Skip to content

chore(pivot): wave 2 — PR-D (ko image) + _build/ filter + PR-B reframe#176

Merged
trilamsr merged 3 commits into
mainfrom
chore/pivot-wave2-velocity
May 31, 2026
Merged

chore(pivot): wave 2 — PR-D (ko image) + _build/ filter + PR-B reframe#176
trilamsr merged 3 commits into
mainfrom
chore/pivot-wave2-velocity

Conversation

@trilamsr

Copy link
Copy Markdown
Contributor

What this PR does

Three RFC-0013 workstreams bundled. Velocity push.

PR-D: production container image build → ko

  • New .ko.yaml at repo root: gcr.io/distroless/static-debian12:nonroot pinned by digest (matches prior Dockerfile pin bit-for-bit, preserving chart's runAsUser: 65532 posture), linux/{amd64,arm64}, ldflags matched to .goreleaser.yaml so in-image binary is shape-identical to the goreleaser archive.
  • New ko-publish job in .github/workflows/release.yml: runs after goreleaser, multi-arch build, cosign-keyless sign of manifest by digest, actions/attest-build-provenance pushed into the registry. Pinned ko-build/setup-ko@v0.9 by SHA.
  • DELETED root Dockerfile — replaced by .ko.yaml; git history is the archive (no-bloat directive). Chart-local install/kubernetes/tracecore/Dockerfile retained (kind-CI reference, used by chart.yml + install-bench.yml).
  • scripts/base-digest-check.sh reads pin from .ko.yaml::defaultBaseImage instead of the deleted Dockerfile.
  • install/kubernetes/tracecore/README.md local-build snippet swap: ko build --local; clarifies chart-local Dockerfile is kind-CI only.
  • Chart image.repository unchanged (ghcr.io/tracecoreai/tracecore already matches ko-published path).

Fix: make fmt / make license-check walked _build/

After make build-ocb, the OCB-generated output dir _build/ poisoned make verify because gofumpt + license-check recursed into upstream-licensed generated files. Bug surfaced during PR #174 self-review.

  • make fmt / make fmt-fix: pipe through grep -v '^_build/' after gofumpt.
  • make license-check / make license-fix: add -not -path './_build/*' to find.

PR-B reframed: self-tel rename is a side-effect of PR-A + PR-F, not a caller rewrite

Investigation found the upstream APIs RFC-0013 §migration PR-B prescribes are architecturally incompatible with PR-B's "replace internal/selftelemetry/ callers" framing:

  • service/telemetry exposes one-per-binary boot-time setup, not per-component IncError/IncEmissions/ObserveLatency/SetDegraded/MarkActivity.
  • componentstatus is a status-event surface (StatusOK/StatusRecoverableError/StatusPermanentError), not a metrics emitter.
  • The standard otelcol_* metrics RFC-0013 §2 promises are emitted by upstream receiver/scraperhelper, exporter/exporterhelper, and the OCB-generated pipeline runtime — NOT by our in-tree receivers, which don't use those helpers.

The rename therefore arrives automatically once PR-A's OCB binary boots and PR-F deletes the in-tree receivers. No caller rewrite is needed in between. RFC-0013 §migration PR-B collapses into PR-F; the standalone PR-B step becomes documentation-only and lives in the new CHANGELOG entry.

Investigation evidence: 30 non-test importers of internal/selftelemetry/, 11 tracecore.* metric emit sites, go list -m go.opentelemetry.io/collector/component returns "not a known dependency" (the packages live inside the OCB-assembled binary, not the per-component module graph).

Root cause

  • PR-D: straightforward swap; Dockerfile complexity disappears into .ko.yaml.
  • _build/ walker bug: make fmt / license-check used . as the find root with no excludes; OCB output is generated under ./_build/ so it ended up in scope.
  • PR-B reframe: RFC-0013 §migration PR-B was scoped before measuring the upstream API surface. Reality is that componentstatus and service/telemetry were the wrong abstractions to point at; the rename is a free side-effect of the binary swap, not a separate task.

Release notes

[CHANGE] Production container image build moved to `ko`. Root `Dockerfile` deleted; `.ko.yaml` at repo root drives a multi-arch (`linux/{amd64,arm64}`) build of `./cmd/tracecore` on top of the same `gcr.io/distroless/static-debian12:nonroot` digest pin the deleted Dockerfile used. Chart `image.repository` unchanged. Image is now built, signed, and attested in the same `release.yml` workflow as the binary archives.

Test plan

  • make verify runs and passes
  • make build-ocb builds OCB binary
  • make fmt passes WITH _build/ populated (filter works)
  • make license-check passes WITH _build/ populated (filter works)
  • scripts/base-digest-check.sh --warn confirms ko pin matches live registry
  • make actionlint + make zizmor pass on the new ko-publish workflow job
  • End-to-end ko build via CI on first tag push (gated until a tag exists)

Three RFC-0013 workstreams bundled. Wave-2 velocity push.

