defenseunicorns · chance-coleman · May 20, 2026 · May 5, 2026 · May 5, 2026 · May 5, 2026
@@ -23,7 +23,7 @@ The action performs the following steps:
      The action applies specific labels based on which versions are out of sync:
      - `waiting on upstream`: If package.json version is behind both/either image versions (indicates a Pepr release issue)
      - `waiting on ironbank`: If Ironbank image is behind package.json
-     - `waiting on unicorn`: If Unicorn image is behind package.json
+      - `waiting on unicorn`: If Unicorn image is behind package.json
      - Multiple `waiting on` labels can be applied if multiple images are behind
    - **Support Dependencies**: For support dependency updates, the action adds the `needs-review` label and sets `should_process` to `false` to prevent excessive IAC runs.
 
@@ -33,7 +33,7 @@ The action performs the following steps:
    - It compares the extracted data using the `compareImagesAndCharts.ts` script.
    - Based on the comparison, it applies appropriate labels to the PR:
      - `waiting on ironbank`: If a registry1 image is behind
-     - `waiting on rapidfort`: If a rapidfort image is behind
+      - `waiting on unicorn`: If a Unicorn image is behind
      - `helm-chart-only`: If a PR only contains a helm chart update
      - `needs-review`: If PR is NOT waiting on image updates
      - `major-helm-update`: If the PR contains a major chart version bump
@@ -72,7 +72,7 @@ The TypeScript scripts are thoroughly tested using Jest:
 - **compareImagesAndCharts.test.ts**: Tests the comparison of images and charts, including:
   - Helm chart updates (both regular and major)
   - Image updates (including major updates)
-  - Waiting conditions for Ironbank and Rapidfort images
+   - Waiting conditions for Ironbank and Unicorn images
   - Missing or empty extract files
   - Invalid version formats
 

@@ -1,4 +1,4 @@
-# Copyright 2024 Defense Unicorns
+# Copyright 2024-2026 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 name: renovate-readiness
@@ -134,15 +134,6 @@ runs:
               gh pr edit ${{ github.event.pull_request.number }} --add-label "waiting on unicorn"
             else
               gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on unicorn" || true
-            fi
-          fi
-
-          exit 1
-        else
-          echo "All Pepr versions are in sync. Ready for review."
-          gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on upstream" || true
-          gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on ironbank" || true
-          gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on unicorn" || true
           gh pr edit ${{ github.event.pull_request.number }} --add-label "needs-review"
         fi
 
@@ -229,7 +220,7 @@ runs:
         echo "labels=$LABELS" >> $GITHUB_OUTPUT
 
         # Check if waiting on labels are present, or this is a helm chart update only
-        if [[ "$LABELS" == *"waiting on ironbank"* ]] || [[ "$LABELS" == *"waiting on rapidfort"* ]] || [[ "$LABELS" == *"helm-chart-only"* ]]; then
+          if [[ "$LABELS" == *"waiting on ironbank"* ]] || [[ "$LABELS" == *"waiting on unicorn"* ]] || [[ "$LABELS" == *"helm-chart-only"* ]]; then
           echo "waiting=true" >> $GITHUB_OUTPUT
         else
           echo "waiting=false" >> $GITHUB_OUTPUT
@@ -251,7 +242,7 @@ runs:
           echo "Current labels: $CURRENT_LABELS"
 
           # Define the managed labels we care about
-          MANAGED_LABELS=("waiting on upstream" "waiting on ironbank" "waiting on unicorn" "waiting on rapidfort" "needs-review" "helm-chart-only" "major-helm-update" "major-image-update")
+          MANAGED_LABELS=("waiting on upstream" "waiting on ironbank" "waiting on unicorn" "needs-review" "helm-chart-only" "major-helm-update" "major-image-update")
 
           # Remove labels that are currently on the PR but not in the new set
           for LABEL in "${MANAGED_LABELS[@]}"; do

@@ -17,12 +17,8 @@ inputs:
     description: "IRON_BANK_ROBOT_PASSWORD"
     required: false
     default: ''
-  rapidfortUsername:
-    description: "RAPIDFORT_USERNAME"
-    required: false
-    default: ''
-  rapidfortPassword:
-    description: "RAPIDFORT_PASSWORD"
+  chainguardIdentity:
+    description: "ID for Chainguard Identity"
     required: false
     default: ''
   installUv:
@@ -69,10 +65,8 @@ runs:
         echo "MARU_AUTH=\"{\"raw.githubusercontent.com\": \"${{ inputs.ghToken }}\"}\"" >> "$GITHUB_ENV"
       shell: bash
 
-    - name: Rapidfort Login
-      if: ${{ inputs.rapidfortUsername != '' && inputs.rapidfortPassword != '' }}
-      shell: bash
-      env:
-        RAPIDFORT_USERNAME: ${{ inputs.rapidfortUsername }}
-        RAPIDFORT_PASSWORD: ${{ inputs.rapidfortPassword }}
-      run: echo "${{ env.RAPIDFORT_PASSWORD }}" | uds zarf tools registry login -u "${{ env.RAPIDFORT_USERNAME }}" --password-stdin quay.io
+    - name: Chainguard Login
+      if: ${{ inputs.chainguardIdentity != '' }}
+      uses: chainguard-dev/setup-chainctl@2cddd35a2f120d9973e58094dc6878c93cf58c28 # v0.5.1
+      with:
+        identity: ${{ inputs.chainguardIdentity }}
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Copyright 2024 Defense Unicorns
+# Copyright 2024-2026 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 info() {
@@ -63,6 +63,17 @@ rm -rf ./yq
 
 pre_userdata
 
+# Allow CNI plugins and their bundled libraries to be opened/executed by fapolicyd.
+# fapolicyd starts before cloud-init runs this script, so we must recompile rules and restart.
+# Guard: fapolicyd is RHEL-specific; skip on distros where it is absent or disabled.
+if command -v fagenrules >/dev/null 2>&1; then
+  mkdir -p /etc/fapolicyd/rules.d
+  cat > /etc/fapolicyd/rules.d/20-cni-allow.rules << 'EOF'
+allow perm=any all : dir=/opt/cni/bin/
+EOF
+  fagenrules && systemctl restart fapolicyd
+fi
+
 # If no bootstrap IP is provided then start RKE2 as single node/bootstrap
 if [[ "${BOOTSTRAP_IP}" == "" ]]; then
     bootstrap_ip=$(ip route get $(ip route show 0.0.0.0/0 | grep -oP 'via \K\S+') | grep -oP 'src \K\S+')

@@ -52,8 +52,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
           registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
-          rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
-          rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+          chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
           installK3d: 'true'
 
       - name: Run UDS Core Private PKI Test

@@ -41,8 +41,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
           registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
-          rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
-          rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+          chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
           installK3d: 'true'
 
       - name: (Snapshot) Get snapshot version using git commit short sha and date
@@ -123,8 +122,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
           registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
-          rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
-          rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+          chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
           installK3d: 'true'
 
       - name: Test and Publish Core Package Layer

@@ -146,8 +146,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
           registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
-          rapidfortUsername: ${{ secrets.RAPIDFORT_USERNAME }}
-          rapidfortPassword: ${{ secrets.RAPIDFORT_PASSWORD }}
+          chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}
 
       - name: Check multi-arch images
         uses: ./.github/actions/check-multiarch

@@ -69,8 +69,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
           registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
-          rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
-          rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+          chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
 
       - name: Setup Tofu
         uses: opentofu/setup-opentofu@fc711fa910b93cba0f3fbecaafc9f42fd0c411cb # v2.0.0

@@ -66,8 +66,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
           registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
-          rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
-          rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+          chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
 
       - name: Setup Tofu
         uses: opentofu/setup-opentofu@fc711fa910b93cba0f3fbecaafc9f42fd0c411cb # v2.0.0

@@ -52,8 +52,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
           registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
-          rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
-          rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+          chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
           installK3d: 'true'
 
       - name: Run UDS Core Install HA Test

@@ -70,8 +70,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
           registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
-          rapidfortUsername: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
-          rapidfortPassword: ${{ (matrix.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+          chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
 
