
Conversation


@homebot-0 homebot-0 bot commented Dec 20, 2025

This PR contains the following updates:

Package | Update | Change
aqua:fluxcd/flux2 | patch | 2.7.3 → 2.7.5

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

⚠️ Critical Infrastructure: This update affects core cluster components. Review changelog carefully.

🐾 Talos PETS: Patch version will be auto-merged after 1-day stabilization. In-place upgrade via talosctl.

🐄 Talos CATTLE: Major/minor version requires manual approval. Full VM rebuild via Terraform.


Release Notes

fluxcd/flux2 (aqua:fluxcd/flux2)

v2.7.5

Compare Source

Highlights

Flux v2.7.5 is a patch release that comes with fixes to helm-controller. Users are encouraged to upgrade for the best experience.

ℹ️ Please follow the Upgrade Procedure for Flux v2.7+ for a smooth upgrade from Flux v2.6 to the latest version.

Fixes:

  • Fix HelmRelease history truncation when using the RetryOnFailure strategy.

⚠️ Note that signature verification for OCI artifacts in source-controller is not compatible with Cosign v3.
Flux users are advised to use Cosign v2.6 for signing Flux OCI artifacts and Helm charts, until support for Cosign v3 is added in Flux v2.8.

Components changelog

CLI changelog

Full Changelog: fluxcd/flux2@v2.7.4...v2.7.5

v2.7.4

Compare Source

Highlights

Flux v2.7.4 is a patch release that comes with various fixes. Users are encouraged to upgrade for the best experience.

ℹ️ Please follow the Upgrade Procedure for Flux v2.7+ for a smooth upgrade from Flux v2.6 to the latest version.

Fixes:

  • Add DisableConfigWatchers feature gate to all controllers for disabling the Secrets/ConfigMaps watchers
  • Fix Workload Identity for Azure China Cloud in all controllers
  • Update Helm Go SDK to v3.19.2 fixing schema validation issues in helm-controller
  • Skip secret decryption for remote kustomize patches in kustomize-controller
  • Improve post-build error reporting in kustomize-controller
  • Add ArtifactGenerator to aggregated RBAC roles

⚠️ Note that signature verification for OCI artifacts in source-controller is not compatible with Cosign v3.
Flux users are advised to use Cosign v2.6 for signing Flux OCI artifacts and Helm charts, until support for Cosign v3 is added in Flux v2.8.

Components changelog

CLI changelog

Full Changelog: fluxcd/flux2@v2.7.3...v2.7.4


Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@homebot-0 homebot-0 bot added deps/core Core infrastructure (Flux, Cilium, CNI) deps/tools CLI tools (helm, flux, talos, sops, age) renovate Dependency update by Renovate update/patch Patch version update - bug fixes labels Dec 20, 2025

coderabbitai bot commented Dec 20, 2025

Walkthrough

Bumps the flux2 tool version from 2.7.3 to 2.7.5 in .mise.toml. Single-line, non-functional change; no control-flow, API, or manifest structure modifications detected.

Changes

Cohort / File(s) | Summary
Version management
.mise.toml | flux2 version updated: 2.7.3 → 2.7.5 (patch-level bump)

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title accurately reflects the main change: updating the flux2 tool from 2.7.3 to 2.7.5 in the .mise.toml configuration file.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.



homebot-0 bot commented Dec 20, 2025

ℹ️ SOPS Encryption Check

No SOPS files detected in this pull request.

Check Status
SOPS files in PR ✅ None detected

No encryption validation required for this PR.


homebot-0 bot commented Dec 20, 2025

✅ Gitleaks Secret Scan Passed

No secrets detected in this pull request.

Check Status
Secret patterns ✅ Clean
Sensitive files ✅ None detected

@homebot-0 homebot-0 bot force-pushed the renovate/aqua-fluxcd-flux2-2.x branch from 3129ee8 to f96dd37 Compare December 21, 2025 06:24
@jlengelbrecht
Owner

@coderabbitai review


coderabbitai bot commented Dec 21, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@homebot-0 homebot-0 bot force-pushed the renovate/aqua-fluxcd-flux2-2.x branch from f96dd37 to e76f83c Compare December 23, 2025 14:14
@homebot-0 homebot-0 bot force-pushed the renovate/aqua-fluxcd-flux2-2.x branch from e76f83c to 1817dbb Compare January 8, 2026 02:47
@homebot-0 homebot-0 bot force-pushed the renovate/aqua-fluxcd-flux2-2.x branch from 1817dbb to bd60577 Compare January 20, 2026 16:13

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.mise.toml:
- Line 17: Do not change the "aqua:fluxcd/flux2" entry to "2.7.5" yet; instead
revert or hold the version and perform pre-upgrade migration and compatibility
checks: run `flux migrate` on each cluster to convert deprecated CRD APIs
(v1beta1/v2beta1) before upgrading controllers, verify source-controller OCI
signature compatibility with your cosign version (downgrade to cosign v2.6 or
wait for flux v2.8 if you use cosign v3), and follow the Flux v2.7 upgrade guide
step-by-step to confirm API versions and controller compatibility prior to
updating the "aqua:fluxcd/flux2" version.

"aqua:cue-lang/cue" = "0.14.2"
"aqua:FiloSottile/age" = "1.2.1"
"aqua:fluxcd/flux2" = "2.7.3"
"aqua:fluxcd/flux2" = "2.7.5"
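Review bot: the bump to `"aqua:fluxcd/flux2" = "2.7.5"` changes only the version of the flux CLI that mise installs; nothing in this hunk touches the controllers deployed in the cluster, so once merged the CLI will run ahead of the in-cluster components until the cluster manifests are regenerated as the release notes' upgrade procedure describes. Two checks are worth doing before merge rather than after: confirm the host that runs the CLI actually has the pinned 2.7.5 on PATH (`mise install`, then `flux version --client`), and, because the v2.7.5 notes say source-controller's OCI signature verification is not compatible with Cosign v3, make sure any cosign used to sign artifacts or Helm charts that Flux verifies stays on v2.6 until Flux v2.8.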

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Flux v2.7.5 release notes upgrade procedure breaking changes

💡 Result:

Summary — what changed (breaking) in Flux v2.7.5 and how to upgrade

Key breaking / EOL items

  • The deprecated toolkit APIs v1beta1 / v2beta1 were removed from the CRDs (source/kustomize/helm/image/notification v1beta1/v2beta1). You must migrate resources to the stable APIs before/when upgrading. [1][2]
  • Signature verification for OCI artifacts in source-controller is not compatible with Cosign v3 (use Cosign v2.6 until v2.8 adds support). [1]
  • (From the v2.7.0 minor release) some previously deprecated flags/features were removed (example: image-reflector-controller autologin flags removed — set ImageRepository.spec.provider instead). Review the v2.7 changelog for other API/flag removals and behavioral changes (Kustomization/HelmRelease readiness, new fields and feature-gates). [2]

Upgrade procedure (short)

  • Read the Flux v2.7 upgrade guide and follow the "Upgrade Procedure for Flux v2.7+" step‑by‑step. [3]
  • Unless you deploy controllers via Flux Operator, run flux migrate on each cluster to migrate CRs to the stable APIs before upgrading the controllers. [1][3]
  • Update the flux CLI first, then upgrade controllers via your install method:
    • bootstrap Git: regenerate manifests with flux bootstrap and push;
    • bootstrap via flux CLI: rerun the same bootstrap command for each cluster;
    • Terraform: update provider and terraform apply;
    • kubectl: apply the latest install.yaml from the releases page. [3]
  • After upgrade, run flux check and verify controller versions and health. [3]

Important links (read before upgrading)

  • GitHub release notes v2.7.5 (includes upgrade note and fixes). [1]
  • Flux v2.7 blog / changelog with breaking changes and feature list. [2]
  • Flux upgrade docs / step-by-step procedure. [3]

Sources
[1] Flux v2.7.5 GitHub release (fluxcd/flux2).
[2] Flux blog — Announcing Flux 2.7 (release/changelog).
[3] Flux documentation — Upgrade procedure / Flux upgrade page.


🌐 Web query:

Flux 2.7 cosign OCI signature verification compatibility

💡 Result:

Short answer: Yes — Flux (including the 2.x source-controller used in Flux 2.7) supports verifying OCI artifact signatures produced by Sigstore cosign. You can verify both key-based and keyless (OIDC/Fulcio) cosign signatures for OCIRepository artifacts and for Helm charts stored as OCI artifacts. Configure spec.verify.provider: cosign and either point to a Secret with .pub keys (secretRef) or omit secretRef and use matchOIDCIdentity for keyless validation. Flux will set SourceVerified on success and refuse to fetch the artifact on verification failure. Examples and config fields are documented in the Flux docs. [1][2][3]

Sources:

  • Flux OCIRepository / verification docs (cosign, secretRef, matchOIDCIdentity). [1]
  • Flux cheatsheet & blog on signing/verifying OCI artifacts and Helm charts with cosign. [2][3]

References:
[1] https://fluxcd.io/flux/components/source/ocirepositories/
[2] https://fluxcd.io/flux/cheatsheets/oci-artifacts/
[3] https://fluxcd.io/blog/2022/10/prove-the-authenticity-of-oci-artifacts/


Do not bump Flux to v2.7.5 without explicit pre-upgrade migration and compatibility checks.

v2.7.5 is NOT a safe patch bump—it removes deprecated CRD APIs (v1beta1/v2beta1 across source/kustomize/helm/image/notification controllers). You must run flux migrate on each cluster to migrate all resources to stable APIs before upgrading controllers. Additionally, source-controller's OCI artifact signature verification is incompatible with Cosign v3; you must either downgrade to Cosign v2.6 or wait for v2.8. Review your current API versions, Cosign version, and follow the Flux v2.7 upgrade guide step-by-step before rollout.


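As an added example (not code from the PR, from Renovate, or from CodeRabbit), the pre-upgrade gate that the review above asks for, written as a shell script: it reads the flux2 pin from .mise.toml, compares it with the installed CLI, refuses to proceed if the installed cosign is a v3 release, and lists Flux CRDs whose stored versions still include the deprecated v1beta1/v2beta1 APIs, which is the condition `flux migrate` is meant to clear. The helper functions take their input as arguments or on stdin so they can be exercised with constructed data; `main` calls the real `flux`, `cosign` and `kubectl` binaries and only runs when FLUX_GATE_RUN=1 is exported. The output formats assumed are `flux: vX.Y.Z` from `flux version --client` and a `GitVersion:` line from `cosign version`.

```shell
#!/usr/bin/env bash
# Pre-upgrade gate for a Flux CLI pin bump (added example, not part of the PR).
# Pure helpers take input as arguments or on stdin so they run offline;
# main() wires them to the real tools and only runs when FLUX_GATE_RUN=1.
set -eu

# Major version of a string like "v2.6.0" or "2.7.5" -> "2".
semver_major() {
  local v="${1#v}"
  printf '%s\n' "${v%%.*}"
}

# Flux v2.7.x source-controller cannot verify signatures made with Cosign v3
# (release notes), so only cosign major versions 1 and 2 are accepted.
# An empty argument (cosign not installed) is treated as incompatible.
cosign_compatible() {
  case "$(semver_major "$1")" in
    1|2) return 0 ;;
    *)   return 1 ;;
  esac
}

# Read the "aqua:fluxcd/flux2" pin from a .mise.toml given as $1 or on stdin.
mise_flux_pin() {
  sed -n 's/^"aqua:fluxcd\/flux2" *= *"\([^"]*\)".*/\1/p' "${1:-/dev/stdin}"
}

# $1 is a line such as "flux: v2.7.5" as printed by `flux version --client`,
# $2 is the pin; succeed only when both name the same version.
cli_matches_pin() {
  local cli="${1##*: }"
  [ "${cli#v}" = "${2#v}" ]
}

# Input lines: "<crd name> <storedVersions>" (see main). Print the names of
# CRDs that still store a deprecated v1beta1/v2beta1 version; a non-empty
# result means `flux migrate` has not yet been run on that cluster.
stale_crds() {
  grep -E 'v1beta1|v2beta1' "${1:-/dev/stdin}" | awk '{print $1}'
}

main() {
  local pin cli cosign_v stale rc=0
  pin="$(mise_flux_pin .mise.toml)"
  cli="$(flux version --client)"
  if cli_matches_pin "$cli" "$pin"; then
    printf 'ok: installed CLI (%s) matches pin %s\n' "$cli" "$pin"
  else
    printf 'FAIL: installed CLI (%s) does not match pin %s; run mise install\n' "$cli" "$pin"
    rc=1
  fi

  cosign_v="$(cosign version 2>/dev/null | awk '/GitVersion/ {print $2}')"
  if cosign_compatible "$cosign_v"; then
    printf 'ok: cosign %s can sign artifacts that Flux v2.7 verifies\n' "$cosign_v"
  else
    printf 'FAIL: cosign "%s" is missing or v3; pin cosign v2.6 until Flux v2.8\n' "$cosign_v"
    rc=1
  fi

  stale="$(kubectl get crd -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.storedVersions}{"\n"}{end}' \
           | grep 'toolkit.fluxcd.io' | stale_crds)"
  if [ -z "$stale" ]; then
    printf 'ok: no Flux CRD stores a v1beta1/v2beta1 version\n'
  else
    printf 'FAIL: run `flux migrate` on this cluster first; stale CRDs:\n%s\n' "$stale"
    rc=1
  fi
  return "$rc"
}

if [ "${FLUX_GATE_RUN:-0}" = "1" ]; then
  main
fi
```

Run it with `FLUX_GATE_RUN=1 ./flux-gate.sh` against each cluster's kubeconfig before merging a pin bump; a non-zero exit means one of the three conditions the review lists is not yet met, and the message names which one.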
@homebot-0 homebot-0 bot force-pushed the renovate/aqua-fluxcd-flux2-2.x branch from bd60577 to 8a81d7d Compare January 23, 2026 06:13
