fix: auto-cleanup targets newly pulled images instead of old ones

[Aureliolo]

Summary

• pullAndPersist saved new VerifiedDigests to disk but didn't return them to the caller. updateContainerImages built updatedState with the new ImageTag but stale digests, so collectCurrentImageIDs resolved old image IDs as "current". Both keep sets pointed at old images, leaving the just-pulled (in-use) images as cleanup candidates -- causing synthorg update to try removing the images it just pulled (all skipped with "in use").
• Return digest pins from pullAndPersist so the caller propagates them into updatedState before auto-cleanup runs.

Test plan

• go -C cli vet ./... passes
• go -C cli test ./... passes
• go -C cli build succeeds
• Run synthorg update with auto_cleanup: true -- verify new images are kept and only genuinely old images are removed

🤖 Generated with Claude Code

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2f727de1-0a9f-4573-ae6f-23854c503f5f

📥 Commits

Reviewing files that changed from the base of the PR and between 70f1c97 and 2967aa3.

📒 Files selected for processing (1)

• cli/cmd/update.go

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: CLI Test (windows-latest)
• GitHub Check: CLI Test (macos-latest)
• GitHub Check: Dependency Review
• GitHub Check: Analyze (python)

🧰 Additional context used

📓 Path-based instructions (1)

cli/**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

Go CLI: golangci-lint + go vet checked in pre-commit hooks and CI (conditional on cli/**/*.go changes)

Files:

• cli/cmd/update.go

🧠 Learnings (1)

📓 Common learnings

Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T18:17:43.675Z
Learning: Dependabot: auto-updates Docker image digests and versions daily.

🔇 Additional comments (3)

cli/cmd/update.go (3)

322-327: LGTM! Correctly propagates the updated state with new digests.

This fix addresses the root cause: previously the caller built updatedState locally with stale digests, causing autoCleanupOldImages to identify old images as "current" via collectCurrentImageIDs. Now the caller receives the persisted state with correct VerifiedDigests directly from pullAndPersist.

---

390-391: Good refactor: returning the persisted state eliminates duplicated state construction.

The updated signature and documentation clearly communicate that callers receive the canonical persisted state, preventing the previous bug where state was constructed inconsistently in multiple places.

---

420-437: Correct control flow: error paths return original state, success returns persisted state.

The error handling is sound:

• On verification/pull/save failure, rollback restores compose.yml and returning the original state maintains consistency (caller discards it anyway since it returns the error).
• On success, the returned updatedState contains the VerifiedDigests from digestPins (line 432), which is the critical fix ensuring collectCurrentImageIDs resolves to newly pulled images rather than stale ones.

---

Walkthrough

The pullAndPersist function in cli/cmd/update.go now returns (config.State, error) instead of only error. On failure paths that trigger rollback it returns the original incoming state paired with the error; on success it returns an updatedState containing the new ImageTag and VerifiedDigests. updateContainerImages no longer constructs updatedState locally and forwards the state returned by pullAndPersist into postPullActions.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: fixing auto-cleanup to target old images instead of newly pulled ones, which directly addresses the bug documented in the PR description.
Description check	✅ Passed	The description clearly explains the bug, root cause, and solution, demonstrating strong correlation with the changeset's scope and intent.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 40.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 2967aa3.

Ensure that dependencies are being submitted on PR branches. Re-running this action after a short time may resolve the issue. See the documentation for more information and troubleshooting advice.

Scanned Files

None

[gemini-code-assist]

Code Review

This pull request updates the pullAndPersist function to return verified digest pins, which are then stored in the application state. The review suggests refactoring the function to return the entire config.State object instead of just the digest pins, which would centralize state construction and simplify the calling code in updateContainerImages.

[gemini-code-assist]

Instead of returning just digestPins, consider returning the entire updatedState (config.State) from this function. This would encapsulate the state creation logic within pullAndPersist and prevent the caller (updateContainerImages) from needing to reconstruct the state, reducing code duplication.

The function signature would become func pullAndPersist(...) (config.State, error). Then, updateContainerImages could be simplified:

// in updateContainerImages
updatedState, err := pullAndPersist(ctx, cmd, info, state, tag, safeDir, preserveCompose)
if err != nil {
    return err
}
return postPullActions(cmd, info, safeDir, state, updatedState, previousIDs)

This would make the code more maintainable by ensuring that the logic for creating the updated state lives in only one place.