builder: protect LoadInstance with a mutex

CUE is not safe for concurrent access so we protect the main LoadInstance function with a mutex lock.
docs: app.holos.run/description not cli
2026-03-19 00:37:45 +00:00 · 2025-01-02 17:32:53 -08:00 · 2025-01-02 08:36:37 -08:00 · 2024-12-23 10:33:45 -08:00 · 2024-12-23 09:52:09 -08:00 · 2024-12-23 07:23:36 -08:00
6 changed files with 86 additions and 27 deletions
--- a/.github/workflows/container.yaml
+++ b/.github/workflows/container.yaml
@@ -40,22 +40,11 @@ jobs:
      - name: SHA
        id: sha
        run: echo "sha=$(/usr/bin/git log -1 --format='%H')" >> $GITHUB_OUTPUT
+
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-      - name: Login to quay.io
-        uses: docker/login-action@v3
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_USER }}
-          password: ${{ secrets.QUAY_TOKEN }}
-      - name: Login to ghcr.io
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Fetch tags
        run: git fetch --prune --unshallow --tags
      - name: Set Tags
@@ -63,8 +52,14 @@ jobs:
        run: |
          echo "detail=$(/usr/bin/git describe --tags HEAD)" >> $GITHUB_OUTPUT
          echo "suffix=$(test -n "$(git status --porcelain)" && echo '-dirty' || echo '')" >> $GITHUB_OUTPUT
-      - name: Setup Cosign to sign container images
-        uses: sigstore/cosign-installer@v3.7.0
+          echo "tag=$(/usr/bin/git describe --tags HEAD)$(test -n "$(git status --porcelain)" && echo '-dirty' || echo '')" >> $GITHUB_OUTPUT
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push container images
        id: build-and-push
        uses: docker/build-push-action@v6
@@ -73,18 +68,76 @@ jobs:
          platforms: linux/amd64,linux/arm64
          push: true
          tags: |
-            ghcr.io/holos-run/holos:${{ steps.tags.outputs.detail }}${{ steps.tags.outputs.suffix }}
+            ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}
            ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}
-            quay.io/holos-run/holos:${{ steps.tags.outputs.detail }}${{ steps.tags.outputs.suffix }}
-            quay.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}
+      - name: Setup Cosign to sign container images
+        uses: sigstore/cosign-installer@v3.7.0
      - name: Sign with GitHub OIDC Token
        env:
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: |
-          cosign sign --yes ghcr.io/holos-run/holos:${{ steps.tags.outputs.detail }}${{ steps.tags.outputs.suffix }}@${DIGEST}
+          cosign sign --yes ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST}
          cosign sign --yes ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST}
-          cosign sign --yes quay.io/holos-run/holos:${{ steps.tags.outputs.detail }}${{ steps.tags.outputs.suffix }}@${DIGEST}
+
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          owner: ${{ github.repository_owner }}
+          app-id: ${{ vars.GORELEASER_APP_ID }}
+          private-key: ${{ secrets.GORELEASER_APP_PRIVATE_KEY }}
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+      - run: |
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+      - name: Update holos-run/holos-action
+        env:
+          IMAGE: ghcr.io/holos-run/holos:v0.102.1
+          VERSION: ${{ steps.tags.outputs.tag }}
+          USER_ID: ${{ steps.get-user-id.outputs.user-id }}
+          TOKEN: ${{ steps.app-token.outputs.token }}
+        run: |
+          set -euo pipefail
+          git clone "https://github.com/holos-run/holos-action"
+          cd holos-action
+          git remote set-url origin https://${USER_ID}:${TOKEN}@github.com/holos-run/holos-action
+          docker pull --quiet "${IMAGE}"
+          docker run -v $(pwd):/app --workdir /app --rm "${IMAGE}"  \
+            holos cue export --out yaml action.cue -t "version=${VERSION}" > action.yml
+          git add action.yml
+          git commit -m "ci: update holos to ${VERSION} - https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" || (echo "No changes to commit"; exit 0)
+          git push origin HEAD:main HEAD:v0 HEAD:v1
+
+      - name: Login to quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USER }}
+          password: ${{ secrets.QUAY_TOKEN }}
+      - name: Push to quay.io
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          # docker push quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+          docker pull --quiet ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST}
+          docker tag ghcr.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST} \
+                     quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+          docker push quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}
+
+          docker pull --quiet ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST}
+          docker tag ghcr.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST} \
+                     quay.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}
+          docker push quay.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}
+      - name: Sign quay.io image
+        env:
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          cosign sign --yes quay.io/holos-run/holos:${{ steps.tags.outputs.tag }}@${DIGEST}
          cosign sign --yes quay.io/holos-run/holos:${{ steps.sha.outputs.sha }}${{ steps.tags.outputs.suffix }}@${DIGEST}
+
    outputs:
-      sha: ${{ steps.sha.outputs.sha }}
+      tag: ${{ steps.tags.outputs.tag }}
      detail: ${{ steps.tags.outputs.detail }}
--- a/api/core/v1alpha5/types.go
+++ b/api/core/v1alpha5/types.go
@@ -263,7 +263,7 @@ type Metadata struct {
 	// Labels represents a resource selector.
 	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
 	// Annotations represents arbitrary non-identifying metadata.  For example
-	// holos uses the `cli.holos.run/description` annotation to log resources in a
+	// holos uses the `app.holos.run/description` annotation to log resources in a
 	// user customized way.
 	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
 }
@@ -320,7 +320,7 @@ type Component struct {
 	// resulting BuildPlan.
 	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
 	// Annotations represents arbitrary non-identifying metadata.  Use the
-	// `cli.holos.run/description` to customize the log message of each BuildPlan.
+	// `app.holos.run/description` to customize the log message of each BuildPlan.
 	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
 }

--- a/doc/md/api/core.md
+++ b/doc/md/api/core.md
@@ -188,7 +188,7 @@ type Component struct {
    // resulting BuildPlan.
    Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
    // Annotations represents arbitrary non-identifying metadata.  Use the
-    // `cli.holos.run/description` to customize the log message of each BuildPlan.
+    // `app.holos.run/description` to customize the log message of each BuildPlan.
    Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
 }
 ```
@@ -376,7 +376,7 @@ type Metadata struct {
    // Labels represents a resource selector.
    Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
    // Annotations represents arbitrary non-identifying metadata.  For example
-    // holos uses the `cli.holos.run/description` annotation to log resources in a
+    // holos uses the `app.holos.run/description` annotation to log resources in a
    // user customized way.
    Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
 }
--- a/internal/builder/instance.go
+++ b/internal/builder/instance.go
@@ -8,6 +8,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync"

 	"cuelang.org/go/cue"
 	"cuelang.org/go/cue/cuecontext"
@@ -19,6 +20,9 @@ import (
 	"github.com/holos-run/holos/internal/util"
 )

+// cue context and loading is not safe for concurrent use.
+var cueMutex sync.Mutex
+
 // ExtractYAML extracts yaml encoded data from file paths.  The data is unified
 // into one [cue.Value].  If a path element is a directory, all files in the
 // directory are loaded non-recursively.
@@ -67,6 +71,8 @@ func ExtractYAML(ctxt *cue.Context, filepaths []string) (cue.Value, error) {
 // extracted data values are unified with the platform configuration [cue.Value]
 // in the returned [Instance].
 func LoadInstance(path string, filepaths []string, tags []string) (*Instance, error) {
+	cueMutex.Lock()
+	defer cueMutex.Unlock()
 	root, leaf, err := util.FindRootLeaf(path)
 	if err != nil {
 		return nil, errors.Wrap(err)
--- a/internal/generate/platforms/cue.mod/gen/github.com/holos-run/holos/api/core/v1alpha5/types_go_gen.cue
+++ b/internal/generate/platforms/cue.mod/gen/github.com/holos-run/holos/api/core/v1alpha5/types_go_gen.cue
@@ -290,7 +290,7 @@ package core
 	labels?: {[string]: string} @go(Labels,map[string]string)

 	// Annotations represents arbitrary non-identifying metadata.  For example
-	// holos uses the `cli.holos.run/description` annotation to log resources in a
+	// holos uses the `app.holos.run/description` annotation to log resources in a
 	// user customized way.
 	annotations?: {[string]: string} @go(Annotations,map[string]string)
 }
@@ -355,7 +355,7 @@ package core
 	labels?: {[string]: string} @go(Labels,map[string]string)

 	// Annotations represents arbitrary non-identifying metadata.  Use the
-	// `cli.holos.run/description` to customize the log message of each BuildPlan.
+	// `app.holos.run/description` to customize the log message of each BuildPlan.
 	annotations?: {[string]: string} @go(Annotations,map[string]string)
 }

--- a/version/embedded/patch
+++ b/version/embedded/patch
@@ -1 +1 @@
-1
+3
Author	SHA1	Message	Date
Jeff McCune	8660826b05	builder: protect LoadInstance with a mutex CUE is not safe for concurrent access so we protect the main LoadInstance function with a mutex lock.	2025-01-02 17:32:53 -08:00
Jeff McCune	449df91e33	docs: app.holos.run/description not cli The core component documentation on the annotation used to configure the display line for each rendered component was incorrect.	2025-01-02 08:36:37 -08:00
Jeff McCune	ac59173b30	ci: update holos-run/holos-action version (try 3) Fix the use of digests when pulling and pushing images. Pull the image from ghcr.io before pushing it to quay.io	2024-12-23 10:33:45 -08:00
Jeff McCune	fb75e560fc	ci: update holos-run/holos-action version (try 2) When new container image versions are built, automatically update the holos-run/holos-action to use the new version. Users of the action automatically update by default as a result.	2024-12-23 09:52:09 -08:00
Jeff McCune	69a064e3ea	ci: update holos-run/holos-action version When new container image versions are built, automatically update the holos-run/holos-action to use the new version. Users of the action automatically update by default as a result.	2024-12-23 07:23:36 -08:00