validatedpatterns · mbaldessari · May 28, 2026 · Apr 17, 2026 · Apr 22, 2026 · Apr 22, 2026
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
@@ -62,7 +62,7 @@ jobs:
           buildah push "${CONTAINER}-${TARGETARCH}" "docker-archive:/tmp/image-${TARGETARCH}.tar:${CONTAINER}-${TARGETARCH}"
 
       - name: Upload image artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: image-${{ matrix.targetarch }}-${{ github.run_id }}
           path: /tmp/image-${{ matrix.targetarch }}.tar
@@ -116,7 +116,7 @@ jobs:
           echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
         with:
           cosign-release: "v2.2.4"
 

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -23,4 +23,4 @@ jobs:
           persist-credentials: false
 
       - name: Run zizmor
-        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
diff --git a/Makefile b/Makefile
@@ -11,6 +11,8 @@ PATTERN_CATALOG_DOCKERFILE ?= pattern-ui-catalog.Dockerfile
 .PHONY: help
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-40s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+	@echo ""
+	@echo "Override catalog destination with: make UPLOADREGISTRY=quay.io/rhn_support_mbaldess VERSION=partnertest pattern-ui-catalog-build"
 
 ##@ Pattern Catalog
 

diff --git a/README.md b/README.md
@@ -189,8 +189,8 @@ oc create configmap patterns-operator-config \
   --from-literal=catalog.image=quay.io/my-org/pattern-ui-catalog:1.0.0
 ```
 
-The operator picks up the change on its next reconciliation loop and performs a
-rolling update of the catalog deployment.
+The operator manager pod needs to be deleted for the change to be picked up.
+After that the UI will point to the new catalog.
 
 ## Authenticated container registries
 

diff --git a/catalog.schema.json b/catalog.schema.json
@@ -21,6 +21,12 @@
       "type": "string",
       "description": "Description shown in the catalog UI"
     },
+    "catalog_logo": {
+      "type": "string",
+      "description": "URL or filename of the logo image displayed on the catalog page. If a filename it just needs adding to the catalog/ folder",
+      "format": "uri",
+      "default": "https://validatedpatterns.io/images/logo.png"
+    },
     "patterns": {
       "type": "array",
       "description": "List of pattern identifiers included in the catalog",

diff --git a/catalog/catalog.yaml b/catalog/catalog.yaml
@@ -1,6 +1,7 @@
-generated_at: "2026-04-16T11:34:50Z"
+generated_at: "2026-05-28T09:09:10Z"
 generator_version: "1.0"
 catalog_description: '(Tech-Preview) Additional patterns can be found here: <a href="https://validatedpatterns.io">validatedpatterns.io</a>'
+catalog_logo: "https://validatedpatterns.io/images/logo.png"
 patterns:
   - ansible-edge-gitops
   - layered-zero-trust

diff --git a/catalog/hypershift/pattern.yaml b/catalog/hypershift/pattern.yaml
@@ -40,4 +40,4 @@ external_requirements:
   s3_bucket: true
 org: validatedpatterns-sandbox
 spoke: null
-clustergroupname: prod
+clustergroupname: staging
diff --git a/catalog/hypershift/values-secret.yaml.template b/catalog/hypershift/values-secret.yaml.template
@@ -19,6 +19,14 @@ secrets:
     fields:
     - name: credentials 
       path: ~/.aws/credentials
+
+  - name: hypershift-iam
+    vaultPrefixes:
+    - hub
+    fields:
+    - name: role-arn
+      value: "arn:aws:iam:accNumber::role/hypershift_cli_role"
+
 #  Begin groupsync/oauth config
 #  - name: oauthCreds
 #    fields:

diff --git a/catalog/layered-zero-trust/values-secret.yaml.template b/catalog/layered-zero-trust/values-secret.yaml.template
@@ -16,7 +16,8 @@ version: "2.0"
 # Infrastructure Secrets (hub/infra/*):
 #   hub/infra/keycloak/   - Keycloak infrastructure secrets
 #   hub/infra/rhtpa/      - RHTPA infrastructure secrets
-#   hub/infra/quay/       - Quay registry credentials
+#   hub/infra/quay/       - Built-in Quay registry credentials (auto-generated)
+#   hub/infra/registry/   - BYO container registry credentials (user-provided)
 #   hub/infra/users/      - User credentials managed by IdP
 #
 # Framework Secrets:
@@ -84,6 +85,17 @@ secrets:
   #    onMissingValue: generate
   #    vaultPolicy: alphaNumericPolicy
 
+  # qtodo-oidc-entraid — Microsoft Entra ID (Azure AD) OIDC for QTodo
+  # This secret supplies the client secret for the Entra app registration
+  # that backs app.oidc.clientId. The value is read from a local file at 'path'
