From a9493e1ae711705238ba5cb5a17d28ea999e335e Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Sat, 4 Jul 2026 16:17:11 +0200 Subject: [PATCH] fix(talos): accept the actions publish-app identity at node image verification The shared publish-app.yaml workflow moved from reusable-workflows into actions (actions#425); the Talos ImageVerificationConfig catch-all still pinned the old identity, so every newly published app image fails node-level pull verification (ImagePullBackOff). Alternate both identities, same transition as the Flux OCIRepository verify blocks and verify-app-images. Co-Authored-By: Claude Fable 5 --- talos/cluster/image-verification.yaml | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/talos/cluster/image-verification.yaml b/talos/cluster/image-verification.yaml index 06c4ea3b1..c3e39bf8c 100644 --- a/talos/cluster/image-verification.yaml +++ b/talos/cluster/image-verification.yaml @@ -13,9 +13,11 @@ # ksail's OWN release pipeline (devantler-tech/ksail .github/workflows/ # cd.yaml; see that repo's GoReleaser `docker_signs` step). # 2. the app images (wedding-app, ascoachingogvaner, …) are signed by the -# shared reusable workflow reusable-workflows/.github/workflows/ -# publish-app.yaml — the SAME identity their Flux OCIRepository verify -# blocks already pin. +# shared publish-app.yaml workflow — now in devantler-tech/actions +# (moved from reusable-workflows, actions#425); both identities stay +# accepted until every app has published a fresh actions-signed image — +# the SAME transition alternation their Flux OCIRepository verify blocks +# and the verify-app-images ImageValidatingPolicy already pin. # Talos evaluates rules in order, first match wins, so the specific ksail rule # MUST precede the ghcr.io/devantler-tech/* catch-all. # @@ -60,8 +62,16 @@ rules: keyless: issuer: https://token.actions.githubusercontent.com subjectRegex: ^https://github\.com/devantler-tech/provider-upjet-[a-z0-9-]+/\.github/workflows/publish-provider-package\.yml@.+$ - # First-party APP images signed by reusable-workflows/publish-app.yaml. + # First-party APP images signed by the shared publish-app.yaml workflow. + # publish-app.yaml moved from devantler-tech/reusable-workflows into + # devantler-tech/actions (actions#425): images published after the move + # carry the actions identity, which this rule's old reusable-workflows-only + # regex rejected at the node pull layer (ImagePullBackOff on every new app + # release). Accept BOTH identities until every app has published a fresh + # actions-signed image, then narrow to actions-only — the same transition + # alternation as the apps' Flux OCIRepository verify blocks and the + # verify-app-images ImageValidatingPolicy. - image: ghcr.io/devantler-tech/* keyless: issuer: https://token.actions.githubusercontent.com - subjectRegex: ^https://github\.com/devantler-tech/reusable-workflows/\.github/workflows/publish-app\.yaml@.+$ + subjectRegex: ^https://github\.com/devantler-tech/(actions|reusable-workflows)/\.github/workflows/publish-app\.yaml@.+$