Skip to content

fix(deploy): synchronize production GHCR pull auth#2625

Draft
devantler wants to merge 16 commits into
mainfrom
codex/fix-ghcr-credential-refresh-2613
Draft

fix(deploy): synchronize production GHCR pull auth#2625
devantler wants to merge 16 commits into
mainfrom
codex/fix-ghcr-credential-refresh-2613

Conversation

@devantler

@devantler devantler commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

🤖 Generated by the Codex Daily AI Engineer instance.

Summary

  • make the Git/SOPS Docker config authoritative for every production pull path: root Flux, tenant workloads, Kyverno verification, and Talos hosts
  • fail closed unless the credential performs real registry reads for all seven exact private targets
  • synchronize stale Talos nodes workers-first with RegistryAuthConfig → exact image pull → verified revision, then synchronize and verify the Kubernetes/OpenBao fan-out
  • keep the Actions GHCR_TOKEN only for publication/signing while constrained KSail lifecycle commands use the SOPS pull credential
  • carry a non-secret SOPS-ciphertext revision through Talos machine config so token-only rotations refresh future Cluster Autoscaler templates
  • preserve explicit DR bootstrap handling, add regression/CI coverage, and update every production recovery path

Root cause

There were two related credential paths with different failure modes.

First, the deploy pushed and reconciled before refreshing root Flux pull auth. flux-system/ksail-registry-credentials is KSail-managed and remained stale; KSail redacts credential-only changes from its structural diff (devantler-tech/ksail#6107). The root OCIRepository therefore returned GHCR DENIED, blocking the artifact containing the updated SOPS seed and deadlocking variables-base → PushSecret → OpenBao → ExternalSecret.

Second, Talos host registry auth and ksail.prod.yaml still consumed the separate Actions GHCR_TOKEN. That publication token was denied for private KSail pulls on a newly autoscaled node, producing GHCR HTTP 403 and ImagePullBackOff for the uncached operator image. A pod imagePullSecret cannot repair this path because Talos performs first-party signature/artifact resolution with host registry auth. Credential redaction also meant a later token-only rotation would not refresh the autoscaler machine template without a visible revision input.

Fix

scripts/run-ksail-prod-with-pull-auth.sh now constrains production KSail commands and derives lifecycle username/token from stringData.ghcr_dockerconfigjson. workload push deliberately preserves the separate Actions actor/write token. A SHA-256 of the committed SOPS ciphertext—not decrypted auth—is passed as the desired Talos/autoscaler revision.

Before Kubernetes credential mutation, scripts/refresh-flux-ghcr-auth.sh validates every exact private package. It lists every Kubernetes Node, rejects empty/ambiguous/duplicate InternalIPs, skips nodes already verified at the current ciphertext revision, and processes stale workers before control planes. Each stale node receives a file-backed Talos v1.13 RegistryAuthConfig patch in no-reboot mode, must pull the exact live KSail operator image (or the exact declared version during DR bootstrap), and only then receives a separate verified-revision annotation. Talos output is captured in mode-0600 temporary files so a failing command cannot echo the credential into Actions logs.

The existing bridge then stages variables-base, force-syncs the PushSecret and all three ExternalSecrets, canonical-compares every materialized Docker config with Git/SOPS, and finally merge-patches root Flux auth. Normal mode fails closed on partial fan-out; explicit DR bootstrap mode repairs root auth before ESO exists and requires a full verification pass after Flux converges. Both production jobs install the pinned Talos CLI before the first mutating bridge.

