
chore(ci): deterministic universe pin for ghcr.io/hanzoai/kms#18

Open: zeekay wants to merge 1 commit into main from chore/deterministic-universe

Conversation

zeekay (Member) commented Jun 28, 2026

What

The hanzo KMS fork is already the DRY option (b): a thin wrapper over canonical luxfi/kms (go.mod imports github.com/luxfi/kms v1.11.7), with CI that already publishes ghcr.io/hanzoai/kms:

  • .github/workflows/build.yml -> per-commit ghcr.io/hanzoai/kms via reusable hanzoai/.github/.github/workflows/docker-build.yml@main
  • .github/workflows/release.yml -> on semver tags, multi-arch ghcr.io/hanzoai/kms:vX.Y.Z + :X.Y.Z + :latest, and dispatches hanzoai/universe to bump the pin

So no new fork mechanism or CI is needed. The live DOCR one-off (registry.digitalocean.com/hanzo/kms:web-1.11.0) is already superseded — hanzoai/universe infra/k8s/kms/deployment.yaml pins the GHCR image, not DOCR.

This PR makes the source tree deterministic so a real tag can be cut:

  • go.sum: reconcile luxfi/zap v0.8.1 content hash after an upstream tag re-publish. The prior brand-scrub go.sum fix covered luxfi/age + luxfi/kms but missed zap, so go build failed with a checksum mismatch (SECURITY ERROR). Fixed by recording the authoritative origin hash; the /go.mod hash is unchanged (content re-tag, not API change).
  • go.mod: correct the stale upstream-pin comment to match the require block (keys v1.2.0, kms v1.11.7).
  • VERSION: 2.5.2 -> 2.5.5 (next patch carrying the luxfi/kms v1.11.7 bump; latest tag was v2.5.4), so VERSION, the next git tag, and the published GHCR image all agree.
  • LLM.md: document the release pipeline + canonical universe pin (only doc updated, per repo rules).

Verification

go build ./cmd/kmsd ./cmd/kms ./cmd/kms-fetch   # exit 0
go mod verify                                    # all modules verified

Universe pin

After tag v2.5.5 is cut and release.yml publishes, the universe manifest should pin:

ghcr.io/hanzoai/kms:2.5.5

The hanzo KMS fork is already a thin wrapper over canonical luxfi/kms
(go.mod imports luxfi/kms v1.11.7) with CI that publishes
ghcr.io/hanzoai/kms via .github/workflows/{build,release}.yml. The live
DOCR one-off (registry.digitalocean.com/hanzo/kms:web-1.11.0) is
superseded — the universe canonical kms deployment already pins the GHCR
image. This change makes the source tree deterministic so a real tag can
be cut:

- go.sum: reconcile luxfi/zap v0.8.1 content hash after an upstream
  re-tag (the prior brand-scrub go.sum fix covered luxfi/age + luxfi/kms
  but missed zap, breaking `go build` with a checksum mismatch).
- go.mod: correct the stale upstream-pin comment (keys v1.2.0,
  kms v1.11.7) to match the require block — comment must not drift.
- VERSION: 2.5.2 -> 2.5.5, the next patch carrying the luxfi/kms v1.11.7
  bump, so VERSION, the next git tag, and the published GHCR image all
  agree (latest tag was v2.5.4).
- LLM.md: document the release pipeline and the canonical universe pin.

Build green: go build ./cmd/{kmsd,kms,kms-fetch}, go mod verify all pass.
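As an added example (not code from this PR or the hanzoai/kms repository), the following Go snippet parses go.sum entries and classifies a module against the hashes that `go mod download -json` reports, separating the content-only re-tag case described above (zip hash changed, `/go.mod` hash unchanged) from a change that also altered go.mod. The module path and version are the ones named in the PR; the `h1:` values are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Download mirrors the fields `go mod download -json` prints for one module:
// Sum is the h1 hash of the module zip, GoModSum the h1 hash of its go.mod.
type Download struct {
	Path, Version, Sum, GoModSum string
}

// ParseGoSum indexes go.sum lines ("<path> <version>[/go.mod] <h1 hash>")
// by "<path> <version>" and "<path> <version>/go.mod".
func ParseGoSum(goSum string) map[string]string {
	sums := map[string]string{}
	for _, line := range strings.Split(goSum, "\n") {
		if f := strings.Fields(line); len(f) == 3 {
			sums[f[0]+" "+f[1]] = f[2]
		}
	}
	return sums
}

// Classify compares one downloaded module against go.sum. Any mismatch is
// what `go build` reports as a SECURITY ERROR; a differing zip hash with an
// identical go.mod hash is the "content re-tag" case from the PR (the tag
// now points at different source, but the dependency graph is unchanged).
func Classify(sums map[string]string, d Download) string {
	key := d.Path + " " + d.Version
	zip, okZip := sums[key]
	mod, okMod := sums[key+"/go.mod"]
	switch {
	case !okZip || !okMod:
		return "missing"
	case zip == d.Sum && mod == d.GoModSum:
		return "consistent"
	case zip != d.Sum && mod == d.GoModSum:
		return "content-retag"
	default:
		return "gomod-changed"
	}
}

func main() {
	// Constructed go.sum excerpt and download record; hashes are placeholders.
	goSum := "github.com/luxfi/zap v0.8.1 h1:OLDZIPHASHPLACEHOLDER=\n" +
		"github.com/luxfi/zap v0.8.1/go.mod h1:GOMODHASHPLACEHOLDER=\n"
	d := Download{"github.com/luxfi/zap", "v0.8.1", "h1:NEWZIPHASHPLACEHOLDER=", "h1:GOMODHASHPLACEHOLDER="}
	fmt.Println(Classify(ParseGoSum(goSum), d)) // content-retag
}
```

Feeding it the real `go mod download -json` output lets a reviewer confirm that only the zip hash moved before accepting the new go.sum line.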