Charon/docs/plans/docker_compose_ci_fix_summary.md
GitHub Actions 60c3336725 COMMIT_MESSAGE_START
fix(docker): update GeoLite2-Country.mmdb checksum + automation

Fixes critical Docker build failure caused by upstream GeoLite2 database
update without corresponding Dockerfile checksum update.

**Root Cause:**
- GeoLite2-Country.mmdb file updated upstream
- Dockerfile still referenced old SHA256 checksum
- Build aborted at checksum verification (line 352)
- Cascade "blob not found" errors for all COPY commands

**Changes:**
- Update Dockerfile ARG GEOLITE2_COUNTRY_SHA256 to current value
- Add automated weekly checksum update workflow (.github/workflows/update-geolite2.yml)
- Implement error handling: retry logic, format validation, failure notifications
- Document rollback decision matrix with 10 failure scenarios
- Create comprehensive maintenance guide (docs/maintenance/geolite2-checksum-update.md)
- Update CHANGELOG.md and README.md with maintenance references

**Verification:**
- Checksum verified against current upstream file: 436135ee...
- Pre-commit hooks: PASSED (EOF/whitespace auto-fixed)
- Trivy security scan: PASSED (no critical/high issues)
- Dockerfile syntax: VALID
- GitHub Actions YAML: VALID
- No hardcoded secrets or injection vulnerabilities

**Automation Features:**
- Weekly scheduled checks (Monday 2 AM UTC)
- Auto-PR creation when checksum changes
- GitHub issue creation on workflow failure
- Comprehensive error handling and retry logic

**Impact:**
- Unblocks all CI/CD Docker image builds
- Enables publishing to GHCR/Docker Hub
- Prevents future checksum failures via automation
- Zero application code changes (no regression risk)

**Documentation:**
- Implementation plan: docs/plans/geolite2_checksum_fix_spec.md
- QA report: docs/reports/qa_geolite2_checksum_fix.md
- Maintenance guide: docs/maintenance/geolite2-checksum-update.md

**Supervisor Recommendations Implemented:**
- #1: Checksum freshness verification before update
- #3: Rollback decision criteria (10 scenarios)
- #4: Automated workflow error handling

Resolves: https://github.com/Wikid82/Charon/actions/runs/21584236523/job/62188372617
COMMIT_MESSAGE_END
2026-02-02 13:31:56 +00:00


Docker Compose CI Fix - Quick Reference

Document: Full Remediation Plan
Status: Ready for Implementation
Priority: CRITICAL


Problem

E2E tests failing with:

charon-app Error pull access denied for sha256, repository does not exist

Root Cause

The workflow passes a bare SHA256 digest, with no repository name, to Docker Compose:

CHARON_E2E_IMAGE_DIGEST: sha256:057a9998...

Docker parses this value as name:tag, so it tries to pull from a repository named "sha256", which doesn't exist.

Solution

Use the local tag that already exists after docker load:

Change 1: Workflow

File: .github/workflows/e2e-tests.yml (line 158)

- CHARON_E2E_IMAGE_DIGEST: ${{ needs.build.outputs.image_digest }}
+ # Use local tag for pre-built image (loaded from artifact)
+ CHARON_E2E_IMAGE: charon:e2e-test
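
Review bot: in the `.github/workflows/e2e-tests.yml` change, replacing `CHARON_E2E_IMAGE_DIGEST` with the hard-coded tag `charon:e2e-test` means `needs.build.outputs.image_digest` is no longer consumed in this step, so nothing visible here ties the image under test to the one the build job produced. A tag is a mutable local name; suggest logging the image ID of `charon:e2e-test` right after the artifact is loaded so each run records exactly which image was tested, and removing the `image_digest` output from the build job if no other step uses it. The tag string is also now duplicated here and in the compose default, so a comment pointing at the build step that assigns it would help keep them in sync.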

Change 2: Compose File

File: .docker/compose/docker-compose.playwright-ci.yml (lines 31-37)

- # CI default (digest-pinned via workflow output):
- # CHARON_E2E_IMAGE_DIGEST=ghcr.io/wikid82/charon:nightly@sha256:<digest>
- # Local override (tag-based):
+ # CI default: Uses pre-built image loaded from artifact
+ # Set via workflow: CHARON_E2E_IMAGE=charon:e2e-test
+ # Local development: Uses locally built image
+ # Override with: CHARON_E2E_IMAGE=charon:local-dev
- image: ${CHARON_E2E_IMAGE_DIGEST:-${CHARON_E2E_IMAGE:-charon:e2e-test}}
+ image: ${CHARON_E2E_IMAGE:-charon:e2e-test}
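
Review bot: on the new `image: ${CHARON_E2E_IMAGE:-charon:e2e-test}` line, the `:-` default silently covers an unset or empty variable, and if `charon:e2e-test` was never loaded on the runner Compose will fall back to trying to pull that name from a registry instead of failing on the missing artifact. Suggest adding `pull_policy: never` to this service in the CI compose file so a missing local image is an immediate, clearly attributable error, or requiring the variable in CI with the `${CHARON_E2E_IMAGE:?...}` form. The new comments describe both the CI and local-development values well; it would be worth stating there that the image is expected to exist locally and is never pulled.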

Why This Works

| Step | Current (Broken) | Fixed |
|---|---|---|
| Build | Tags as charon:e2e-test | Same |
| Load | Image available as charon:e2e-test | Same |
| Compose | Tries to use sha256:... | Uses charon:e2e-test |

Verification

# After changes, run locally:
export CHARON_E2E_IMAGE=charon:e2e-test
docker compose -f .docker/compose/docker-compose.playwright-ci.yml config | grep "image:"

# Should output:
# image: charon:e2e-test
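
A pre-flight guard for the root cause described above (a bare digest reaching the compose `image:` field), written as an added example that is not part of the Charon repository. It goes beyond the single failing case by also classifying tag, digest-pinned and untagged references; the helper names and the simplified reference grammar are assumptions.

```shell
#!/bin/sh
# Added example, not project code. classify_image_ref and _ref_matches are
# hypothetical helper names. The grammar is a simplified subset of Docker
# image references: [registry[:port]/]path[:tag][@sha256:<64 hex>].

# True when $1 matches the extended regex $2 in full.
_ref_matches() { printf '%s\n' "$1" | grep -Eq "^($2)\$"; }

# Prints: bare-digest | digest-pinned | tag | untagged | invalid
# Returns non-zero for values that must not reach `docker compose`.
classify_image_ref() {
    ref=$1
    name='([a-z0-9.-]+(:[0-9]+)?/)?[a-z0-9]+([._/-]+[a-z0-9]+)*'
    tag='[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}'
    digest='sha256:[0-9a-f]{64}'

    # Checked first: "sha256:<hex>" is syntactically a valid name:tag pair,
    # which is why Docker accepts it and then looks for a repository
    # called "sha256".
    if _ref_matches "$ref" 'sha256:[0-9a-f]+'; then
        echo bare-digest; return 1
    elif _ref_matches "$ref" "${name}(:${tag})?@${digest}"; then
        echo digest-pinned
    elif _ref_matches "$ref" "${name}:${tag}"; then
        echo tag
    elif _ref_matches "$ref" "${name}"; then
        echo untagged
    else
        echo invalid; return 1
    fi
}

# When run directly with arguments, classify each one.
# In a CI step before `docker compose up`, the guard would be:
#   classify_image_ref "$CHARON_E2E_IMAGE" >/dev/null || exit 1
for r in "$@"; do
    printf '%s -> %s\n' "$r" "$(classify_image_ref "$r")"
done
```
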

Testing

  1. Create PR with both changes
  2. Monitor e2e-tests.yml workflow
  3. Verify "Start test environment" step succeeds
  4. Confirm health check passes

See docker_compose_ci_fix.md for full analysis and implementation details.