chore(deploy): pin musubi-core to v1.10.2 signed digest #371

Merged: ericmey merged 1 commit into main from chore/auto-pin-v1.10.2 on May 18, 2026

@ericmey ericmey commented May 18, 2026

chore(deploy): pin musubi-core to v1.10.2 signed digest

Automated by .github/workflows/auto-digest-bump.yml in response to the v1.10.2 release.

Supply-chain attestations

  • cosign keyless signature via GitHub OIDC
  • CycloneDX SBOM attached as a cosign attestation
  • Trivy vulnerability scan — 0 CRITICAL (gate in publish-core-image.yml)

Verify before deploy

cosign verify \
  --certificate-identity-regexp 'https://github.com/ericmey/musubi/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/ericmey/musubi-core@sha256:66a6749c068d8a7f29fba69fb0d4e72b22cbab4cac307192fc071735361a42a1

After merge

# From the ansible control host:
cd ~/musubi
git pull origin main
ANSIBLE_VAULT_PASSWORD_FILE=~/ansible/.vault_pass \
  ansible-playbook \
    -i deploy/ansible/inventory.yml \
    -e @~/.musubi-secrets/inventory-vars.yml \
    -e @~/.musubi-secrets/vault.yml \
    -e 'changed_services=["core","lifecycle-worker"]' \
    deploy/ansible/update.yml

No tracking Issue: auto-generated release digest pin.

Automated by .github/workflows/auto-digest-bump.yml in response
to the v1.10.2 release. The image has been cosign-signed,
SBOM-attested, and Trivy-scanned by publish-core-image.yml —
verify before deploy:

    cosign verify \
      --certificate-identity-regexp 'https://github.com/ericmey/musubi/.*' \
      --certificate-oidc-issuer https://token.actions.githubusercontent.com \
      ghcr.io/ericmey/musubi-core@sha256:66a6749c068d8a7f29fba69fb0d4e72b22cbab4cac307192fc071735361a42a1

No tracking Issue: auto-generated release digest pin.
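
A pre-deploy gate built around the verify step quoted above, as an added example that is not part of this PR or the musubi repository. The function names are hypothetical; the identity pattern, issuer and attestation type are the ones the PR text states, and `cosign verify-attestation --type cyclonedx` is assumed to match how the SBOM was attached.

```shell
#!/bin/sh
# Added example (not project code): refuse to deploy unless the image reference
# is digest-pinned AND both the signature and the SBOM attestation verify.

# Defaults are the values quoted in the PR. The default pattern accepts any
# workflow and ref in the repository; export a tighter IDENTITY_RE that names
# the publishing workflow if the signing identity should be narrower.
: "${IDENTITY_RE:=https://github.com/ericmey/musubi/.*}"
: "${ISSUER:=https://token.actions.githubusercontent.com}"

# Succeeds only for <name>@sha256:<64 lowercase hex chars>. Tag-only references
# are rejected because a tag can be re-pointed after it was verified.
is_digest_pinned() {
  case "$1" in
    *@sha256:*) ;;
    *) return 1 ;;
  esac
  digest=${1##*@sha256:}
  [ "${#digest}" -eq 64 ] || return 1
  case "$digest" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# Return codes: 0 ok, 2 not digest-pinned, 3 signature check failed,
# 4 CycloneDX attestation check failed.
# Needs cosign on PATH and network access to the registry.
verify_image() {
  ref=$1
  is_digest_pinned "$ref" || { echo "refusing unpinned ref: $ref" >&2; return 2; }
  cosign verify \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-oidc-issuer "$ISSUER" \
    "$ref" >/dev/null || return 3
  cosign verify-attestation --type cyclonedx \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-oidc-issuer "$ISSUER" \
    "$ref" >/dev/null || return 4
}

# Usage on the control host, before running the playbook:
#   verify_image "ghcr.io/ericmey/musubi-core@sha256:<digest>" || exit 1
```

Source the file and call `verify_image` with the pinned reference; a non-zero return should stop the deploy before `ansible-playbook` runs.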
Copilot AI review requested due to automatic review settings May 18, 2026 11:33
@ericmey ericmey enabled auto-merge (squash) May 18, 2026 11:33

Copilot AI left a comment

Pull request overview

Pins the deployed Musubi Core container image to the immutable, cosign-signed digest corresponding to the v1.10.2 release, ensuring production deployments track the exact published artifact.

Changes:

  • Update musubi_core_image to the v1.10.2 GHCR digest.
  • Bump musubi_core_version to v1.10.2 to keep dashboards/spans aligned with the deployed image.

@ericmey ericmey merged commit a082cf3 into main May 18, 2026
2 checks passed
@ericmey ericmey deleted the chore/auto-pin-v1.10.2 branch May 18, 2026 11:34