20 hours ago · Tech

Table of Contents

- The Stack at Rest
- The Pipeline: Tag, Build, Push, Sign
  1. Build
  2. Push
  3. Sign
  4. Deploy Handoff
- Signature Verification: Design and Current Reality
  - Registry authentication (operational)
  - Host-side cosign verification in the deploy script (operational)
  - Container policy enforcement via policy.json (target state)
- The Runner in the Same User Context
- The Deploy Bridge: systemd Path Unit
- Rollback
- The Full Picture
- References

I’ve written about Podman Quadlets, rootless production Podman, and Ansible-driven Quadlet deployments before. Those articles cover the steady state: containers running, systemd managing them, configuration under version control. What they don’t cover is the moment between git push and systemctl restart: the pipeline that builds the image, proves where it came from, and hands it off to the host.

MastoSum is a FastAPI app I run that watches Mastodon hashtag streams, stores matching posts, and generates news-style summaries through LLMs…
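As an added illustration of the host-side check the outline lists (this is example code, not the article's own deploy script), the following shell gate refuses mutable tag references and only verifies, pulls and restarts when the pipeline hands over an image pinned by digest. cosign being present on the host, the public-key path, the image name and the Quadlet unit name are all assumptions.

```shell
#!/bin/sh
# Added example, not the article's script: a host-side cosign gate for a
# Quadlet-managed service. Assumes cosign is installed on the host, the
# signing public key is at $COSIGN_PUB, and the pipeline hands over the
# image reference pinned by digest (name@sha256:...).
set -eu

# Constructed digest, used only by the usage line at the bottom.
EXAMPLE_DIGEST=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# Print the digest of a by-digest image reference; fail on anything else.
# A tag can be re-pointed between "cosign verify" and "podman pull", so the
# deploy step must only ever act on an immutable digest.
ref_digest() {
    d="${1##*@}"
    [ "$d" != "$1" ] || return 1          # no '@' at all: a tag, reject it
    printf '%s' "$d" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
    printf '%s\n' "$d"
}

# Verify the signature on the pinned reference, pull exactly that digest,
# and let systemd restart the rootless Quadlet unit.
verify_and_deploy() {
    ref="$1"
    unit="$2"
    digest=$(ref_digest "$ref") || {
        echo "refusing non-digest reference: $ref" >&2
        return 1
    }
    # Key-based verification; cosign exits non-zero on a bad or missing
    # signature, which aborts the script under set -e before any pull.
    cosign verify --key "${COSIGN_PUB:-/etc/cosign/mastosum.pub}" "$ref" >/dev/null
    podman pull "$ref"
    systemctl --user restart "$unit"
    echo "deployed $digest via $unit"
}

# Usage: ./deploy.sh ghcr.io/example/mastosum@$EXAMPLE_DIGEST mastosum.service
if [ $# -eq 2 ]; then
    verify_and_deploy "$1" "$2"
fi
```

The order matters: the reference is checked for an immutable digest before anything touches the network, the signature is verified on that exact digest, and the same digest is what gets pulled and handed to systemd. Verifying a tag and then pulling the tag again would leave a window in which the registry content can change.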
