Tags

  • v8.1.0

    Release: v8.1.0
    v8.1.0 — optional kmod module-signing secret plumbing
    
    MOK_SIGNING_KEY_B64 convention on base-build-scratch kmod jobs: decode
    to tmpfile, buildah --secret id=mok; consumers opt in via
    RUN --mount=type=secret,id=mok. Non-breaking. For basef#19.
  • v8.0.0

    Release: v8.0.0
    v8.0.0 — fold validate into instance promote
    
    The validate component (mock exists-check + retag) is removed; instance
    promote moves :latest and :stable together in one idempotent step.
    Instances deliberately don't boot-smoke — basef's earned :stable is the
    quality bar. Also: kickstart/summary clone literals bumped + release-check
    guard; earned-stable.svg timing rot removed; README accuracy pass.
    BREAKING: removes the validate component.
  • v7.0.0

    Release: v7.0.0
    v7.0.0 — instance + validate promote auto-gate on a path list
    
    Extends the v6.0.0 base-build-scratch fix to instance and validate. Removes
    instance.promote_job_rules and validate.job_rules; both gate internally on a
    path list (instance reuses build_change_paths, validate gets change_paths) via
    .promote-rules / .validate-rules anchors (build rules minus merge_request).
    promote and validate-and-promote fire on identical conditions. BREAKING:
    removes those two inputs. carmine re-pins and drops its overrides.
  • v6.0.0

    Release: v6.0.0
    v6.0.0 — base-build-scratch promote auto-gates on build_change_paths
    
    Removes the promote_job_rules input; promote shares the build jobs' change-path
    gate (heavy-job-rules minus merge_request) via an internal .promote-rules anchor.
    A docs/CI-only push no longer runs promote or fires a cascade, and build and
    promote can't drift. BREAKING: consumers passing promote_job_rules must drop it.
    Backfills v5.0.0/v5.0.1 CHANGELOG entries.
  • v5.0.1

    Release: v5.0.1
    catalog v5.0.1: sha-tag kmod images (end cross-pipeline race)
  • v5.0.0

    Release: v5.0.0
    v5.0.0 — :stable must be earned
    
       promotion behind a verification job (basef boot-smoke). A failed gate skips
       promote, so :stable never moves and the cascade never fires; a passing gate
       promotes and pins :stable to the exact smoke-validated digest.
       consumer's preflight responsibility). Justifies the major bump.
    
    Catalog's own CI migrated to composable just recipes (component templates
    remain inline YAML — they ship to consumers). Proven end-to-end on the
    crucible nested-KVM runner in both directions (fail blocks, pass promotes).
  • v4.8.0

    Release: v4.8.0
    factor validate-kickstart into shared script — single source of truth across CI + operator-local; consumers (carmine, crimson) reuse the same shell+python via clone or sibling path
  • v4.7.0

    Release: v4.7.0
    v4.7.0 — proceed_var input for upstream-alignment gating
  • v4.6.0

    v4.6.0 — extract kickstart + summary components from carmine
  • v4.5.0

    Release: v4.5.0
    v4.5.0 — path-filter MR-event heavy-job-rules + drop pyinfra default
  • v4.4.0

    Release: v4.4.0
    v4.4.0 — drop .gitlab-ci.yml from build_change_paths + optional needs on promote
    
    Removes .gitlab-ci.yml from default build_change_paths in
    base-build-scratch.yml and instance.yml so non-image-affecting pushes
    to main no longer trigger the bootc cascade.
    
    Bundled fix for the sibling empty-pipeline failure: promote jobs now
    have optional: true on their needs of the build job, plus a runtime
    guard that exits 0 silently when the SHA-tagged image doesn't exist.
    
    See CHANGELOG.md for details.
  • v4.3.0

    Release: v4.3.0
    v4.3.0: drop cosign signing — subtractive release
    
    containers/image cannot verify our keyless signatures at pull time
    (containers/container-libs#388 since Oct 2025, no fix landed).
    Signing without verification is ceremony; remove the ceremony.
    
    SBOM generation stays as real audit value. See basef README for the
    upstream blocker + monthly re-check + how-to-re-enable runbook.
  • v4.2.0

    Release: v4.2.0
    v4.2.0: subtractive release — drop WATCH_CVE infrastructure
    
    Reverts the v4.1.2/v4.1.3 WATCH_CVE != 'true' guards. With cve-watch
    deprecated on the consumer side (replaced by daily basef-recurring
    + manual tools/acute-rebuild), the discriminator is dead weight.
    
    Validated at SHA 1ab93a60 via basef MR !19 (green) and carmine MR !19 (green).
  • v4.1.3

    Release: v4.1.3
    v4.1.3: WATCH_CVE guard on promote_job_rules
    
    Continuation of v4.1.2. promote's needs caused empty-jobs pipeline
    failure on cve-watch schedules. Gate fixed.
  • v4.1.2

    Release: v4.1.2
    v4.1.2: WATCH_CVE guard on scheduled heavy-job rules
    
    Hot fix. cve-watch schedules (WATCH_CVE=true) were running the
    heavy DAG. Now gated on WATCH_CVE != true. Recurring rebuild
    schedules (basef-recurring, no WATCH_CVE) still run heavy DAG.
  • v4.1.1

    Release: v4.1.1
    v4.1.1: heavy-job rules accept api source
    
    Group access token POSTs to /projects/:id/pipeline create source=api
    pipelines. This patch adds 'if: $CI_PIPELINE_SOURCE == "api"' to
    heavy-job-rules in base-build-scratch, instance, and container-build.
    Backward-compatible: trigger source still accepted.
    
    Pivots the cascade pattern from N per-project trigger tokens to a
    single group access token (TRIGGER at dunn.dev/immutable scope).
    basef + carmine consumer pin bumps land alongside this.
  • v4.1.0

    Release: v4.1.0
    v4.1.0: substrate -> instance cascade
    
    Validated against basef + carmine v4.1.0 MRs (both GREEN).
    
    Catalog changes:
    - base-build-scratch .heavy-job-rules, instance build rules,
      container-build job_rules: accept ACUTE=true and trigger source
    
    Wires the basef -> carmine cascade pattern with cve-watch acute
    trigger (deterministic pre-screen) and operator acute-rebuild
    command. AI triage (claude-sonnet) lands in v4.2.0.
  • v4.0.0

    Release: v4.0.0
    v4.0.0: honest CI baseline
    
    Validated against basef + carmine via SHA-pinned MRs (2b048d7f).
    Both consumer pipelines GREEN before tag.
    
    Removed:
    - verify-downstream (broken Tier 4 trigger pattern since v3.1.0)
    - pyinfra-smoke, bootc-boot-smoke (never wired)
    - pipeline-source rule branches added in v3.3.1
    
    Changed:
    - workflow.auto_cancel.on_new_commit: interruptible
    
    Migration: bump consumer pin to v4.0.0. Drop pipeline-source workflow
    rule from consumers (was only needed for verify-downstream).
    
    This is the foundation. v4.1.0 wires the substrate-instance cascade
    (basef -> carmine trigger + CVE-watch + AI triage).
  • v3.3.1

    Release: v3.3.1
    catalog v3.3.1 — verify-downstream chain fixed
    
    v3.3.0 inherited a broken verify-downstream bridge that had been red
    since v3.1.0: the catalog tag pipeline fires multi-project trigger
    pipelines into basef + carmine with strategy: depend, but no rule
    on either side accepted $CI_PIPELINE_SOURCE == "pipeline" — so the
    downstream pipelines had zero allowed jobs and the bridges failed
    with downstream_pipeline_creation_failed.
    
    v3.3.1 closes that gap on the catalog side: every heavy-job rules
    location (base-build-scratch's .heavy-job-rules anchor, instance.yml's
    build job, container-build.yml's job_rules default) now accepts
    pipeline-source unconditionally. Consumers (basef, carmine) accept it
    guarded on TRIGGERED_BY_CATALOG=true.
    
    No functional changes to any build, validate, sign, or promote step.
    Self-test + heavy-job-on-pipeline-source the only new behavior.
  • v3.3.0

    Release: v3.3.0
    v3.3.0: path-based rules + promotion idempotency
    
    Heavy build jobs gate on rules: changes: paths: via new
    build_change_paths input. Doc-only / settings-only / CI-only
    pushes to main no longer trigger rebuilds. MR + schedule
    pipelines unchanged.
    
    Promotion steps (validate.yml, instance.yml, base-build-scratch.yml,
    container-build.yml) now compare source and destination digests
    before skopeo copy. No-op promotions log and skip.
    
    container-build.yml job_rules default changed: previously
    unconditional, now path-gated on main push. Consumers can restore
    old behavior via inputs.job_rules.
    
    New input: build_change_paths (array). Default covers images/**,
    modules/**, manifests/**, Containerfile*, .gitlab-ci.yml.