From 81d0fdc4b2e9f3ca8f2ff971443c56f04ead3040 Mon Sep 17 00:00:00 2001
From: Ryan VanGundy <ryan.vangundy+rmvangun@gmail.com>
Date: Fri, 25 Jul 2025 21:38:05 -0400
Subject: [PATCH] ci(release): Pin latest core semver on release

Pinned releases now automatically pin themselves to the latest semver from the core repository. This mechanism assumes that significant changes to core will always be released before releasing a new version of the CLI. Furthermore, pinned combinations should be tested via integration tests.
---
 .github/workflows/ci.yaml        | 13 +++++++++++++
 .goreleaser.yaml                 |  1 +
 pkg/constants/constants.go       | 15 ++++++++++++++-
 pkg/pipelines/init.go            |  5 +++--
 pkg/template/jsonnet_template.go |  2 +-
 5 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 482652559..d8ac16aef 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -174,6 +174,19 @@ jobs:
           fi
         shell: bash
 
+      - name: Fetch latest core version
+        id: core_version
+        run: |
+          # Fetch the latest release tag from windsorcli/core
+          LATEST_TAG=$(curl -s "https://api.github.com/repos/windsorcli/core/releases/latest" | jq -r '.tag_name')
+          if [ "$LATEST_TAG" = "null" ] || [ -z "$LATEST_TAG" ]; then
+            echo "Warning: Could not fetch latest core version, using fallback"
+            LATEST_TAG="latest"
+          fi
+          echo "Found latest core version: $LATEST_TAG"
+          echo "PINNED_BLUEPRINT_URL=oci://ghcr.io/windsorcli/core:$LATEST_TAG" >> $GITHUB_ENV
+        shell: bash
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
         with:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 5a69e94d2..a1ec37e39 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -25,6 +25,7 @@ builds:
       - "-X 'github.com/{{ .Env.GITHUB_REPOSITORY }}/cmd.version={{ .Version }}'"
       - "-X 'github.com/{{ .Env.GITHUB_REPOSITORY }}/pkg/secrets.version={{ .Version }}'"
       - "-X 'github.com/{{ .Env.GITHUB_REPOSITORY }}/cmd.commitSHA={{ .Env.GITHUB_SHA }}'"
+      - "-X 'github.com/{{ .Env.GITHUB_REPOSITORY }}/pkg/constants.PinnedBlueprintURL={{ .Env.PINNED_BLUEPRINT_URL }}'"
 
 # Archive configuration
 archives:
diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
index 915b1c53e..57146c7e5 100644
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@@ -100,5 +100,18 @@ const (
 
 // Default OCI blueprint settings
 const (
-	DEFAULT_OCI_BLUEPRINT_URL = "oci://ghcr.io/windsorcli/core:v0.5.0"
+	DEFAULT_OCI_BLUEPRINT_URL = "oci://ghcr.io/windsorcli/core:latest"
 )
+
+// Build-time variable for pinned blueprint URL (set via ldflags)
+var PinnedBlueprintURL = ""
+
+// GetEffectiveBlueprintURL returns the pinned blueprint URL if set at build time,
+// otherwise returns the default blueprint URL. This allows for different behavior
+// between development builds (using :latest) and release builds (using pinned versions).
+func GetEffectiveBlueprintURL() string {
+	if PinnedBlueprintURL != "" {
+		return PinnedBlueprintURL
+	}
+	return DEFAULT_OCI_BLUEPRINT_URL
+}
diff --git a/pkg/pipelines/init.go b/pkg/pipelines/init.go
index 778184d25..e45bc7874 100644
--- a/pkg/pipelines/init.go
+++ b/pkg/pipelines/init.go
@@ -460,7 +460,8 @@ func (p *InitPipeline) prepareTemplateData(ctx context.Context) (map[string][]by
 	}
 
 	if p.artifactBuilder != nil {
-		ociInfo, err := artifact.ParseOCIReference(constants.DEFAULT_OCI_BLUEPRINT_URL)
+		effectiveBlueprintURL := constants.GetEffectiveBlueprintURL()
+		ociInfo, err := artifact.ParseOCIReference(effectiveBlueprintURL)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse default blueprint reference: %w", err)
 		}
@@ -468,7 +469,7 @@ func (p *InitPipeline) prepareTemplateData(ctx context.Context) (map[string][]by
 		if err != nil {
 			return nil, fmt.Errorf("failed to get template data from default blueprint: %w", err)
 		}
-		p.fallbackBlueprintURL = constants.DEFAULT_OCI_BLUEPRINT_URL
+		p.fallbackBlueprintURL = effectiveBlueprintURL
 		return templateData, nil
 	}
 
diff --git a/pkg/template/jsonnet_template.go b/pkg/template/jsonnet_template.go
index 223e9543f..12d3a25ae 100644
--- a/pkg/template/jsonnet_template.go
+++ b/pkg/template/jsonnet_template.go
@@ -114,7 +114,7 @@ func (t *JsonnetTemplate) processJsonnetTemplate(templateContent string) (map[st
 	vm := t.shims.NewJsonnetVM()
 	vm.ExtCode("helpers", t.buildHelperLibrary())
 	vm.ExtCode("context", string(contextJSON))
-	vm.ExtCode("ociUrl", fmt.Sprintf("%q", constants.DEFAULT_OCI_BLUEPRINT_URL))
+	vm.ExtCode("ociUrl", fmt.Sprintf("%q", constants.GetEffectiveBlueprintURL()))
 
 	result, err := vm.EvaluateAnonymousSnippet("template.jsonnet", templateContent)
 	if err != nil {