Container release runbook¶
Use this when verifying or troubleshooting Docker image publication.
Preconditions¶
- The repository package visibility allows publishing to GitHub Container Registry.
- The Docker workflow has
packages: writepermission on non-pull-request runs. - The release tag starts with
v, such asv0.2.0.
Normal release flow¶
- Publish the Python package release using the release runbook.
- Watch the
Dockerworkflow for the release tag. -
Confirm the workflow:
- lints
Dockerfileand.devcontainer/Dockerfile; - builds and runs the test image;
- builds and smoke-tests the runtime image;
- scans both images with Trivy and fails on critical vulnerabilities;
- publishes runtime and test images to GHCR;
- emits Buildx SBOM and provenance attestations.
- lints
-
Open the GHCR package page and confirm these images exist:
ghcr.io/ryancswallace/benchmatrix:vX.Y.Z;ghcr.io/ryancswallace/benchmatrix:latest;ghcr.io/ryancswallace/benchmatrix-test:vX.Y.Z;ghcr.io/ryancswallace/benchmatrix-test:latest.
-
Verify the runtime image from GHCR:
docker run --rm ghcr.io/ryancswallace/benchmatrix:vX.Y.ZThe command should print
BenchmarkCase. -
Verify the test image if the release changed packaging, dependencies, or test infrastructure:
docker run --rm ghcr.io/ryancswallace/benchmatrix-test:vX.Y.Z
Adjusting vulnerability policy¶
The Docker workflow currently fails on CRITICAL vulnerabilities and ignores
unfixed findings. To ratchet the policy, update the Trivy steps in
.github/workflows/docker.yml:
- change
severity: CRITICALtoseverity: HIGH,CRITICALto fail on high and critical vulnerabilities; - change
ignore-unfixed: truetoignore-unfixed: falseto include unfixed findings.
After changing the policy, run the Docker workflow on a pull request and confirm that findings are actionable before making the check required.
Failure handling¶
- Dockerfile lint failure: run
make docker-lint, fix the Dockerfile, and rerun. - Build failure: rebuild the devcontainer if needed, then run
make docker-checklocally when Docker is available. - Runtime smoke failure: inspect the image command and package installation layer.
- Critical vulnerability: run
make docker-scanlocally to reproduce, then update the base image or affected dependency. If no fix is available, document the risk before temporarily relaxing the policy. - Publish failure: confirm GHCR package permissions and workflow
packages: writepermissions.