
feat: private fuzzer container builds with cosign signing and OCI attribution#21812

Merged: randyquaye merged 1 commit into next from rq/fuzzers-pvt on Mar 23, 2026

Conversation

@randyquaye (Collaborator) commented Mar 19, 2026

Summary

  • Add Dockerfile.private for both fuzzing-container and avm-fuzzing-container that clone from the private repo using BuildKit secrets (--mount=type=secret). The token never persists in any image layer.
  • Add CI workflows (fuzzing-docker-build-private.yml, fuzzing-docker-avm-build-private.yml) gated to AztecProtocol/aztec-packages-private via if: github.repository checks. Uses GITHUB_TOKEN directly since the workflow runs inside the private repo.
  • Add repo guards to existing public workflows so they only run in AztecProtocol/aztec-packages.
  • Add OCI labels (com.aztec.source-repo, source-branch, commit, visibility) to all container builds for orchestrator attribution via skopeo inspect / docker inspect.
  • Add cosign keyless signing (GitHub OIDC) to all four workflows. Public containers log to Rekor transparency log; private containers use --tlog-upload=false to avoid leaking repo metadata. Action pinned to SHA, cosign binary pinned to v3.0.5.

Container mapping

| Repo | Workflow | Image | Visibility |
|---|---|---|---|
| aztec-packages | fuzzing-docker-build.yml | fuzzing-container | public |
| aztec-packages | fuzzing-docker-avm-build.yml | avm-fuzzing-container | public |
| aztec-packages-private | fuzzing-docker-build-private.yml | fuzzing-container-private | private |
| aztec-packages-private | fuzzing-docker-avm-build-private.yml | avm-fuzzing-container-private | private |

TODO

  • Verify GHCR package visibility is private after first push (should be org default — confirm in GitHub UI)

Note

The public/private workflow pairs could be combined into single workflows with conditional build steps to reduce duplication — left as a future improvement.

Test plan

  • Verify public workflows still trigger on aztec-packages pushes to next
  • Verify public workflows show as skipped in aztec-packages-private
  • Verify private workflows build and push with GITHUB_TOKEN in aztec-packages-private
  • Verify docker inspect on pushed images shows correct OCI labels
  • Verify cosign verify passes for signed images
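The workflow pattern the Summary describes, written out as an added example; this is not the PR's own workflow file, and the image name, the BuildKit secret id `gh_token`, the Sigstore public timestamp authority URL and every `<full-commit-sha>` placeholder are assumptions (pin each action to the full commit SHA of a release you have reviewed). Beyond the repo guard, the label stamping and the keyless signing, it passes the token to `docker/build-push-action` through its `secrets` input rather than a build arg, which is what keeps it out of the layers and the image config, and it runs the two test-plan checks (labels via `docker inspect`, signature via `cosign verify`) as the last step. Two caveats for the Dockerfile side: the secret is visible only inside a `RUN --mount=type=secret,id=gh_token` step, at `/run/secrets/gh_token`, and embedding it in the clone URL (`https://x-access-token:<token>@github.com/...`) would still write it into `.git/config` in that layer, so pass it out of band (for example `git -c http.extraheader="AUTHORIZATION: basic <base64 of x-access-token:token>" clone ...`, as actions/checkout does) or reset the remote URL before the step ends. And because `--tlog-upload=false` leaves no Rekor entry, a verifier has no log-integrated time to judge the ten-minute Fulcio certificate against, so the signature should carry a signed timestamp and be checked with `--insecure-ignore-tlog`.

```yaml
# Added example (not the PR's workflow): private-repo fuzzer container build that
# mounts the token as a BuildKit secret, stamps OCI attribution labels and signs
# keyless without a Rekor entry. Image name, secret id, TSA URL and action SHAs
# are assumptions/placeholders.
name: fuzzing-docker-build-private (example)

on:
  push:
    branches: [next]

# Least privilege: read the repo, push the package, mint an OIDC token for Fulcio.
permissions:
  contents: read
  packages: write
  id-token: write

jobs:
  build:
    # Repo guard: the public mirror and forks never run this job.
    if: github.repository == 'AztecProtocol/aztec-packages-private'
    runs-on: ubuntu-latest
    env:
      IMAGE: ghcr.io/aztecprotocol/fuzzing-container-private   # assumed image name
    steps:
      - uses: actions/checkout@<full-commit-sha>          # pin to a reviewed release SHA
      - uses: docker/setup-buildx-action@<full-commit-sha>
      - uses: docker/login-action@<full-commit-sha>
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: build
        uses: docker/build-push-action@<full-commit-sha>
        with:
          context: .
          file: Dockerfile.private
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}
          # Exposed only to RUN steps that declare --mount=type=secret,id=gh_token;
          # it is neither an ARG nor an ENV, so no layer or image config records it.
          secrets: |
            gh_token=${{ secrets.GITHUB_TOKEN }}
          labels: |
            com.aztec.source-repo=${{ github.repository }}
            com.aztec.source-branch=${{ github.ref_name }}
            com.aztec.commit=${{ github.sha }}
            com.aztec.visibility=private

      - uses: sigstore/cosign-installer@<full-commit-sha>
        with:
          cosign-release: 'v3.0.5'

      # Sign by digest, not tag, so the signature cannot be re-pointed at another image.
      # --tlog-upload=false keeps the Fulcio certificate (which names this repo and
      # workflow) out of the public Rekor log; the TSA only sees a hash, and its
      # signed timestamp is what lets a verifier accept the short-lived certificate.
      - name: Sign image (keyless, no transparency log entry)
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          cosign sign --yes --tlog-upload=false \
            --timestamp-server-url https://timestamp.sigstore.dev/api/v1/timestamp \
            "${IMAGE}@${DIGEST}"

      # The two test-plan checks, run before the job goes green.
      - name: Verify OCI labels and signature
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          docker pull "${IMAGE}@${DIGEST}"
          repo=$(docker inspect --format '{{ index .Config.Labels "com.aztec.source-repo" }}' "${IMAGE}@${DIGEST}")
          [ "$repo" = "${GITHUB_REPOSITORY}" ] || { echo "label mismatch: $repo"; exit 1; }
          # No Rekor entry to consult, so ignore the tlog and rely on the signed timestamp;
          # the identity must be the exact workflow URL the OIDC token encodes.
          cosign verify --insecure-ignore-tlog \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity "https://github.com/${GITHUB_REPOSITORY}/.github/workflows/fuzzing-docker-build-private.yml@${GITHUB_REF}" \
            "${IMAGE}@${DIGEST}" >/dev/null
```

Verifying from outside the workflow uses the same `cosign verify` line with the repository and ref substituted; the `--certificate-identity` value (`https://github.com/<org>/<repo>/.github/workflows/<file>@<ref>`) is exactly the metadata a Rekor entry would have published for the public images, which is why the private builds skip the log. The public workflows differ only in dropping `--tlog-upload=false` from the sign step and `--insecure-ignore-tlog` from the verify step.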

@randyquaye randyquaye requested a review from charlielye as a code owner March 19, 2026 20:48
@randyquaye randyquaye force-pushed the rq/fuzzers-pvt branch 2 times, most recently from 9f30328 to 8a204af March 19, 2026 22:24
@randyquaye randyquaye requested a review from Rumata888 March 20, 2026 13:55
@randyquaye randyquaye requested a review from ludamad March 23, 2026 15:26
github-merge-queue Bot pushed a commit that referenced this pull request Mar 23, 2026
…1909)

## Summary

- Pin `typescript@^5.3.3` in docs examples validation to match
`yarn-project`. The unpinned `yarn add -D typescript` started pulling
TypeScript 6.0, which changed JSON import type inference and made
existing `@ts-expect-error` directives unused (TS2578 errors), breaking
`example_swap` type-checking.
- Use git state (`git show HEAD:...`) instead of filesystem state (`-s`)
for yarn.lock emptiness check. When `example_swap` fails, GNU parallel's
`--halt now,fail=1` kills other jobs mid-`yarn add` before cleanup traps
run, leaving lockfiles dirty on disk. On retry, the check found dirty
filesystem state and reported the misleading `token_bridge/yarn.lock is
not empty` error.

## Context

Multiple unrelated PRs (#21865, #21907, #21812) are failing with:
```
ERROR: token_bridge/yarn.lock is not empty. These files must be committed empty.
```

Root cause chain:
1. `yarn add -D typescript` (unpinned) pulls TS 6.0, released today
2. TS 6.0 improved JSON import type inference, making `@ts-expect-error`
directives unused → TS2578 errors in `example_swap`
3. `example_swap` fails → `--halt now,fail=1` kills `token_bridge`
mid-`yarn add` → cleanup trap never runs
4. Retry finds dirty `token_bridge/yarn.lock` on filesystem → misleading
error

## Test plan

- [ ] CI passes on this PR (docs examples validation succeeds)
- [ ] Verify `example_swap` and `token_bridge` type-check cleanly with
pinned TS 5.x

🤖 Generated with [Claude Code](https://claude.com/claude-code)
@randyquaye randyquaye added this pull request to the merge queue Mar 23, 2026
Merged via the queue into next with commit 992de62 Mar 23, 2026
19 checks passed
@randyquaye randyquaye deleted the rq/fuzzers-pvt branch March 23, 2026 21:35

3 participants