chore(publish): pin docker base image refs #4652

Open
NathanFlurry wants to merge 1 commit into 04-14-chore_engine_publish_engine_bases_in_ci from 04-14-chore_publish_pin_docker_base_image_refs

@NathanFlurry
Member

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

@NathanFlurry NathanFlurry mentioned this pull request Apr 14, 2026
11 tasks
@railway-app

railway-app bot commented Apr 14, 2026

🚅 Deployed to the rivet-pr-4652 environment in rivet-frontend

| Service | Status | Web | Updated (UTC) |
|---|---|---|---|
| kitchen-sink | ❌ Build Failed (View Logs) | Web | Apr 14, 2026 at 11:44 pm |
| website | 😴 Sleeping (View Logs) | Web | Apr 14, 2026 at 9:52 pm |
| ladle | ❌ Build Failed (View Logs) | Web | Apr 14, 2026 at 9:35 pm |
| frontend-cloud | ❌ Build Failed (View Logs) | Web | Apr 14, 2026 at 9:35 pm |
| frontend-inspector | ❌ Build Failed (View Logs) | Web | Apr 14, 2026 at 9:35 pm |
| mcp-hub | ✅ Success (View Logs) | Web | Apr 14, 2026 at 9:34 pm |

Member Author

NathanFlurry commented Apr 14, 2026

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.

This stack of pull requests is managed by Graphite. Learn more about stacking.

@NathanFlurry NathanFlurry changed the base branch from 04-14-break_this_up_wip_patches to graphite-base/4652 April 14, 2026 21:59
@NathanFlurry NathanFlurry force-pushed the 04-14-chore_publish_pin_docker_base_image_refs branch from 15a3f42 to e990012 Compare April 14, 2026 21:59
@NathanFlurry NathanFlurry changed the base branch from graphite-base/4652 to 04-14-chore_engine_publish_engine_bases_in_ci April 14, 2026 21:59
@NathanFlurry NathanFlurry force-pushed the 04-14-chore_publish_pin_docker_base_image_refs branch from e990012 to ee14c1d Compare April 14, 2026 22:03
@claude

claude bot commented Apr 14, 2026

PR Review: chore(publish): pin docker base image refs

Overview

This PR refactors Docker base image pinning from a centralized BASE_TAG env variable in the CI workflow to hardcoded SHA tags directly in each Dockerfile. It also removes the per-commit engine-base-images CI job and adds automation to build-push.sh that updates all pinned tags when running all --push.


Positive Changes

  • Better traceability: Tags are now co-located with the FROM lines that use them, no more hunting through the workflow file to find which tag is active.
  • Automation improvement: pin_consumer_dockerfiles() replaces a manual "update BASE_TAG in the workflow" step. Developers cannot forget to update one Dockerfile while updating another.
  • Verification in update_from_line: The function checks that the pattern exists before replacing and that the replacement took effect afterward. Good defensive approach.

Issues and Concerns

1. Two different tags in the initial state

Builder-base images (builder-base-linux-gnu, etc.) are pinned to 0e33ceb98, while engine images (engine-base-builder, engine-base-runtime-*) are pinned to a36b881. After running build-push.sh all --push, both sets would be unified under one tag. The divergent starting state is worth a comment explaining why, or it will confuse contributors who look at the Dockerfiles side by side.

2. pin_consumer_dockerfiles uses a single TAG for all images

The function stamps the same $TAG onto both builder-base and engine-base images. This is only safe when the two sets are always published together (which all --push enforces). A comment in the script documenting this assumption would help prevent accidental misuse.

3. CLAUDE.md is now stale

CLAUDE.md still says "engine bases are published per commit in publish.yaml". The per-commit engine-base-images CI job has been removed, so this needs updating to reflect the new build-push.sh all --push workflow.

4. Perl dependency assumption

update_from_line uses perl -0pi -e. Fine on macOS/Linux CI, but may trip up contributors on minimal Docker-based dev environments or Windows without WSL. sed would be more portable, though this is minor.

5. No dry-run support for pin_consumer_dockerfiles

The function only runs when PUSH=true. A developer doing a local build without --push cannot test the pinning step without actually pushing.


Minor Nits

  • The BASE_TAG doc line removal in linux-x64-gnu.Dockerfile is correct and clean.
  • The engine-base-images job removal is a meaningful CI speedup -- previously every push triggered 3 extra base image builds.

Summary

Solid, well-motivated change. Two actionable items:

  1. Update CLAUDE.md to remove the stale "engine bases are published per commit" statement and update the base image rebuild instructions to reflect the new workflow.
  2. Add a brief comment near the divergent tags (or in pin_consumer_dockerfiles) explaining that both image families share a tag after running all --push, and that the current state reflects two separate historical pins.
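
The two safeguards the review credits to update_from_line (confirm the pattern exists, then confirm the replacement took effect), combined with the dry-run mode and sed-only portability it asks for, as an added example. This is not the project's build-push.sh: `pin_from_line`, `pinned_tags`, the `example.invalid` registry and the tag `1a2b3c4d5` are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not the project's build-push.sh.

# pinned_tags FILE IMAGE: print the distinct tags pinned for IMAGE on FROM lines.
pinned_tags() {
  sed -n "s|^FROM[[:space:]].*/$2:\([A-Za-z0-9_.-]*\).*|\1|p" "$1" | sort -u
}

# pin_from_line FILE IMAGE TAG [dry-run]
# Returns 1 on unsafe input, 2 if FILE has no FROM line for IMAGE,
# 3 if FILE does not carry exactly TAG for IMAGE after the rewrite.
pin_from_line() {
  pf_file=$1 pf_image=$2 pf_tag=$3 pf_mode=${4:-write}
  # Validate instead of escaping: both values are spliced into a sed script.
  case $pf_image in ''|*[!a-z0-9_-]*) return 1 ;; esac
  case $pf_tag in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
  # Pre-check: refuse to "succeed" on a file that never referenced the image.
  [ -n "$(pinned_tags "$pf_file" "$pf_image")" ] || return 2
  pf_expr="s|^\(FROM[[:space:]].*/$pf_image\):[A-Za-z0-9_.-]*|\1:$pf_tag|"
  if [ "$pf_mode" = dry-run ]; then
    sed -n "${pf_expr}p" "$pf_file"   # print rewritten lines, change nothing
    return 0
  fi
  # Plain sed plus a temp file avoids the GNU/BSD "sed -i" difference.
  pf_tmp=$(mktemp) || return 1
  sed "$pf_expr" "$pf_file" > "$pf_tmp" && cat "$pf_tmp" > "$pf_file"
  rm -f "$pf_tmp"
  # Post-check: every FROM line for the image must now carry the new tag.
  [ "$(pinned_tags "$pf_file" "$pf_image")" = "$pf_tag" ] || return 3
}

# Constructed sample: two image families on the divergent tags the review quotes.
demo=$(mktemp)
printf '%s\n' \
  'FROM example.invalid/builder-base-linux-gnu:0e33ceb98 AS builder' \
  'FROM example.invalid/engine-base-builder:a36b881' > "$demo"
pin_from_line "$demo" engine-base-builder 1a2b3c4d5 dry-run   # preview only
pin_from_line "$demo" engine-base-builder 1a2b3c4d5 && cat "$demo"
rm -f "$demo"
```
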

@github-actions
Contributor

Preview packages published to npm

Install with:

npm install rivetkit@pr-4652

All packages published as 0.0.0-pr.4652.130bc98 with tag pr-4652.

Engine binary is shipped via @rivetkit/engine-cli on linux-x64-musl, linux-arm64-musl, darwin-x64, and darwin-arm64. Windows users should use the release installer or set RIVET_ENGINE_BINARY.

Docker images:

docker pull rivetdev/engine:slim-130bc98
docker pull rivetdev/engine:full-130bc98
Individual packages
npm install rivetkit@pr-4652
npm install @rivetkit/react@pr-4652
npm install @rivetkit/rivetkit-native@pr-4652
npm install @rivetkit/workflow-engine@pr-4652