Safety

  • only the encrypted Docker-config scalar is hashed; plaintext input is rejected
  • decrypted auth, Basic/Bearer material, registry responses, Talos output, and Kubernetes patches stay in mode-restricted temporary files
  • no plaintext token or derived base64 enters argv or normal logs; shell tracing is disabled
  • a token-exchange HTTP 200 is insufficient: every package must pass an authenticated manifest GET
  • desired machine-template state is distinct from post-pull verified node state, so a fresh node cannot falsely claim proof
  • updates are serial, workers-first, no-reboot, and stop on the first failed auth, pull, or revision write

Validation

  • PYTHONDONTWRITEBYTECODE=1 python3 -m unittest discover -s scripts/tests -p 'test_*.py' — 66 passed
  • regressions cover SOPS/auth variants, ciphertext rotation, arbitrary-command rejection, secret-output suppression, exact package/image binding, DR without an operator Deployment, desired-vs-verified state, current-node Talos skip, workers-first ordering, malformed node inventory, and stop-on-first-failure
  • Bash syntax + ShellCheck, Actionlint, composite/workflow YAML parse, naming, embedded JSON, and zizmor — passed/no findings
  • Talos v1.13.5 render + talosctl validate — prod/cloud and local/container control-plane + worker configs passed
  • ksail workload validate and ksail --config ksail.prod.yaml workload validate — 109 kustomizations / 541 YAML files each
  • 44/44 Python functions carry docstrings
  • live ./scripts/refresh-flux-ghcr-auth.sh --check-only — all seven exact private package reads passed

Live recovery evidence

The full bridge completed successfully against production. All nine Talos nodes accepted the Git/SOPS host auth, proved the exact private KSail image pull, and now carry the current verified revision. The KSail operator rollout is healthy, all six OCIRepositories report Ready=True, and no pod is in ErrImagePull or ImagePullBackOff.

Separate follow-up

Review also exposed a pre-existing supply-chain defect: root Cosign configuration is misnested, live root verification is null, and DR publishes unsigned. Atomic verified publication plus the coordinated DR signer correction remains isolated in #2627.

Fixes #2624
Fixes #2628
Part of #2613

@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance.

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

@devantler I'll review the changes now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

The change adds a Git/SOPS-based GHCR credential bridge that validates registry access, updates Flux and consumer secrets, synchronizes Talos registry authentication, and supports incomplete bootstrap states. Production and DR workflows now stage, verify, and reassert credentials around publishing, reconciliation, cluster updates, and restoration. KSail lifecycle commands use the pull-auth wrapper, while CI tests and documentation cover the new sequencing.

Possibly related issues

Possibly related PRs

  • devantler-tech/platform#2332 — Adds the provider-upjet-unifi wiring whose private image reference is explicitly covered by the new GHCR preflight tests.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The changes address #2624 and #2628 by refreshing root Flux auth, reasserting after updates, and deriving Talos auth from Git/SOPS.
Out of Scope Changes check ✅ Passed No clearly unrelated code changes stand out; the edits stay within deploy, credential bridge, Talos, CI, and documentation scope.
Docstring Coverage ✅ Passed Docstring coverage is 98.15% which is sufficient. The required threshold is 80.00%.
Title check ✅ Passed The title succinctly describes the main deploy change: synchronizing production GHCR pull authentication.
Description check ✅ Passed The description clearly matches the PR's GHCR auth synchronization, Talos, DR, and CI updates.

Comment @coderabbitai help to get the list of available commands.

@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance. CodeRabbit explicitly rate-limited the primary review request for 58 minutes, so this is the documented fallback lane.

@codex review for secret handling, fail-closed behavior, and GitHub Actions ordering

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1c5922e573

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread scripts/refresh-flux-ghcr-auth.sh Outdated
Comment thread .github/actions/deploy-prod/action.yml Outdated
Comment thread scripts/refresh-flux-ghcr-auth.sh Outdated
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance. CodeRabbit remains in its recorded cooldown, so Codex is the single current-head review lane after commit 43c6694 addressed all three prior P2 findings.

@codex review for secret handling, pre-publish fail-closed ordering, and shared package authorization

@chatgpt-codex-connector

Copy link
Copy Markdown

Review Summary

Testing / Checks

  • python3 -m unittest discover -s scripts/tests -p 'test_*.py'
  • bash -n scripts/refresh-flux-ghcr-auth.sh
  • python3 - <<'PY' ... deploy action ordering assertion ... PY
  • git status --short — clean after removing generated pycache and restoring the pre-existing tracked pyc file.

View task →

@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance. CodeRabbit remains in its recorded cooldown, so Codex is the single current-head review lane after the five-package registry-read and DR-ordering hardening at commit 06c5e81.

@codex review for GHCR auth protocol correctness, secret safety, fail-closed behavior, and deploy/DR ordering

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 06c5e81e4f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/actions/deploy-prod/action.yml Outdated
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance. CodeRabbit remains in its recorded cooldown, so Codex is the single current-head lane after commit 4e96c32 fixed the prior P1 and exact-head CI returned green.

@codex review for final-auth gating, GHCR secret safety, and deploy/DR ordering

@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance.

Current head 4e96c32e still adds a new Python validator test, conflicting with #2623's no-first-party-Python acceptance criterion and the Go/Bash scripting direction established on #2622. A Bash replacement should preserve the updated five-package manifest reads and DR ordering, bind each fake bearer token to its requested repository scope, accept access_token, and fail closed on HTTP 200 without a token. I prepared and validated that port locally (11 cases plus Bash syntax, ShellCheck, and Actionlint), but held the push because this branch advanced twice during the work; please keep the next update fast-forward/collision-safe.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4e96c32e84

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread scripts/refresh-flux-ghcr-auth.sh Outdated
Comment thread .github/actions/deploy-prod/action.yml Outdated
Comment thread scripts/refresh-flux-ghcr-auth.sh Outdated
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance.

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

@devantler I'll review the changes now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance.

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b70d68842d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread scripts/refresh-flux-ghcr-auth.sh Outdated
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance.

@codex review for GHCR transaction ordering, failure atomicity, and fresh-DR behavior

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9dd1eec0eb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/actions/deploy-prod/action.yml Outdated
Comment thread scripts/refresh-flux-ghcr-auth.sh Outdated
Comment thread scripts/refresh-flux-ghcr-auth.sh
Comment thread scripts/refresh-flux-ghcr-auth.sh Outdated
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance.

@coderabbitai review

@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Codex Daily AI Engineer

@codex review for GHCR credential bridge safety, production deployment ordering, and DR recovery ordering

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 677a958b8e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread scripts/refresh-flux-ghcr-auth.sh Outdated
Comment thread docs/dr/runbook.md Outdated
@devantler devantler changed the title fix(deploy): refresh Flux GHCR auth before reconcile fix(deploy): synchronize production GHCR pull auth Jul 14, 2026
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance.

@codex review for production GHCR auth correctness, secret handling, Talos node rotation, and DR ordering

@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance.

@codex review for production GHCR auth correctness, partial-fan-out atomicity, Talos node rotation, secret handling, and DR ordering

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Delightful!

Reviewed commit: 33ed9a8864

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance.

@coderabbitai review

Fallback reason: the exact-head Codex request produced no review artifact or thread after more than 16 minutes, beyond the established response window on this PR.

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@devantler I'll review the changes now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/ci.yaml (1)

44-50: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Trigger validation when the tested DR runbook changes.

scripts/tests/test_refresh_flux_ghcr_auth.py lines 1331–1354 validate ordering in docs/dr/runbook.md, but this filter omits that file. A runbook-only regression therefore bypasses the test.

Proposed fix
               - 'scripts/tests/test_refresh_flux_ghcr_auth.py'
+              - 'docs/dr/runbook.md'
               - '.github/actions/deploy-prod/**'

As per coding guidelines, “validate before every pull request.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yaml around lines 44 - 50, Update the path filter for
the relevant CI test entry to include docs/dr/runbook.md alongside the existing
scripts/tests/test_refresh_flux_ghcr_auth.py and DR workflow paths, so changes
to the tested runbook trigger validation.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dr-rebuild.yaml:
- Around line 411-417: Update the reassert_flux_ghcr_after_restore step
condition so it runs when inputs.restore is true even if an earlier restore step
failed, while still skipping execution when the workflow is cancelled. Use an
explicit status check such as !cancelled() alongside inputs.restore.

In `@docs/dr/runbook.md`:
- Around line 51-57: Update the manual production lifecycle prerequisite in the
runbook to explicitly state that workload reconcile requires a usable SOPS Age
key, because the wrapper decrypts pull credentials for non-push commands. Keep
the existing wrapper-only command guidance and credential requirements intact.

In `@scripts/refresh-flux-ghcr-auth.sh`:
- Around line 507-508: Update the explicit bootstrap flow around
patch_variables_base and patch_root_secret to patch the root secret before
staging fan-out, then reassert patch_root_secret after patch_variables_base
completes. Preserve the existing failure handling while ensuring root Flux
authentication is repaired both before and after fan-out staging.

In `@scripts/tests/test_refresh_flux_ghcr_auth.py`:
- Around line 155-158: Update the failure messages in the fake Talos auth and
pull operation branches to omit $EXPECTED_PULL_TOKEN, so neither branch exposes
the fixture token while preserving the existing failure behavior and exit code.

---

Outside diff comments:
In @.github/workflows/ci.yaml:
- Around line 44-50: Update the path filter for the relevant CI test entry to
include docs/dr/runbook.md alongside the existing
scripts/tests/test_refresh_flux_ghcr_auth.py and DR workflow paths, so changes
to the tested runbook trigger validation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f3cbf3ca-a4fe-4ff2-926b-eff4c44b6518

📥 Commits

Reviewing files that changed from the base of the PR and between 00141e5 and 33ed9a8.

📒 Files selected for processing (13)
  • .github/actions/deploy-prod/action.yml
  • .github/workflows/ci.yaml
  • .github/workflows/dr-rebuild.yaml
  • AGENTS.md
  • docs/dr/crypto-custody.md
  • docs/dr/runbook.md
  • ksail.prod.yaml
  • scripts/ghcr-auth-lib.sh
  • scripts/refresh-flux-ghcr-auth.sh
  • scripts/run-ksail-prod-with-pull-auth.sh
  • scripts/tests/test_refresh_flux_ghcr_auth.py
  • talos/cluster/authenticate-ghcr-pulls.yaml
  • talos/cluster/mark-ghcr-pull-revision.yaml
📜 Review details
🧰 Additional context used
📓 Path-based instructions (6)
**/*.yaml

📄 CodeRabbit inference engine (AGENTS.md)

Use one Kubernetes resource per YAML file, except explicitly whitelisted vendored operator bundles.

Files:

  • talos/cluster/mark-ghcr-pull-revision.yaml
  • ksail.prod.yaml
  • talos/cluster/authenticate-ghcr-pulls.yaml
talos{,-local}/**/*.yaml

📄 CodeRabbit inference engine (AGENTS.md)

Talos machine-config patches must contain one YAML document per file and use intent-describing verb-purpose.yaml names.

Files:

  • talos/cluster/mark-ghcr-pull-revision.yaml
  • talos/cluster/authenticate-ghcr-pulls.yaml
**/*.{yaml,yml}

📄 CodeRabbit inference engine (AGENTS.md)

Use static validation only for maintenance; never start or mutate a cluster for routine validation.

Files:

  • talos/cluster/mark-ghcr-pull-revision.yaml
  • ksail.prod.yaml
  • talos/cluster/authenticate-ghcr-pulls.yaml
talos/**/*.yaml

📄 CodeRabbit inference engine (AGENTS.md)

Validate Talos changes with the repository's validate-talos checks, including rendering all patches and running talosctl validate.

Files:

  • talos/cluster/mark-ghcr-pull-revision.yaml
  • talos/cluster/authenticate-ghcr-pulls.yaml
**/*

📄 CodeRabbit inference engine (AGENTS.md)

**/*: Use Conventional Commit messages and create pull requests as drafts; keep changes small and focused.
Never push directly to main; validate before every pull request and never merge external pull requests or unreviewed drafts.

