fix(apps): express the cosign transition as one identity — Flux rejects multiple#2406
fix(apps): express the cosign transition as one identity — Flux rejects multiple#2406devantler wants to merge 1 commit into
Conversation
…ts multiple Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (3)
📜 Recent review details🧰 Additional context used📓 Path-based instructions (3)k8s/bases/**/*.yaml📄 CodeRabbit inference engine (AGENTS.md)
Files:
k8s/**/*.yaml📄 CodeRabbit inference engine (AGENTS.md)
Files:
k8s/**/*.{yaml,yml}📄 CodeRabbit inference engine (AGENTS.md)
Files:
🧠 Learnings (2)📚 Learning: 2026-07-01T21:13:36.950ZApplied to files:
📚 Learning: 2026-07-03T03:44:11.507ZApplied to files:
🔇 Additional comments (3)
📝 WalkthroughWalkthroughThree Flux ChangesCosign OIDC identity consolidation
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related issues
Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Closing as a duplicate of #2404 — a parallel session root-caused the same breakage and shipped the identical fix (one alternation-regex identity per tenant OCIRepository) minutes earlier; #2404 is already CR-approved, promoted, and queued. Parallel-race rule: the first PR wins, the duplicate closes. |
Why
All three tenant artifact sources (wedding-app, ascoachingogvaner, github-config) stopped verifying on prod right after #2399: Flux's cosign verifier accepts exactly one signing identity, so the transitional second entry broke verification outright (
unsupported: multiple identities are not supported at this time). Theappslayer can no longer pull tenant updates, and this is failing merge-queue deploys (evicted #2400's first run).What
Collapses each pair of identities into one entry whose subject pattern accepts both the old and the new signing workflow — the same trust set #2399 intended, in a form Flux supports. The narrowing step (drop the old path once actions-signed artifacts verify) stays as planned; tightening the ref matcher stays tracked in #2402.
Merge-order note: land ASAP — the merge queue keeps evicting PRs on the failed apps health check until this applies.