chore: testing cgr - do not approve

.github/workflows/auto-update.yaml

@@ -20,5 +20,5 @@ concurrency:
 
 jobs:
   auto-update:
-    uses: defenseunicorns/uds-common/.github/workflows/callable-auto-update.yaml@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7
+    uses: defenseunicorns/uds-common/.github/workflows/callable-auto-update.yaml@chainguard-creds # testing
     secrets: inherit # Inherits all secrets from the parent workflow.

.github/workflows/chainguard.yaml

@@ -0,0 +1,25 @@
+# Copyright 2024-2026 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+name: Test Chainguard Login
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  chainguard-login:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Login to Chainguard
+        uses: chainguard-dev/setup-chainctl@2cddd35a2f120d9973e58094dc6878c93cf58c28 # v0.5.1
+        with:
+          identity: ${{ secrets.CHAINGUARD_IDENTITY }}
+
+      # - name: Pull a cgr.dev image to verify auth
+      #   run: docker pull cgr.dev/chainguard/static:latest

.github/workflows/commitlint.yaml

@@ -15,4 +15,4 @@ permissions:
 
 jobs:
   validate:
-    uses: defenseunicorns/uds-common/.github/workflows/callable-commitlint.yaml@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7
+    uses: defenseunicorns/uds-common/.github/workflows/callable-commitlint.yaml@chainguard-creds # testing

.github/workflows/lint.yaml

@@ -15,5 +15,5 @@ permissions:
 
 jobs:
   validate:
-    uses: defenseunicorns/uds-common/.github/workflows/callable-lint.yaml@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7
+    uses: defenseunicorns/uds-common/.github/workflows/callable-lint.yaml@chainguard-creds # testing
     secrets: inherit

.github/workflows/release.yaml

@@ -27,7 +27,7 @@ jobs:
         exclude:
           - flavor: registry1
             architecture: arm64
-    uses: defenseunicorns/uds-common/.github/workflows/callable-publish.yaml@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7
+    uses: defenseunicorns/uds-common/.github/workflows/callable-publish.yaml@chainguard-creds # testing
     with:
       flavor: ${{ matrix.flavor }}
       options: --set BASE_REPO="ghcr.io/uds-packages"

.github/workflows/scan.yaml

@@ -18,5 +18,5 @@ jobs:
       packages: read # Allows reading the content of the repository's packages.
       id-token: write # Allows authentication to Chainguard via OIDC.
       pull-requests: write # Allows writing the scan results comment to the pull request.
-    uses: defenseunicorns/uds-common/.github/workflows/callable-scan.yaml@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7
+    uses: defenseunicorns/uds-common/.github/workflows/callable-scan.yaml@chainguard-creds # testing
     secrets: inherit # Inherits all secrets from the parent workflow.

.github/workflows/scorecard.yaml

@@ -1,36 +1,36 @@
-# Copyright 2024 Defense Unicorns
-# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+# # Copyright 2024 Defense Unicorns
+# # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
-name: Scorecards supply-chain security
-on:
-  # Only the default branch is supported.
-  branch_protection_rule:
-  schedule:
-    - cron: '30 1 * * 6'
-  push:
-    branches: ["main"]
+# name: Scorecards supply-chain security
+# on:
+#   # Only the default branch is supported.
+#   branch_protection_rule:
+#   schedule:
+#     - cron: '30 1 * * 6'
+#   push:
+#     branches: ["main"]
 
-# Declare default permissions as read only.
-permissions: read-all
+# # Declare default permissions as read only.
+# permissions: read-all
 
-jobs:
-  validate:
-    permissions:
-      actions: read
-      attestations: read
-      checks: read
-      contents: read
-      deployments: read
-      discussions: read
-      issues: read
-      packages: read
-      pages: read
-      pull-requests: read
-      repository-projects: read
-      statuses: read
-      # Needed to upload the results to code-scanning dashboard.
-      security-events: write
-      # Used to receive a badge.
-      id-token: write
-    uses: defenseunicorns/uds-common/.github/workflows/callable-scorecard.yaml@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7
-    secrets: inherit
+# jobs:
+#   validate:
+#     permissions:
+#       actions: read
+#       attestations: read
+#       checks: read
+#       contents: read
+#       deployments: read
+#       discussions: read
+#       issues: read
+#       packages: read
+#       pages: read
+#       pull-requests: read
+#       repository-projects: read
+#       statuses: read
+#       # Needed to upload the results to code-scanning dashboard.
+#       security-events: write
+#       # Used to receive a badge.
+#       id-token: write
+#     uses: defenseunicorns/uds-common/.github/workflows/callable-scorecard.yaml@chainguard-creds # testing
+#     secrets: inherit

.github/workflows/test.yaml

@@ -29,7 +29,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: test-flavor
-        uses: defenseunicorns/uds-common/.github/actions/test-flavor@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7
+        uses: defenseunicorns/uds-common/.github/actions/test-flavor@chainguard-creds # testing
         id: test-flavor
     outputs:
       upgrade-flavors: ${{ steps.test-flavor.outputs.upgrade-flavors }}
@@ -41,7 +41,7 @@ jobs:
       matrix:
         type: [install, upgrade]
         flavor: [upstream, registry1, unicorn]
-    uses: defenseunicorns/uds-common/.github/workflows/callable-test.yaml@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7
+    uses: defenseunicorns/uds-common/.github/workflows/callable-test.yaml@chainguard-creds # testing
     with:
       options: --set BASE_REPO="ghcr.io/uds-packages"
       upgrade-flavors: ${{ needs.check-flavor.outputs.upgrade-flavors }}

tasks.yaml

@@ -3,15 +3,15 @@
 
 includes:
   - test: ./tasks/test.yaml
-  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/create.yaml
-  - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/publish.yaml
-  - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/lint.yaml
-  - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/pull.yaml
-  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/deploy.yaml
-  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/setup.yaml
-  - actions: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/actions.yaml
-  - badge: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/badge.yaml
-  - upgrade: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/upgrade.yaml
+  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/create.yaml
+  - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/publish.yaml
+  - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/lint.yaml
+  - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/pull.yaml
+  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/deploy.yaml
+  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/setup.yaml
+  - actions: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/actions.yaml
+  - badge: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/badge.yaml
+  - upgrade: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/upgrade.yaml
 
 tasks:
   - name: default
@@ -20,7 +20,7 @@ tasks:
       - task: create-dev-package
       - task: setup:k3d-test-cluster
       - task: create-deploy-test-bundle
-
+#
   - name: create-dev-package
     description: Create the Postgres Operator package
     actions:
@@ -42,7 +42,7 @@ tasks:
       - task: create:test-bundle
       - task: deploy:test-bundle
 
-# CI will execute the following (via uds-common/.github/workflows/callable-[test|publish].yaml) so they need to be here with these names
+  # CI will execute the following (via uds-common/.github/workflows/callable-[test|publish].yaml) so they need to be here with these names
 
   - name: test-install
     description: Test the health of a Postgres Operator deployment

zarf.yaml

@@ -86,10 +86,10 @@ components:
         valuesFiles:
           - ./values/unicorn-config-values.yaml
     images:
-      - quay.io/rfcurated/zalando/postgres-operator:1.15-jammy-scratch-fips-rfcurated
+      - cgr.dev/defenseunicorns.com/postgres-operator:1.15.1
       - quay.io/rfcurated/zalando/postgres-operator/logical-backup:1.15-jammy-scratch-fips-rfcurated
-      - quay.io/rfcurated/zalando/pgbouncer:32-jammy-rfcurated
+      - cgr.dev/defenseunicorns.com/pgbouncer:1.25.1
       # Docker image that provides PostgreSQL and Patroni bundled together for PostgreSQL HA
-      - quay.io/rfcurated/zalando/spilo-17:4.0-p3-jammy-fips-rfcurated
+      - cgr.dev/defenseunicorns.com/spilo-17:4.1.2
       # Container image that provides the postgres-exporter sidecar to create a metrics endpoint
-      - quay.io/rfcurated/prometheuscommunity/postgres-exporter:0.19.1-jammy-scratch-bnt-fips-rfcurated
+      - cgr.dev/defenseunicorns.com/prometheus-postgres-exporter:0.19.1