Move to the signed OCI/ECR sifter (sifter-build v1), superseding the v2 migration#7
Draft
danl-aisi wants to merge 1 commit into
Draft
Move to the signed OCI/ECR sifter (sifter-build v1), superseding the v2 migration#7danl-aisi wants to merge 1 commit into
danl-aisi wants to merge 1 commit into
Conversation
Supersedes the sifter v2 migration (#4). No app code changes — sifter v1's API is unchanged; only the distribution was renamed and the OCI/ECR backend added. Registry guidance moves from S3 to the signed OCI/ECR registry.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Move to the signed OCI/ECR sifter (v1 + signing), not sifter v2
Point isambard-containers at the sifter distribution that is actually shipping:
the v1 sifter with the OCI/ECR registry backend + cosign signing, released under
the renamed distribution
sifter-build(import package and CLI staysifter). This supersedes #4 (the sifter v2 migration), which is parked — v2is the longer-term successor, and this is the fast path to a signed registry now.
Because sifter v1's public API is unchanged (the port only renamed the
distribution and added the OCI/ECR backend), no application code changes are
needed —
serve.py,run_benchmark.py, and the demos keep using the samefind_latest_container/resolve_container/get_jobsAPI. The change is:pyproject.toml: depend onsifter-buildinstead ofsifter(same importname), sourced from the sifter repo.
sifter.yaml/README: registry guidance is now the signed OCI/ECR registry(
SIFTER_REGISTRIES) rather than S3; the registry is selected by environment,so nothing in the manifest hardcodes it.
uv.lock: regenerated.Verified on an Isambard login node:
sifter-buildinstalls, the tools importagainst it, and push/pull to the real ECR registry round-trips with cosign
sign-on-push and verify-on-pull (fail-closed on a bad/absent signature).
For review
dan/oci-ecr-signing); the[tool.uv.sources]git ref points at that branch. Once it merges, drop thebranch=so it tracks the default branch.called
sifter-build).🤖 Generated with Claude Code