Update push artifact's --revision to RFC-0005

Signed-off-by: Hidde Beydals <hello@hidde.co>
2026-02-08 00:37:27 +00:00 · 2023-02-17 12:26:31 +01:00 · 2023-02-17 12:26:31 +01:00 · 0f7b903ace
commit 0f7b903ace
parent 71d59e36cc
5 changed files with 23 additions and 23 deletions
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@ -183,7 +183,7 @@ jobs:
          /tmp/flux push artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
            --path="./manifests" \
            --source="${{ github.repositoryUrl }}" \
-            --revision="${{ github.ref }}/${{ github.sha }}"
+            --revision="${{ github.ref }}@sha1:${{ github.sha }}"
          /tmp/flux tag artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
            --tag latest
          /tmp/flux list artifacts oci://localhost:5000/fluxcd/flux
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -120,7 +120,7 @@ jobs:
          oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
          --path="./flux-system" \
          --source=${{ github.repositoryUrl }} \
-          --revision="${{ github.ref_name }}/${{ github.sha }}"
+          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
      - name: Push manifests to DockerHub
        run: |
          mkdir -p ./docker.io/flux-system
@ -132,7 +132,7 @@ jobs:
          oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
          --path="./flux-system" \
          --source=${{ github.repositoryUrl }} \
-          --revision="${{ github.ref_name }}/${{ github.sha }}"
+          --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
      - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
      - name: Sign manifests
        env:
--- a/action/README.md
+++ b/action/README.md
@ -132,7 +132,7 @@ jobs:
          flux push artifact $OCI_REPO:$(git rev-parse --short HEAD) \
            --path="./deploy" \
            --source="$(git config --get remote.origin.url)" \
-            --revision="$(git branch --show-current)/$(git rev-parse HEAD)"
+            --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"
      - name: Deploy manifests to staging
        run: |
          flux tag artifact $OCI_REPO:$(git rev-parse --short HEAD) --tag staging
@ -180,7 +180,7 @@ jobs:
          $OCI_REPO:$(git rev-parse --short HEAD) \
          --path="./manifests" \
          --source="$(git config --get remote.origin.url)" \
-          --revision="$(git branch --show-current)/$(git rev-parse HEAD)" |\
+          --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" |\
          jq -r '. | .repository + "@" + .digest')

          cosign sign $digest_url
--- a/cmd/flux/push_artifact.go
+++ b/cmd/flux/push_artifact.go
@ -41,13 +41,13 @@ The command can read the credentials from '~/.docker/config.json' but they can a
  flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
 	--path="./path/to/local/manifests" \
 	--source="$(git config --get remote.origin.url)" \
-	--revision="$(git branch --show-current)/$(git rev-parse HEAD)"
+	--revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"

  # Push and sign artifact with cosign
  digest_url = $(flux push artifact \
 	oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
 	--source="$(git config --get remote.origin.url)" \
-	--revision="$(git branch --show-current)/$(git rev-parse HEAD)" \
+	--revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" \
 	--path="./path/to/local/manifest.yaml" \
 	--output json | \
 	jq -r '. | .repository + "@" + .digest')
@ -56,21 +56,21 @@ The command can read the credentials from '~/.docker/config.json' but they can a
  # Push manifests passed into stdin to GHCR
  kustomize build . | flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) -p - \ 
    --source="$(git config --get remote.origin.url)" \
-    --revision="$(git branch --show-current)/$(git rev-parse HEAD)"
+    --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"

  # Push single manifest file to GHCR using the short Git SHA as the OCI artifact tag
  echo $GITHUB_PAT | docker login ghcr.io --username flux --password-stdin
  flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
 	--path="./path/to/local/manifest.yaml" \
 	--source="$(git config --get remote.origin.url)" \
-	--revision="$(git branch --show-current)/$(git rev-parse HEAD)"
+	--revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"

  # Push manifests to Docker Hub using the Git tag as the OCI artifact tag
  echo $DOCKER_PAT | docker login --username flux --password-stdin
  flux push artifact oci://docker.io/org/app-config:$(git tag --points-at HEAD) \
 	--path="./path/to/local/manifests" \
 	--source="$(git config --get remote.origin.url)" \
-	--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"
+	--revision="$(git tag --points-at HEAD)@sha1:$(git rev-parse HEAD)"

  # Login directly to the registry provider
  # You might need to export the following variable if you use local config files for AWS:
@ -78,14 +78,14 @@ The command can read the credentials from '~/.docker/config.json' but they can a
  flux push artifact oci://<account>.dkr.ecr.<region>.amazonaws.com/foo:v1:$(git tag --points-at HEAD) \
 	--path="./path/to/local/manifests" \
 	--source="$(git config --get remote.origin.url)" \
-	--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" \
+	--revision="$(git tag --points-at HEAD)@sha1:$(git rev-parse HEAD)" \
 	--provider aws

