
chore(frontend): bump obol-stack-front-end v0.1.23 → v0.1.24 (digest-pinned) #482

Open · bussyjd wants to merge 1 commit into main from chore/bump-frontend-v0.1.24-rc2

Conversation

@bussyjd (Collaborator) commented May 12, 2026

Summary

Bumps the frontend image pin from v0.1.23 (tag-only) to stable v0.1.24 with multi-arch digest:

obolnetwork/obol-stack-front-end:v0.1.24@sha256:d5abd6aebddcabf7b7fccd2f5e922cb6067c90dca808b306bd46db71b0010206

Single commit; combines the version bump with the supply-chain hardening that was previously staged in #468 (digest-pin at v0.1.23). #468 closed as superseded.

What v0.1.24 contains (frontend-side)

Cumulative since v0.1.23:

  • 12 Dependabot dep bumps integrated via frontend #310:
    • Runtime: next 16.2.4→16.2.6, react 19.2.5→19.2.6, @rainbow-me/rainbowkit 2.2.10→2.2.11, @copilotkit/{react-core,react-ui} 1.56.3→1.57.1
    • Dev: @typescript-eslint/{parser 8.59.2,eslint-plugin 8.59.1}, @next/eslint-plugin-next 16.2.6, eslint-config-next 16.2.6, @types/node 25.6.2
    • Infra: Dockerfile base node:22-alpine → node:26-alpine; actions/setup-node 6.3.0 → 6.4.0
  • frontend #292 feat(dashboard): storefront link + AgentRegistrationCard

Frontend release sequence: v0.1.24-rc1 (dep bumps only) → v0.1.24-rc2 (+ #292) → v0.1.24 (stable, same code as rc2, freshly-built Docker image).

Supply-chain review (frontend-side): GREEN

Audited via security subagent on both #310 (dep diff) and #292 (feature diff):

  • All workflow uses: SHA-pinned (verified actions/setup-node@v6.4.0 SHA matches the public tag)
  • Zero net-new transitive packages (4 chevrotain sub-deps consolidated, no additions)
  • All target versions ≥4 days old on npm (no race-to-hijack window)
  • No new install scripts; pre-existing ignored-build-script set unchanged
  • Peer-deps verified: Next 16.2 / React 19.2 / RainbowKit 2.2.11 / CopilotKit 1.57.1
  • node:26-alpine multi-arch OCI index verified on Docker Hub
  • PR #292: UI-only feature; new /api/agents/registration route consumes operator-controlled tunnelURL from in-cluster obol-stack-config ConfigMap (no SSRF/user-input surface); no dangerouslySetInnerHTML; consistent with existing /api/agents/* auth patterns

Multi-arch digest sha256:d5abd6…010206 is the OCI image index covering linux/amd64 + linux/arm64. Note: this is a different digest than v0.1.24-rc2 (sha256:cdcc8c…2ba4c) because the Docker images were rebuilt for the v0.1.24 tag — same git SHA, different binary digests (typical for non-reproducible Docker builds).

Why digest-pin

Mutable tag pins allow a registry-credential compromise to silently swap image contents under the same v0.1.24 tag on the next pull. The name:tag@digest format renders to a valid OCI reference via the obol-app chart's obol-app.image helper; the digest is authoritative at pull time, the tag stays for human readability.

Test plan

  • lint-test CI green
  • CodeQL (actions / go / javascript-typescript / python) green
  • After merge: obol stack up pulls the new digest and frontend pod becomes Ready
  • Roll into the next obol-stack RC at maintainer discretion

Not self-merging

Per feedback_main_merge_gates.md: requires flows-green (flow-11 + flow-14 receipts) AND a second human reviewer. Maintainer hand-off.
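The digest-pin argument in the description above, as an added example that is not part of this PR or of the obol-stack code: a Python policy check that parses OCI image references, accepts only a well-formed sha256 digest as an immutable pin, and flags tag-only references that a registry-credential compromise could silently re-point. `parse_image_ref`, `check_pins` and `render_image` are names chosen here; `render_image` only mirrors the name:tag@digest shape the description attributes to the obol-app.image helper and is not that helper. The first sample reference is the one from this PR; the other samples are constructed.

```python
"""Policy check for OCI image references: reject mutable (tag-only) pins."""
import re
from dataclasses import dataclass
from typing import Optional

# sha256 digests per the OCI image spec: algorithm, colon, 64 lowercase hex chars.
# A truncated or upper-case digest is rejected rather than treated as "pinned".
_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Tag grammar from the distribution spec: word char first, then up to 127 of [\w.-].
_TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


@dataclass(frozen=True)
class ImageRef:
    repository: str        # e.g. obolnetwork/obol-stack-front-end
    tag: Optional[str]     # human-readable only; not authoritative once a digest is present
    digest: Optional[str]  # sha256:..., authoritative at pull time

    @property
    def immutable(self) -> bool:
        return self.digest is not None

    def render(self) -> str:
        """Rebuild the canonical name[:tag][@digest] string."""
        out = self.repository
        if self.tag:
            out += f":{self.tag}"
        if self.digest:
            out += f"@{self.digest}"
        return out


def parse_image_ref(ref: str) -> ImageRef:
    # "@" is only legal as the digest separator, so split it off first.
    rest, _, digest = ref.partition("@")
    if digest and not _DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    # Only the last path component can carry a tag; a ":" earlier in the string
    # is a registry port (e.g. localhost:5000/app), not a tag separator.
    head, slash, last = rest.rpartition("/")
    name, _, tag = last.partition(":")
    if tag and not _TAG_RE.match(tag):
        raise ValueError(f"malformed tag in {ref!r}")
    if not name:
        raise ValueError(f"empty repository name in {ref!r}")
    return ImageRef(head + slash + name, tag or None, digest or None)


def render_image(values: dict) -> str:
    """Hypothetical stand-in for a chart helper such as obol-app.image: joins
    repository, tag and optional digest into name:tag@digest. Not the real helper."""
    ref = values["repository"]
    if values.get("tag"):
        ref += ":" + values["tag"]
    if values.get("digest"):
        ref += "@" + values["digest"]
    return ref


def check_pins(refs):
    """Return (ref, reason) for every reference that is not digest-pinned or that
    does not parse; an empty list means every image is immutable."""
    findings = []
    for ref in refs:
        try:
            parsed = parse_image_ref(ref)
        except ValueError as exc:
            findings.append((ref, str(exc)))
            continue
        if not parsed.immutable:
            findings.append((ref, "mutable tag-only pin; add @sha256:<digest>"))
    return findings


if __name__ == "__main__":
    # First entry is the reference from this PR; the rest are constructed samples.
    sample = [
        "obolnetwork/obol-stack-front-end:v0.1.24@sha256:d5abd6aebddcabf7b7fccd2f5e922cb6067c90dca808b306bd46db71b0010206",
        "obolnetwork/obol-stack-front-end:v0.1.23",
        "localhost:5000/app@sha256:" + "0" * 64,
        "registry.example/app:v1@sha256:deadbeef",
    ]
    for ref, reason in check_pins(sample):
        print(f"FAIL {ref}\n     {reason}")
```

Run it over the `image:` values of rendered manifests. The check proves only that a reference is immutable; whether the digest is the one the release actually published still has to be compared against the registry, which is the manual step the description records.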

@bussyjd force-pushed the chore/bump-frontend-v0.1.24-rc2 branch from 00b85b6 to 16a6b3e on May 12, 2026 09:31
@bussyjd changed the title from "chore(frontend): bump obol-stack-front-end v0.1.23 → v0.1.24-rc2 (digest-pinned)" to "chore(frontend): bump obol-stack-front-end v0.1.23 → v0.1.24 (digest-pinned)" on May 12, 2026
Commit message:

chore(frontend): bump obol-stack-front-end v0.1.23 → v0.1.24 (digest-pinned)

Bumps the frontend image to the new stable v0.1.24 release and switches
the pin format from tag-only to tag+digest.

Image: obolnetwork/obol-stack-front-end:v0.1.24@sha256:d5abd6aebddcabf7b7fccd2f5e922cb6067c90dca808b306bd46db71b0010206

What v0.1.24 contains (cumulative since v0.1.23):
- 12 Dependabot dep bumps via frontend #310:
  - Runtime: next 16.2.6, react 19.2.6, @rainbow-me/rainbowkit 2.2.11,
    @copilotkit/{react-core,react-ui} 1.57.1
  - Dev: @typescript-eslint/{parser 8.59.2,eslint-plugin 8.59.1},
    @next/eslint-plugin-next 16.2.6, eslint-config-next 16.2.6,
    @types/node 25.6.2
  - Infra: Dockerfile node:22-alpine → node:26-alpine,
    actions/setup-node 6.3.0 → 6.4.0
- feat(dashboard): storefront link + AgentRegistrationCard (frontend #292)

Supply-chain review on the frontend dep diff: GREEN
- Zero net-new transitive packages (4 chevrotain sub-deps consolidated)
- All workflow uses: SHA-pinned (setup-node SHA verified against v6.4.0 tag)
- All target versions ≥4 days old on npm
- No new install scripts
- Peer-dep compatibility verified
- node:26-alpine multi-arch index verified on Docker Hub
- PR #292 new API route consumes operator-controlled tunnelURL from in-cluster
  ConfigMap (no SSRF/user-input surface); no dangerouslySetInnerHTML; consistent
  with existing /api/agents/* auth patterns
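Two of the review gates listed in the description and repeated in the commit message, the SHA-pinned `uses:` check and the minimum-age check on npm target versions, as an added example that is neither the project's tooling nor the "security subagent" the review mentions. `audit_workflow_uses` and `too_young_versions` are names chosen here; the workflow snippet, the 40-hex SHAs in it, the `example-dep` package and its registry `time` map are all constructed. Only the shape of that `time` map (ISO timestamps keyed by version, plus `created` and `modified`) matches what the npm registry returns for a package.

```python
"""Supply-chain review gates: SHA-pinned actions, minimum age of npm targets."""
import re
from datetime import datetime, timedelta, timezone

# Matches `uses: owner/repo@ref  # optional version comment` lines in workflow YAML.
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?", re.MULTILINE)
_SHA40_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow_uses(yaml_text: str):
    """Return (action, problem) for every `uses:` not pinned to a full commit SHA."""
    findings = []
    for m in _USES_RE.finditer(yaml_text):
        spec, version_comment = m.group(1), m.group(2)
        if spec.startswith(("./", "docker://")):
            continue  # local composite actions and docker images are pinned elsewhere
        action, _, ref = spec.partition("@")
        if not ref:
            findings.append((action, "no ref at all (resolves to the default branch)"))
        elif not _SHA40_RE.match(ref):
            findings.append((action, f"mutable ref {ref!r}; pin to the tag's commit SHA"))
        elif version_comment is None:
            # Not a vulnerability, but without a `# vX.Y.Z` comment a reviewer cannot
            # check the SHA against the published tag the way the PR description did.
            findings.append((action, "SHA-pinned but missing the tag comment"))
    return findings


def too_young_versions(metadata: dict, targets, min_age_days: int, now: datetime):
    """Given npm package metadata (its `time` map is keyed by version) and the
    versions a PR moves to, return those published less than min_age_days ago.
    A version that was published hours before a bump is the classic window for a
    hijacked or typo-squatted release to be pulled in before anyone notices."""
    cutoff = now - timedelta(days=min_age_days)
    young = []
    for version in targets:
        published = metadata["time"].get(version)
        if published is None:
            young.append((version, "not published"))
            continue
        ts = datetime.fromisoformat(published.replace("Z", "+00:00"))
        if ts > cutoff:
            young.append((version, f"only {(now - ts).days} day(s) old"))
    return young


# Constructed sample inputs: not the project's workflows and not real registry data.
SAMPLE_WORKFLOW = """
jobs:
  lint-test:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v6.4.0
      - uses: example-org/some-action@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-step
"""

SAMPLE_NPM_METADATA = {
    "name": "example-dep",
    "time": {
        "created": "2025-01-01T00:00:00.000Z",
        "modified": "2026-05-11T08:00:00.000Z",
        "1.4.0": "2026-04-20T12:00:00.000Z",
        "1.4.1": "2026-05-11T08:00:00.000Z",
    },
}
REVIEW_TIME = datetime(2026, 5, 12, 9, 31, tzinfo=timezone.utc)

if __name__ == "__main__":
    for action, problem in audit_workflow_uses(SAMPLE_WORKFLOW):
        print(f"uses: {action}: {problem}")
    for version, why in too_young_versions(
        SAMPLE_NPM_METADATA, ["1.4.0", "1.4.1", "1.5.0"], 4, REVIEW_TIME
    ):
        print(f"example-dep@{version}: {why}")
```

The four-day threshold is the one the review states. The audit only checks the form of the pin; confirming that a 40-hex SHA is the commit behind the tag named in the comment still needs a lookup against the action's repository, which is what "setup-node SHA verified against v6.4.0 tag" refers to.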