openova/.github
hatiyildiz 16eb117c5f fix(ci): deploy-bot auto-bumps bootstrap-kit pin when chart version bumps (Refs TBD-A6 meta-fix)
TBD-A6: every chart-publishing wave in the 2026-05-17/18 session required
a SEPARATE manual collector PR to bump the bootstrap-kit pin so Sovereigns
would actually install the freshly published OCI artifact. Without the
pin bump, the chart at e.g. bp-catalyst-platform:1.4.166 gets published
to GHCR but clusters/_template/bootstrap-kit/13-bp-catalyst-platform.yaml
still pins `version: 1.4.165` and fresh Sovereigns silently install the
OLD artifact.

Manual collector PRs eliminated by this hook (sample from one session):
  #1676 chart 1.4.162 -> 1.4.163 (Wave 16 collector)
  #1687 chart 1.4.163 -> 1.4.164 (Wave 17 collector)
  #1694 bp-guacamole 0.1.21 -> 0.1.22 (TBD-G6)
  #1695 chart 1.4.164 -> 1.4.165 (Wave 18 collector)
  #1698 chart 1.4.165 -> 1.4.166 (TBD-E8)
  #1700 bp-guacamole 0.1.22 -> 0.1.23 (TBD-G4 phase 2)
  #1706 bp-self-sovereign-cutover 0.1.29 -> 0.1.30 (TBD-C18)
  #1707 chart 1.4.166 -> 1.4.167 (Wave 24 collector)

The fix lives in .github/workflows/blueprint-release.yaml — the single
workflow that publishes every chart's OCI artifact. After a successful
push + cosign sign + SBOM attest, a new "Auto-bump bootstrap-kit pin"
step:
  1. Reads ${{ steps.chart.outputs.name }} (e.g. `bp-newapi`).
  2. Greps clusters/_template/bootstrap-kit/*.yaml for the canonical
     `      chart: <name>` line (6-space indent matches every existing
     slot's HelmRelease.spec.chart.spec.chart shape).
  3. If a matching slot file is found, sed-replaces the slot's
     `      version: <old>` with `version: <new>` and commits +
     pushes back to main as hatiyildiz <noreply>.
  4. If no slot file matches, the chart is an opt-in Application
     Blueprint (e.g. bp-vllm, bp-temporal) and the step gracefully
     no-ops.
  5. Conflict-tolerant retry up to 3 times with idempotent
     reset-and-rewrite for the parallel matrix case (multiple charts
     bumped in the same push).

The bot-author commit does NOT re-trigger workflows (GitHub Actions
GITHUB_TOKEN convention), so the chain converges in ONE pass:
chart bump -> blueprint-release -> publish artifact -> bump pin.
No loop.

A regression test (scripts/check-bootstrap-kit-pin-sync.sh) asserts
the convergence contract: every Chart.yaml in platform/* or products/*
whose chart name is pinned in clusters/_template/bootstrap-kit/ MUST
have the same version on both sides. The
.github/workflows/test-bootstrap-kit.yaml workflow now runs this audit:
  - On `pull_request`: `--changed-only --base <pr-base>` so a PR is
    only blocked on chart->pin pairs IT modified. This avoids forcing
    pre-existing drifts (13 charts as of 2026-05-18, validated via a
    full sweep against origin/main) to be fixed before any unrelated
    PR can land. The auto-bump hook will heal those drifts on the
    next bump of each lagging chart.
  - On `push` and `workflow_dispatch`: full sweep so post-merge
    drift is observable on the run summary.

Why blueprint-release.yaml is the right insertion point (not each
build-bp-<name>.yaml or services-build.yaml or catalyst-build.yaml):
  - It runs after EVERY chart publish, regardless of upstream trigger.
  - It already has the canonical chart name + version in
    ${{ steps.chart.outputs.name }} + ${{ steps.chart.outputs.version }}.
  - One file changed, one hook covers all 51 bootstrap-kit slots
    plus future additions.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 16:35:57 +02:00
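The pin-bump step described in the commit message, as an added POSIX shell example that is not the repository's own workflow code. It assumes the 6-space `chart:`/`version:` HelmRelease shape the message describes, uses a constructed slot file in a temporary directory in place of clusters/_template/bootstrap-kit/, and rewrites only the `version:` line that follows the matching `chart:` line (rather than every 6-space `version:` in the file) so a retry can reapply it idempotently.

```shell
#!/bin/sh
# Added example (not the repo's workflow code): the bootstrap-kit pin bump
# from the commit message as a plain shell function that runs locally.
# Slot file, chart names and versions below are constructed.
set -e

KIT_DIR=$(mktemp -d)   # stand-in for clusters/_template/bootstrap-kit/
trap 'rm -rf "$KIT_DIR"' EXIT

# Constructed slot: the HelmRelease shape the commit message describes,
# with `chart:` and `version:` both at 6-space indent under spec.chart.spec.
cat > "$KIT_DIR/13-bp-catalyst-platform.yaml" <<'EOF'
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: bp-catalyst-platform
spec:
  chart:
    spec:
      chart: bp-catalyst-platform
      version: 1.4.165
EOF

# slot_file_for <kit-dir> <chart-name>: prints the slot file pinning the
# chart, or nothing when the chart is an opt-in blueprint with no slot.
slot_file_for() {
  grep -l -x -F "      chart: $2" "$1"/*.yaml 2>/dev/null || true
}

# pinned_version <kit-dir> <chart-name>: the version currently pinned,
# read from the `version:` line that follows the chart's `chart:` line.
pinned_version() {
  f=$(slot_file_for "$1" "$2"); [ -n "$f" ] || return 1
  awk -v c="      chart: $2" '$0==c{hit=1;next} hit&&/^      version: /{print $2;exit}' "$f"
}

# bump_pin <kit-dir> <chart-name> <new-version>: rewrite the pin in place.
# Idempotent (re-running with the same version changes nothing), and a
# missing slot file is a no-op with exit 0, matching the workflow step.
bump_pin() {
  f=$(slot_file_for "$1" "$2"); [ -n "$f" ] || return 0
  awk -v c="      chart: $2" -v v="$3" '
    $0==c{hit=1; print; next}
    hit&&/^      version: /{print "      version: " v; hit=0; next}
    {print}' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}
```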