Skip to content

Publish versioned TimeboardApp images to GHCR#29

Draft
paulkakell wants to merge 27 commits into
mainfrom
agent/ghcr-container-publishing
Draft

Publish versioned TimeboardApp images to GHCR#29
paulkakell wants to merge 27 commits into
mainfrom
agent/ghcr-container-publishing

Conversation

@paulkakell

@paulkakell paulkakell commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Summary

Publish validated, versioned TimeboardApp container images to GitHub Container Registry and make Docker Compose pull the registry image instead of building locally.

Root cause addressed

Production and demo stacks shared the Compose service alias timeboardapp on the proxy network. The attempted follow-up changed the YAML map key to ${CONTAINER_NAME:-timeboardapp}, but Compose interpolation is not a dependable way to create a dynamic service-map key.

This PR uses the stable service name app and registers each stack's unique CONTAINER_NAME as its proxy-facing alias. Production can use timeboardapp; demo can use timeboardapp-demo.

Changes

  • Bump version from 00.12.03 to 00.13.00.
  • Replace Compose build: . with ghcr.io/paulkakell/timeboardapp:00.13.00.
  • Add configurable TIMEBOARDAPP_IMAGE and TIMEBOARDAPP_TAG values.
  • Add unique CONTAINER_NAME aliases on both external Docker networks.
  • Replace the local-only image workflow with tests, static analysis, dependency audit, Compose validation, image build, and live health-check gates.
  • Publish linux/amd64 and linux/arm64 images with version, SHA, and latest tags.
  • Add OCI labels, provenance, and SBOM publication.
  • Add .dockerignore protection for secrets, data, logs, databases, tests, reports, and repository metadata.
  • Replace python-jose[cryptography] with PyJWT for HS256 tokens, removing the transitive ecdsa dependency affected by PYSEC-2026-1325 / CVE-2024-23342.
  • Add deployment, JWT-compatibility, invalid-token, and dependency-selection regression tests.
  • Update README, getting-started, deployment, architecture, changelog, release notes, and validation report.

Deployment impact

The application, API payloads, database, settings format, /data layout, and existing HS256 tokens remain backward compatible. There are no schema changes.

The Compose service name changes to app. Existing automation must use commands such as:

docker compose exec app ...
docker compose logs -f app

For the initial migration, preserve the production and demo /data directories and run:

docker compose down --remove-orphans
docker compose pull
docker compose up -d

Recommended shared-network Nginx Proxy Manager upstreams:

timeboard.bitterhost.com -> timeboardapp:8888
demo.timeboardapp.com    -> timeboardapp-demo:8888

Do not use the shared app alias as a proxy target.

Security review

  • Validation job has contents: read only.
  • Publish job adds only packages: write.
  • GHCR authentication uses the ephemeral repository GITHUB_TOKEN.
  • Bandit medium/high checks and pip-audit gate publication.
  • Initial dependency audit identified ecdsa 0.19.2 / PYSEC-2026-1325; the dependency was removed rather than ignored.
  • Final dependency audit: No known vulnerabilities found.
  • JWT decoding retains a fixed HS256 allow-list, existing-token compatibility, and HTTP 401 behavior for malformed tokens.
  • Images include OCI metadata, provenance, and SBOM attestations.
  • Deployment hosts should use package-read credentials if the GHCR package remains private.

Validation — passed

Final PR head: 6783fbd54cc972aa8af7f0870fe7aec1c3ab0dc3
Workflow: CI and GHCR Image, run 29182379078 / run number 64

  • 57 passed, 15 warnings in pytest
  • Python compilation passed
  • Bandit medium/high scan passed
  • pip check passed
  • pip-audit passed with no known vulnerabilities
  • docker compose config passed
  • clean Docker image build passed
  • live /healthz container smoke test passed and returned version 00.13.00

The 15 warnings are documented, pre-existing deprecation warnings and are non-blocking for this release. Full evidence and follow-up notes are recorded in VALIDATION_REPORT_00.13.00.md.

The publish job is intentionally skipped for pull requests. It runs after the same validation succeeds on main or a matching version tag.

Rollback

Pin TIMEBOARDAPP_TAG to a prior release or sha-<commit> image tag. For the initial migration from the locally built image, retain the old local image until 00.13.00 is accepted. No database rollback is required.

Release artifacts after merge

  • ghcr.io/paulkakell/timeboardapp:00.13.00
  • ghcr.io/paulkakell/timeboardapp:sha-<commit>
  • ghcr.io/paulkakell/timeboardapp:latest

Platforms: linux/amd64, linux/arm64.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant