From 56ee186ee75bea0305df4d3f28011247abcd7836 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ois=C3=ADn=20Kyne?=
Date: Wed, 1 Jul 2026 03:30:52 +0100
Subject: [PATCH] chore: images
---
 internal/embed/infrastructure/base/templates/llm.yaml | 4 ++--
 internal/embed/infrastructure/base/templates/x402.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/internal/embed/infrastructure/base/templates/llm.yaml b/internal/embed/infrastructure/base/templates/llm.yaml
index 0becfd48..d01d9f0d 100644
--- a/internal/embed/infrastructure/base/templates/llm.yaml
+++ b/internal/embed/infrastructure/base/templates/llm.yaml
@@ -303,14 +303,14 @@ spec:
 - name: x402-buyer
 # Pinned by sha256 digest (multi-arch manifest list, amd64+arm64)
 # so the deployed sidecar is byte-for-byte identical across QA
- # hosts. The :2e8a97e tag is preserved for human readability; the
+ # hosts. The :4c6ddeb tag is preserved for human readability; the
 # digest is authoritative.
 # Previous tag-only pin allowed the local-build path to silently
 # reuse a 5-day-old `:latest` image and ate the release-smoke 503
 # investigation: stale buyer serialized X-PAYMENT with empty
 # authorization fields → facilitator /verify 400 → 503 cascade
 # across flow-08/11/14/13. See internal/embed/embed_image_pin_test.go.
- image: ghcr.io/obolnetwork/x402-buyer:2e8a97e@sha256:9a5de078a65561c7aa53c0a0eea2d8b15d59f037bca574b19d27506e5016171a
+ image: ghcr.io/obolnetwork/x402-buyer:4c6ddeb@sha256:ce447c7ed6dc74c4b3a5fccde3f830cafa6b2651d7ad198df6bd4c72d7e112ba
 imagePullPolicy: IfNotPresent
 # PSS Restricted + writable PVC. On fresh clusters the StorageClass
 # asks local-path-provisioner for local PVs, so kubelet applies the
diff --git a/internal/embed/infrastructure/base/templates/x402.yaml b/internal/embed/infrastructure/base/templates/x402.yaml
index 2121518d..d87ea650 100644
--- a/internal/embed/infrastructure/base/templates/x402.yaml
+++ b/internal/embed/infrastructure/base/templates/x402.yaml
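Review bot: Nothing in this change records how the new digest on the x402-buyer `image:` line in llm.yaml was resolved. The comment above it says the digest is authoritative and the tag is only for readability, so a digest that does not belong to the 4c6ddeb build would presumably still deploy without complaint. The verifier and serviceoffer-controller pins in x402.yaml have the same gap. I would add a line such as `# Digest is the manifest-list digest of :4c6ddeb; check with: docker buildx imagetools inspect ghcr.io/obolnetwork/x402-buyer:4c6ddeb` and give the source of the three digests in the commit description. The referenced embed_image_pin_test.go may already assert the pin format, but whether it checks tag/digest agreement is not visible from the hunk.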
@@ -262,7 +262,7 @@ spec:
 type: RuntimeDefault
 containers:
 - name: verifier
- image: ghcr.io/obolnetwork/x402-verifier:2e8a97e@sha256:cb827c358454fe2242602f3e2d78afde28b59bac747538d4b22cbabbf8e49c44
+ image: ghcr.io/obolnetwork/x402-verifier:4c6ddeb@sha256:73190427fed2b650d9edec2f78bb9a3c8f1837738389128a931a51a842f9b70d
 imagePullPolicy: IfNotPresent
 # PSS Restricted: per-container hardening. Verifier is a Go binary
 # reading two RO ConfigMaps; no writeable rootfs paths required.
@@ -364,7 +364,7 @@ spec:
 # bug; b39bcaa (post-rc10 main) carries it, and also ships PR #590's
 # actionable pending-registration status message.
 # See TestServiceOfferControllerImage_CarriesSecretCreateOnlyFix.
- image: ghcr.io/obolnetwork/serviceoffer-controller:2e8a97e@sha256:b4809c6e132c6da27e97955e1e806341b5e03e0a2ff05840843c9e0ddfbfe218
+ image: ghcr.io/obolnetwork/serviceoffer-controller:4c6ddeb@sha256:5ba1226a136d33ffdaca714fd825c5b1b8d86f777894e170bdcca19a74bb5d77
 imagePullPolicy: IfNotPresent
 securityContext:
 allowPrivilegeEscalation: false
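Review bot: The comment above the serviceoffer-controller `image:` line in the second hunk still names b39bcaa as the build that carries the fix, while the pin now reads 4c6ddeb. A reader cannot tell from the file that the fix referenced by TestServiceOfferControllerImage_CarriesSecretCreateOnlyFix is retained. If 4c6ddeb descends from b39bcaa, the comment should say so, for example `# 4c6ddeb (descendant of b39bcaa) retains the fix.` The comment block starts above the hunk, so its earlier lines may need the same update.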