build(notify): publish helper 2.0.0 immutably#116
Conversation
Bind helper 2.0.0 images and binaries to an owner-dispatched tag and verified source commit. Publish version-only artifacts with checksums, rootfs SBOMs, attestations, exact-digest resume safety, and supported-host rollback/forward-recovery proof. Keep public retries read-only, scheduled scans digest-bound, and candidate logs free of configured sensitive values.
Default Docker installs to 2.0.0, resolve successful pulls to immutable local image IDs, and fail instead of reusing stale tags. Require exactly one canonical release checksum before installing any binary. Update operator guidance and dry-run guards for every fail-closed path.
Document immutable artifacts, compatibility, helper-first upgrade, rollback, forward recovery, monitoring, and abort criteria. Keep product upload, download, and roundtrip evidence unset and record the immutable 1.8.0 rollback logging boundary.
|
Warning Review limit reached
Next review available in: 32 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughThe PR strengthens notify 2.0.0 publication safety, immutable image and binary release handling, checksum enforcement, runtime packaging verification, security scanning, and documentation of rollout evidence. ChangesNotify publication and rollout
Estimated code review effort: 5 (Critical) | ~120 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 7✅ Passed checks (7 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/docker.yml:
- Around line 796-801: Update the release verification block after extracting
body in the workflow to validate the complete deterministic release body, rather
than only its title and two substrings. Ensure the expected body preserves
compatibility limits and does not present publication as upload, download, or
roundtrip evidence; fail verification when any required evidence-boundary
statement is missing or altered.
- Around line 190-198: Update .github/workflows/docker.yml lines 190-198 to
export the finalized public-release state from the release validation block, and
make image and attestation jobs fail on missing or mismatched artifacts without
pushing or creating anything. Update .github/scripts/notify-publish-safety.rb
lines 362-371 to assert that every publication write step is unreachable when
the release is public.
In @.github/workflows/security.yml:
- Around line 129-131: Update the digest validation in the security workflow to
require exactly one extracted index_digest record before exporting it. Reject
missing, duplicate, multiline, or non-canonical values, and only append the
validated digest to GITHUB_OUTPUT; preserve the existing dependency-integrity
checks.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 33e57a9b-57b7-47fc-a9ae-d1652f80577d
📒 Files selected for processing (15)
.github/scripts/notify-publish-safety.rb.github/workflows/docker.yml.github/workflows/security.ymldocs/helper-publication-rollout.mddocs/helper-runtime-packaging-readiness.mddocs/relay-spec.mddocs/troubleshooting.mdnotify/Dockerfilenotify/README.mdnotify/docker-compose.ymlnotify/release.jsonnotify/scripts/install.shnotify/scripts/tests/install-dry-run-test.shnotify/tests/runtime-packaging/run-linux-host.shnotify/tests/runtime-packaging/run.sh
📜 Review details
🧰 Additional context used
📓 Path-based instructions (9)
**/*
⚙️ CodeRabbit configuration file
**/*: VaultSync syncs private Obsidian notes through Syncthing. Treat data loss,
privacy leaks, security regressions, and broken sync behavior as high priority.
Do not nitpick formatting unless it affects maintainability, correctness, or public API clarity.
Flag any accidental logging, telemetry, crash reporting, or network transfer of note contents,
vault paths, filenames with private context, API keys, APNs tokens, relay keys, or security-scoped bookmark data.
Files:
notify/release.jsonnotify/docker-compose.ymldocs/troubleshooting.mdnotify/Dockerfiledocs/relay-spec.mdnotify/scripts/tests/install-dry-run-test.shnotify/README.mddocs/helper-publication-rollout.mddocs/helper-runtime-packaging-readiness.mdnotify/tests/runtime-packaging/run-linux-host.shnotify/tests/runtime-packaging/run.shnotify/scripts/install.sh
notify/docker-compose.yml
⚙️ CodeRabbit configuration file
notify/docker-compose.yml: Check that deployment examples do not hard-code real secrets and that environment variables,
restart policy, health checks, and network exposure are reasonable for self-hosted users.
Files:
notify/docker-compose.yml
**/*.{md,sh,go,swift}
📄 CodeRabbit inference engine (README.md)
Keep Relay-side request observation and wake-ups received on the iPhone as separate diagnostics evidence; one must not be treated as proof of the other.
Files:
docs/troubleshooting.mddocs/relay-spec.mdnotify/scripts/tests/install-dry-run-test.shnotify/README.mddocs/helper-publication-rollout.mddocs/helper-runtime-packaging-readiness.mdnotify/tests/runtime-packaging/run-linux-host.shnotify/tests/runtime-packaging/run.shnotify/scripts/install.sh
**/*.md
⚙️ CodeRabbit configuration file
**/*.md: Review public documentation for technical accuracy, privacy/security claims, App Store-facing wording,
setup correctness, and consistency with the free app plus optional Cloud Relay subscription model.
