Integrate CLIPV2 build pipeline #1463
Co-authored-by: luke <[email protected]>
This change ensures that image builds correctly handle insecure registries by disabling TLS verification when necessary. Co-authored-by: luke <[email protected]>
Reviewed changes from recent commits (found 5 issues).
5 issues found across 19 files
Prompt for AI agents (all 5 issues)
Understand the root cause of the following 5 issues and fix them.
<file name="pkg/worker/image.go">
<violation number="1" location="pkg/worker/image.go:329">
Rule violated: **Prevent Redundant Code Duplication**
The new credential-provider setup repeats the same SourceImageCreds parsing logic that you just added in createOCIImageWithProgress. Please extract this shared flow into a helper so both code paths reuse it and stay consistent with the Prevent Redundant Code Duplication guideline.</violation>
</file>
<file name="pkg/abstractions/image/image.go">
<violation number="1" location="pkg/abstractions/image/image.go:146">
Rule violated: **Prevent Redundant Code Duplication**
This block duplicates the credential-conversion logic already handled inside BuildOpts.setCustomImageBuildOptions. Because initializeBuildConfiguration ultimately calls that helper, the new code repeats the same work and any future change to credential handling must be updated in two places, violating the no-duplication guideline.</violation>
<violation number="2" location="pkg/abstractions/image/image.go:502">
Using context.Background() here (and on SetImageCredentialSecret just below) drops request cancellation, deadlines, and tracing metadata. Please keep the original ctx so secret persistence respects the caller’s lifecycle.</violation>
</file>
<file name="pkg/scheduler/scheduler.go">
<violation number="1" location="pkg/scheduler/scheduler.go:410">
Logging the decrypted OCI credentials exposes sensitive registry secrets in plaintext logs. Remove or redact the value before logging.</violation>
</file>
<file name="pkg/registry/credentials.go">
<violation number="1" location="pkg/registry/credentials.go:47">
ParseCredentialsFromEnv drops DOCKERHUB_USERNAME/DOCKERHUB_PASSWORD, so Docker Hub auth fails when credentials come from env. Please add these keys to knownCredKeys.</violation>
</file>
React with 👍 or 👎 to teach cubic. Mention @cubic-dev-ai to give feedback, ask questions, or re-run the review.
| // Attach credential provider for runtime layer loading | ||
| var credProvider clipCommon.RegistryCredentialProvider | ||
|
|
||
| if request.ImageCredentials != "" { |
Rule violated: Prevent Redundant Code Duplication
The new credential-provider setup repeats the same SourceImageCreds parsing logic that you just added in createOCIImageWithProgress. Please extract this shared flow into a helper so both code paths reuse it and stay consistent with the Prevent Redundant Code Duplication guideline.
Prompt for AI agents
Address the following comment on pkg/worker/image.go at line 329:
<comment>The new credential-provider setup repeats the same SourceImageCreds parsing logic that you just added in createOCIImageWithProgress. Please extract this shared flow into a helper so both code paths reuse it and stay consistent with the Prevent Redundant Code Duplication guideline.</comment>
<file context>
@@ -325,33 +324,36 @@ func (c *ImageClient) PullLazy(ctx context.Context, request *types.ContainerRequ
- Msg("no image credentials provided, using default provider chain")
+ var credProvider clipCommon.RegistryCredentialProvider
+
+ if request.ImageCredentials != "" {
+ // Runtime container: credentials already in JSON format from secret
+ credProvider = c.createCredentialProvider(ctx, request.ImageCredentials, imageId)
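Review bot: the call on the last added line, `credProvider = c.createCredentialProvider(ctx, request.ImageCredentials, imageId)`, returns a single value, so an unparsable ImageCredentials string has no visible error path in PullLazy. Return an error as well, or document that a nil provider means "fall back to the default chain", and keep a log line for the fallback case: the removed "no image credentials provided, using default provider chain" message was the only indication in this hunk of which provider a pull ended up using.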
</file context>
| buildOptions.ClipVersion = clipVersion | ||
|
|
||
| // Process credentials for custom base image (if provided) | ||
| if buildOptions.ExistingImageUri != "" && len(buildOptions.ExistingImageCreds) > 0 { |
Rule violated: Prevent Redundant Code Duplication
This block duplicates the credential-conversion logic already handled inside BuildOpts.setCustomImageBuildOptions. Because initializeBuildConfiguration ultimately calls that helper, the new code repeats the same work and any future change to credential handling must be updated in two places, violating the no-duplication guideline.
Prompt for AI agents
Address the following comment on pkg/abstractions/image/image.go at line 146:
<comment>This block duplicates the credential-conversion logic already handled inside BuildOpts.setCustomImageBuildOptions. Because initializeBuildConfiguration ultimately calls that helper, the new code repeats the same work and any future change to credential handling must be updated in two places, violating the no-duplication guideline.</comment>
<file context>
@@ -138,9 +137,21 @@ func (is *RuncImageService) BuildImage(in *pb.BuildImageRequest, stream pb.Image
buildOptions.ClipVersion = clipVersion
+ // Process credentials for custom base image (if provided)
+ if buildOptions.ExistingImageUri != "" && len(buildOptions.ExistingImageCreds) > 0 {
+ baseImageCreds, err := reg.GetRegistryTokenForImage(buildOptions.ExistingImageUri, buildOptions.ExistingImageCreds)
+ if err != nil {
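Review bot: the `if err != nil {` branch after `reg.GetRegistryTokenForImage(...)` is where a bad credential set surfaces to the BuildImage caller, so whatever it writes to the stream or the log should name the image URI only and never include buildOptions.ExistingImageCreds. The condition above it also skips silently when ExistingImageUri is set but ExistingImageCreds is empty; a short comment saying that case means an anonymous pull would help the next reader.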
</file context>
| Str("image_id", request.ImageId). | ||
| Str("secret_name", secretName). | ||
| Int("credentials_length", len(secret.Value)). | ||
| Str("credentials", secret.Value). |
Logging the decrypted OCI credentials exposes sensitive registry secrets in plaintext logs. Remove or redact the value before logging.
Prompt for AI agents
Address the following comment on pkg/scheduler/scheduler.go at line 410:
<comment>Logging the decrypted OCI credentials exposes sensitive registry secrets in plaintext logs. Remove or redact the value before logging.</comment>
<file context>
@@ -407,6 +407,7 @@ func (s *Scheduler) attachImageCredentials(request *types.ContainerRequest) erro
Str("image_id", request.ImageId).
Str("secret_name", secretName).
Int("credentials_length", len(secret.Value)).
+ Str("credentials", secret.Value).
Msg("attached OCI credentials")
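Review bot: the added `Str("credentials", secret.Value)` line writes the decrypted registry secret into every sink that receives this log event. Drop the field; secret_name and credentials_length on the lines above already identify which secret was attached, and if more is needed for debugging, log a boolean such as whether the value parsed rather than any part of the value itself.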
</file context>
✅ Addressed in dce97cf
| Msg("about to upsert credential secret") | ||
|
|
||
| // Create or update secret | ||
| secret, err := is.upsertSecret(context.Background(), authInfo, secretName, secretValue, registry) |
Using context.Background() here (and on SetImageCredentialSecret just below) drops request cancellation, deadlines, and tracing metadata. Please keep the original ctx so secret persistence respects the caller’s lifecycle.
Prompt for AI agents
Address the following comment on pkg/abstractions/image/image.go at line 502:
<comment>Using context.Background() here (and on SetImageCredentialSecret just below) drops request cancellation, deadlines, and tracing metadata. Please keep the original ctx so secret persistence respects the caller’s lifecycle.</comment>
<file context>
@@ -464,40 +488,32 @@ func (is *RuncImageService) createCredentialSecretIfNeeded(ctx context.Context,
+
// Create or update secret
- secret, err := is.upsertSecret(ctx, authInfo, secretName, secretValue, registry)
+ secret, err := is.upsertSecret(context.Background(), authInfo, secretName, secretValue, registry)
if err != nil {
return err
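Review bot: replacing ctx with `context.Background()` in the upsertSecret call detaches the secret write from the request, so a cancelled or timed-out build can still create or update a secret. If the intent is for the write to outlive the request, make that explicit with `context.WithoutCancel(ctx)` plus a bounded timeout, which keeps the request-scoped values; otherwise pass ctx as before.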
</file context>
| secret, err := is.upsertSecret(context.Background(), authInfo, secretName, secretValue, registry) | |
| secret, err := is.upsertSecret(ctx, authInfo, secretName, secretValue, registry) |
| "AZURE_CLIENT_SECRET": true, | ||
| "AZURE_TENANT_ID": true, | ||
| "DOCKER_USERNAME": true, | ||
| "DOCKER_PASSWORD": true, |
ParseCredentialsFromEnv drops DOCKERHUB_USERNAME/DOCKERHUB_PASSWORD, so Docker Hub auth fails when credentials come from env. Please add these keys to knownCredKeys.
Prompt for AI agents
Address the following comment on pkg/registry/credentials.go at line 47:
<comment>ParseCredentialsFromEnv drops DOCKERHUB_USERNAME/DOCKERHUB_PASSWORD, so Docker Hub auth fails when credentials come from env. Please add these keys to knownCredKeys.</comment>
<file context>
@@ -0,0 +1,709 @@
+ "AZURE_CLIENT_SECRET": true,
+ "AZURE_TENANT_ID": true,
+ "DOCKER_USERNAME": true,
+ "DOCKER_PASSWORD": true,
+ "REGISTRY_USERNAME": true,
+ "REGISTRY_PASSWORD": true,
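Review bot: these `"KEY": true` entries carry no comment saying which registry each pair belongs to, and DOCKER_USERNAME/DOCKER_PASSWORD sit next to REGISTRY_USERNAME/REGISTRY_PASSWORD with no stated precedence when both are supplied. Document the mapping and the precedence beside the map, and since the hunk header shows this arriving as a new 709-line file, add a table-driven test that pins which keys are accepted.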
</file context>
This pull request contains changes generated by a Cursor Cloud Agent.
## Summary by cubic
Fixed credential secret upsert to update by secret name (registry-based) instead of external ID. This prevents broken updates and duplicate secrets when building tagged images.
- **Bug Fixes**
  - Use secretName in UpdateSecret to ensure registry-level secret reuse.
  - Added unit tests for create/update flows across tagged and untagged images.
Written for commit 15dcafb. Summary will update automatically on new commits.
Co-authored-by: Cursor Agent <[email protected]>
No issues found across 3 files
No issues found across 2 files
No issues found across 2 files
No issues found across 6 files
No issues found across 7 files
No issues found across 7 files
No issues found across 2 files
This pull request contains changes generated by a Cursor Cloud Agent.
## Summary by cubic
Use CLIP image metadata from the archive to build container specs and initial_config.json for v2 images, removing runtime skopeo inspections and speeding up startup.
- **New Features**
  - Extract CLIP metadata on-demand from archives (ImageClient.GetCLIPImageMetadata) and use it directly (no conversion).
  - Derive OCI specs in Worker and write initial_config.json in RunCServer using CLIP metadata; if metadata is missing, fall back to the base spec (no skopeo); tests updated to cover this path.
Written for commit b7aa3fb. Summary will update automatically on new commits.
Co-authored-by: Cursor Agent <[email protected]>
Co-authored-by: Luke Lombardi <[email protected]>
| Int("credentials_length", len(secret.Value)). | ||
| Str("credentials", secret.Value). | ||
| Msg("attached OCI credentials") | ||
|
|
|
|
||
| // Use keychain provider which handles ECR | ||
| keychain := common.NewKeychainProvider() | ||
| return keychain.GetCredentials(ctx, reg, scope) |
2 issues found across 7 files
Prompt for AI agents (all 2 issues)
Understand the root cause of the following 2 issues and fix them.
<file name="pkg/worker/runc_server.go">
<violation number="1" location="pkg/worker/runc_server.go:345">
Rule violated: **Prevent Redundant Code Duplication**
The new metadata-to-spec block duplicates the existing buildSpecFromCLIPMetadata logic (env/cwd/user/entrypoint/cmd) instead of reusing a shared helper, violating the Prevent Redundant Code Duplication guideline. Please extract or reuse the existing helper so metadata field handling stays consistent across workers.</violation>
</file>
<file name="pkg/worker/lifecycle.go">
<violation number="1" location="pkg/worker/lifecycle.go:406">
Rule violated: **Prevent Redundant Code Duplication**
buildSpecFromCLIPMetadata duplicates the CLIP metadata-to-spec mapping that already exists in writeInitialSpecFromImage; please extract a shared helper to avoid divergence across worker entrypoints.</violation>
</file>
| spec := s.baseConfigSpec | ||
|
|
||
| // Try to get CLIP metadata from archive (v2 images only) | ||
| clipMeta, ok := s.imageClient.GetCLIPImageMetadata(instance.Request.ImageId) |
Rule violated: Prevent Redundant Code Duplication
The new metadata-to-spec block duplicates the existing buildSpecFromCLIPMetadata logic (env/cwd/user/entrypoint/cmd) instead of reusing a shared helper, violating the Prevent Redundant Code Duplication guideline. Please extract or reuse the existing helper so metadata field handling stays consistent across workers.
Prompt for AI agents
Address the following comment on pkg/worker/runc_server.go at line 345:
<comment>The new metadata-to-spec block duplicates the existing buildSpecFromCLIPMetadata logic (env/cwd/user/entrypoint/cmd) instead of reusing a shared helper, violating the Prevent Redundant Code Duplication guideline. Please extract or reuse the existing helper so metadata field handling stays consistent across workers.</comment>
<file context>
@@ -334,45 +334,36 @@ func (s *RunCServer) RunCArchive(req *pb.RunCArchiveRequest, stream pb.RunCServi
- // Fallback to legacy Env field if Config is not available
- spec.Process.Env = append(spec.Process.Env, imgMeta.Env...)
+ // Try to get CLIP metadata from archive (v2 images only)
+ clipMeta, ok := s.imageClient.GetCLIPImageMetadata(instance.Request.ImageId)
+ if ok {
+ log.Info().Str("image_id", instance.Request.ImageId).Msg("using v2 image metadata from clip archive for initial spec")
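Review bot: `clipMeta, ok := s.imageClient.GetCLIPImageMetadata(instance.Request.ImageId)` collapses every failure into ok == false, so an image that has no embedded metadata and a v2 archive that failed to read look identical at this call site. Return an error alongside the metadata, or log the not-ok case with the image id, so the two can be told apart. The `log.Info()` on the success path also fires on every RunCArchive call; Debug may be the better level.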
</file context>
|
|
||
| // buildSpecFromCLIPMetadata constructs an OCI spec from CLIP image metadata | ||
| // This is the primary path for v2 images with embedded metadata | ||
| func (s *Worker) buildSpecFromCLIPMetadata(clipMeta *clipCommon.ImageMetadata) *specs.Spec { |
Rule violated: Prevent Redundant Code Duplication
buildSpecFromCLIPMetadata duplicates the CLIP metadata-to-spec mapping that already exists in writeInitialSpecFromImage; please extract a shared helper to avoid divergence across worker entrypoints.
Prompt for AI agents
Address the following comment on pkg/worker/lifecycle.go at line 406:
<comment>buildSpecFromCLIPMetadata duplicates the CLIP metadata-to-spec mapping that already exists in writeInitialSpecFromImage; please extract a shared helper to avoid divergence across worker entrypoints.</comment>
<file context>
@@ -381,85 +382,49 @@ func (s *Worker) readBundleConfig(request *types.ContainerRequest) (*specs.Spec,
-func (s *Worker) buildSpecFromImageMetadata(imgMeta *common.ImageMetadata) *specs.Spec {
+// buildSpecFromCLIPMetadata constructs an OCI spec from CLIP image metadata
+// This is the primary path for v2 images with embedded metadata
+func (s *Worker) buildSpecFromCLIPMetadata(clipMeta *clipCommon.ImageMetadata) *specs.Spec {
spec := specs.Spec{
Process: &specs.Process{
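Review bot: buildSpecFromCLIPMetadata takes clipMeta as a pointer and the new doc comment does not say whether nil is allowed. Either guard against nil at the top of the function or state in the comment that callers must check first, and end both comment sentences with a period to match godoc style.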
</file context>
This pull request contains changes generated by a Cursor Cloud Agent.
## Summary by cubic
Fixes v2 CLIP image builds by adding auth for private base images and ensuring env vars and build secrets are correctly passed to Docker builds.
- **Bug Fixes**
  - Use buildah --creds for both pull and bud when SourceImageCreds is provided (supports private registries).
  - Prevent build failures in multi-stage builds that require authenticated base images.
- **New Features**
  - Render ENV lines from BuildOpts.EnvVars in generated Dockerfiles.
  - Declare BuildSecrets as ARG in Dockerfiles and pass them via --build-arg during build.
  - Apply env/secrets handling in both appendToDockerfile and RenderV2Dockerfile paths.
Written for commit 0d823b9. Summary will update automatically on new commits.
Co-authored-by: Cursor Agent <[email protected]>
Co-authored-by: Luke Lombardi <[email protected]>
| Msg("attached OCI credentials") | ||
|
|
||
| return nil | ||
| } |
|
|
||
| // Use keychain provider which handles ACR | ||
| keychain := common.NewKeychainProvider() | ||
| return keychain.GetCredentials(ctx, reg, scope) |
Bug: Global env mutation risks credential leakage in parallel
The CreateProviderFromEnv function sets AWS, GCP, and Azure credentials using os.Setenv(). As environment variables are process-global, this introduces a race condition and potential credential leakage in concurrent or multi-tenant environments, allowing credentials from one request to leak to another.
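The leak described in the comment above can be reproduced without any concurrency at all, as this added example shows (it is not code from the pull request). `TenantCreds`, `scopedProvider`, the helper names and the stand-in variable name `EXAMPLE_AWS_ACCESS_KEY_ID` are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"sync"
)

// keyVar is a stand-in name so the example never touches real AWS settings.
const keyVar = "EXAMPLE_AWS_ACCESS_KEY_ID"

// TenantCreds is a hypothetical per-request credential set.
type TenantCreds struct{ AccessKeyID string }

// resolveViaProcessEnv reproduces the flagged pattern: credentials are
// published with os.Setenv and read back from the process environment.
func resolveViaProcessEnv(c *TenantCreds) string {
	if c != nil {
		os.Setenv(keyVar, c.AccessKeyID)
	}
	return os.Getenv(keyVar) // sees whatever the last caller left behind
}

// scopedProvider holds the credentials of exactly one request.
type scopedProvider struct{ creds *TenantCreds }

func (p scopedProvider) AccessKeyID() (string, bool) {
	if p.creds == nil {
		return "", false
	}
	return p.creds.AccessKeyID, true
}

// commandFor builds a child process whose environment carries only this
// request's credentials; the parent's environment is left untouched.
func (p scopedProvider) commandFor(name string, args ...string) *exec.Cmd {
	cmd := exec.Command(name, args...)
	cmd.Env = []string{"PATH=" + os.Getenv("PATH")}
	if id, ok := p.AccessKeyID(); ok {
		cmd.Env = append(cmd.Env, keyVar+"="+id)
	}
	return cmd
}

// resolveConcurrently runs one scoped provider per tenant in parallel and
// records the key each tenant observed.
func resolveConcurrently(tenants map[string]*TenantCreds) map[string]string {
	var (
		mu   sync.Mutex
		wg   sync.WaitGroup
		seen = map[string]string{}
	)
	for name, c := range tenants {
		wg.Add(1)
		go func(name string, c *TenantCreds) {
			defer wg.Done()
			id, _ := scopedProvider{c}.AccessKeyID()
			mu.Lock()
			seen[name] = id
			mu.Unlock()
		}(name, c)
	}
	wg.Wait()
	return seen
}

func main() {
	defer os.Unsetenv(keyVar)
	a := &TenantCreds{AccessKeyID: "tenant-a-key-constructed"} // constructed value
	resolveViaProcessEnv(a)
	fmt.Printf("tenant B via process env: %q\n", resolveViaProcessEnv(nil))
	os.Unsetenv(keyVar)
	id, ok := scopedProvider{nil}.AccessKeyID()
	fmt.Printf("tenant B via scoped provider: %q ok=%v\n", id, ok)
	fmt.Println(resolveConcurrently(map[string]*TenantCreds{"a": a, "b": nil}))
}
```
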
Reviewed changes from recent commits (found 1 issue).
1 issue found across 2 files
Prompt for AI agents (all 1 issues)
Understand the root cause of the following 1 issues and fix them.
<file name="pkg/worker/image.go">
<violation number="1" location="pkg/worker/image.go:729">
SourceImageCreds can arrive in JSON form (see createOCIImageWithProgress), but buildah --creds only accepts username[:password]. Passing the JSON string here breaks pulls when structured credentials are provided. Please deserialize and convert to a user:pass tuple (or use an authfile) before invoking buildah.</violation>
</file>
|
|
||
| // Add credentials if provided (in username:password format) | ||
| if request.BuildOptions.SourceImageCreds != "" { | ||
| pullArgs = append(pullArgs, "--creds", request.BuildOptions.SourceImageCreds) |
SourceImageCreds can arrive in JSON form (see createOCIImageWithProgress), but buildah --creds only accepts username[:password]. Passing the JSON string here breaks pulls when structured credentials are provided. Please deserialize and convert to a user:pass tuple (or use an authfile) before invoking buildah.
Prompt for AI agents
Address the following comment on pkg/worker/image.go at line 729:
<comment>SourceImageCreds can arrive in JSON form (see createOCIImageWithProgress), but buildah --creds only accepts username[:password]. Passing the JSON string here breaks pulls when structured credentials are provided. Please deserialize and convert to a user:pass tuple (or use an authfile) before invoking buildah.</comment>
<file context>
@@ -723,6 +723,11 @@ func (c *ImageClient) BuildAndArchiveImage(ctx context.Context, outputLogger *sl
+
+ // Add credentials if provided (in username:password format)
+ if request.BuildOptions.SourceImageCreds != "" {
+ pullArgs = append(pullArgs, "--creds", request.BuildOptions.SourceImageCreds)
+ }
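Review bot: `pullArgs = append(pullArgs, "--creds", request.BuildOptions.SourceImageCreds)` puts the credential on the buildah command line, where it is readable from the process list and from any log line that prints pullArgs. Prefer `--authfile` pointing at a 0600 temporary file that is removed after the pull, and validate the username:password shape the comment promises before use rather than only checking for an empty string.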
</file context>
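One way to do the conversion the comment above asks for, as an added example that is not code from the pull request: accept either credential form, then hand buildah an auth file instead of a command-line secret. The `USERNAME`/`PASSWORD` JSON keys, the registry and image names and all helper names are assumptions; the sample credential is constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// credKeyPairs are the JSON key pairs tried in order. USERNAME/PASSWORD is an
// assumption of this example; the other two pairs appear in the page's hunks.
var credKeyPairs = [][2]string{
	{"USERNAME", "PASSWORD"},
	{"DOCKER_USERNAME", "DOCKER_PASSWORD"},
	{"REGISTRY_USERNAME", "REGISTRY_PASSWORD"},
}

// normalizeCreds accepts "username[:password]" or a flat JSON object and
// returns the pair. Error messages never include the input.
func normalizeCreds(raw string) (user, pass string, err error) {
	raw = strings.TrimSpace(raw)
	if strings.HasPrefix(raw, "{") {
		var m map[string]string
		if json.Unmarshal([]byte(raw), &m) != nil {
			return "", "", errors.New("credentials are not a flat JSON object of strings")
		}
		for _, p := range credKeyPairs {
			if m[p[0]] != "" {
				return m[p[0]], m[p[1]], nil
			}
		}
		return "", "", errors.New("no username/password pair in JSON credentials")
	}
	// Split on the first colon only, so passwords may contain ':'.
	user, pass, _ = strings.Cut(raw, ":")
	if user == "" {
		return "", "", errors.New("credentials have no username")
	}
	return user, pass, nil
}

// writeAuthFile writes a containers-auth.json style file for one registry.
// os.CreateTemp creates the file with mode 0600.
func writeAuthFile(dir, registry, user, pass string) (string, error) {
	f, err := os.CreateTemp(dir, "auth-*.json")
	if err != nil {
		return "", err
	}
	defer f.Close()
	token := base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
	doc := map[string]map[string]map[string]string{"auths": {registry: {"auth": token}}}
	if err := json.NewEncoder(f).Encode(doc); err != nil {
		os.Remove(f.Name())
		return "", err
	}
	return f.Name(), nil
}

// buildahPullArgs references the auth file, so no secret appears in argv.
func buildahPullArgs(image, authFile string) []string {
	return []string{"pull", "--authfile", authFile, image}
}

func main() {
	dir, err := os.MkdirTemp("", "creds-example-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir) // the auth file must not outlive the build
	// Constructed sample input, not a real credential.
	user, pass, err := normalizeCreds(`{"USERNAME":"ci-bot","PASSWORD":"s3cr:et"}`)
	if err != nil {
		panic(err)
	}
	authFile, err := writeAuthFile(dir, "registry.example.com", user, pass)
	if err != nil {
		panic(err)
	}
	fmt.Println(buildahPullArgs("registry.example.com/team/base:1.0", authFile))
}
```
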
This pull request contains changes generated by a Cursor Cloud Agent.
## Summary by cubic
Ensure env vars and build secrets are correctly handled in CLIP V2 Dockerfile generation. Updates hasWorkToDo to trigger a build when env vars or secrets are present, with tests covering Dockerfile rendering, appending, and work detection.
Written for commit d388193. Summary will update automatically on new commits.
Co-authored-by: Cursor Agent <[email protected]>
No issues found across 2 files
Summary by cubic
Integrates CLIP v2: builds images with buildah and publishes index-only .clip archives, skipping the runc build flow. Adds end-to-end OCI credentials for private layers so builds and workers can pull v2 image content securely.
New Features
Migration
Written for commit 8001876. Summary will update automatically on new commits.
Note
Integrates CLIP v2: buildah-based Dockerfile builds producing index-only archives with end-to-end OCI credentials, updated image IDs, worker/runtime support, and defaults clipVersion to 2.
- .clip via CreateFromOCIImage; skip runc command execution for builds.
- pkg/registry credential utilities and providers; convert user creds; create workspace secrets; persist on images; scheduler attaches image_credentials to requests; worker uses for lazy pulls.
- /workspace and /volumes.
- RuncImageService → ContainerImageService; verify/build flow updated for v2; proto/types add image_credentials.
- clipVersion: 2; add buildRegistry and buildRegistryInsecure; enable blobcache; improved skopeo TLS for localhost.
- 036_add_image_credential_fields; secret create/update signatures adjusted.
Written by Cursor Bugbot for commit 8001876. This will update automatically on new commits.