set image ref on create, validate digest

nicktrn · nicktrn · commit ffa725f621c7 · 2025-05-31T19:55:05.000+01:00
diff --git a/apps/webapp/app/v3/services/finalizeDeployment.server.ts b/apps/webapp/app/v3/services/finalizeDeployment.server.ts
@@ -60,6 +60,8 @@ export class FinalizeDeploymentService extends BaseService {
       throw new ServiceValidationError("Worker deployment is not in DEPLOYING status");
     }
 
+    const imageDigest = validatedImageDigest(body.imageDigest);
+
     // Link the deployment with the background worker
     const finalizedDeployment = await this._prisma.workerDeployment.update({
       where: {
@@ -69,9 +71,7 @@ export class FinalizeDeploymentService extends BaseService {
         status: "DEPLOYED",
         deployedAt: new Date(),
         // Only add the digest, if any
-        imageReference: body.imageDigest
-          ? `${deployment.imageReference}@${body.imageDigest}`
-          : undefined,
+        imageReference: imageDigest ? `${deployment.imageReference}@${imageDigest}` : undefined,
       },
     });
 
@@ -121,3 +121,16 @@ export class FinalizeDeploymentService extends BaseService {
     return finalizedDeployment;
   }
 }
+
+function validatedImageDigest(imageDigest?: string): string | undefined {
+  if (!imageDigest) {
+    return;
+  }
+
+  if (!/^sha256:[a-f0-9]{64}$/.test(imageDigest.trim())) {
+    logger.error("Invalid image digest", { imageDigest });
+    return;
+  }
+
+  return imageDigest.trim();
+}
diff --git a/apps/webapp/app/v3/services/finalizeDeploymentV2.server.ts b/apps/webapp/app/v3/services/finalizeDeploymentV2.server.ts
@@ -34,6 +34,7 @@ export class FinalizeDeploymentV2Service extends BaseService {
         version: true,
         externalBuildData: true,
         environment: true,
+        imageReference: true,
         worker: {
           select: {
             project: true,
@@ -87,13 +88,12 @@ export class FinalizeDeploymentV2Service extends BaseService {
       throw new ServiceValidationError("Missing depot token");
     }
 
-    const digest = body.imageDigest;
+    // All new deployments will set the image reference at creation time
+    if (!deployment.imageReference) {
+      throw new ServiceValidationError("Missing image reference");
+    }
 
-    logger.debug("Pushing image to registry", {
-      id,
-      deployment,
-      digest,
-    });
+    logger.debug("Pushing image to registry", { id, deployment, body });
 
     const pushResult = await executePushToRegistry(
       {
@@ -112,6 +112,7 @@ export class FinalizeDeploymentV2Service extends BaseService {
           version: deployment.version,
           environmentSlug: deployment.environment.slug,
           projectExternalRef: deployment.worker.project.externalRef,
+          imageReference: deployment.imageReference,
         },
       },
       writer
@@ -129,11 +130,7 @@ export class FinalizeDeploymentV2Service extends BaseService {
     });
 
     const finalizeService = new FinalizeDeploymentService();
-
-    const finalizedDeployment = await finalizeService.call(authenticatedEnv, id, {
-      skipPromotion: body.skipPromotion,
-      imageDigest: digest,
-    });
+    const finalizedDeployment = await finalizeService.call(authenticatedEnv, id, body);
 
     return finalizedDeployment;
   }
@@ -155,6 +152,7 @@ type ExecutePushToRegistryOptions = {
     version: string;
     environmentSlug: string;
     projectExternalRef: string;
+    imageReference: string;
   };
 };
 
@@ -180,11 +178,9 @@ async function executePushToRegistry(
     password: registry.password,
   });
 
-  const imageTag = `${registry.host}/${registry.namespace}/${deployment.projectExternalRef}:${deployment.version}.${deployment.environmentSlug}`;
+  const imageTag = deployment.imageReference;
 
   // Step 2: We need to run the depot push command
-  // DEPOT_TOKEN="<org token>" DEPOT_PROJECT_ID="<project id>" depot push <build id> -t registry.digitalocean.com/trigger-failover/proj_bzhdaqhlymtuhlrcgbqy:20250124.54.prod
-  // Step 4: Build and push the image
   const childProcess = execDepot(["push", depot.buildId, "-t", imageTag, "--progress", "plain"], {
     env: {
       NODE_ENV: process.env.NODE_ENV,
@@ -208,10 +204,7 @@ async function executePushToRegistry(
         const lines = text.split("\n").filter(Boolean);
 
         errors.push(...lines);
-        logger.debug(text, {
-          imageTag,
-          deployment,
-        });
+        logger.debug(text, { deployment });
 
         // Now we can write strings directly
         if (writer) {
diff --git a/apps/webapp/app/v3/services/initializeDeployment.server.ts b/apps/webapp/app/v3/services/initializeDeployment.server.ts
@@ -68,19 +68,11 @@ export class InitializeDeploymentService extends BaseService {
           })
         : undefined;
 
-      const imageRefParts = [
+      const imageRef = [
+        env.DEPLOY_REGISTRY_HOST,
         env.DEPLOY_REGISTRY_NAMESPACE,
         `${environment.project.externalRef}:${nextVersion}.${environment.slug}`,
-      ];
-
-      const isLocalBuild = !externalBuildData;
-
-      // Local builds require the registry host to be able to push the image
-      if (isLocalBuild) {
-        imageRefParts.unshift(env.DEPLOY_REGISTRY_HOST);
-      }
-
-      const imageRef = imageRefParts.join("/");
+      ].join("/");
 
       logger.debug("Creating deployment", {
         environmentId: environment.id,