Files:
docs/troubleshooting.mddocs/relay-spec.mdnotify/README.mddocs/helper-publication-rollout.mddocs/helper-runtime-packaging-readiness.md
notify/Dockerfile
⚙️ CodeRabbit configuration file
notify/Dockerfile: Check container security, minimal runtime surface, non-root execution where practical,
HEALTHCHECK behavior, reproducible builds, and safe handling of runtime secrets.
Files:
notify/Dockerfile
notify/**/*.{sh,go}
📄 CodeRabbit inference engine (README.md)
The optional notify sidecar must support server-side wake-up requests and must not receive notes, file or folder names, or vault structure.
Files:
notify/scripts/tests/install-dry-run-test.shnotify/tests/runtime-packaging/run-linux-host.shnotify/tests/runtime-packaging/run.shnotify/scripts/install.sh
docs/**/helper-publication-rollout.md
📄 CodeRabbit inference engine (docs/helper-runtime-packaging-readiness.md)
Do not claim public helper publication, registry digests, rollout state, or release evidence from source text; establish them only through the owner-gated workflow and evidence defined in
helper-publication-rollout.md.
Files:
docs/helper-publication-rollout.md
.github/workflows/**/*.yml
⚙️ CodeRabbit configuration file
.github/workflows/**/*.yml: Review CI for correct Go test tags, Xcode/iOS simulator assumptions, secret scoping,
dependency integrity, permissions, Docker publishing safety, and unnecessary privilege escalation.
Files:
.github/workflows/security.yml.github/workflows/docker.yml
notify/scripts/install.sh
📄 CodeRabbit inference engine (README.md)
The notify installer must locate the Syncthing configuration, set required permissions, start the helper, support non-standard configuration paths through SYNCTHING_CONFIG, and provide a --dry-run mode that makes no changes.
Files:
notify/scripts/install.sh
🧠 Learnings (1)
📓 Common learnings
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:08:45.390Z
Learning: Publication alone must not be presented as evidence of app upload, download, roundtrip, Relay delivery, APNs delivery, iOS background execution, customer installation success, or user-vault progress.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:08:45.390Z
Learning: The next app milestone remains blocked until the public helper release and the complete helper-first rollback/forward-recovery workflow succeed.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:08:56.072Z
Learning: Publication, registry digests, SBOM/vulnerability results, public artifact availability, and helper-first rollback evidence must be read from the exact release and workflow named by the publication manifest, never inferred from the source-readiness document.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:10.381Z
Learning: The system must not claim upload, download, or correlated roundtrip success without a separately approved correlated helper contract and runtime milestone.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:18.617Z
Learning: After applying a troubleshooting fix, retry from the app to confirm the issue is resolved.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:18.617Z
Learning: Use the installation-specific commands for Docker, systemd, launchd, Docker Compose, or Windows when diagnosing `vaultsync-notify`.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:18.617Z
Learning: Treat HTTP 429 from the relay trigger endpoint as a successful reachability result; an inactive subscription is an app-side provisioning issue, not a server failure.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:18.617Z
Learning: Peer-state warnings from `--doctor` must not fail the doctor or health check; legitimately offline peers are not setup errors, and `--healthcheck` must skip peer-state diagnostics.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:18.617Z
Learning: A green relay health check proves reachability only; updated `Last Trigger Received` is required to confirm wake-up delivery.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:18.617Z
Learning: `vaultsync-notify` should read the Syncthing API key from `config.xml`; manually supplied `SYNCTHING_API_KEY` overrides auto-detection and must match the current key if used.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:18.617Z
Learning: Run the helper as the user owning Syncthing's mode-0600 `config.xml`, or configure the container's appropriate `PUID`/`PGID` or user mapping.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:18.617Z
Learning: When diagnosing relay connectivity, verify internet access, `RELAY_URL`, egress rules, relay health, and a subsequent trigger receipt.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:18.617Z
Learning: For pending shares, verify the iOS Device ID is shared by desktop Syncthing, that Syncthing is online and unpaused, and refresh or re-share if necessary.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:18.617Z
Learning: Silent push wake-ups require a valid APNs token and provisioned device, but do not require notification permission; retry APNs registration and provisioning when needed.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:18.617Z
Learning: Connect VaultSync to the Obsidian folder containing `.obsidian`, then rescan and verify detected vaults or pending shares.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:18.617Z
Learning: VaultSync must not move, recreate, or delete vault folders automatically; recovery from moved, replaced, or deleted folders requires the user's manual decision.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:18.617Z
Learning: Renew security-scoped bookmark access by reconnecting to the Obsidian folder and rescanning when a vault becomes inaccessible.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:18.617Z
Learning: Do not promise reliable iPhone-to-server background synchronization; iOS background execution is system-controlled, so users should open VaultSync for foreground syncing.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:18.617Z
Learning: When a required Syncthing device is disconnected, verify it is online and reachable, confirm its device ID, and re-add it only if the ID changed.