Files:

  • talos/cluster/mark-ghcr-pull-revision.yaml
  • ksail.prod.yaml
  • docs/dr/crypto-custody.md
  • talos/cluster/authenticate-ghcr-pulls.yaml
  • scripts/ghcr-auth-lib.sh
  • scripts/run-ksail-prod-with-pull-auth.sh
  • docs/dr/runbook.md
  • AGENTS.md
  • scripts/refresh-flux-ghcr-auth.sh
  • scripts/tests/test_refresh_flux_ghcr_auth.py
ksail*.yaml

📄 CodeRabbit inference engine (AGENTS.md)

Do not modify ksail.prod.yaml; production cluster configuration changes affect live infrastructure.

Files:

  • ksail.prod.yaml
🪛 ast-grep (0.44.1)
scripts/tests/test_refresh_flux_ghcr_auth.py

[info] 484-486: use jsonify instead of json.dumps for JSON output
Context: json.dumps(
{"stringData": {"ghcr_dockerconfigjson": ciphertext}}
)
Note: [CWE-116] Improper Encoding or Escaping of Output.

(use-jsonify)


[info] 518-518: use jsonify instead of json.dumps for JSON output
Context: json.dumps(config)
Note: [CWE-116] Improper Encoding or Escaping of Output.

(use-jsonify)


[error] 609-616: Command coming from incoming request
Context: subprocess.run(
[str(KSAIL_PULL_WRAPPER), *command],
cwd=ROOT,
env=environment,
text=True,
capture_output=True,
check=False,
)
Note: [CWE-78] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

(subprocess-from-request)


[info] 582-582: use jsonify instead of json.dumps for JSON output
Context: json.dumps(config)
Note: [CWE-116] Improper Encoding or Escaping of Output.

(use-jsonify)


[info] 794-794: use jsonify instead of json.dumps for JSON output
Context: json.dumps(inventory)
Note: [CWE-116] Improper Encoding or Escaping of Output.

(use-jsonify)


[info] 914-916: use jsonify instead of json.dumps for JSON output
Context: json.dumps(
self._valid_config(), sort_keys=True, separators=(",", ":")
)
Note: [CWE-116] Improper Encoding or Escaping of Output.

(use-jsonify)

🪛 Ruff (0.15.21)
scripts/tests/test_refresh_flux_ghcr_auth.py

[warning] 502-502: Consider moving this statement to an else block

(TRY300)


[error] 610-610: subprocess call: check for execution of untrusted input

(S603)


[error] 857-857: Possible hardcoded password assigned to argument: "GHCR_TOKEN"

(S106)

🔇 Additional comments (14)
scripts/ghcr-auth-lib.sh (1)

1-73: LGTM!

scripts/refresh-flux-ghcr-auth.sh (2)

9-14: LGTM!

Also applies to: 37-80, 141-506, 509-524


82-139: 🩺 Stability & Availability

No change needed — the annotation update is already excluded by annotated_resource_version; the loop only succeeds after a later object change and Ready=True.

			> Likely an incorrect or invalid review comment.
scripts/run-ksail-prod-with-pull-auth.sh (1)

1-59: LGTM!

docs/dr/crypto-custody.md (1)

123-124: LGTM!

docs/dr/runbook.md (1)

73-73: LGTM!

Also applies to: 112-112, 167-193, 430-430, 453-453, 508-584

ksail.prod.yaml (1)

139-140: 🎯 Functional Correctness

ksail.prod.yaml is a protected file per repo guidelines — this diff modifies it.

The coding guidelines for ksail*.yaml state changes to ksail.prod.yaml should not be made because they affect live infrastructure, and AGENTS.md itself lists ksail.prod.yaml under "Protected — never modify." This PR's core change touches Line 140 of that exact file. If this is an intentional, reviewed exception (required to wire in the credential bridge), it should be called out explicitly (e.g., in the PR description/AGENTS.md) rather than silently violating the stated policy — otherwise automated tooling/agents following AGENTS.md may flag or revert this in the future.

