molecule-core/.github/workflows
Hongming Wang 0de67cd379 feat(platform/admin): /admin/workspace-images/refresh + Docker SDK + GHCR auth
The production-side end of the runtime CD chain. Operators (or the post-
publish CI workflow) hit this after a runtime release to pull the latest
workspace-template-* images from GHCR and recreate any running ws-* containers
so they adopt the new image. Without this, a freshly-published runtime sat in
the registry but containers kept the old image until naturally cycled.

Implementation notes:
- Uses Docker SDK ImagePull rather than shelling out to docker CLI — the
  alpine platform container has no docker CLI installed.
- ghcrAuthHeader() reads GHCR_USER + GHCR_TOKEN env, builds the base64-
  encoded JSON payload Docker engine expects in PullOptions.RegistryAuth.
  Both empty → public/cached images only; both set → private GHCR pulls.
- Container matching uses ContainerInspect (NOT ContainerList) because
  ContainerList returns the resolved digest in .Image, not the human tag.
  Inspect surfaces .Config.Image which is what we need.
- Provisioner.DefaultImagePlatform() exported so admin handler picks the
  same Apple-Silicon-needs-amd64 platform as the provisioner — single
  source of truth for the multi-arch override.

Local-dev companion: scripts/refresh-workspace-images.sh runs on the
host and inherits the host's docker keychain auth — alternate path for
when GHCR_USER/TOKEN aren't set in the platform env.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
2026-04-26 10:17:21 -07:00
auto-promote-staging.yml ci: canary-verify graceful-skip + draft auto-promote staging→main 2026-04-22 22:39:23 +00:00
auto-tag-runtime.yml feat(platform/admin): /admin/workspace-images/refresh + Docker SDK + GHCR auth 2026-04-26 10:17:21 -07:00
block-internal-paths.yml ci(block-paths): fetch PR base SHA to fix shallow-clone diff failure 2026-04-24 12:01:53 +00:00
canary-staging.yml ci(canary): inject E2E_OPENAI_API_KEY so A2A turn doesn't 500 2026-04-24 22:37:13 -07:00
canary-verify.yml ci: canary-verify graceful-skip + draft auto-promote staging→main 2026-04-22 22:39:23 +00:00
check-merge-group-trigger.yml ci: add linter that fails when required workflow lacks merge_group trigger 2026-04-24 00:33:05 -07:00
ci.yml test(workspace): centralize pytest-cov config + 92% floor (closes #1817) 2026-04-26 06:21:22 -07:00
codeql.yml ci: add merge_group trigger to ci + codeql 2026-04-23 21:24:53 -07:00
e2e-api.yml feat(ci): run E2E API smoke test on staging branch 2026-04-23 17:47:47 -07:00
e2e-staging-canvas.yml feat(ci): run E2E Staging Canvas on staging branch pushes 2026-04-23 17:47:51 -07:00
e2e-staging-saas.yml fix(e2e): increase hermes workspace wait from 20 to 30 min 2026-04-24 17:11:37 +00:00
e2e-staging-sanity.yml fix(e2e): CP DELETE /cp/admin/tenants body uses 'confirm', not 'confirm_token' 2026-04-21 04:50:28 -07:00
promote-latest.yml perf(ci): move all public-repo workflows to ubuntu-latest 2026-04-22 12:56:49 -07:00
publish-canvas-image.yml perf(ci): move all public-repo workflows to ubuntu-latest 2026-04-22 12:56:49 -07:00
publish-runtime.yml feat(platform/admin): /admin/workspace-images/refresh + Docker SDK + GHCR auth 2026-04-26 10:17:21 -07:00
publish-workspace-server-image.yml ci(publish-image): also tag :staging-latest so CP auto-picks up new builds 2026-04-24 00:29:55 -07:00
redeploy-tenants-on-main.yml ci(redeploy): fire post-main tenant fleet redeploy via CP admin endpoint 2026-04-24 14:34:28 -07:00
retarget-main-to-staging.yml ci(retarget): handle 422 'duplicate PR' by closing redundant main-PR (closes #1884) 2026-04-26 00:53:55 -07:00
runtime-pin-compat.yml fix(ci): set WORKSPACE_ID for the runtime-pin smoke import 2026-04-26 01:59:56 -07:00
sweep-cf-orphans.yml fix(ci): stop sweep-cf-orphans noise — drop merge_group + soft-skip when secrets unset 2026-04-26 08:05:53 -07:00
sweep-stale-e2e-orgs.yml ci: hourly sweep of stale e2e-* orgs on staging 2026-04-24 23:07:57 -07:00
test-ops-scripts.yml refactor(ops): apply simplify findings on #2027 PR 2026-04-26 00:28:15 -07:00