The existing TBD-A6 + TBD-A20 system catches drift between Chart.yaml,
bootstrap-kit pin, and blueprint.yaml spec.version AFTER chart-publish
commits land on main, but it cannot detect the "chart bumped but never
published" failure mode: the bootstrap-kit pin points at a chart
version that GHCR never received because blueprint-release.yaml
failed (e.g. TBD-A20 YAML scanner break, race with TBD-A20 lockstep,
runner cancellation, transient GHCR push 5xx).
Concrete observed failure (2026-05-18/19): bp-catalyst-platform 1.4.180
and 1.4.181 were "lost" during the TBD-A20 scanner break window
(21:04Z → 22:07Z). The pin sync audit reported chart=pin=1.4.181 PASS
while ghcr.io/openova-io/bp-catalyst-platform:1.4.181 did NOT exist
until A58 manually re-fired the workflow via dispatch. Fresh
Sovereigns silently fell back to the last working tag.
What this adds
- scripts/check-bootstrap-kit-pin-sync.sh gains `--check-ghcr` (and
optional `--ghcr-org <org>`). For every chart pinned in the kit, it
lists ghcr.io/<org>/<chart> tags via `gh api
/orgs/<org>/packages/container/<chart>/versions --paginate`, then
asserts the pinned version appears. Exits 1 on any missing tag.
- A per-chart tag cache avoids redundant paginations.
- .github/workflows/test-bootstrap-kit.yaml `pin-sync-audit` job now
passes `--check-ghcr` on `push` to main + `workflow_dispatch`
(PR mode stays `--changed-only` and skips GHCR — PRs cannot publish
to GHCR anyway). The job stays `continue-on-error: true` under the
same observational umbrella as the existing post-merge full sweep
so a transient API blip cannot red-flag every chart bump; the
missing-tag list still surfaces on the run summary for operator
attention.
- Job grants `packages: read` so the workflow GITHUB_TOKEN can list
private package versions.
Verification (origin/main snapshot, 2026-05-19)
- Full sweep default: 50/50 chart→pin pairs OK, no GHCR check.
- Full sweep `--check-ghcr`: 50/50 pairs OK AND 50/50 GHCR tags
present — PASS exit 0.
- Negative test: with products/catalyst/chart/Chart.yaml + slot 13
both set to a non-existent 99.99.99, the script exits 1 with
`GHCR MISS bp-catalyst-platform:99.99.99 — tag NOT FOUND` and the
remediation hint pointing at `gh workflow run
blueprint-release.yaml`.
- `--changed-only --base origin/main` against a no-change tree: clean
exit 0 with the existing "nothing to check" message.
Refs #1872, #1864, #1856.
Closes#1872
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
8bfdb80311