Merge pull request 'chore(zot): pin operator image to zot v0.2.42 (Sam & Pi)' (#107) from chore/zot-0.2.42-pin into main

Reviewed-on: #107
2026-06-22 07:27:08 +02:00 · 2026-06-22 07:27:08 +02:00 · 2d000f06e7
commit 2d000f06e7
parent 90de50f5e9 2af8a65cae
5 changed files with 22 additions and 22 deletions
--- a/build.cfg
+++ b/build.cfg
@ -113,7 +113,7 @@ COLIBRI_COST_MODE="${COLIBRI_COST_MODE:-smart}"
 # COLIBRI_STAGE_AGENT=NO stages the daemon without the agent (debug builds).
 # Pin a tag for reproducible images; the agent has no FreeBSD release, so the
 # build host compiles it: (cd $ZOT_REPO && git checkout $ZOT_VERSION &&
-#   ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.29}" && VERSION="${ZOT_BUILD_VERSION#v}" make build)
+#   ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.42}" && VERSION="${ZOT_BUILD_VERSION#v}" make build)
 COLIBRI_STAGE_AGENT="${COLIBRI_STAGE_AGENT:-YES}"
 # Development-only local fake-agent binary. Auto mode includes it for dev
 # builds and omits it from release/prod images; override with YES/NO for
@ -125,7 +125,7 @@ if [ "${COLIBRI_STAGE_TEST_AGENT}" = "auto" ]; then
        *) COLIBRI_STAGE_TEST_AGENT="YES" ;;
    esac
 fi
-ZOT_VERSION="${ZOT_VERSION:-v0.2.29}"
+ZOT_VERSION="${ZOT_VERSION:-v0.2.42}"
 ZOT_REPO="${ZOT_REPO:-/home/clawdie/ai/zot}"
 ZOT_ARTIFACT_DIR="${ZOT_ARTIFACT_DIR:-}"
 # Optional: bake the operator's DeepSeek key into the agent's auth.json (0600).
--- a/docs/LIVE-COLIBRI-REBUILD.md
+++ b/docs/LIVE-COLIBRI-REBUILD.md
@ -195,8 +195,8 @@ if [ ! -d zot-build/.git ]; then
 fi
 cd zot-build
 git fetch --prune origin
-git checkout v0.2.29          # the zot tag this image ships (see build-manifest.json)
-ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.29}"
+git checkout v0.2.42          # the zot tag this image ships (see build-manifest.json)
+ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.42}"
 VERSION="${ZOT_BUILD_VERSION#v}" make build
 ./bin/zot --version
 ```
--- a/docs/RELEASE-0.11.0-HANDOFF.md
+++ b/docs/RELEASE-0.11.0-HANDOFF.md
@ -12,7 +12,7 @@ this build happens on FreeBSD.
 | clawdie-iso | `7f55770` | v0.11.0 | `ISO_VERSION=0.11.0`                        |
 | colibri     | `b626082` | v0.11.0 | MIT; 230 tests green; fmt + clippy clean    |
 | clawdie-ai  | `393b0c7` | —       | clean on forge main                         |
-| zot         | `1a24a20` | —       | agent (front door); pinned by `ZOT_VERSION` |
+| zot         | `821f51a` | v0.2.42 | agent (front door); pinned by `ZOT_VERSION` |

 Locally-runnable gates pass on colibri + clawdie-iso (fmt, `CARGO_CRATES` and
 agent-jail drift checks, markdown). CI Actions are **dormant** (no runner) — gates
--- a/docs/RELEASE-BUILD-RUNBOOK.md
+++ b/docs/RELEASE-BUILD-RUNBOOK.md
@ -1,6 +1,6 @@
 # Release Build Runbook

-**Current target:** `0.10.0` ("Operator Image") · **Channel:** `release`
+**Current target:** `0.11.0` ("Operator Image") · **Channel:** `release`

 How to cut a reproducible, publishable operator image from merged sources. This
 is the `BUILD_CHANNEL=release` path — distinct from the everyday
@ -20,11 +20,11 @@ use `BUILD_CHANNEL=dev` and skip the pinning discipline below.
  commits are then written to `build-manifest.json`, so the image can be rebuilt
  from that record.
 - **Own product version.** `ISO_VERSION` is an explicit product number
-  (`0.10.0`), not a component's. Component versions are provenance, not identity.
+  (`0.11.0`), not a component's. Component versions are provenance, not identity.
 - **Fits the stick.** The build aborts before shipping if the live filesystem
  has less than `IMAGE_MIN_FREE_MB` (default 1024) free.

-Output: `tmp/output/clawdie-quindecim-0.10.0.img` (`quindecim` = FreeBSD 15).
+Output: `tmp/output/clawdie-quindecim-0.11.0.img` (`quindecim` = FreeBSD 15).

 ---

@ -68,7 +68,7 @@ Any output from `status --porcelain` (modified _or_ untracked) will fail the
 release gate. Clean it before continuing — do not `.gitignore` your way past it.

 > `zot` ships at a pinned tag. Check out the tag you intend to release
-> (`ZOT_VERSION`, default `v0.2.29`) so the recorded commit is the tag's commit.
+> (`ZOT_VERSION`, default `v0.2.42`) so the recorded commit is the tag's commit.

 ---

@ -83,10 +83,10 @@ cargo clippy --workspace --all-targets -- -D warnings

 # zot agent binary (native FreeBSD build)
 cd ../zot
-git checkout v0.2.29                          # the release tag
-ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.29}"
+git checkout v0.2.42                          # the release tag
+ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.42}"
 VERSION="${ZOT_BUILD_VERSION#v}" make build
-./bin/zot --version                            # expect: zot 0.2.29
+./bin/zot --version                            # expect: zot 0.2.42

 cd ../clawdie-iso
 ```
@ -115,11 +115,11 @@ ls -l ../colibri/target/release/colibri-daemon \

 ```sh
 cd ../clawdie-iso
-sudo env BUILD_CHANNEL=release ISO_VERSION=0.10.0 \
+sudo env BUILD_CHANNEL=release ISO_VERSION=0.11.0 \
  ./build.sh --clawdie-ref main
 ```

- `ISO_VERSION=0.10.0` — also the `build.cfg` default; an empty/`auto` value
+- `ISO_VERSION=0.11.0` — also the `build.cfg` default; an empty/`auto` value
  fails fast.
 - `--clawdie-ref main` bundles current `clawdie-ai` main (its commit is recorded
  as provenance). Use `--clawdie-version X.Y.Z` instead to pin a clawdie-ai tag.
@ -129,13 +129,13 @@ sudo env BUILD_CHANNEL=release ISO_VERSION=0.10.0 \

 What you should see, in order:

-1. **Banner** — `ISO : 0.10.0-release (zot v0.2.29)`.
+1. **Banner** — `ISO : 0.11.0-release (zot v0.2.42)`.
 2. **Release gate** — silent on success; on failure it lists each modified repo
   and exits. (Fix the tree; don't switch to `dev` for a real release.)
 3. **Preflight** — confirms the colibri binaries and `zot/bin/zot` exist.
 4. **Image space report** — `df`/`du` of the live filesystem, then
   `Free space OK (… MB, floor 1024 MB)` — or an abort if it won't fit.
-5. **Output** — `Done : tmp/output/clawdie-quindecim-0.10.0.img`.
+5. **Output** — `Done : tmp/output/clawdie-quindecim-0.11.0.img`.

 ---

@ -147,7 +147,7 @@ cat tmp/output/build-manifest.json        # or USB_SHARE copy

 Confirm:

- `"iso_version": "0.10.0"`, `"version_scheme": "product"`,
+- `"iso_version": "0.11.0"`, `"version_scheme": "product"`,
  `"build_channel": "release"`.
 - `zot_commit`, `colibri_commit`, `clawdie_ai_commit`, `iso_repo_commit` are all
  real SHAs (not `unknown`).
@ -184,7 +184,7 @@ If anything fails out of the box, this is not the cut — fix, rebuild, and the
 Follow `skills/iso-publish/SKILL.md`: compress to `.xz`, write the `.sha256`, and
 the publish manifest, then `scripts/publish.sh` to the CMS downloads jail.
 `FLASHING.md` is the operator-facing flashing guide (already references the
-`0.10.0` artifact name).
+`0.11.0` artifact name).

 ---

@ -192,7 +192,7 @@ the publish manifest, then `scripts/publish.sh` to the CMS downloads jail.

 - [ ] All four repos clean (`git status --porcelain` empty) and on the release ref.
 - [ ] `cargo test --workspace` + `cargo clippy -D warnings` green on colibri.
- [ ] `BUILD_CHANNEL=release ISO_VERSION=0.10.0 ./build.sh` completes; gate passed,
+- [ ] `BUILD_CHANNEL=release ISO_VERSION=0.11.0 ./build.sh` completes; gate passed,
      preflight passed, free-space check passed.
 - [ ] `build-manifest.json`: channel `release`, all commits real, all
      `*_modified` `false`.
@ -203,7 +203,7 @@ the publish manifest, then `scripts/publish.sh` to the CMS downloads jail.

 ## Notes / gotchas

- **Future cuts:** bump `ISO_VERSION` in `build.cfg` (e.g. `0.10.1`, `1.0.0`).
+- **Future cuts:** bump `ISO_VERSION` in `build.cfg` (e.g. `0.11.1`, `1.0.0`).
  Everything else here is unchanged.
 - **`dev` vs `release`:** `dev` skips the clean-tree gate — fine for proving a
  change, never for a published artifact.
--- a/scripts/stage-zot-iso.sh
+++ b/scripts/stage-zot-iso.sh
@ -4,7 +4,7 @@
 # zot is the agent-harness consolidation target (one static Go binary). It has no
 # FreeBSD release, so build it on the host first and point ZOT_ARTIFACT_DIR here:
 #   (cd ../zot && git checkout "$ZOT_VERSION" \
-#       && ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.29}" \
+#       && ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.42}" \
 #       && VERSION="${ZOT_BUILD_VERSION#v}" make build)
 #
 # Credentials: zot resolves provider keys as --api-key -> provider env var ->
@ -36,7 +36,7 @@ ZOT_HOME="${OP_HOME}/${ZOT_HOME_REL}"

 if [ ! -x "${BIN_SRC}" ]; then
    echo "missing executable zot artifact: ${BIN_SRC}" >&2
-    echo "hint: (cd \$ZOT_REPO && ZOT_BUILD_VERSION=\"\${ZOT_VERSION:-v0.2.29}\" && VERSION=\"\${ZOT_BUILD_VERSION#v}\" make build)" >&2
+    echo "hint: (cd \$ZOT_REPO && ZOT_BUILD_VERSION=\"\${ZOT_VERSION:-v0.2.42}\" && VERSION=\"\${ZOT_BUILD_VERSION#v}\" make build)" >&2
    exit 66
 fi