gitLayer now returns the commit it checked out (dereferencing annotated
tags). build records it, the clone URL, and the ref name as
me.kontain.git.{commit,source,ref} annotations on the checkout layer's
manifest descriptor, so the commit a :branch / :tag / :latest pull
resolved to is visible from the image manifest. The test now also checks
gitLayer's returned commit matches what resolveRef resolved.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The layer's entries were root-owned, but cgr.dev/chainguard/git runs as
uid 65532, so `git fetch`/`git commit` inside the checkout failed with
"Permission denied" creating .git/FETCH_HEAD. Stamp the base image's
runtime uid/gid onto every layer entry, and explicitly emit the
checkout's parent directories (git/, git/<repo>/, git/<repo>/.git/) so
the image extractor doesn't auto-create them root-owned.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
git.kontain.me used to clone+checkout a repo onto Cloud Run's tmpfs (memory)
and then tar the result. Now it fetches the packfile into an in-memory git dir,
walks the requested commit's tree, and streams each blob straight into the
layer tar. Only the packfile bytes (plus go-git's delta cache) are buffered, so
memory no longer scales with the size of the checked-out worktree.
The shipped .git directory is preserved (with core.bare unset and a generated
index) so the git CLI still works inside the checkout. Object SHAs change since
the tar is rebuilt differently, but the contents are the same.
https://claude.ai/code/session_01Jfhuuwb5haNaasc9hs53jw