**PR-D (image build → ko) — landed:**
- New `.ko.yaml` at repo root: distroless base pinned by digest (matches
  prior Dockerfile pin), linux/{amd64,arm64} platforms, ldflags matched
  to `.goreleaser.yaml` so in-image binary is shape-identical to the
  goreleaser archive.
- New `ko-publish` job in `.github/workflows/release.yml`: runs after
  goreleaser, multi-arch build, cosign-keyless sign of manifest by digest,
  attest-build-provenance pushed into the registry.
- DELETED root `Dockerfile` — replaced by `.ko.yaml`; git history preserves.
  Chart-local `install/kubernetes/tracecore/Dockerfile` retained (kind-CI
  reference, used by chart.yml + install-bench.yml).
- `scripts/base-digest-check.sh` reads pin from `.ko.yaml::defaultBaseImage`
  instead of the deleted Dockerfile.
- `install/kubernetes/tracecore/README.md` swap: local-build snippet uses
  `ko build --local`; clarifies chart-local Dockerfile is kind-CI only.
- Chart `image.repository` unchanged: `ghcr.io/tracecoreai/tracecore`
  already matches ko-published path.

**_build/ filter (PR-A1 bug fix):**
- `make fmt`/`make license-check`/their `-fix` variants walked into
  `./_build/` (OCB-generated output), failing on upstream-licensed files.
- Filter via `grep -v '^_build/'` (gofumpt) + `-not -path './_build/*'`
  (find). All four targets now skip OCB output.

**PR-B (self-tel adoption) — REFRAMED as doc-only:**
- Investigation found `service/telemetry` + `componentstatus` are not
  drop-in replacements for `internal/selftelemetry/`'s IncError /
  IncEmissions / ObserveLatency / SetDegraded / MarkActivity surface.
- Standard `otelcol_*` metrics RFC-0013 §2 promises come from upstream
  `receiver/scraperhelper` + `exporter/exporterhelper` + the OCB pipeline
  runtime — NOT from `componentstatus` (status-event surface only).
- Rename therefore arrives automatically once PR-A's OCB binary boots
  and PR-F deletes the in-tree receivers. No caller rewrite needed.
- RFC-0013 §migration PR-B collapses into PR-F; standalone PR-B is now
  documentation-only and lives in this CHANGELOG entry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Signed-off-by: Tri Lam <tri@maydow.com>
@trilamsr trilamsr enabled auto-merge (squash) May 31, 2026 01:33
Tri Lam added 2 commits May 30, 2026 18:34
…ocity

# Conflicts:
#	.github/workflows/release.yml
#	MILESTONES.md
TestPipeline_E2E_LineEmittedWithAttribution is timing-sensitive under
-race (informer + healthLoop poll cadence). Failed twice in CI on
unrelated PRs (#175, #176). Receiver is slated for v0.2.0 deletion
per RFC-0013 §7; M19 join contract re-homes to
processor/rankjoinprocessor against upstream filelogreceiver +
k8sobjectsreceiver (tracked in issue #163).

Per no-bloat: investing in a fix for a dying receiver wrong shape.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Signed-off-by: Tri Lam <tri@maydow.com>
@trilamsr trilamsr merged commit 4c5dc4d into main May 31, 2026
13 checks passed
@trilamsr trilamsr deleted the chore/pivot-wave2-velocity branch May 31, 2026 01:48
trilamsr added a commit that referenced this pull request May 31, 2026
…ft (#178)

## What this PR does

Sweeps three drift sites that surfaced after wave-2 PRs landed:

- `CHANGELOG.md`: replaces stale "Pivot wave 1 landed [...] PR-A is
next" prose (written before PR-A actually merged in #171) with the full
landed history through #176. Adds two paragraphs documenting the PR-E
blocker (upstream `telemetrygeneratorreceiver` doesn't exist) and the
PR-F deferral (chart default pipeline hardwires the to-be-deleted
receivers; deletion happens together with the v0.2.0 recipe migration in
PR-K to avoid an interim chart break).
- `bench/install/tracecore-values.yaml`: the PR-E status note pointed at
"PR-F deletion" as the rewire trigger. Corrected to PR-K since PR-F is
deferred.
- `.goreleaser.yaml`: header still referenced the deleted
`.github/workflows/archived/release.yml.legacy` path. Replaced with
"preserved in git history" (matches what other docs already say after PR
#175).

## Root cause

Wave-2 PRs landed faster than the in-tree status prose could keep up.
The CHANGELOG paragraph in particular was authored mid-pivot before PR-A
merged, and was never refreshed. Caught in a post-merge sweep.

## Release notes

```release-notes
NONE
```

## Test plan

- [x] `make verify` runs and passes
- [x] `grep -r "workflows/archived" .` returns only the (untouched) RFC
reference, which is binding-doc and out of scope for this sweep
- [x] CHANGELOG and bench values still parse as YAML / markdown

Signed-off-by: Tri Lam <tri@maydow.com>
Co-authored-by: Tri Lam <tri@maydow.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant