This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

Thanks for taking this on. I do not think this closes #1343 yet.

Blocking issues:

1. Kubernetes E2E now preloads ghcr.io/nvidia/openshell/<component>:${{ github.sha }}-amd64, but it still runs tests with IMAGE_TAG: ${{ github.sha }}. e2e/with-kube-gateway.sh passes IMAGE_TAG to Helm as image.tag and supervisor.image.tag, so the chart asks for bare :SHA while kind only has :SHA-amd64 loaded. Since kind nodes do not have GHCR credentials, this can still fail or pull the wrong bare tag.

2. The bare :SHA race remains. After this change, single-arch Branch Kubernetes E2E and Branch E2E both run the merge job and publish the bare tag, while GPU Test also publishes the bare tag. That is still last-writer-wins across workflows; it just moves the bare write from the build job to the merge job.

3. The PR description says single-arch merge produces a manifest list, but the workflow uses docker buildx imagetools create --prefer-index=false. For a single source, buildx documents this as a carbon-copy path, so it likely publishes a single-platform image manifest, not a one-entry index/list.

What I would change:

• Do not let single-arch branch workflows publish the shared bare :SHA tag, or scope their bare tag by workflow.
• Update branch-kubernetes-e2e to pass IMAGE_TAG: ${{ github.sha }}-amd64 if it preloads the amd64 tag, or retag the preloaded images to the bare SHA before kind load and make sure no other workflow can overwrite it.
• Keep the release/dev multi-arch path publishing the bare SHA manifest, since release-tag.yml and release-dev.yml consume that tag and I do not see a release pipeline regression there.

Net: the release pipeline looks okay, but this PR should be revised before merge because the CI race is not actually removed and K8s E2E has a tag mismatch.

Thanks for taking this on. I do not think this closes #1343 yet.

Blocking issues:

1. Kubernetes E2E now preloads ghcr.io/nvidia/openshell/<component>:${{ github.sha }}-amd64, but it still runs tests with IMAGE_TAG: ${{ github.sha }}. e2e/with-kube-gateway.sh passes IMAGE_TAG to Helm as image.tag and supervisor.image.tag, so the chart asks for bare :SHA while kind only has :SHA-amd64 loaded. Since kind nodes do not have GHCR credentials, this can still fail or pull the wrong bare tag.
2. The bare :SHA race remains. After this change, single-arch Branch Kubernetes E2E and Branch E2E both run the merge job and publish the bare tag, while GPU Test also publishes the bare tag. That is still last-writer-wins across workflows; it just moves the bare write from the build job to the merge job.
3. The PR description says single-arch merge produces a manifest list, but the workflow uses docker buildx imagetools create --prefer-index=false. For a single source, buildx documents this as a carbon-copy path, so it likely publishes a single-platform image manifest, not a one-entry index/list.

What I would change:

• Do not let single-arch branch workflows publish the shared bare :SHA tag, or scope their bare tag by workflow.
• Update branch-kubernetes-e2e to pass IMAGE_TAG: ${{ github.sha }}-amd64 if it preloads the amd64 tag, or retag the preloaded images to the bare SHA before kind load and make sure no other workflow can overwrite it.
• Keep the release/dev multi-arch path publishing the bare SHA manifest, since release-tag.yml and release-dev.yml consume that tag and I do not see a release pipeline regression there.

Net: the release pipeline looks okay, but this PR should be revised before merge because the CI race is not actually removed and K8s E2E has a tag mismatch.

Thx! Kind tag mismatch, Bare:SHA and --prefer-index=false on single source are done.
And release pipeline is untouched. I hope it will be merged now.