As per coding guidelines, ksail*.yaml: "Do not modify ksail.prod.yaml; production cluster configuration changes affect live infrastructure."

Source: Coding guidelines

talos/cluster/authenticate-ghcr-pulls.yaml (1)

40-44: RegistryAuthConfig migration looks correct.

Verified RegistryAuthConfig is a valid standalone Talos v1alpha1 config document with this exact apiVersion/kind/name/username/password shape, matching the schema used by the companion refresh-flux-ghcr-auth.sh generator for existing nodes.

talos/cluster/mark-ghcr-pull-revision.yaml (1)

12-14: Design and naming look correct.

The desired/verified revision-annotation split is well-reasoned and documented; naming and single-document structure comply with the Talos patch-file guideline.

AGENTS.md (1)

146-151: LGTM!

Also applies to: 163-176, 177-195, 329-336

.github/actions/deploy-prod/action.yml (1)

22-22: LGTM!

Also applies to: 53-65, 142-150, 164-164, 309-322, 345-365

.github/workflows/dr-rebuild.yaml (1)

88-170: LGTM!

scripts/tests/test_refresh_flux_ghcr_auth.py (1)

6-154: LGTM!

Also applies to: 159-196, 201-1421

.github/workflows/ci.yaml (1)

74-86: LGTM!

Also applies to: 253-262

Comment thread .github/workflows/dr-rebuild.yaml
Comment thread docs/dr/runbook.md Outdated
Comment thread scripts/refresh-flux-ghcr-auth.sh
Comment thread scripts/tests/test_refresh_flux_ghcr_auth.py
@devantler

devantler commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance.

Resolved the CodeRabbit outside-diff CI-filter finding in 7d5c338: docs/dr/runbook.md now participates in the k8s change filter, so the DR ordering regression runs on runbook-only changes. Revalidated with 62 unit tests, actionlint, ShellCheck, and zizmor.

@devantler

devantler commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance.

@coderabbitai review

Please perform an incremental exact-head review of 7d5c338 after the four resolved findings and the documented adversarial-test refutation.

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@devantler I'll perform an incremental review of the changes at commit 7d5c338 now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@devantler I'll perform an incremental review of the changes at commit 7d5c338 now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance.

@codex review

Fallback reason: CodeRabbit returned the explicit exact-head status "Review rate limit exceeded" after accepting the incremental request. Please review commit 7d5c338.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7d5c338665

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread ksail.prod.yaml Outdated
Comment thread .github/workflows/dr-rebuild.yaml
Comment thread scripts/refresh-flux-ghcr-auth.sh
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance.

@codex review

CodeRabbit's incremental review lane is still rate-limited. Please review exact head bd60925 after the protected-config fix and the documented recovery/publisher refutations.

@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance.

@coderabbitai review

The Codex reviewer produced no artifact after a 20-minute polling window, so this is the single permitted fallback lane. Please review exact head bd60925.

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@devantler I'll review the changes at commit bd60925 now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bd609251ad

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread scripts/refresh-flux-ghcr-auth.sh
Comment thread scripts/refresh-flux-ghcr-auth.sh
Comment thread .github/workflows/ci.yaml
Comment thread scripts/tests/test_refresh_flux_ghcr_auth.py Outdated
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance.

@codex review

Please review exact head a1711f5 after the CI filter and Renovate-safe test fixes. The two namespace findings were refuted with live kubectl v1.36.2 evidence and their threads are resolved. All required CI is green.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a1711f5078

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread scripts/refresh-flux-ghcr-auth.sh
Comment thread scripts/refresh-flux-ghcr-auth.sh
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Codex Daily AI Engineer instance.

@codex review

Please review exact head 2fa3576 after the yq prerequisite fix and Talos endpoint-proxy clarification. All 66 tests and required CI checks are green; every existing thread is resolved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: 🫴 Ready

Development

Successfully merging this pull request may close these issues.

Refresh Talos GHCR auth from Git/SOPS pull credential Refresh root Flux GHCR auth before reconciliation

1 participant