Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions internal/embed/infrastructure/base/templates/llm.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -303,14 +303,14 @@ spec:
- name: x402-buyer
# Pinned by sha256 digest (multi-arch manifest list, amd64+arm64)
# so the deployed sidecar is byte-for-byte identical across QA
# hosts. The :2e8a97e tag is preserved for human readability; the
# hosts. The :4c6ddeb tag is preserved for human readability; the
# digest is authoritative.
# Previous tag-only pin allowed the local-build path to silently
# reuse a 5-day-old `:latest` image and ate the release-smoke 503
# investigation: stale buyer serialized X-PAYMENT with empty
# authorization fields → facilitator /verify 400 → 503 cascade
# across flow-08/11/14/13. See internal/embed/embed_image_pin_test.go.
image: ghcr.io/obolnetwork/x402-buyer:2e8a97e@sha256:9a5de078a65561c7aa53c0a0eea2d8b15d59f037bca574b19d27506e5016171a
image: ghcr.io/obolnetwork/x402-buyer:4c6ddeb@sha256:ce447c7ed6dc74c4b3a5fccde3f830cafa6b2651d7ad198df6bd4c72d7e112ba
imagePullPolicy: IfNotPresent
# PSS Restricted + writable PVC. On fresh clusters the StorageClass
# asks local-path-provisioner for local PVs, so kubelet applies the
Expand Down
4 changes: 2 additions & 2 deletions internal/embed/infrastructure/base/templates/x402.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -262,7 +262,7 @@ spec:
type: RuntimeDefault
containers:
- name: verifier
image: ghcr.io/obolnetwork/x402-verifier:2e8a97e@sha256:cb827c358454fe2242602f3e2d78afde28b59bac747538d4b22cbabbf8e49c44
image: ghcr.io/obolnetwork/x402-verifier:4c6ddeb@sha256:73190427fed2b650d9edec2f78bb9a3c8f1837738389128a931a51a842f9b70d
imagePullPolicy: IfNotPresent
# PSS Restricted: per-container hardening. Verifier is a Go binary
# reading two RO ConfigMaps; no writeable rootfs paths required.
Expand Down Expand Up @@ -364,7 +364,7 @@ spec:
# bug; b39bcaa (post-rc10 main) carries it, and also ships PR #590's
# actionable pending-registration status message.
# See TestServiceOfferControllerImage_CarriesSecretCreateOnlyFix.
image: ghcr.io/obolnetwork/serviceoffer-controller:2e8a97e@sha256:b4809c6e132c6da27e97955e1e806341b5e03e0a2ff05840843c9e0ddfbfe218
image: ghcr.io/obolnetwork/serviceoffer-controller:4c6ddeb@sha256:5ba1226a136d33ffdaca714fd825c5b1b8d86f777894e170bdcca19a74bb5d77
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
Expand Down
Loading