+  # Create the client secret in Azure Portal and store it in that file
+  #- name: qtodo-oidc-entraid
+  #  vaultPrefixes:
+  #  - apps/qtodo
+  #  fields:
+  #  - name: client-secret
+  #    path: ~/.azure/ztvp-entraid-secret
+
   - name: qtodo-truststore
     vaultPrefixes:
     - apps/qtodo
@@ -151,6 +163,17 @@ secrets:
       onMissingValue: generate
       vaultPolicy: alphaNumericPolicy
 
+  # Microsoft Entra ID (Azure AD) OIDC for RHTPA
+  # This secret supplies the client secret for the Entra app registration
+  # that backs zeroTrust.oidc.clients.cli The value is read from a local file at 'path'
+  # Create the client secret in Azure Portal and store it in that file
+  #- name: rhtpa-oidc-cli
+  #  vaultPrefixes:
+  #  - hub/infra/rhtpa
+  #  fields:
+  #  - name: client-secret
+  #    path: ~/.azure/ztvp-entraid-secret
+
   # ===========================================================================
   # USER CREDENTIALS (hub/infra/users/)
   # User passwords managed by Keycloak for application access
@@ -174,33 +197,37 @@ secrets:
       vaultPolicy: alphaNumericPolicy
 
   # ===========================================================================
-  # QUAY INFRASTRUCTURE SECRETS (hub/infra/quay/)
-  # Registry credentials for Quay
-  # Policy: hub-infra-quay-secret (read access to hub/infra/quay/*)
+  # BUILT-IN QUAY REGISTRY SECRETS (hub/infra/quay/)
+  # Auto-generated credentials for built-in Quay registry
+  # Used by: Quay user provisioner job, supply-chain pipeline (when quay.enabled=true)
+  # Policy: hub-supply-chain-jwt-secret (read access to hub/infra/quay/*)
   # ===========================================================================
   - name: quay-users
     vaultPrefixes:
     - hub/infra/quay
     fields:
-    - name: quay-admin-password
-      onMissingValue: generate
-      vaultPolicy: validatedPatternDefaultPolicy
     - name: quay-user-password
       onMissingValue: generate
       vaultPolicy: validatedPatternDefaultPolicy
 
-  # External Registry Credentials (e.g., Quay.io, Docker Hub, GHCR)
-  # Reserved for future use with container signing workflows
-  # Uncomment and provide your credentials when needed
-  #- name: external-registry
+  # ===========================================================================
+  # BYO REGISTRY SECRETS (hub/infra/registry/)
+  # Only needed for Option 2 (BYO/external registry, e.g. quay.io, ghcr.io).
+  # NOT needed for Option 1 (built-in Quay uses quay-users secret) or
+  # Option 3 (embedded OpenShift registry with token refresher writes to Vault
+  # automatically -- see docs/supply-chain.md).
+  # Used by: supply-chain pipeline (push), qtodo (pull) when registry enabled
+  # Policy: hub-supply-chain-jwt-secret (read access to hub/infra/registry/*)
+  #
+  # Uncomment and replace REPLACE_WITH_REGISTRY_TOKEN with your registry
+  # token/password in your local ~/values-secret-layered-zero-trust.yaml.
+  # ===========================================================================
+  #- name: registry-user
   #  vaultPrefixes:
-  #  - hub/infra
+  #  - hub/infra/registry
   #  fields:
-  #  - name: username
-  #    value: "your-registry-username"  # Replace with your username
-  #    onMissingValue: error
-  #  - name: password
-  #    value: "your-registry-token"     # Replace with your token/password
+  #  - name: registry-password
+  #    value: "REPLACE_WITH_REGISTRY_TOKEN"
   #    onMissingValue: error
 
   # ===========================================================================

diff --git a/generate-catalog.sh b/generate-catalog.sh
@@ -14,6 +14,7 @@ ORGS=(${ORGS[@]:-"validatedpatterns" "validatedpatterns-sandbox"})
 TOPIC=${TOPIC:-"ui-catalog-enabled"}
 GENERATOR_VERSION="1.0"
 CATALOG_DIR="catalog"
+CATALOG_LOGO="https://validatedpatterns.io/images/logo.png"
 
 # Normalize a single pattern-metadata.yaml (JSON from yq) into catalog schema.
 # Reads JSON on stdin, writes normalized JSON on stdout.
@@ -140,6 +141,7 @@ CATALOG_DESCRIPTION=${CATALOG_DESCRIPTION:-'(Tech-Preview) Additional patterns c
     echo "generated_at: \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\""
     echo "generator_version: \"${GENERATOR_VERSION}\""
     echo "catalog_description: '${CATALOG_DESCRIPTION}'"
+    echo "catalog_logo: \"${CATALOG_LOGO}\""
     echo "patterns:"
     for name in "${pattern_names[@]}"; do
         echo "  - ${name}"