feat: accept devantler-tech/actions cosign subjects during the publish-workflow repoint#2399
Conversation
…sh-workflow repoint The publish-manifests/publish-app reusable workflows are moving from reusable-workflows into actions (actions#425); cosign OIDC subjects are the signing workflow's path, so each artifact verifier must accept the new path BEFORE its producer repoints, or verification breaks at the next tag. Both subjects accepted during the transition; drop the old entries once actions-signed artifacts have shipped. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
📝 WalkthroughWalkthroughThree Flux OCIRepository manifests were updated to expand or replace the ChangesOIDC subject allowlist migration
Estimated code review effort: 1 (Trivial) | ~5 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@k8s/bases/apps/ascoachingogvaner/oci-repository.yaml`:
- Around line 25-26: The OIDC subject matcher for the `publish-app.yaml`
workflow is too broad because `@.+` accepts any ref from
`devantler-tech/actions`. Tighten the regex in the `oci-repository.yaml` trust
policy so the `subject` in the `issuer`/`subject` rule only matches the intended
tag or branch ref for `publish-app.yaml`, using the existing matcher block as
the place to update.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 70e67deb-0781-430c-8de6-c8cdb1411c2b
📒 Files selected for processing (3)
k8s/bases/apps/ascoachingogvaner/oci-repository.yamlk8s/bases/apps/github-config/oci-repository.yamlk8s/bases/apps/wedding-app/oci-repository.yaml
📜 Review details
⏰ Context from checks skipped due to timeout. (3)
- GitHub Check: 🧪 Validate Manifests
- GitHub Check: Analyze (python)
- GitHub Check: Analyze (python)
🧰 Additional context used
📓 Path-based instructions (3)
k8s/bases/**/*.yaml
📄 CodeRabbit inference engine (AGENTS.md)
Do not modify resources under
k8s/bases/directly from overlays; use Kustomizepatches:in overlays instead.
Files:
k8s/bases/apps/wedding-app/oci-repository.yamlk8s/bases/apps/github-config/oci-repository.yamlk8s/bases/apps/ascoachingogvaner/oci-repository.yaml
k8s/**/*.yaml
📄 CodeRabbit inference engine (AGENTS.md)
Use one Kubernetes resource per file, except for the explicitly whitelisted vendored operator bundles.
Files:
k8s/bases/apps/wedding-app/oci-repository.yamlk8s/bases/apps/github-config/oci-repository.yamlk8s/bases/apps/ascoachingogvaner/oci-repository.yaml
k8s/**/*.{yaml,yml}
📄 CodeRabbit inference engine (AGENTS.md)
Name component-folder files after the resource Kind in kebab-case, and use
‹kind›-‹purpose›.yamlwhen a folder contains more than one resource of the same Kind.
Files:
k8s/bases/apps/wedding-app/oci-repository.yamlk8s/bases/apps/github-config/oci-repository.yamlk8s/bases/apps/ascoachingogvaner/oci-repository.yaml
🧠 Learnings (1)
📚 Learning: 2026-07-01T21:13:36.950Z
Learnt from: devantler
Repo: devantler-tech/platform PR: 2359
File: k8s/bases/apps/actual-budget/helm-release.yaml:62-111
Timestamp: 2026-07-01T21:13:36.950Z
Learning: When reviewing Kustomize/Helm YAML in this repo, keep the base vs provider overlay split: `k8s/bases/apps/**` and `k8s/bases/infrastructure/**` should contain each app’s full, environment-agnostic configuration (including base-level postRenderer Kustomize patches such as deployment strategy, topology spread, probes, and env injection). `k8s/providers/{docker,hetzner}/**` should only add small provider-specific deltas (e.g., `interval`, `persistence.size`) via patch files (like `k8s/providers/<provider>/apps/<app>/patches/helm-release-patch.yaml`). If configuration is identical across providers (e.g., OIDC/OAuth env vars where `${domain}` is resolved per cluster via envsubst), it belongs in the base and must not be duplicated into provider overlays.
Applied to files:
k8s/bases/apps/wedding-app/oci-repository.yamlk8s/bases/apps/github-config/oci-repository.yamlk8s/bases/apps/ascoachingogvaner/oci-repository.yaml
🔇 Additional comments (2)
k8s/bases/apps/wedding-app/oci-repository.yaml (1)
25-26: 🔒 Security & PrivacyNo change needed here; the broader
@.+subject is intentional during the workflow migration and can be removed once the old signer is retired.k8s/bases/apps/github-config/oci-repository.yaml (1)
38-39: 🔒 Security & PrivacyClarify the trusted ref scope for
devantler-tech/actions@.+accepts any branch or tag forpublish-manifests.yaml; if this workflow should only be trusted from a fixed ref, pin it here.
|
🎉 This PR is included in version 1.95.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
Why
Deployed artifacts are verified against where they were signed. Our signing workflows are moving homes (actions#425) — if a repo moves before the platform trusts the new home, its next release is rejected and its deployment stops.
What
Trusts artifacts signed from both the old and new home during the migration (org-config, wedding-app, AS Coaching). A follow-up drops the old home once everything has moved.