Strip io.buildpacks.stack.id before push and verify after #1881
Merged
Build the release image to a local OCI layout, strip the io.buildpacks.stack.id label there, then copy out to each Docker Hub tag. After publishing, inspect every tag on both platforms and fail the job if the label is still present, so a silent regctl mod failure can no longer ship.
josegonzalez added a commit that referenced this pull request May 22, 2026
- #1880 @josegonzalez: Replace docker-copyedit with regctl for image retagging
- #1881 @josegonzalez: Strip io.buildpacks.stack.id before push and verify after
- #1882 @dependabot: chore(deps): bump puma from 8.0.0 to 8.0.1 in /buildpacks/buildpack-ruby/tests/ruby-sinatra
- #1883 @dokku-bot: Update nodejs to version v343
- #1885 @josegonzalez: Retry docker pull in post-install on timeout
- #1886 @dokku-bot: Update nodejs to version v344
- #1887 @dependabot: chore(deps): bump gunicorn from 25.3.0 to 26.0.0 in /buildpacks/buildpack-python/tests/python-flask
- #1888 @dependabot: chore(deps): bump gunicorn from 25.3.0 to 26.0.0 in /buildpacks/buildpack-python/tests/python-django
- #1889 @dependabot: chore(deps): bump gunicorn from 25.3.0 to 26.0.0 in /buildpacks/buildpack-multi/tests/multi
- #1890 @dokku-bot: Update nodejs to version v345
- #1893 @dokku-bot: Update nodejs to version v346
- #1894 @dokku-bot: Update python to version v344
- #1895 @dokku-bot: Update nodejs to version v347
- #1896 @dokku-bot: Update go to version v229
- #1897 @josegonzalez: Upgrade scala test app to play 3.0.10
- #1898 @dokku-bot: Update php to version v288
- #1899 @dependabot: chore(deps-dev): bump heroku/heroku-buildpack-php from 287 to 288 in /buildpacks/buildpack-php/tests/php
- #1900 @dokku-bot: Update nodejs to version v348
- #1902 @dokku-bot: Update ruby to version v358
- #1903 @dependabot: chore(deps-dev): bump heroku/heroku-buildpack-php from 288 to 289 in /buildpacks/buildpack-php/tests/php
- #1904 @dokku-bot: Update php to version v289
- #1905 @dependabot: chore(deps): bump twig/twig from 3.24.0 to 3.26.0 in /buildpacks/buildpack-php/tests/php
- #1906 @dokku-bot: Update nodejs to version v349
- #1907 @dependabot: chore(deps): bump slim/slim from 4.15.1 to 4.15.2 in /buildpacks/buildpack-php/tests/php
- #1908 @dependabot: chore(deps-dev): bump heroku/heroku-buildpack-php from 289 to 290 in /buildpacks/buildpack-php/tests/php
- #1909 @dokku-bot: Update nodejs to version v350
- #1910 @dokku-bot: Update php to version v290
The previous release shipped images that still carried the io.buildpacks.stack.id label because the post-push regctl image mod step failed silently and nothing in CI checked the result. This is a follow-up to #1880 (which closed #1879): it moves the label strip to before any Docker Hub push and adds an explicit verification gate after publish, so a silent failure can no longer ship.
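A post-publish gate of the kind described above, as an added example (not code from this pull request): it checks every tag on every platform and treats an inspection error, unparsable output, or an empty tag list as a failure rather than as "label absent". It assumes `regctl` is on PATH and prints the image config as JSON, and that the two platforms are linux/amd64 and linux/arm64; the function names are hypothetical.

```python
import json
import subprocess

LABEL = "io.buildpacks.stack.id"
PLATFORMS = ("linux/amd64", "linux/arm64")  # assumption: the page only says "both platforms"


def regctl_config(ref, platform):
    """Fetch one platform's image config (assumes regctl prints it as JSON)."""
    out = subprocess.run(
        ["regctl", "image", "config", "--platform", platform, ref],
        check=True, capture_output=True, text=True, timeout=120,
    )
    return out.stdout


def label_state(raw_config):
    """Return 'present' or 'absent'; raise ValueError if the config is unusable."""
    doc = json.loads(raw_config)
    if not isinstance(doc, dict) or not isinstance(doc.get("config"), dict):
        raise ValueError("not an OCI image config document")
    labels = doc["config"].get("Labels") or {}  # Labels may be missing or null
    return "present" if LABEL in labels else "absent"


def verify_tags(refs, fetch=regctl_config, platforms=PLATFORMS):
    """Check every ref on every platform; return a list of failure strings."""
    if not refs:
        return ["no image references given"]  # a gate that checks nothing must not pass
    failures = []
    for ref in refs:
        for platform in platforms:
            try:
                state = label_state(fetch(ref, platform))
            except Exception as exc:  # fail closed: an inspect error is a failure
                failures.append(f"{ref} [{platform}]: could not verify ({exc})")
                continue
            if state == "present":
                failures.append(f"{ref} [{platform}]: {LABEL} still set")
    return failures


if __name__ == "__main__":
    import sys
    problems = verify_tags(sys.argv[1:])
    print("\n".join(problems) or "all tags clean")
    sys.exit(1 if problems else 0)
```

Run it in CI with the published tags as arguments; any non-empty result exits non-zero and fails the job.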