  # Or pass credentials directly
  flux push artifact oci://docker.io/org/app-config:$(git tag --points-at HEAD) \
 	--path="./path/to/local/manifests" \
 	--source="$(git config --get remote.origin.url)" \
-	--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" \
+	--revision="$(git tag --points-at HEAD)@sha1:$(git rev-parse HEAD)" \
 	--creds flux:$DOCKER_PAT
 `,
 	RunE: pushArtifactCmdRun,
@ -112,7 +112,7 @@ func newPushArtifactFlags() pushArtifactFlags {
 func init() {
 	pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.path, "path", "", "path to the directory where the Kubernetes manifests are located")
 	pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.source, "source", "", "the source address, e.g. the Git URL")
-	pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.revision, "revision", "", "the source revision in the format '<branch|tag>/<commit-sha>'")
+	pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.revision, "revision", "", "the source revision in the format '<branch|tag>@sha1:<commit-sha>'")
 	pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
 	pushArtifactCmd.Flags().Var(&pushArtifactArgs.provider, "provider", pushArtifactArgs.provider.Description())
 	pushArtifactCmd.Flags().StringSliceVar(&pushArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
--- a/rfcs/0003-kubernetes-oci/README.md
+++ b/rfcs/0003-kubernetes-oci/README.md
@ -47,7 +47,7 @@ and push the archive to a container registry as an OCI artifact.
 ```sh
 flux push artifact oci://docker.io/org/app-config:v1.0.0 \
  --source="$(git config --get remote.origin.url)" \
-  --revision="$(git rev-parse HEAD)" \
+  --revision="sha1:$(git rev-parse HEAD)" \
  --path="./deploy"
 ```

@ -65,7 +65,7 @@ The source and revision are added to the OCI artifact as Open Containers standar
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "annotations": {
    "org.opencontainers.image.created": "2023-02-10T09:06:09Z",
-    "org.opencontainers.image.revision": "6ea3e5b4da159fcb4a1288f072d34c3315644bcc",
+    "org.opencontainers.image.revision": "sha1:6ea3e5b4da159fcb4a1288f072d34c3315644bcc",
    "org.opencontainers.image.source": "https://github.com/fluxcd/flux2"
  }
 }
@ -288,7 +288,7 @@ Then push the Kubernetes manifests to GHCR:
 ```sh
 flux push artifact oci://ghcr.io/org/my-app-config:v1.0.0 \
 	--source="$(git config --get remote.origin.url)" \
-	--revision="$(git rev-parse HEAD)"\
+	--revision="sha1:$(git rev-parse HEAD)"\
 	--path="./deploy"
 ```

@ -309,8 +309,8 @@ List the artifacts and their metadata with:
 ```console
 $ flux list artifacts oci://ghcr.io/org/my-app-config
 ARTIFACT                                DIGEST                                                                 	SOURCE                                          REVISION                                      
-ghcr.io/org/my-app-config:latest   	sha256:45b95019d30af335137977a369ad56e9ea9e9c75bb01afb081a629ba789b890c	https://github.com/org/my-app-config.git   	20b3a674391df53f05e59a33554973d1cbd4d549	
-ghcr.io/org/my-app-config:v1.0.0	sha256:45b95019d30af335137977a369ad56e9ea9e9c75bb01afb081a629ba789b890c	https://github.com/org/my-app-config.git	3f45e72f0d3457e91e3c530c346d86969f9f4034	
+ghcr.io/org/my-app-config:latest   	sha256:45b95019d30af335137977a369ad56e9ea9e9c75bb01afb081a629ba789b890c	https://github.com/org/my-app-config.git   	sha1:20b3a674391df53f05e59a33554973d1cbd4d549	
+ghcr.io/org/my-app-config:v1.0.0	sha256:45b95019d30af335137977a369ad56e9ea9e9c75bb01afb081a629ba789b890c	https://github.com/org/my-app-config.git	sha1:3f45e72f0d3457e91e3c530c346d86969f9f4034	
 ```

 #### Story 2
@ -402,7 +402,7 @@ The Flux CLI will produce OCI artifacts with the following format:
  ],
  "annotations": {
    "org.opencontainers.image.created": "2023-02-10T09:06:09Z",
-    "org.opencontainers.image.revision": "6ea3e5b4da159fcb4a1288f072d34c3315644bcc",
+    "org.opencontainers.image.revision": "sha1:6ea3e5b4da159fcb4a1288f072d34c3315644bcc",
    "org.opencontainers.image.source": "https://github.com/fluxcd/flux2"
  }
 }
@ -436,21 +436,21 @@ status:
    lastUpdateTime: "2022-06-22T09:14:21Z"
    metadata:
      org.opencontainers.image.created: "2023-02-10T09:06:09Z"
-      org.opencontainers.image.revision: b3b00fe35424a45d373bf4c7214178bc36fd7872
+      org.opencontainers.image.revision: sha1:b3b00fe35424a45d373bf4c7214178bc36fd7872
      org.opencontainers.image.source: https://github.com/stefanprodan/podinfo.git
    path: ocirepository/oci/podinfo/3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de.tar.gz
-    revision: 3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de
+    revision: sha256:3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de
    size: 1105
    url: http://source-controller.flux-system.svc.cluster.local./ocirepository/oci/podinfo/3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de.tar.gz
  conditions:
  - lastTransitionTime: "2022-06-22T09:14:21Z"
-    message: stored artifact for revision '3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
+    message: stored artifact for revision 'sha256:3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
    observedGeneration: 1
    reason: Succeeded
    status: "True"
    type: Ready
  - lastTransitionTime: "2022-06-22T09:14:21Z"
-    message: stored artifact for revision '3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
+    message: stored artifact for revision 'sha256:3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
    observedGeneration: 1
    reason: Succeeded
    status: "True"