60c3336725
fix(docker): update GeoLite2-Country.mmdb checksum + automation Fixes critical Docker build failure caused by upstream GeoLite2 database update without corresponding Dockerfile checksum update. **Root Cause:** - GeoLite2-Country.mmdb file updated upstream - Dockerfile still referenced old SHA256 checksum - Build aborted at checksum verification (line 352) - Cascade "blob not found" errors for all COPY commands **Changes:** - Update Dockerfile ARG GEOLITE2_COUNTRY_SHA256 to current value - Add automated weekly checksum update workflow (.github/workflows/update-geolite2.yml) - Implement error handling: retry logic, format validation, failure notifications - Document rollback decision matrix with 10 failure scenarios - Create comprehensive maintenance guide (docs/maintenance/geolite2-checksum-update.md) - Update CHANGELOG.md and README.md with maintenance references **Verification:** - Checksum verified against current upstream file: 436135ee... - Pre-commit hooks: PASSED (EOF/whitespace auto-fixed) - Trivy security scan: PASSED (no critical/high issues) - Dockerfile syntax: VALID - GitHub Actions YAML: VALID - No hardcoded secrets or injection vulnerabilities **Automation Features:** - Weekly scheduled checks (Monday 2 AM UTC) - Auto-PR creation when checksum changes - GitHub issue creation on workflow failure - Comprehensive error handling and retry logic **Impact:** - Unblocks all CI/CD Docker image builds - Enables publishing to GHCR/Docker Hub - Prevents future checksum failures via automation - Zero application code changes (no regression risk) **Documentation:** - Implementation plan: docs/plans/geolite2_checksum_fix_spec.md - QA report: docs/reports/qa_geolite2_checksum_fix.md - Maintenance guide: docs/maintenance/geolite2-checksum-update.md **Supervisor Recommendations Implemented:** - #1: Checksum freshness verification before update - #3: Rollback decision criteria (10 scenarios) - #4: Automated workflow error handling Resolves: https://github.com/Wikid82/Charon/actions/runs/21584236523/job/62188372617 COMMIT_MESSAGE_END
2.2 KiB
2.2 KiB
Docker Compose CI Fix - Quick Reference
Document: Full Remediation Plan Status: Ready for Implementation Priority: CRITICAL
Problem
E2E tests failing with:
charon-app Error pull access denied for sha256, repository does not exist
Root Cause
The workflow passes bare SHA256 digest to Docker Compose:
CHARON_E2E_IMAGE_DIGEST: sha256:057a9998...
Docker tries to pull from a repository named "sha256" (doesn't exist).
Solution
Use the local tag that already exists after docker load:
Change 1: Workflow
File: .github/workflows/e2e-tests.yml (line 158)
- CHARON_E2E_IMAGE_DIGEST: ${{ needs.build.outputs.image_digest }}
+ # Use local tag for pre-built image (loaded from artifact)
+ CHARON_E2E_IMAGE: charon:e2e-test
Change 2: Compose File
File: .docker/compose/docker-compose.playwright-ci.yml (lines 31-37)
- # CI default (digest-pinned via workflow output):
- # CHARON_E2E_IMAGE_DIGEST=ghcr.io/wikid82/charon:nightly@sha256:<digest>
- # Local override (tag-based):
+ # CI default: Uses pre-built image loaded from artifact
+ # Set via workflow: CHARON_E2E_IMAGE=charon:e2e-test
+ # Local development: Uses locally built image
+ # Override with: CHARON_E2E_IMAGE=charon:local-dev
- image: ${CHARON_E2E_IMAGE_DIGEST:-${CHARON_E2E_IMAGE:-charon:e2e-test}}
+ image: ${CHARON_E2E_IMAGE:-charon:e2e-test}
Why This Works
| Step | Current (Broken) | Fixed |
|---|---|---|
| Build | Tags as charon:e2e-test |
Same |
| Load | Image available as charon:e2e-test |
Same |
| Compose | Tries to use sha256:... ❌ |
Uses charon:e2e-test ✅ |
Verification
# After changes, run locally:
export CHARON_E2E_IMAGE=charon:e2e-test
docker compose -f .docker/compose/docker-compose.playwright-ci.yml config | grep "image:"
# Should output:
# image: charon:e2e-test
Testing
- Create PR with both changes
- Monitor
e2e-tests.ymlworkflow - Verify "Start test environment" step succeeds
- Confirm health check passes
See docker_compose_ci_fix.md for full analysis and implementation details.