       - name: Setup Tofu
         uses: opentofu/setup-opentofu@fc711fa910b93cba0f3fbecaafc9f42fd0c411cb # v2.0.0

@@ -44,7 +44,7 @@ jobs:
   test:
     # Use the 8 core runner for full-core or 4 core runner (with larger disk) for func layers tests
     runs-on: "${{ inputs.package == 'all' && 'uds-ubuntu-big-boy-8-core' || 'uds-ubuntu-big-boy-4-core'}}"
-    # Increase the timeout for longer upgrades - temporarily increased to 60 for longer upgrade from cgr -> rf
+    # Increase the timeout for longer upgrades
     timeout-minutes: ${{ inputs.test_type == 'upgrade' && 60 || 30 }}
     name: Test
     env:
@@ -60,8 +60,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           registry1Username: ${{ (inputs.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
           registry1Password: ${{ (inputs.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
-          rapidfortUsername: ${{ (inputs.flavor == 'unicorn') && secrets.RAPIDFORT_USERNAME || '' }}
-          rapidfortPassword: ${{ (inputs.flavor == 'unicorn') && secrets.RAPIDFORT_PASSWORD || '' }}
+          chainguardIdentity: ${{ (inputs.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
           installK3d: 'true'
 
       - name: Test a single layer package

@@ -101,6 +101,18 @@ done
 
 See [Istio's platform requirements](https://istio.io/latest/docs/ops/deployment/platform-requirements/) for the full upstream list.
 
+> [!NOTE]
+> **Unicorn flavor on RHEL 9 with fapolicyd:** The unicorn flavor uses FIPS-compliant CNI images that write `libcrypto.so.3` into `/opt/cni/bin/.cgr/` at runtime. If fapolicyd is running in enforcing mode, it will block access to this file because it is not RPM-managed, preventing istio-cni from starting. Add the following rule to allow access, then recompile and restart fapolicyd:
+>
+> ```bash
+> mkdir -p /etc/fapolicyd/rules.d
+> cat > /etc/fapolicyd/rules.d/20-cni-allow.rules << 'EOF'
+> allow perm=any all : dir=/opt/cni/bin/
+> EOF
+> fagenrules
+> systemctl restart fapolicyd
+> ```
+
 ## Falco requirements
 
 UDS Core uses [Falco](https://falco.org/)'s [Modern eBPF Probe](https://falco.org/docs/concepts/event-sources/kernel/#modern-ebpf-probe), which has the following requirements:

@@ -38,10 +38,12 @@ trap "rm -f $TEMP_IMAGES $TEMP_MISSING" EXIT
 
 echo "Scanning $SRC_DIR for unicorn and registry1 images..."
 
-# Extract all quay.io/rfcurated/ (unicorn) and registry1.dso.mil/ironbank/ (registry1) images
-find "$SRC_DIR" -name "zarf.yaml" -type f -exec grep -hE "quay.io/rfcurated/|registry1.dso.mil/ironbank/" {} \; | \
+# Extract all cgr.dev/defenseunicorns.com/ (unicorn) and registry1.dso.mil/ironbank/ (registry1) images
+find "$SRC_DIR" -name "zarf.yaml" -type f -exec grep -hE "cgr.dev/defenseunicorns.com/|registry1.dso.mil/ironbank/" {} \; | \
     sed 's/^[[:space:]]*-[[:space:]]*//' | \
+    sed 's/#.*//' | \
     sed 's/"//g' | \
+    sed 's/[[:space:]]*$//' | \
     sort -u > "$TEMP_IMAGES"
 
 TOTAL=$(wc -l < "$TEMP_IMAGES")

@@ -44,7 +44,7 @@ This script will:
 The scripts can apply the following labels to PRs:
 
 - `waiting on ironbank`: If a registry1 image is behind
-- `waiting on rapidfort`: If a rapidfort image is behind
+- `waiting on unicorn`: If a Unicorn image is behind
 - `helm-chart-only`: If a PR only contains a helm chart update
 - `needs-review`: If PR is NOT waiting on image updates
 - `major-helm-update`: If the PR contains a major chart version bump