From 6ebb71ccf137a917826b6db5eb79808577ae9744 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Fri, 3 Jul 2026 03:37:37 +0200 Subject: [PATCH 1/2] ci: repoint reusable workflows to devantler-tech/actions v8.0.0 Part of devantler-tech/actions#425 (consumer migration off the legacy reusable-workflows repo). Co-Authored-By: Claude Fable 5 --- .github/workflows/cd.yaml | 2 +- .github/workflows/release.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml index dbe4778..2d7f75e 100644 --- a/.github/workflows/cd.yaml +++ b/.github/workflows/cd.yaml @@ -35,6 +35,6 @@ jobs: # Renovate manages this pin, as it does for publish-app.yaml elsewhere. # The platform verifier matches `@.+$`, so the ref does not affect cosign # verification. - uses: devantler-tech/reusable-workflows/.github/workflows/publish-manifests.yaml@f974f62a8cb396130fa084d209ad1fc17e99b9fc # v5.6.1 + uses: devantler-tech/actions/.github/workflows/publish-manifests.yaml@061b345a7351b0caf23055caea63ccd08b75e20e # v8.0.0 with: oci-name: devantler-tech/github-config diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a61cfd9..0fc9722 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -13,6 +13,6 @@ permissions: jobs: release: - uses: devantler-tech/reusable-workflows/.github/workflows/create-release.yaml@c830916321473ec23bb612e41de963b9b01af897 # v5.6.6 + uses: devantler-tech/actions/.github/workflows/create-release.yaml@061b345a7351b0caf23055caea63ccd08b75e20e # v8.0.0 secrets: APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} From 27d4cbcbf3a2f1cbc34b569ef15c77bc6a4720e9 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Fri, 3 Jul 2026 04:05:56 +0200 Subject: [PATCH 2/2] docs(cd): update OIDC-subject note to the actions-hosted signing workflow CodeRabbit nitpick on this PR; also fixes the stale platform file pointer and records the platform-verifier-first merge ordering. Co-Authored-By: Claude Fable 5 --- .github/workflows/cd.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml index 2d7f75e..ccc2b20 100644 --- a/.github/workflows/cd.yaml +++ b/.github/workflows/cd.yaml @@ -3,7 +3,7 @@ name: 🚀 CD # Publishes the org's declarative GitHub state (deploy/) as a cosign-signed OCI # artifact consumed by the platform cluster's `github-config` tenant. There is # NO container image here — only manifests — so it delegates to the shared -# manifests-only publish workflow in devantler-tech/reusable-workflows (the +# manifests-only publish workflow in devantler-tech/actions (the # manifests-only sibling of publish-app.yaml). # # The OCI path is `github-config` (not the repo name) because `.github` is an @@ -11,10 +11,12 @@ name: 🚀 CD # # Because signing runs INSIDE the reusable workflow, the cosign certificate # identity (OIDC subject) is that workflow's path — -# https://github.com/devantler-tech/reusable-workflows/.github/workflows/publish-manifests.yaml@ +# https://github.com/devantler-tech/actions/.github/workflows/publish-manifests.yaml@ # — NOT this repo's cd.yaml. The platform `github-config` OCIRepository's # verify.matchOIDCIdentity.subject must match that (see -# k8s/providers/hetzner/github/sync.yaml in devantler-tech/platform). +# k8s/bases/apps/github-config/oci-repository.yaml in devantler-tech/platform), +# so this repo's workflow-source swap MUST land only after the platform +# verifier accepts the devantler-tech/actions subject. on: push: