Skip to content

chore(deploy): pin musubi-core to v1.11.5 signed digest#397

Merged
ericmey merged 1 commit into
mainfrom
chore/auto-pin-v1.11.5
Jun 29, 2026
Merged

chore(deploy): pin musubi-core to v1.11.5 signed digest#397
ericmey merged 1 commit into
mainfrom
chore/auto-pin-v1.11.5

Conversation

@ericmey

@ericmey ericmey commented Jun 29, 2026

Copy link
Copy Markdown
Owner

chore(deploy): pin musubi-core to v1.11.5 signed digest

Automated by .github/workflows/auto-digest-bump.yml in response to the v1.11.5 release.

Supply-chain attestations

  • cosign keyless signature via GitHub OIDC
  • CycloneDX SBOM attached as a cosign attestation
  • Trivy vulnerability scan — 0 CRITICAL (gate in publish-core-image.yml)

Verify before deploy

cosign verify \
  --certificate-identity-regexp 'https://github.com/ericmey/musubi/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/ericmey/musubi-core@sha256:e2d26acd9dd32644d67b8cc5118eeb9945d5dd0b30decbdfb4b2f33b4818bef4

After merge

# From the ansible control host:
cd ~/musubi
git pull origin main
ANSIBLE_VAULT_PASSWORD_FILE=~/ansible/.vault_pass \
  ansible-playbook \
    -i deploy/ansible/inventory.yml \
    -e @~/.musubi-secrets/inventory-vars.yml \
    -e @~/.musubi-secrets/vault.yml \
    -e 'changed_services=["core","lifecycle-worker"]' \
    deploy/ansible/update.yml

No tracking Issue: auto-generated release digest pin.

Automated by .github/workflows/auto-digest-bump.yml in response
to the v1.11.5 release. The image has been cosign-signed,
SBOM-attested, and Trivy-scanned by publish-core-image.yml —
verify before deploy:

    cosign verify \
      --certificate-identity-regexp 'https://github.com/ericmey/musubi/.*' \
      --certificate-oidc-issuer https://token.actions.githubusercontent.com \
      ghcr.io/ericmey/musubi-core@sha256:e2d26acd9dd32644d67b8cc5118eeb9945d5dd0b30decbdfb4b2f33b4818bef4

No tracking Issue: auto-generated release digest pin.
Copilot AI review requested due to automatic review settings June 29, 2026 23:28
@ericmey ericmey enabled auto-merge (squash) June 29, 2026 23:28

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Pins the Ansible deployment configuration to the newly released musubi-core container image digest and updates the corresponding human-readable version tag, aligning runtime deployments with the signed/attested v1.11.5 release artifact.

Changes:

  • Update musubi_core_image to ghcr.io/ericmey/musubi-core@sha256:e2d26acd9dd32644d67b8cc5118eeb9945d5dd0b30decbdfb4b2f33b4818bef4.
  • Bump musubi_core_version from v1.11.4 to v1.11.5.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@ericmey ericmey merged commit b087cb3 into main Jun 29, 2026
2 checks passed
@ericmey ericmey deleted the chore/auto-pin-v1.11.5 branch June 29, 2026 23:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants