Skip to content

Bump to lsc guest authorization support #155

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
eranco74 merged 1 commit into from
Aug 27, 2025
Merged

Bump to lsc guest authorization support #155

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions Containerfile.assisted-chat
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# vim: set filetype=dockerfile
# This is the digest of quay.io/lightspeed-core/lightspeed-stack:dev-20250826-913b5a6
FROM quay.io/lightspeed-core/lightspeed-stack@sha256:09d6e2222eb058d85bfdc4e1283b18cee086182a711d71e2c983f355af6dc7b7
# This is the digest of quay.io/lightspeed-core/lightspeed-stack:dev-20250827-3e2d883
FROM quay.io/lightspeed-core/lightspeed-stack@sha256:0171ec44c1684e0eb2961366a0e0cfcf99be49f25a28248deccc38dceef068ca
Comment on lines +2 to +3
Copy link

@coderabbitai coderabbitai bot Aug 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Verification agent

🧩 Analysis chain

Verify tag↔digest mapping (and signature) for supply-chain safety.
Please confirm the sha256 matches dev-20250827-3e2d883 and, if applicable, verify signatures.

🏁 Script executed:

#!/bin/bash
# Compare digest for the annotated tag vs pinned digest
TAG=dev-20250827-3e2d883
IMG=quay.io/lightspeed-core/lightspeed-stack
PIN=sha256:0171ec44c1684e0eb2961366a0e0cfcf99be49f25a28248deccc38dceef068ca

skopeo inspect docker://$IMG:$TAG | jq -r .Digest
echo "Pinned: $PIN"

# Optional: cosign verification (requires public key setup if used)
# cosign verify --key cosign.pub $IMG@${PIN}

Length of output: 521

I’ll fetch the manifest headers directly via the Docker Registry API to extract the digest for the dev-20250827-3e2d883 tag and compare it against the pinned value.

🏁 Script executed:

#!/bin/bash
TAG=dev-20250827-3e2d883
REPO=lightspeed-core/lightspeed-stack

# Query the manifest for the tag and extract the Docker-Content-Digest header
curl -sI \
  -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
  https://quay.io/v2/${REPO}/manifests/${TAG} \
  | grep -i Docker-Content-Digest

echo "Expected: sha256:0171ec44c1684e0eb2961366a0e0cfcf99be49f25a28248deccc38dceef068ca"

Length of output: 527

Digest Mismatch Detected – Action Required

The manifest digest returned by Quay for tag dev-20250827-3e2d883 does not match the pinned digest in your Containerfile. This discrepancy poses a supply-chain integrity risk and must be corrected before merging.

• File: Containerfile.assisted-chat (Lines 2–3)
• Queried registry digest for quay.io/lightspeed-core/lightspeed-stack:dev-20250827-3e2d883:
sha256:909aa6516dcb53c106f33419b0f0018a53a3b5942e07666018b795a036db35fb
• Pinned digest in Containerfile:
sha256:0171ec44c1684e0eb2961366a0e0cfcf99be49f25a28248deccc38dceef068ca

Please verify which digest is correct, update the @sha256: reference to match the registry’s value, and—if you’re using cosign or another signature tool—re-run signature verification against the updated digest.

🤖 Prompt for AI Agents 
In Containerfile.assisted-chat around lines 2–3, the pinned image digest
(sha256:0171ec44c1684e0eb2961366a0e0cfcf99be49f25a28248deccc38dceef068ca) does
not match the registry’s manifest digest
(sha256:909aa6516dcb53c106f33419b0f0018a53a3b5942e07666018b795a036db35fb);
update the FROM line to use the correct
@sha256:909aa6516dcb53c106f33419b0f0018a53a3b5942e07666018b795a036db35fb value,
then re-run your signature/cosign verification against that digest to ensure the
image is properly signed and the change is valid before merging.


RUN python3 -m ensurepip --default-pip && pip install --upgrade pip

Expand Down
2 changes: 1 addition & 1 deletion lightspeed-stack
Open in desktop
Submodule lightspeed-stack updated 13 files
+4 −3 .github/workflows/bandit.yaml
+4 −2 src/app/endpoints/query.py
+6 −4 src/app/endpoints/streaming_query.py
+4 −0 src/auth/interface.py
+5 −3 src/auth/jwk_token.py
+5 −0 src/authorization/resolvers.py
+1 −1 src/client.py
+3 −3 src/models/config.py
+1 −1 tests/unit/app/endpoints/test_models.py
+1 −1 tests/unit/app/endpoints/test_streaming_query.py
+5 −4 tests/unit/auth/test_jwk_token.py
+5 −5 tests/unit/models/test_config.py
+27 −27 uv.lock
5 changes: 4 additions & 1 deletion template.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -186,7 +186,6 @@ objects:
- delete_conversation
- feedback
- get_metrics
- info
# "nobody" is a made up role, doesn't do anything but just good for being explicit
# about what is not allowed by anyone
- role: nobody
Expand All @@ -199,6 +198,10 @@ objects:
- delete_other_conversations
- list_other_conversations
- read_other_conversations
# For k8s pod probes
- role: "*"
actions:
- info
mcp_servers:
- name: mcp::assisted
url: "${MCP_SERVER_URL}"
Expand Down