Six of my self-hosted services now auto-deploy with a tokenless provenance gate standing in front of them.
Watchtower handles same-tag digest updates fine, but it can't bump a pinned semver tag. That's how mcp-unifi quietly drifted two minor versions behind without me noticing. So I built a three-stage pipeline: a GitHub release bumps the public compose example, a gitignored override on the host pins the deployed tag, and a cron job on nix1 pulls, health-checks, and rolls back on failure with a Discord ping.
The part I'm happiest with is the gate. Before any new image deploys, the host runs cosign keyless verification against the SLSA build attestation, checking the certificate identity matches the exact release workflow in the exact repo it claims to come from. No GitHub token sits on the box at all. I proved it fails closed four ways: good digest passes, fake digest fails, an unsigned image fails, and a real attestation signed by the wrong repo fails on the certificate-identity check.
The deployed override files are now symlinks into a private GitOps repo, so every successful bump commits and pushes its own state. The history of what's running writes itself.
Silent on no-op, pings on events. The daily 'everything is fine' runs make zero noise. I only hear from it when something actually deploys or breaks.
