Skip to content

Make root OCI publication verified and atomic before moving latest #2627

Description

@devantler

🤖 Generated by the Codex Daily AI Engineer instance.

Problem

Production's root Flux OCIRepository tracks ghcr.io/devantler-tech/platform/manifests:latest every minute, but live spec.verify is null. The intended keyless Cosign policy is nested at spec.cluster.verify in ksail.prod.yaml; KSail v7.167 reads spec.workload.flux.verify, so the unknown field is silently ignored.

The production deploy currently moves mutable latest before signing and attesting it. With verification disabled, Flux can fetch an unsigned artifact immediately after push. Even after the verify config is corrected, Flux can fetch after signing but before provenance/SBOM attestations complete. The DR rebuild is coupled to the same defect: it pushes an unsigned artifact, lacks id-token: write, and its workflow identity is not in the intended allow-list, so simply moving verify would make a clean DR reconcile fail.

Live evidence on 2026-07-13: root source ref.tag=latest, interval=1m0s, spec.verify=null, Ready on the current main artifact. This is pre-existing and separate from the GHCR credential propagation fix in #2625.

Proposed direction

  • Move the Cosign configuration to the KSail-supported spec.workload.flux.verify path and add a rendered/live-shape regression that fails if root verification is absent.
  • Make publication atomic from Flux's perspective: publish to an immutable staging reference, sign and attest it, then promote/repoint latest; or suspend/repoint the root source with explicit failure recovery until the complete supply-chain bundle exists.
  • Give DR a valid signed-artifact path (id-token: write plus a narrowly allowed DR identity), or have DR consume an already signed immutable artifact instead of publishing unsigned bytes.
  • Prove normal merge-group, manual CD, failed delivery, and from-zero DR behavior.

Acceptance criteria

  • The live root OCIRepository has non-null Cosign verification with only the intended production identities.
  • Flux cannot observe a new artifact until signature and required attestations are complete.
  • Any failed push/sign/attest leaves the last verified artifact active.
  • DR can rebuild from zero without weakening verification and finishes on a signed, allowed artifact.
  • Static tests validate config nesting, workflow permissions/identity, and publication ordering.

Rough size: medium; coordinate the KSail config correction, publication transaction, and DR signer path in one rollout so no intermediate state breaks production or recovery.

Related: #2613, #2625

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions