Skip to content

fix(docker): propagate OPENSHELL_IMAGE_TAG to cross-compile Dockerfiles#530

Merged
drew merged 1 commit intomainfrom
fix-stable-image-tag-in-dockerfiles
Mar 21, 2026
Merged

fix(docker): propagate OPENSHELL_IMAGE_TAG to cross-compile Dockerfiles#530
drew merged 1 commit intomainfrom
fix-stable-image-tag-in-dockerfiles

Conversation

@drew
Copy link
Collaborator

@drew drew commented Mar 21, 2026

Summary

Stable release binaries built via Docker cross-compilation (macOS CLI, Linux/macOS Python wheels) were baking DEFAULT_IMAGE_TAG = "dev" instead of the release semver. This caused these binaries to pull dev-tagged Docker images instead of the version-pinned stable images.

Related Issue

N/A (discovered via investigation)

Changes

  • Added ARG OPENSHELL_IMAGE_TAG to Dockerfile.cli-macos, Dockerfile.python-wheels, and Dockerfile.python-wheels-macos
  • The CI workflows and build scripts already pass OPENSHELL_IMAGE_TAG as a --build-arg, but without the ARG declaration in the Dockerfile, Docker silently drops it
  • Rust's option_env!("OPENSHELL_IMAGE_TAG") reads the env at compile time; without the ARG, it gets None and falls back to "dev"

Root Cause

crates/openshell-bootstrap/src/image.rs defines:

pub const DEFAULT_IMAGE_TAG: &str = match option_env!("OPENSHELL_IMAGE_TAG") {
    Some(tag) => tag,
    None => "dev",
};

Docker ARG values are available as env vars during RUN commands, but only if declared. The three affected Dockerfiles declared ARG OPENSHELL_CARGO_VERSION (for version patching) but not ARG OPENSHELL_IMAGE_TAG (for image tag baking).

Affected Artifacts

Build artifact Was affected? Build method
Linux CLI binary No Direct cargo build in CI container with env var set
macOS CLI binary Yes Dockerfile.cli-macos (missing ARG)
Linux Python wheels Yes Dockerfile.python-wheels (missing ARG)
macOS Python wheels Yes Dockerfile.python-wheels-macos (missing ARG)

Testing

  • mise run pre-commit passes (one unrelated test failure due to local port conflict)
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

The fix is a Dockerfile-only change with no runtime code changes. Verification requires a tagged release build to confirm the baked-in tag is correct.

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

@drew
fix(docker): propagate OPENSHELL_IMAGE_TAG to cross-compile Dockerfiles
15557e5 
Three Dockerfiles that cross-compile CLI binaries via Docker were missing
ARG OPENSHELL_IMAGE_TAG declarations. The CI workflows and build scripts
already pass this as a --build-arg, but without the ARG declaration Docker
silently drops it. This caused Rust's option_env!("OPENSHELL_IMAGE_TAG")
to resolve to None at compile time, falling back to "dev" for
DEFAULT_IMAGE_TAG in stable release binaries.

Affected artifacts:
- macOS CLI binary (Dockerfile.cli-macos)
- Linux Python wheels (Dockerfile.python-wheels)
- macOS Python wheels (Dockerfile.python-wheels-macos)

The Linux CLI binary was not affected because it builds directly in the
CI container where OPENSHELL_IMAGE_TAG is set as a real env var.
@drew drew requested a review from a team as a code owner March 21, 2026 17:46
@drew drew self-assigned this Mar 21, 2026
@drew drew merged commit 7186a77 into main Mar 21, 2026
10 checks passed
@drew drew deleted the fix-stable-image-tag-in-dockerfiles branch March 21, 2026 17:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@drew drew

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@drew