docs: clarify docker artifact-type registry requirement#183
Merged
AlexKantor87 merged 2 commits intomainfrom Apr 28, 2026
Merged
docs: clarify docker artifact-type registry requirement#183AlexKantor87 merged 2 commits intomainfrom
AlexKantor87 merged 2 commits intomainfrom
Conversation
Customer hit "repo digest unavailable" in CI after kosli attest artifact with --artifact-type=docker. The constraint that the image must have been pushed to or pulled from a registry was only implicit in the existing copy. Add a Warning callout on the artifacts page covering the constraint and alternatives, plus a dedicated troubleshooting page for the error message. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
|
Preview deployment for your docs. Learn more about Mintlify Previews.
|
6 tasks
Source-dir fingerprinting only works as an end-to-end identity if the runtime side also fingerprints the source dir. Standard Kosli runtime reporters (K8s, ECS, Lambda, S3, etc.) fingerprint the running image, so a dir-fingerprinted attestation never links to runtime — the attested artifact and the running artifact end up as separate rows in Kosli with no provenance trail between them. Push and oci are the only safe answers for users running standard docker workflows hitting this error. Drop dir from the alternatives in both the artifacts page Warning and the troubleshooting page. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
tooky
approved these changes
Apr 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
A customer hit
Error: repo digest unavailable for the image, has it been pushed to or pulled from a registry?after runningkosli attest artifact ... --artifact-type=dockerin GitHub Actions, where the image had been built but never pushed. The same command appeared to work locally (because the image had been pushed at some earlier point and the digest was cached on the machine).The registry requirement for
--artifact-type=dockeris currently implicit. The closest the docs come is the line "for docker images that are pulled on the machine" on the Artifacts page, which is easy to read past after a freshdocker build. The actual constraint, that the image must have a registry-derived digest, is only stated in the error message itself.This PR makes that constraint explicit:
<Warning>callout togetting_started/artifacts.mdimmediately after the artifact-type bullet list, covering the constraint and four alternatives (push,oci,dir,--fingerprint).troubleshooting/repo_digest_unavailable.mdso the error message itself is googleable and gives users a clear set of fixes.config/navigation.json.I did not edit
client_reference/kosli_attest_artifact.mdbecause it is regenerated bykosli docs --mintlifyfrom the CLI source. A follow-up againstkosli-dev/clicould improve the inline help text for--artifact-typeto mention the registry requirement; happy to do that as a separate PR if useful.mint broken-linkserrors out on a pre-existing parse issue inhelm/k8s_reporter.md:161that is unrelated to this change, so I have not run it cleanly. Cross-references between the new troubleshooting page, the navigation entry, and the link from the artifacts page have been verified manually.Test plan
<Warning>callout displays on/getting_started/artifacts/troubleshooting/repo_digest_unavailable🤖 Generated with Claude Code