Learnt from: CR
Repo: psimaker/vaultsync
Timestamp: 2026-07-14T09:09:18.617Z
Learning: When filing an issue, capture VaultSync and iOS versions, Sync Issues and relay diagnostics, doctor output, and relevant helper logs.
🪛 zizmor (1.26.1)
.github/workflows/docker.yml
[info] 472-472: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
🔇 Additional comments (15)
.github/scripts/notify-publish-safety.rb (1)
4-20: LGTM!Also applies to: 29-42, 53-73, 102-112, 126-132, 145-180, 196-206, 218-236, 249-252, 261-331, 341-342
.github/workflows/docker.yml (1)
10-18: LGTM!Also applies to: 33-43, 54-54, 102-189, 199-290, 305-342, 394-476, 526-795, 802-951
.github/workflows/security.yml (1)
106-128: LGTM!Also applies to: 133-146
docs/helper-runtime-packaging-readiness.md (1)
3-9: LGTM!Also applies to: 244-247
docs/relay-spec.md (1)
3-3: LGTM!notify/scripts/tests/install-dry-run-test.sh (1)
116-126: LGTM!Also applies to: 185-200
notify/tests/runtime-packaging/run-linux-host.sh (1)
7-11: LGTM!Also applies to: 27-27, 44-106, 170-190, 223-223, 243-251, 261-284
notify/tests/runtime-packaging/run.sh (1)
6-6: LGTM!Also applies to: 49-49, 140-165, 180-180, 195-212, 224-225
docs/helper-publication-rollout.md (1)
1-195: LGTM!docs/troubleshooting.md (1)
98-98: LGTM!notify/Dockerfile (1)
11-20: LGTM!notify/README.md (1)
75-75: LGTM!Also applies to: 94-94, 227-227
notify/docker-compose.yml (1)
19-19: LGTM!notify/release.json (1)
1-31: LGTM!notify/scripts/install.sh (1)
38-38: LGTM!Also applies to: 221-238, 256-256, 271-271, 333-358
Carry finalized release state into image, attestation, and release staging so public retries fail closed without mutation. Compare complete deterministic release notes, require one canonical scheduled-scan digest, and pin security workflow actions. Keep validated workflow values out of direct shell expressions and enforce every guard in the publication safety policy.
Summary
notify-v2.0.0source, image, binary, checksum, SBOM, manifest, and rollout-evidence contractlatestmutation and no asset replacementWhy
Helper runtime and packaging readiness are merged, but no Helper 2.0 artifact or helper-first rollout exists yet. This PR adds the reviewable publication and rollout gate. It does not create a tag, image, binary, release, deployment, pairing, namespace, or app transfer during PR review or merge.
Security and privacy
origin/mainancestrylatest, use--clobber, delete a release, rewrite a tag, or change repository security settingsCompatibility and existing users
Trigger v1 and Relay v1 remain wire-compatible. Existing installations are not pulled, restarted, paired, trusted, or reconfigured. Diagnostics remains dormant unless an operator explicitly supplies the supported host-bind configuration; no namespace is created automatically. Docker Host-Bind on standard Linux with rootful Docker remains the only supported diagnostics packaging row.
Local evidence
go test ./... -count=1,go test -race ./... -count=1,go vet ./..., andgovulncheck ./...: passnotify/tests/runtime-packaging/run.sh: old → new → old → new pass on clean head; credential bytes and TLS pin preserved; candidate sensitive-log assertion passnotify/tests/m4-docker/run.sh: pass--version, and without/bin/shThe required rootful-Linux installer proof and all PR security/review checks remain CI gates. Exact public-image rollout evidence is intentionally unavailable until the merged commit is tagged and the owner-gated workflow succeeds.
Rollback and retention
Rollback is fixed to
notify-v1.8.0, commite4f9e3088d7b7bc47943ff59db73de369c16c543, image indexsha256:6e2b333dd16633d93c5104a72a2b133f4e0d95166757ee081930626e08858154. Credentials and synchronized content are preserved across rollback and must be revalidated on forward recovery. Backups, versions, conflicts, remote history, and tombstones may retain opaque artifacts; cleanup remains digest-directed and evidence-orthogonal.Evidence boundary
VaultSync 2.0 remains NO-GO. Product upload, download, and correlated-roundtrip evidence remain unset. Helper signatures prove authorship and binding, not transport route, byte provenance, future delivery, or global health.