How to audit the "workload-version" of an application

As part of our work trying to be compliant with the upcoming EU regulation: Cyber Resilience Act (CRA) - we are looking for a way to audit versions of our many running applications.

The current version is easy, but doesn’t give the audit trail.

juju show-unit lxd-cluster/0 --format json | jq -r ‘.[“lxd-cluster/0”][“workload-version”]’ 5.21.3

This is part of the compliance topic which is required of us by regulations in the EU starting from September 2026.

I therefore look for a way to “audit” changes to the workload-version set by juju:

I thought that this information would be displayed with “juju show-status-log” for the model or application, but it seems it isn’t.

image698×368 102 KB

I would be very keen to understand what I would need to do to audit for changes to unit/application workload changes for our models such as we can use juju to gain compliance with audit for workload changes.

@manadart Do you know if there is some in-built-juju-way of getting an audit-log on the workload-version ?

This would be a killer feature for us that has to deal with tons of upgrades across many models.

Setting workload version writes a status document to the database, specifically for workload version, so we have a historical record.

One caveat is that setting the same version updates the timestamp rather than adding a new record, but we have the time-series data as it relates to changes.

The CLI allows retrieval of status history specific to the workload via:

juju show-status-log --type workload <unit>

But that is not the workload version history; only the status history.

In summary, there’s no interface to see the version history data, but we do have it. Would happily triage a request for the ability to view it.

I have opened up a proposal on this here : Proposal: expose workload-version changes in Juju audit/status history · Issue #22583 · juju/juju · GitHub