From 3598d3435cf0f50ec436f78a714d93c41a208872 Mon Sep 17 00:00:00 2001
From: Alexandre Maurel <alexandre.maurel@gmail.com>
Date: Wed, 11 Mar 2026 07:30:38 +0100
Subject: [PATCH 1/3] Update tercen-rs to fix schema_ids retrieval via
 parentTaskId

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 Cargo.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Cargo.lock b/Cargo.lock
index 9d4bc05..70681b7 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3838,7 +3838,7 @@ dependencies = [
 [[package]]
 name = "tercen-rs"
 version = "0.1.0"
-source = "git+https://github.com/tercen/tercen-rs?branch=main#112126ec4cc68ccd754a2bc2127974f4b83f259a"
+source = "git+https://github.com/tercen/tercen-rs?branch=main#818fdf669ece4e1697ed2903fab4dd0aa7aef6ee"
 dependencies = [
  "base64",
  "futures",

From c96493427df126242d0bdf007cf8759433521de3 Mon Sep 17 00:00:00 2001
From: Alexandre Maurel <alexandre.maurel@gmail.com>
Date: Wed, 11 Mar 2026 08:33:17 +0100
Subject: [PATCH 2/3] Tag Docker image with commit SHA and branch name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CI now tags images with both the full commit SHA and the branch name.
Remove tag from operator.json container field — Tercen resolves the
tag from the install version (commit SHA, branch, or release tag).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/ci.yml | 19 +++----------------
 operator.json            |  2 +-
 2 files changed, 4 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c16f25b..ead6e3e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,12 +4,10 @@ on:
   push:
     branches: ['main', '*']
 
-# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
-# There are two jobs in this workflow: test (for Rust testing) and build-and-push-image (for Docker).
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -72,7 +70,6 @@ jobs:
   build-and-push-image:
     runs-on: ubuntu-latest
     needs: test
-    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
     permissions:
       contents: read
       packages: write
@@ -84,7 +81,6 @@ jobs:
         with:
           submodules: recursive
 
-      # Uses the `docker/login-action` action to log in to the Container registry using the account and password that will publish the packages.
       - name: Log in to the Container registry
         uses: docker/login-action@v3.3.0
         with:
@@ -92,32 +88,23 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # This step uses docker/metadata-action to extract tags and labels that will be applied to the specified image.
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/metadata-action@v5.5.1
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
-      # Set up Docker Buildx for advanced build features
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      # Build and push the Docker image
       - name: Build and push Docker image
         id: push
         uses: docker/build-push-action@v6.7.0
         with:
           context: .
           push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           secrets: |
             gh_pat=${{ secrets.GH_PAT }}
 
-      # Generate artifact attestation
       - name: Generate artifact attestation
         uses: actions/attest-build-provenance@v1
         with:
diff --git a/operator.json b/operator.json
index 83f5e6b..1b4fbcc 100644
--- a/operator.json
+++ b/operator.json
@@ -5,7 +5,7 @@
   "communicationProtocol": "grpc",
   "authors": ["Tercen"],
   "urls": ["https://github.com/tercen/ggrs_plot_operator"],
-  "container": "ghcr.io/tercen/ggrs_plot_operator:extract-tercen-rs",
+  "container": "ghcr.io/tercen/ggrs_plot_operator",
   "operatorSpec": {
     "kind": "OperatorSpec",
     "ontologyUri": "https://tercen.com/_ontology/tercen",

From 6007f12686f303f7d78a653325dcbf4d7a2e6b85 Mon Sep 17 00:00:00 2001
From: Alexandre Maurel <alexandre.maurel@gmail.com>
Date: Wed, 11 Mar 2026 08:53:10 +0100
Subject: [PATCH 3/3] Add short SHA Docker image tag for immutable install
 resolution

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/ci.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ead6e3e..5698d0f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -91,6 +91,10 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Get short SHA
+        id: sha
+        run: echo "short=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
+
       - name: Build and push Docker image
         id: push
         uses: docker/build-push-action@v6.7.0
@@ -99,6 +103,7 @@ jobs:
           push: true
           tags: |
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.sha.outputs.short }}
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
           cache-from: type=gha
           cache-to: type=gha,mode=max