled because a matching PR was automerged previously.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>

…t to cbe78e6 (#1146)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| ghcr.io/projectbluefin/common | digest | `b8fe93b` → `cbe78e6` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
## Summary
This PR fixes accidental production tag publishes from pull bot PRs to
the `lts` branch by implementing a dispatcher pattern for scheduled
releases.
### Changes Made
1. **Created dispatcher workflow** (`scheduled-lts-release.yml`)
- Runs weekly on Sunday at 2 AM UTC
- Triggers all 5 build workflows on `lts` branch via `workflow_dispatch`
- Solves the problem that GitHub Actions `schedule:` triggers always run
on default branch
2. **Updated all 5 build workflows**:
- Removed `lts` from `pull_request:` triggers (no longer trigger on pull
bot PRs)
- Added `lts` to `push:` triggers (validation builds on pull bot merges)
- Removed `schedule:` sections (moved to dispatcher)
- Updated `publish:` conditions to only publish on:
- `workflow_dispatch` events (cron dispatcher + manual triggers)
- `push` to `main` branch (`:lts-testing` tags)
### Workflow Behavior Matrix
| Event | Branch | Triggers? | Publishes? | Tags |
|-------|--------|-----------|------------|------|
| PR to main | `main` | ✅ | ❌ | none |
| Merge to main | `main` | ✅ | ✅ | `:lts-testing` |
| PR to lts | `lts` | ❌ | ❌ | none |
| Merge to lts | `lts` | ✅ | ❌ | none (validation only) |
| Cron Sun 2am | `main` | ✅ | ❌ | none (dispatcher) |
| Dispatcher | `lts` | ✅ | ✅ | `:lts` (production) |
| Manual dispatch | `lts` | ✅ | ✅ | `:lts` |
### Problem Fixed
**Before:** Pull bot PRs to `lts` triggered all 5 build workflows and
published production tags (`:lts`, `:lts.YYYYMMDD`)
**After:** Pull bot PRs to `lts` do NOT trigger workflows. Production
tags only publish via:
- Weekly cron schedule (Sunday 2 AM UTC)
- Manual `workflow_dispatch` on `lts` branch
**Evidence of bug:** PR #1144 (pull bot) triggered runs:
- #22586907105 (Build Bluefin LTS)
- #22586905020 (Build Bluefin LTS DX)
- #22586905071 (Build Bluefin LTS GDX)
All published production tags from PR event instead of scheduled event.
### Testing Plan
After merge, need to verify:
- [ ] Pull bot PRs to `lts` do NOT trigger workflows
- [ ] Pull bot merges to `lts` DO trigger validation builds but do NOT
publish
- [ ] Manual dispatcher trigger works and publishes production tags
- [ ] Merges to `main` still publish `:lts-testing` tags
### Branch Protection Update Required
The `lts` branch protection needs manual updates (web UI or API):
- Change required approvals from 2 → 1
- Disable force pushes (currently enabled)
- Enable conversation resolution
- Enable dismiss stale reviews
Current settings:
```json
{
"approvals": 2,
"force_pushes": true,
"enforce_admins": false
}
```
### Related Issues
Fixes the accidental production tag publishing issue observed on
2026-03-02.
### Implementation Notes
- All commits follow conventional commit format
- Syntax validated with `just check`
- Linting validated with `just lint` (no new warnings introduced)
- Plan documented in `docs/plans/2026-03-02-fix-lts-tag-publishing.md`
…orkflow (#1152)

## Summary

This PR implements a comprehensive 3-layer defense to prevent branch pollution caused by AI agents accidentally merging `lts` → `main`.

### Problem

AI agents see branch divergence between `main` and `lts` and attempt to "sync" by merging in the wrong direction (`lts` → `main`), causing old commits to pollute the git history.

### Solution: 3-Layer Defense

**Layer 1: Manual Promotion Workflow**

- Replace automatic Pull app with manual GitHub Actions workflow
- Created `.github/workflows/promote-to-lts.yml` (manual `workflow_dispatch` only)
- Deleted `.github/pull.yml` (automatic pull app config)
- Operators manually trigger promotions when ready

**Layer 2: Renovate Restriction**

- Updated `.github/renovate.json5` to only target `main` branch
- Prevents Renovate from creating PRs against `lts`
- All dependency updates flow through `main` → testing → promotion

**Layer 3: Validation Build Triggers** (Critical Fix)

- Added `lts` to push triggers in all 5 build workflows
- Fixes missing implementation from commit 8ed6d20
- Enables validation builds when promotion PRs merge to `lts`
- Builds trigger but **DO NOT publish** (cron-only publishing preserved)

### Workflow Behavior After This PR

| Event | Branch | Triggers? | Publishes? | Tags |
|-------|--------|-----------|------------|------|
| PR to main | main | ✅ | ❌ | none |
| Merge to main | main | ✅ | ✅ | `:lts-testing` |
| PR to lts | lts | ❌ | ❌ | none |
| **Merge to lts** | **lts** | **✅** | **❌** | **validation only** |
| Cron Sun 2am | main | ✅ (dispatcher) | ❌ | none |
| Dispatcher trigger | lts | ✅ | ✅ | `:lts` (production) |

### Decoupled Promotion & Release

**Promotion** (manual):

1. Operator triggers `promote-to-lts.yml` workflow
2. PR auto-created from `main` → `lts`
3. Operator reviews and merges
4. Validation builds trigger (no publish)

**Release** (separate):

1. Sunday cron OR manual trigger
2. `scheduled-lts-release.yml` dispatches builds on `lts`
3. Production images published to ghcr.io with `:lts` tags

### Changes Made

```
8 files changed, 70 insertions(+), 16 deletions(-)
```

- ✅ Deleted `.github/pull.yml`
- ✅ Created `.github/workflows/promote-to-lts.yml`
- ✅ Updated `.github/renovate.json5` (added `baseBranches: ["main"]`)
- ✅ Modified 5 build workflows (added `lts` to push triggers)

### Testing

- ✅ `just check` passed
- ✅ `just lint` passed (no new warnings)
- 📋 After merge: Test promotion workflow creates PR correctly
- 📋 After merge: Test validation builds trigger on lts merge (no publish)

### Post-Merge Actions

- [ ] Manually uninstall Pull app from repository settings (user will handle)
- [ ] Test promotion workflow via Actions → "Promote Main to LTS"
- [ ] Verify validation builds trigger without publishing

### Related

Fixes the branch pollution issue and completes the missing implementation from commit 8ed6d20.

Plan documented at: `docs/plans/2026-03-02-fix-branch-pollution.md`

…t to 786c4d1 (#1149)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| cgr.dev/chainguard/wolfi-base | container | digest | `9925d30` → `786c4d1` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>

…/caffeine digest to 98b3b4f (#1148)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [system_files/usr/share/gnome-shell/extensions/tmp/caffeine](https://redirect.github.com/eonpatapon/gnome-shell-extension-caffeine.git) ([changelog](https://redirect.github.com/eonpatapon/gnome-shell-extension-caffeine.git/compare/07643c383db62dfcbb0485f344d063389644f2f9..98b3b4f60247d61b8d93acdd6055d5b41adbbb24)) | digest | `07643c3` → `98b3b4f` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>

…#1154)

## Summary

Fixes a critical bug where merges to the `main` branch were accidentally pushing container images to the production `:lts` tag instead of the testing `:lts-testing` tag.

## Problem

The manifest generation step (line 372) had incorrect conditional logic:

- **Build step (line 161)**: Simple condition `if [ "${REF_NAME}" != "${PRODUCTION_BRANCH}" ]` - adds `-testing` for all non-production branches ✅
- **Manifest step (line 372)**: Complex condition that only added `-testing` for PRs/merge groups - omitted pushes to main ❌

This caused:

- Build step creates image tagged `lts-testing` ✅
- Manifest step pushes manifest with tag `lts` ❌
- **Result**: Production tag gets polluted with testing builds!

## Solution

- Line 372: Changed from complex condition to simple `if [ "${REF_NAME}" != "${PRODUCTION_BRANCH}" ]` to match build step logic
- Line 375: Fixed `CENTOS_VERSION_SUFFIX` to append suffix instead of replacing (preserves `-hwe` when present)

## Evidence

- Bug introduced in commit `0566080` (PR #1101), which fixed the build step but forgot the manifest step
- Registry shows `:lts-testing` tags exist but haven't been updated since Feb 22 (builds were cancelled)
- Production `:lts` tags show recent activity through Mar 2

## Verification

- ✅ `just check && just lint` passes
- ✅ Test script confirms push to main will now tag as `lts-testing` not `lts`

## Summary

- **Fix tag pollution from main branch merges**: The manifest step had complex conditional logic that omitted pushes to `main`, causing `:lts` production tags to be overwritten by testing builds. Aligns manifest step with build step logic.
- **Fix `Push Manifest` and `sign` failing on lts push events**: Both steps used `github.event_name != 'pull_request'`, which fired even when `publish=false`, causing `image not known` errors. Now gated on `inputs.publish`.
- **Remove duplicate `schedule:` from all 5 build workflows**: The dispatcher (`scheduled-lts-release.yml`) owns the weekly cron. The stale entries were triggering 10 extra no-op builds on `main` every Sunday on top of the 5 dispatcher runs on `lts`.
- **Simplify `promote-to-lts.yml`**: Replace the checkout+merge+intermediate-branch approach (which reintroduced merge commit pollution) with a single `gh pr create --base lts --head main` call. Drops `contents: write` permission.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
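The two PRs above (#1154 and this follow-up) describe one defect from two angles: the build step and the manifest step derived the `-testing` suffix by different rules, so a push to `main` produced an image tagged `lts-testing` and a manifest tagged `lts`. The script below is an added example, not the workflow's own code. It models the build-step rule, the manifest-step rule before and after the fix, the `CENTOS_VERSION_SUFFIX` append-versus-replace change, and the consistency check the PR's test script performed. The tag values (`lts`, `-hwe`, `-testing`) and the placement of the hwe suffix between the base tag and `-testing` are assumptions for illustration; the real variables and exact tag layout are not reproduced.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow code. Models the tag logic the
# PRs describe: the build step appended "-testing" whenever REF_NAME differed
# from PRODUCTION_BRANCH, the manifest step only did so for pull_request and
# merge_group events. Tag shapes ("lts", "-hwe", "-testing") are assumed.
set -eu

# Build step (unchanged by the fix): every non-production ref is a testing build.
build_tag() {
  local ref_name="$1" production_branch="$2" tag="$3"
  if [ "$ref_name" != "$production_branch" ]; then
    tag="${tag}-testing"
  fi
  printf '%s\n' "$tag"
}

# Manifest step before the fix: looked only at the event type, so a push to a
# non-production branch fell through and kept the production tag.
manifest_tag_before() {
  local event_name="$1" tag="$2"
  case "$event_name" in
    pull_request|merge_group) tag="${tag}-testing" ;;
  esac
  printf '%s\n' "$tag"
}

# Manifest step after the fix: the same branch test as the build step.
manifest_tag_after() {
  build_tag "$@"
}

# CENTOS_VERSION_SUFFIX before the fix: the testing suffix replaced whatever
# suffix was already set, so an existing "-hwe" was lost.
version_suffix_before() {
  local existing="$1" testing="$2"
  printf '%s\n' "$testing"
}

# After the fix: the testing suffix is appended, so "-hwe" survives.
version_suffix_after() {
  local existing="$1" testing="$2"
  printf '%s\n' "${existing}${testing}"
}

# The check the PR's test script performed: the manifest must carry the same
# tag as the image the build step produced. Exit 0 when they match.
tags_consistent() {
  [ "$1" = "$2" ]
}

# Worked run: a push to main, before and after the fix.
demo() {
  local built manifest
  built=$(build_tag main lts lts)
  manifest=$(manifest_tag_before push lts)
  if tags_consistent "$built" "$manifest"; then
    echo "before fix: consistent ($built)"
  else
    echo "before fix: build tagged $built, manifest pushed as $manifest (production tag polluted)"
  fi
  manifest=$(manifest_tag_after main lts lts)
  if tags_consistent "$built" "$manifest"; then
    echo "after fix: build and manifest both tagged $manifest"
  fi
  echo "hwe suffix before fix: lts$(version_suffix_before -hwe -testing)"
  echo "hwe suffix after fix:  lts$(version_suffix_after -hwe -testing)"
}
demo
```

The point worth keeping from the fix is that both steps now take their decision from the same input (the ref versus the production branch) rather than from two different predicates that happen to agree for pull requests; `tags_consistent` is the assertion that would have caught the divergence on the first push to `main`.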
This is what we are currently fetching : [zram-generator.conf.html](https://github.com/user-attachments/files/25826175/zram-generator.conf.html) </br> (No zram in a brand new, up-to-date VM) <img width="1229" height="738" alt="image" src="https://github.com/user-attachments/assets/7e061422-9b9a-483c-872c-a439b5fb2ee4" /> This means zram has been completely disabled in LTS for about a month.
…h-to-dock@micxgx.gmail.com digest to 0f21b6b (#1165) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [system_files/usr/share/gnome-shell/extensions/dash-to-dock@micxgx.gmail.com](https://redirect.github.com/micheleg/dash-to-dock.git) ([changelog](https://redirect.github.com/micheleg/dash-to-dock.git/compare/ffadcc425c9863a59b08ad604987564db7bbacc3..0f21b6b9baf504d6e6972e9ea8041240ceadfdc9)) | digest | `ffadcc4` → `0f21b6b` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41NS4yIiwidXBkYXRlZEluVmVyIjoiNDMuNTUuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
## Summary Two fixes to improve automation on the `main` branch and LTS release schedule. ### Fix Renovate automerge rules (`.github/renovate.json5`) The previous `packageRules` had gaps — GitHub Actions digest/version updates and the Justfile `regex` manager were not covered by any `automerge: true` rule, causing those PRs to require manual queue entry even after approval. Replaces 3 fragmented rules with 2 clean ones: - All `digest`/`pin`/`pinDigest` updates get `automerge: true` across all managers - GitHub Actions `minor`/`patch` version bumps also get `automerge: true` ### Reschedule LTS release cron Changes the weekly LTS build trigger from Sunday 2 AM UTC to Tuesday 6 AM UTC (1 AM EST / 2 AM EDT). --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This has been an ever-growing pain in the past few weeks especially. Users sometimes were hit with random timeouts that no one could ever figure out the cause for. This means that search results for bazaar will only appear in the shell when it has been explicitly started by the user beforehand. Best to disable it and leave the option to enable it if desired. We can revisit this later when we have found a better solution to this. Aurora has done this since a couple weeks and hasn't received a single report since then. One user claimed that our auto updates are possibly interfering with this. We still need to investigate that. Will likely fix/address: ublue-os/bluefin#4263 kolunmi/bazaar#1005 #928
…a44f (#1169) This PR contains the following updates: | Package | Update | Change | |---|---|---| | ghcr.io/ublue-os/brew | digest | `ca91068` → `2eca44f` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4zIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com> Co-authored-by: Jorge O. Castro <jorge.castro@gmail.com>
…onnect@andyholmes.github.io digest to ed2f3a1 (#1168) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [system_files/usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io](https://redirect.github.com/GSConnect/gnome-shell-extension-gsconnect.git) ([changelog](https://redirect.github.com/GSConnect/gnome-shell-extension-gsconnect.git/compare/3724ff6156897dba246133f86349070ec4453c25..ed2f3a101d73582b3f81f6d171a637e7369f4597)) | digest | `3724ff6` → `ed2f3a1` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4yIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [docker/metadata-action](https://redirect.github.com/docker/metadata-action) | action | major | `v5` → `v6` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Release Notes <details> <summary>docker/metadata-action (docker/metadata-action)</summary> ### [`v6`](https://redirect.github.com/docker/metadata-action/compare/v5...v6) [Compare Source](https://redirect.github.com/docker/metadata-action/compare/v5...v6) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41Ni4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…/caffeine digest to 873a1b0 (#1166) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [system_files/usr/share/gnome-shell/extensions/tmp/caffeine](https://redirect.github.com/eonpatapon/gnome-shell-extension-caffeine.git) ([changelog](https://redirect.github.com/eonpatapon/gnome-shell-extension-caffeine.git/compare/98b3b4f60247d61b8d93acdd6055d5b41adbbb24..873a1b03cd4e0eeda2932e02d9b9d72a4d47f6a7)) | digest | `98b3b4f` → `873a1b0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41NS42IiwidXBkYXRlZEluVmVyIjoiNDMuNTUuNiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com> Co-authored-by: Jorge O. Castro <jorge.castro@gmail.com>
…t to b9a75b6 (#1164)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| ghcr.io/projectbluefin/common | digest | `cbe78e6` → `b9a75b6` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…est to 923014b (#1162)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| quay.io/centos-bootc/centos-bootc | digest | `d4ef607` → `923014b` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My40OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNDkuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
Co-authored-by: Jorge O. Castro <jorge.castro@gmail.com>
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://redirect.github.com/actions/setup-node) ([changelog](https://redirect.github.com/actions/setup-node/compare/6044e13b5dc448c55e2357c09f80417699197238..53b83947a5a98c8d113130e565377fae1a50d02f)) | action | digest | `6044e13` → `53b8394` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41Mi4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTIuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…est to d1a9fbd (#1173)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| quay.io/centos-bootc/centos-bootc | digest | `923014b` → `d1a9fbd` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4zIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [anchore/sbom-action](https://redirect.github.com/anchore/sbom-action) ([changelog](https://redirect.github.com/anchore/sbom-action/compare/17ae1740179002c89186b61233e0f892c3118b11..57aae528053a48a3f6235f2d9461b05fbcb7366d)) | action | digest | `17ae174` → `57aae52` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42MC4zIiwidXBkYXRlZEluVmVyIjoiNDMuNjAuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
Related Documentation: 3 document(s) may need updating based on files changed in this PR.

bluefin: Bluefin Newsletter 2.0 (View Suggested Changes)

@@ -1,7 +1,7 @@
## Recent Completed Work
| Date Completed | Task | Overview | Impact |
|---|---|---|---|
-| 2026-03-02 | Prevent Branch Pollution with Manual LTS Promotion | A comprehensive three-layer defense was implemented to prevent branch pollution. **Layer 1:** The automated Pull app (`.github/pull.yml`) was removed and replaced with a manual `.github/workflows/promote-to-lts.yml` workflow triggered via workflow_dispatch, requiring manual operator approval for promotions. **Layer 2:** Renovate configuration updated with `baseBranchPatterns: ["main"]` to restrict automated PRs to the main branch only, preventing dependency updates on lts. **Layer 3:** Added `lts` to push triggers in 5 build workflows (build-dx-hwe.yml, build-dx.yml, build-gdx.yml, build-regular-hwe.yml, build-regular.yml) to enable validation builds that catch accidental merges. | Protects production lts branch from automated updates and prevents reverse merges. Ensures controlled, deliberate promotions from main to lts via explicit human action. Validation builds provide safety net against accidental merges without publishing. [Details](https://github.com/ublue-os/bluefin-lts/pull/1152) |
+| 2026-03-02 | Prevent Branch Pollution with Manual LTS Promotion | A comprehensive defense system was implemented to prevent branch pollution and ensure controlled production releases. **Layer 1: Manual Promotion** — The automated Pull app (`.github/pull.yml`) was removed and replaced with `.github/workflows/promote-to-lts.yml`, triggered manually via workflow_dispatch, requiring explicit operator approval for all main → lts promotions. **Layer 2: Renovate Restriction** — Renovate configuration updated with `baseBranchPatterns: ["main"]` to restrict all automated dependency PRs to the main branch only, preventing direct updates to lts. **Layer 3: Validation Builds** — Added `lts` to push triggers in 5 build workflows to enable validation-only builds that catch accidental merges without publishing. **Layer 4: Scheduled Dispatcher** — Added `.github/workflows/scheduled-lts-release.yml`, a centralized dispatcher running weekly on Tuesday at 6 AM UTC that triggers all 5 build workflows on the lts branch. Individual workflows no longer have schedule triggers. **Publish Logic** — Workflows now publish only from main on push events or from main/lts on workflow_dispatch; lts push events trigger validation-only builds. **SBOM Generation** — SBOM generation is lts-branch-only with continue-on-error for reliability. | Protects production lts branch from automated updates, prevents reverse merges, and ensures controlled promotions via explicit human action. Weekly automated releases simplify production deployment. Validation builds provide a safety net against accidental merges. [Details](https://github.com/ublue-os/bluefin-lts/pull/1152) |
| 2026-02-12 | Simplify Renovate Automerge Configuration | Renovate automerge configuration refactored from an allowlist approach to a universal pattern-based approach. All digest/pin/pinDigest updates across all managers (Dockerfile, GitHub Actions, regex/Justfile) are enabled for automerge, replacing fragmented per-container rules. GitHub Actions minor/patch version bumps also automerge. NVIDIA driver digests remain manual for compatibility review. | Reduces manual PR review for all dependency digest updates with simpler, more comprehensive automation rules. Improves security posture and reduces maintenance overhead. [Details](https://github.com/ublue-os/bluefin-lts/pull/1105) |
| 2026-01-31 | Add ibus-chewing to Bluefin LTS for zh_TW | The ibus-chewing input method is now included in Bluefin LTS, matching the default for the zh_TW locale in Bluefin Stable. This resolves issues where Chewing was configured but not available when installing from older ISOs, and improves the Traditional Chinese typing experience out of the box. | Ensures consistent and functional Traditional Chinese input for zh_TW users on both Stable and LTS. Reduces manual configuration and improves i18n parity. [Details](https://github.com/ublue-os/bluefin-lts/pull/1076) |
| 2025-12-16 | Reintroduce Renovate Automation | The Renovate dependency automation was restored. The `.github/renovate.json5` configuration was updated to include `ghcr.io/projectbluefin/common` in the automerge dependencies, ensuring that updates to this key dependency are now automatically merged. | Keeps dependencies up to date with less manual intervention, improving security and reliability. [Details](https://github.com/ublue-os/bluefin/pull/3853) |
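Review bot: the rewritten 2026-03-02 row now folds the scheduled dispatcher, publish-logic and SBOM changes into the same entry, but its Details link still points only at pull/1152, while the later hunks on this page attribute exactly those changes to pull/1176; either link both PRs or split the row so a reader can trace each layer to the change that introduced it. The phrase "SBOM generation is lts-branch-only with continue-on-error for reliability" also understates the trade-off: continue-on-error means a build can publish a signed image without its SBOM attestation, which belongs in the Impact column rather than being described as reliability.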
@@ -24,7 +24,7 @@
## Summary Table
| Date | Change Summary |
|------------|---------------|
-| 2026-03-02 | Renovate restricted to main branch; Pull app replaced with manual promotion workflow; validation builds added to lts branch |
+| 2026-03-02 | Renovate restricted to main branch; Pull app replaced with manual promotion workflow; scheduled weekly dispatcher added; validation builds added to lts branch; SBOM generation lts-only |
| 2026-02-12 | Renovate automerge refactored from allowlist to universal pattern-based rules covering all digest/pin updates |
| 2026-01-31 | ibus-chewing input method added to Bluefin LTS for zh_TW locale parity |
| 2025-12-16 | Renovate automation restored for `ghcr.io/projectbluefin/common` |

Custom Image Build System (View Suggested Changes)

@@ -118,6 +118,10 @@
- [validate-justfiles.yml](https://github.com/projectbluefin/finpilot/blob/f2240c52b1c188a52009fe0d1dffefefd8e86d2a/.github/workflows/validate-justfiles.yml): Validates just file syntax
- [validate-shellcheck.yml](https://github.com/projectbluefin/finpilot/blob/f2240c52b1c188a52009fe0d1dffefefd8e86d2a/.github/workflows/validate-shellcheck.yml): Runs shellcheck on build scripts
+**Bluefin Workflow Architecture:**
+- [scheduled-lts-release.yml](https://github.com/ublue-os/bluefin-lts/blob/lts/.github/workflows/scheduled-lts-release.yml): Centralized dispatcher that runs weekly (Tuesday 6 AM UTC) and triggers all five build workflows via workflow_dispatch on the lts branch
+- [promote-to-lts.yml](https://github.com/ublue-os/bluefin-lts/blob/lts/.github/workflows/promote-to-lts.yml): Manual workflow for creating pull requests to promote changes from main to lts branch
+
## Kernel and Driver Integration (akmods)
### akmods Infrastructure
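Review bot: both new links point at `blob/lts/.github/workflows/...`, a moving branch ref, whereas the neighbouring finpilot entries pin a commit SHA (f2240c5...); a documentation link into a branch silently describes a different file after the next promotion, so pin these to a commit as well. The promote-to-lts.yml description ("Manual workflow for creating pull requests to promote changes") also no longer matches the promotion PR discussed in this thread, which replaces PR creation with a pre-flight divergence check and a squash push; document whichever is current.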
@@ -212,10 +216,12 @@
[The reusable workflow system uses a two-job structure](https://github.com/ublue-os/main/blob/5ef6bb2adf95dd36b4d428e643a88ad510b7b988/.github/workflows/reusable-build.yml): [the check-build-required job determines if builds are needed](https://github.com/ublue-os/main/blob/5ef6bb2adf95dd36b4d428e643a88ad510b7b988/.github/workflows/reusable-build.yml#L24-L137), and [the build_ublue job executes the actual build pipeline](https://github.com/ublue-os/main/blob/5ef6bb2adf95dd36b4d428e643a88ad510b7b988/.github/workflows/reusable-build.yml#L138-L263).
-[Intelligent build triggers use digest-based version tracking](https://github.com/ublue-os/main/blob/5ef6bb2adf95dd36b4d428e643a88ad510b7b988/.github/workflows/reusable-build.yml#L74-L107) that compares SHA256 hashes between branches to determine if builds are required, triggering automatically when:
-- [Base image digests change (Fedora upstream updates)](https://github.com/ublue-os/main/blob/5ef6bb2adf95dd36b4d428e643a88ad510b7b988/.github/workflows/reusable-build.yml#L86-L89)
-- [Akmods digests change (kernel module updates)](https://github.com/ublue-os/main/blob/5ef6bb2adf95dd36b4d428e643a88ad510b7b988/.github/workflows/reusable-build.yml#L91-L94)
-- [Source file modifications (code or configuration changes)](https://github.com/ublue-os/main/blob/5ef6bb2adf95dd36b4d428e643a88ad510b7b988/.github/workflows/reusable-build.yml#L109-L136)
+**Intelligent build triggers** use digest-based version tracking that compares SHA256 hashes between branches to determine if builds are required, triggering automatically when:
+- Base image digests change (Fedora upstream updates)
+- Akmods digests change (kernel module updates)
+- Source file modifications (code or configuration changes)
+
+**Centralized scheduling** - Individual build workflows (build-regular.yml, build-dx.yml, build-gdx.yml, build-regular-hwe.yml, build-dx-hwe.yml) no longer have schedule triggers. Instead, the [scheduled-lts-release.yml workflow](https://github.com/ublue-os/bluefin-lts/blob/lts/.github/workflows/scheduled-lts-release.yml) runs weekly on Tuesday at 6 AM UTC and dispatches all five build workflows via workflow_dispatch on the lts branch. Pull request triggers remain active only on the main branch, as the lts branch has been removed from pull_request triggers.
### Renovate Bot Integration
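Review bot: the "Intelligent build triggers" rewrite drops the four line-anchored source links (reusable-build.yml#L74-L107 and the three bullet anchors) and keeps the claims as plain text, so the digest-comparison behaviour is now asserted without any reference; keep the links, re-pointed to the bluefin-lts workflow if that is what now implements them, rather than removing them. In the new "Centralized scheduling" paragraph, the closing sentence "Pull request triggers remain active only on the main branch, as the lts branch has been removed from pull_request triggers" restates itself; say instead what happens to a pull request opened against lts.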
@@ -264,15 +270,15 @@
### Container Registry Integration
-[Images are pushed to ghcr.io with retry logic after validation](https://github.com/ublue-os/bluefin/blob/3f18fcfb4b16d8ae005cef071395c0132672ebce/.github/workflows/reusable-build.yml#L181-L197). Organizations can publish to private registries (Harbor, Artifactory, self-hosted container registry) by configuring registry credentials in CI/CD systems.
+Images are pushed to ghcr.io with retry logic after validation. The publish condition has been updated: `(github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/lts' || github.ref == 'refs/heads/main')) || (github.event_name == 'push' && github.ref == 'refs/heads/main')`. This means workflow_dispatch events can publish from either main or lts branches, while push events only publish from main. Organizations can publish to private registries (Harbor, Artifactory, self-hosted container registry) by configuring registry credentials in CI/CD systems.
### Image Versioning and Tagging
-[Image versions follow the format: stream-fedora_version.YYYYMMDD[.point]](https://github.com/ublue-os/bluefin/blob/1a5c8d9e5aaf38c7b10f35d7162f5f36d9f883f7/Justfile#L156-L171). Custom images should adopt similar versioning schemes to enable reproducibility and easy referencing.
+[Image versions follow the format: stream-fedora_version.YYYYMMDD[.point]](https://github.com/ublue-os/bluefin/blob/1a5c8d9e5aaf38c7b10f35d7162f5f36d9f883f7/Justfile#L156-L171). The manifest job applies a `-testing` suffix to images built from non-production branches, with the tag suffix logic updated to append to any existing centos_version_suffix (e.g., `-hwe-testing` for HWE builds on non-production branches). Custom images should adopt similar versioning schemes to enable reproducibility and easy referencing.
### SBOM Generation
-SBOM (Software Bill of Materials) generation using Syft provides supply chain transparency. [The system uses Syft to scan container images and generate SBOMs](https://github.com/ublue-os/bluefin/blob/1a5c8d9e5aaf38c7b10f35d7162f5f36d9f883f7/.github/workflows/reusable-build.yml#L85-L111), which are attached as attestations to signed images.
+SBOM (Software Bill of Materials) generation using Syft provides supply chain transparency. SBOM generation now only occurs on the lts branch and has `continue-on-error: true` enabled to prevent attestation failures from blocking builds. The sbom input parameter has been removed from reusable-build-image.yml, with SBOM generation automatically triggered for lts branch builds when publishing is enabled. SBOMs are attached as attestations to signed images.
## Extending and Customizing Bluefin
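Review bot: in the SBOM paragraph, `continue-on-error: true` on attestation means a build can succeed and publish a signed image with no SBOM attached, so "to prevent attestation failures from blocking builds" needs a companion sentence on how a missing attestation is surfaced and that consumers must not assume every lts image carries one. The publish-condition paragraph reads as a changelog ("has been updated") and drops the pinned link to the retry logic; state the condition as current behaviour, keep a source link, and spell out that a workflow_dispatch from main also publishes, since that is the one path where a non-production branch reaches the registry.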
@@ -361,6 +367,8 @@
| `build_files/base/03-install-kernel-akmods.sh` | Kernel and driver installation | Bash |
| `build_files/base/04-packages.sh` | Package installation logic | Bash |
| `.github/workflows/reusable-build.yml` | CI/CD build pipeline | YAML |
+| `.github/workflows/scheduled-lts-release.yml` | Centralized LTS build dispatcher | YAML |
+| `.github/workflows/promote-to-lts.yml` | Main to LTS promotion workflow | YAML |
| `build_files/shared/build.sh` | Main build orchestration | Bash |
| `build/10-build.sh` (finpilot) | Main finpilot build script | Bash |
| `build/copr-helpers.sh` (finpilot) | COPR repository helpers | Bash |

Kernel Version Management (View Suggested Changes)

@@ -6,7 +6,7 @@
The kernel management strategy differs significantly between release streams: [gts and stable streams use the coreos-stable flavor coordinated with Fedora CoreOS](https://github.com/ublue-os/bluefin/blob/c22e0cac0740d478c8c8d009f7a4e54250a9e3e5/Justfile#L116-L125), tracking kernels that arrive approximately [two weeks after landing in Fedora](https://github.com/ublue-os/bluefin/discussions/2709#discussioncomment-13605116), while [latest and beta streams use the main flavor with unpinned latest Fedora kernels](https://github.com/ublue-os/bluefin/blob/c22e0cac0740d478c8c8d009f7a4e54250a9e3e5/Justfile#L116-L125). [Kernel packages are persistently pinned using dnf5 versionlock](https://github.com/ublue-os/bluefin/blob/c22e0cac0740d478c8c8d009f7a4e54250a9e3e5/build_files/base/03-install-kernel-akmods.sh#L34) to maintain compatibility with pre-compiled kernel modules for NVIDIA drivers, ZFS, and other out-of-tree components.
-Bluefin LTS extends this model with [two kernel options: the standard lts tag uses the CentOS 6.12 kernel, while lts-hwe uses the CoreOS kernel with hardware enablement](https://app.dosu.dev/documents/317cf1da-6dda-45d0-bad4-5645878ac451). [Automated weekly releases occur on Sundays at 2 AM UTC](https://github.com/ublue-os/bluefin-lts/pull/1138), [managed through a centralized dispatcher workflow](https://github.com/ublue-os/bluefin-lts/pull/1147) that prevents accidental production releases from automated dependency updates.
+Bluefin LTS extends this model with [two kernel options: the standard lts tag uses the CentOS 6.12 kernel, while lts-hwe uses the CoreOS kernel with hardware enablement](https://app.dosu.dev/documents/317cf1da-6dda-45d0-bad4-5645878ac451). [Automated weekly releases occur on Tuesdays at 6 AM UTC](https://github.com/ublue-os/bluefin-lts/pull/1176), [managed through a centralized dispatcher workflow](https://github.com/ublue-os/bluefin-lts/pull/1176) that prevents accidental production releases from automated dependency updates.
## Release Streams and Kernel Coordination
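Review bot: the sentence credits the dispatcher workflow with preventing accidental production releases from automated dependency updates, but what actually prevents a dependency bump from publishing, per the Publishing Logic paragraph later on this page, is the publish condition (push events to lts are validation-only) together with Renovate being restricted to main; the dispatcher only decides when the weekly release runs. Reword so the stated mechanism matches, and since both citations now resolve to the same PR, one link suffices.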
@@ -164,20 +164,28 @@
**Dual-Branch Model:**
- **main branch**: [Continuous testing builds published to `:lts-testing` with every push](https://github.com/ublue-os/bluefin-lts/pull/1138)
-- **lts branch**: [Production releases only on scheduled runs or manual workflow_dispatch](https://github.com/ublue-os/bluefin-lts/pull/1138)
+- **lts branch**: [Push events trigger validation-only builds without publishing](https://github.com/ublue-os/bluefin-lts/pull/1176); production releases occur only via workflow_dispatch (scheduled or manual)
**Scheduling Architecture:**
-[All five build workflows use the cron schedule `'0 2 * * 0'` (Sunday 2 AM UTC)](https://github.com/ublue-os/bluefin-lts/pull/1138):
+[The scheduled-lts-release.yml dispatcher workflow runs on the cron schedule `'0 6 * * 2'` (Tuesday 6 AM UTC)](https://github.com/ublue-os/bluefin-lts/pull/1176) and triggers all five build workflows on the lts branch via workflow_dispatch:
- build-regular.yml
- build-dx.yml
- build-gdx.yml
- build-regular-hwe.yml
- build-dx-hwe.yml
-[Because GitHub Actions scheduled triggers always run on the default branch (main)](https://github.com/ublue-os/bluefin-lts/pull/1147), [a dedicated scheduled-lts-release.yml dispatcher workflow triggers all 5 build workflows on the lts branch](https://github.com/ublue-os/bluefin-lts/pull/1147).
-
-[The generate-release.yml workflow automatically generates changelogs and creates GitHub releases when the GDX build completes on schedule](https://github.com/ublue-os/bluefin-lts/pull/1138), ensuring proper release documentation.
+[Individual build workflows no longer contain schedule triggers](https://github.com/ublue-os/bluefin-lts/pull/1176); instead, scheduled-lts-release.yml serves as a centralized dispatcher. [This architecture ensures scheduled builds always execute on the lts branch regardless of the repository default branch](https://github.com/ublue-os/bluefin-lts/pull/1176).
+
+**Publishing Logic:**
+
+[Builds triggered via workflow_dispatch can publish from both main and lts branches, while push events only publish from main](https://github.com/ublue-os/bluefin-lts/pull/1176). [Push events to lts run validation builds without publishing, preventing accidental production releases from direct commits](https://github.com/ublue-os/bluefin-lts/pull/1176).
+
+**Promotion Workflow:**
+
+[The promote-to-lts.yml workflow enables manual promotion of tested changes from main to lts](https://github.com/ublue-os/bluefin-lts/pull/1176). [This workflow creates pull requests for review, ensuring controlled promotion of changes to production](https://github.com/ublue-os/bluefin-lts/pull/1176).
+
+[The generate-release.yml workflow automatically generates changelogs and creates GitHub releases when the GDX build completes via workflow_dispatch](https://github.com/ublue-os/bluefin-lts/pull/1176), ensuring proper release documentation. [SBOM attestation is lts-branch-only with continue-on-error enabled](https://github.com/ublue-os/bluefin-lts/pull/1176).
### Image Versioning
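Review bot: "This workflow creates pull requests for review" in the Promotion Workflow paragraph conflicts with the promotion PR described in this thread, which removes the `gh pr create` step in favour of a pre-flight `git rev-list origin/lts ^origin/main --count` check and a direct squash push to lts; document whichever is current and include the pre-flight guard, since it is the control that makes the promotion safe. Separately, deleting the sentence that scheduled triggers always run on the default branch loses the reason the dispatcher exists and why scheduled-lts-release.yml has to live on main; the replacement wording "regardless of the repository default branch" states the opposite of that constraint. "SBOM attestation is lts-branch-only with continue-on-error enabled" should also say that a publish can succeed without the attestation.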
…est to 9c0d148 (#1178)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| quay.io/centos-bootc/centos-bootc | digest | `d1a9fbd` → `9c0d148` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42MC41IiwidXBkYXRlZEluVmVyIjoiNDMuNjAuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
…est to 226b06f (#1179)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| quay.io/centos-bootc/centos-bootc | digest | `9c0d148` → `226b06f` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42MC41IiwidXBkYXRlZEluVmVyIjoiNDMuNjAuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
## Problem

The `promote-to-lts.yml` workflow has caused repeated git tree pollution on `lts`. After digging through the full history, here is the root cause chain:

1. **Circular history reference**: `ffa30fe` (`Merge branch 'lts' into main`) accidentally merged `lts` → `main`, embedding lts's pull-bot merge commits inside main's graph.
2. **lts has diverged**: 4 commits exist in `lts` that aren't in `main` (old pull-bot merges + the `2a780d2` emergency CI sync).
3. **Default merge commit strategy**: The previous `gh pr create --head main` approach created a PR that, when merged with GitHub's default button, produced a merge commit with two parents. That commit dragged main's full cross-contaminated history into `lts` on every promotion, deepening the diamond graph each time.
4. **No pre-flight guard**: Nothing prevented the workflow from running when `lts` was already in a diverged state.

## Solution

Replace the PR creation step with a direct **squash push**:

1. **Pre-flight check** — `git rev-list origin/lts ^origin/main --count`. If > 0, fail immediately and list the divergent commits with instructions to land them in `main` first.
2. **`git merge --squash origin/main`** — collapses all pending main changes into a single staged changeset. No merge commit. No embedded history.
3. **One clean commit** pushed to `lts` per promotion event → linear history.

The `workflow_dispatch` trigger is the human approval gate — a maintainer must explicitly trigger the workflow to promote.

## Why not keep the PR?

Previous attempts:

| Approach | Why it failed |
|---|---|
| Old Pull bot | Created `[pull]` merge commits; also ran in reverse |
| Intermediate branch + PR | Merge commit still polluted `lts` on merge |
| `gh pr create --head main` (last fix) | PR merged with default strategy = merge commit |
| Direct file sync `2a780d2` | Added lts-unique commits, deepening divergence |

A squash push is deterministic — the workflow controls the merge strategy, not the human clicking the merge button.

## Changes

- `.github/workflows/promote-to-lts.yml`: Replace `gh pr create` with checkout + pre-flight + squash merge + push. Swap `pull-requests: write` → `contents: write`.
- `AGENTS.md`: Update promotion flow description; add **NEVER commit directly to `lts`** rule.

## ⚠️ Current state of lts

`lts` currently has 4 commits not in `main`. The pre-flight check will **correctly block** the next promotion and print those commits. Resolution: the CI fixes from `2a780d2` are already in `main` as `6ec7dd5` — once the divergent commits are resolved and `git rev-list origin/lts ^origin/main` is empty, promotion will work cleanly.

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
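The pre-flight guard and squash promotion that the description above lays out, as an added shell example that is not the bluefin-lts workflow's own code: it builds a constructed throwaway repository and uses local branches `main` and `lts` in place of `origin/main` and `origin/lts`, and the helper names (`preflight_divergence`, `promote`, `make_repo`, `commit_on_main`, `commits_on_lts`, `trees_match`) are this example's own.

```shell
#!/bin/sh
# Added example, not the bluefin-lts workflow: reproduces the two-step
# promotion from the PR description (pre-flight divergence check, then a
# squash merge that lands exactly one commit on lts) in a throwaway repo.
# Local branches main/lts stand in for origin/main and origin/lts.
set -eu

# preflight_divergence REPO: number of commits reachable from lts but not
# from main, i.e. the literal `git rev-list origin/lts ^origin/main --count`.
preflight_divergence() {
  git -C "$1" rev-list --count lts ^main
}

# promote REPO: refuse (return 1) when lts has diverged, listing the commits;
# otherwise squash every pending main change into one commit on lts.
promote() {
  repo="$1"
  n=$(preflight_divergence "$repo")
  if [ "$n" -gt 0 ]; then
    echo "refusing to promote: lts has $n commit(s) not in main:" >&2
    git -C "$repo" log --oneline lts ^main >&2
    return 1
  fi
  git -C "$repo" checkout -q lts
  # --squash stages main's changes without recording main as a parent,
  # so no merge commit and none of main's history is embedded in lts.
  git -C "$repo" merge --squash -q main
  if git -C "$repo" diff --cached --quiet; then
    echo "nothing to promote" >&2
  else
    git -C "$repo" commit -q -m "Promote main to lts (squash)"
  fi
  git -C "$repo" checkout -q main
}

# make_repo: constructed sample repository with one base commit on main and an
# lts branch at the same commit. Prints the repository path.
make_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" symbolic-ref HEAD refs/heads/main
  git -C "$repo" config user.email "example@example.invalid"
  git -C "$repo" config user.name "Example"
  git -C "$repo" config commit.gpgsign false
  echo base > "$repo/file"
  git -C "$repo" add file
  git -C "$repo" commit -q -m "base"
  git -C "$repo" branch lts
  echo "$repo"
}

# commit_on_main REPO TEXT: a constructed tested change landing on main.
commit_on_main() {
  echo "$2" > "$1/file"
  git -C "$1" add file
  git -C "$1" commit -q -m "main: $2"
}

# commits_on_lts REPO: length of lts history; linear history grows by
# exactly one commit per promotion.
commits_on_lts() {
  git -C "$1" rev-list --count lts
}

# trees_match REPO: succeeds when lts and main have identical content.
trees_match() {
  [ "$(git -C "$1" rev-parse "lts^{tree}")" = "$(git -C "$1" rev-parse "main^{tree}")" ]
}
```

Running two promotion cycles (a second main commit after the first promotion) shows the property the description aims for, one commit on lts per promotion with lts content identical to main, and one consequence to settle before relying on the count-based guard: the squash commit created by the first promotion is itself a commit on lts that main does not contain, so a literal `rev-list lts ^main --count` reports 1 on the next run and blocks it. A deployment of this scheme therefore has to exempt its own earlier promotion commits (for instance by tagging the last promotion and counting `lts ^main ^<last-promotion-tag>`), otherwise the guard trips on every promotion after the first.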
**Collaborator:** Closing in favour of the new squash-push promotion workflow (PR #1177). Merging this PR would create a merge commit — exactly the history pollution the new workflow is designed to prevent. The promotion will be re-run via
## Summary

Promotion of tested changes from to production branch.

IMPORTANT: This PR should ONLY contain commits from → . Never merge in the opposite direction.