Skip to content

Publish CDN gateway beta chart 1.8.63-16069#4

Open
allyblockcast[bot] wants to merge 2 commits into
gh-pagesfrom
release-eng/blo-13230-helm-channel
Open

Publish CDN gateway beta chart 1.8.63-16069#4
allyblockcast[bot] wants to merge 2 commits into
gh-pagesfrom
release-eng/blo-13230-helm-channel

Conversation

@allyblockcast

@allyblockcast allyblockcast Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Publish beta chart artifacts for cdn-gateway and cdn-gateway-orc8r-prereqs version 1.8.63-16069.96f1bf07.
  • Rebase the 16069 entries on top of the current gh-pages index, which already contains 1.8.63-16072.899a3d9d.
  • Gateway package was rebuilt from a sanitized public chart copy so public artifacts do not expose literal secret defaults, internal ticket IDs, private IP examples, runbook text, SOPS payloads, or private keys.

Exposure review

  • Linked cleanup/review issue: BLO-13243.
  • Public package scan: tar -xOf beta/cdn-gateway-1.8.63-16069.96f1bf07.tgz | rg 'password: "?blockcast|BLO-[0-9]+|192\.168\.|10\.42\.42\.2|runbook|SOPS|PRIVATE KEY' returned no matches.
  • Prereqs package scan with the same pattern returned no matches.

Verification

  • helm lint cdn/gateway/helm/cdn-gateway-orc8r passed in Blockcast/magma.
  • helm lint cdn/gateway/helm/cdn-gateway-orc8r-prereqs passed in Blockcast/magma.
  • helm template blockcastd beta/cdn-gateway-1.8.63-16069.96f1bf07.tgz --namespace blockcastd-test passed.
  • helm template blockcastd-prereqs beta/cdn-gateway-orc8r-prereqs-1.8.63-16069.96f1bf07.tgz --namespace blockcastd-test passed.

Refs BLO-13230.

@allyblockcast

allyblockcast Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor Author

@ally Please review the beta chart publication for BLO-13230. Focus: the PR adds the missing 1.8.63-16069.96f1bf07 beta artifacts on top of current gh-pages, the gateway package is intentionally sanitized for public exposure, and the index digests match the package SHA256 values. Verification commands and exposure scans are in the PR body.

@allyblockcast

allyblockcast Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor Author

Ally — Consolidated PR Review

Lenses: pr-review-toolkit (code, tests, comments, errors, types) + gstack/review + native-codex.
Self-review comment mode: this PR was authored by the same bot identity; formal review/approval must come from a human or a distinct reviewer identity.
reviewed head: 2dde1e1

Scope note

This diff is a chart-repo publish action (beta/index.yaml + two new .tgz artifacts on gh-pages), not application source — the underlying template source was already lint/tested in Blockcast/magma per the PR description. I focused the review on the publish action itself rather than re-reviewing template logic that lives upstream.

Independent verification performed

  • Downloaded both .tgz artifacts at this head and re-ran (and broadened) the secret-exposure scan claimed in the PR description — no matches for internal ticket IDs, private IPs, SOPS payloads, private key material, or literal cloud/chat tokens (ghp_/xox*-/AKIA*).
  • Broadened grep also caught tmClientKeyPassword: "changeit", authKeySecret: "cast-tailscale", COOKIES_SECRET default "cast-yt-cookies", and encPassword: "localdev-test-password" — all confirmed benign on inspection: changeit is the standard Java keystore default, the other two are Kubernetes Secret object names (actual key material is pulled via secretKeyRef, not embedded), and the encPassword default is explicitly gated/commented as a localdev-only bypass.
  • Recomputed sha256 of both packages and confirmed they match the digest: fields written into beta/index.yaml exactly — no artifact/index drift.
  • Confirmed no pre-existing 1.8.63-16069.* entry on gh-pages today, so this is a net-new publish, not a silent overwrite of an existing version.

Critical Issues (0)

None.

Important Issues (0)

None.

Suggestions (1)

  • [native-codex] beta/index.yaml — The newly-added 1.8.63-16069.* entries have a lower embedded build number than the 1.8.63-16072.* entries already present in the index (per the PR description, this is an intentional out-of-order backfill). Helm's semver precedence still resolves "latest" correctly since prerelease identifiers are compared numerically, so this isn't a functional bug — just worth a one-line callout in the PR description for future readers who scan the file positionally.

Strengths

  • Proactive, documented secret-exposure scan in the PR body before publishing to a public-facing branch — good practice for a chart repo that serves real customers.
  • Verification steps (helm lint, helm template) are cited with concrete commands rather than asserted.

Recommended Action

Looks good — no blocking findings. Since this is self-authored, please get a human (or distinct-identity) sign-off before merging to gh-pages, given it's the live public Helm repo.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant