From 4cdb9d92dc5ecb9f10381188085fb1386c28c0d4 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Fri, 3 Jul 2026 07:16:38 +0200 Subject: [PATCH] fix: express the transitional signing subjects as one regex-alternated identity MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit cosign's keyless attestation verification rejects more than one matchOIDCIdentity entry ('unsupported: multiple identities are not supported at this time'), so #2399's second entry broke verification for all three tenant OCIRepositories and froze the apps layer. Collapse the two entries into one whose subject regex alternates (reusable-workflows|actions) — same trust set, single identity. Co-Authored-By: Claude Fable 5 --- .../apps/ascoachingogvaner/oci-repository.yaml | 13 +++++++------ k8s/bases/apps/github-config/oci-repository.yaml | 15 ++++++++------- k8s/bases/apps/wedding-app/oci-repository.yaml | 13 +++++++------ 3 files changed, 22 insertions(+), 19 deletions(-) diff --git a/k8s/bases/apps/ascoachingogvaner/oci-repository.yaml b/k8s/bases/apps/ascoachingogvaner/oci-repository.yaml index d90dcc5e4..88c66ddee 100644 --- a/k8s/bases/apps/ascoachingogvaner/oci-repository.yaml +++ b/k8s/bases/apps/ascoachingogvaner/oci-repository.yaml @@ -16,11 +16,12 @@ spec: verify: provider: cosign matchOIDCIdentity: - - issuer: '^https://token\.actions\.githubusercontent\.com$' - subject: '^https://github\.com/devantler-tech/reusable-workflows/\.github/workflows/publish-app\.yaml@.+$' # publish-app.yaml is moving from devantler-tech/reusable-workflows into - # devantler-tech/actions (actions#425 consumer repoint); both subjects are - # accepted during the transition — drop the reusable-workflows entry once - # the first actions-signed artifact has been published and verified. + # devantler-tech/actions (actions#425 consumer repoint); both repo + # subjects are accepted via ONE regex-alternated entry — cosign's keyless + # attestation verification rejects MULTIPLE identity entries outright + # ("unsupported: multiple identities are not supported at this time"). + # Narrow the alternation to actions-only once the first actions-signed + # artifact has been published and verified. - issuer: '^https://token\.actions\.githubusercontent\.com$' - subject: '^https://github\.com/devantler-tech/actions/\.github/workflows/publish-app\.yaml@.+$' + subject: '^https://github\.com/devantler-tech/(reusable-workflows|actions)/\.github/workflows/publish-app\.yaml@.+$' diff --git a/k8s/bases/apps/github-config/oci-repository.yaml b/k8s/bases/apps/github-config/oci-repository.yaml index 03834f342..9125017e1 100644 --- a/k8s/bases/apps/github-config/oci-repository.yaml +++ b/k8s/bases/apps/github-config/oci-repository.yaml @@ -29,11 +29,12 @@ spec: # the cosign OIDC subject is the reusable workflow's path, NOT .github's # own cd.yaml — same convention as the publish-app.yaml-signed app # artifacts. The workflow is moving from devantler-tech/reusable-workflows - # into devantler-tech/actions (actions#425 consumer repoint); both - # subjects are accepted during the transition — drop the - # reusable-workflows entry once the first actions-signed artifact has - # been published and verified. + # into devantler-tech/actions (actions#425 consumer repoint); both repo + # subjects are accepted via ONE regex-alternated entry — cosign's keyless + # attestation verification rejects MULTIPLE identity entries outright + # ("unsupported: multiple identities are not supported at this time"), so + # the transition must be expressed inside a single subject regex. Narrow + # the alternation to actions-only once the first actions-signed artifact + # has been published and verified. - issuer: '^https://token\.actions\.githubusercontent\.com$' - subject: '^https://github\.com/devantler-tech/reusable-workflows/\.github/workflows/publish-manifests\.yaml@.+$' - - issuer: '^https://token\.actions\.githubusercontent\.com$' - subject: '^https://github\.com/devantler-tech/actions/\.github/workflows/publish-manifests\.yaml@.+$' + subject: '^https://github\.com/devantler-tech/(reusable-workflows|actions)/\.github/workflows/publish-manifests\.yaml@.+$' diff --git a/k8s/bases/apps/wedding-app/oci-repository.yaml b/k8s/bases/apps/wedding-app/oci-repository.yaml index 224e79cc3..e6af33828 100644 --- a/k8s/bases/apps/wedding-app/oci-repository.yaml +++ b/k8s/bases/apps/wedding-app/oci-repository.yaml @@ -16,11 +16,12 @@ spec: verify: provider: cosign matchOIDCIdentity: - - issuer: '^https://token\.actions\.githubusercontent\.com$' - subject: '^https://github\.com/devantler-tech/reusable-workflows/\.github/workflows/publish-app\.yaml@.+$' # publish-app.yaml is moving from devantler-tech/reusable-workflows into - # devantler-tech/actions (actions#425 consumer repoint); both subjects are - # accepted during the transition — drop the reusable-workflows entry once - # the first actions-signed artifact has been published and verified. + # devantler-tech/actions (actions#425 consumer repoint); both repo + # subjects are accepted via ONE regex-alternated entry — cosign's keyless + # attestation verification rejects MULTIPLE identity entries outright + # ("unsupported: multiple identities are not supported at this time"). + # Narrow the alternation to actions-only once the first actions-signed + # artifact has been published and verified. - issuer: '^https://token\.actions\.githubusercontent\.com$' - subject: '^https://github\.com/devantler-tech/actions/\.github/workflows/publish-app\.yaml@.+$' + subject: '^https://github\.com/devantler-tech/(reusable-workflows|actions)/\.github/workflows/publish-app\.yaml@.+$'