# Upstream sources — bluesky-pds

| service | image | source repo | releases / changelog |
|---------|-------|-------------|----------------------|
| app | ghcr.io/bluesky-social/pds | https://github.com/bluesky-social/pds | git tags `vX.Y.Z` (no GitHub Releases objects — `releases/latest` 404s) |
| caddy | docker.io/caddy:2 | https://github.com/caddyserver/caddy | https://github.com/caddyserver/caddy/releases |

## Standing notes (researched 2026-06-11, bsky phase)

- **`:0.4` is a MOVING tag that now tracks upstream main, not the 0.4.x release line.**
  As of 2026-06-11, `ghcr.io/bluesky-social/pds:0.4` == `latest` (manifest digest
  `sha256:871194d2…`, created 2026-05-30) and contains `@atproto/pds` **0.5.1** on
  **Node v24.15.0** with the service restructured to run TypeScript directly:
  `CMD ["node", "--enable-source-maps", "index.ts"]`, `/app/index.ts` (NO `index.js`),
  plus a bundled `goat` CLI at /usr/local/bin/goat. This matches the current `main`
  Dockerfile (`FROM node:24.15-alpine3.23`, `COPY ./service`, CMD index.ts).
  Any recipe override that assumes `/app/index.js` crash-loops MODULE_NOT_FOUND on it.
- **Exact-version tags — two eras:**
  - **Through `0.4.219`** (old scheme, `FROM node:20.20`, CMD `index.js`): `@atproto/pds: 0.4.219`,
    WORKDIR `/app`, `/app/index.js` present, `dumb-init` at /usr/bin/dumb-init,
    `CMD ["node", "--enable-source-maps", "index.js"]`. Exact tags in this era:
    …0.4.135, 0.4.136, 0.4.138, 0.4.158, 0.4.169, 0.4.182, 0.4.188, 0.4.193, 0.4.204,
    0.4.208, 0.4.219.
  - **`0.4.5001` onward** (new scheme, `FROM node:24`, CMD `index.ts`): The unusual tag is the new
    PDS versioning format (`<base 0.4>.<minor><patch padded to 3>` = 50.01 → `5001`). This is
    `@atproto/pds` 0.5.1, Node v24, service restructured to run TypeScript directly (`index.ts`).
    Image built 2026-05-30, revision `eb46a2e`. Validated GREEN by cc-ci tests
    (health_check, goat_account, subdomain_tls) in upgrade PR #3 (2026-06-17).
    **The recipe's `entrypoint.sh.tmpl` must exec `index.ts` (not `index.js`) for this tag.**
    Note: (earlier versions of this file flagged `0.4.5001` as "anomalous/mis-tag" — that was
    incorrect; it is the new versioning scheme.)
- **Env interface stable across 0.4.x:** the recipe's env (PDS_HOSTNAME,
  PDS_DATA_DIRECTORY, PDS_BLOBSTORE_DISK_LOCATION, PDS_BLOB_UPLOAD_LIMIT,
  PDS_EMAIL_SMTP_URL, PDS_EMAIL_FROM_ADDRESS, PDS_INVITE_REQUIRED, LOG_ENABLED) and
  secret-fed vars (PDS_JWT_SECRET, PDS_ADMIN_PASSWORD,
  PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX) are the same set upstream's installer
  (`installer.sh` / compose.yaml on the pds repo) uses for 0.4.x. No migrations
  required for a same-series re-pin.
- **Pin guidance:** always pin an EXACT version tag (e.g. `0.4.219`); never `:0.4`
  or `latest` — upstream demonstrably republishes the minor tag with main builds.
  Health endpoint: `GET /xrpc/_health` on port 3000 (unchanged).