Tags

Tags give the ability to mark specific points in history as being important.
  • v1.5.0

    protected Release: v1.5.0
    v1.5.0 -- extra-assets component + reference templates
  • v1.4.2

    protected Release: v1.4.2
    v1.4.2 -- revert multi-binary-job (use custom asset link job instead)
  • v1.4.1

    protected Release: v1.4.1
    v1.4.1 -- release component supports multiple binary jobs
    
    New inputs: binary-job-2, binary-job-3 for projects that build
    variants (FIPS, cross-compile, etc.) in separate jobs.
  • v1.4.0

    protected Release: v1.4.0
    v1.4.0 -- container tag-suffix and cosign retry
    
    - container: new tag-suffix input (e.g. '-fips') for variant images
    - all components: retry cosign download on transient GitHub 5xx errors
  • v1.3.2

    protected Release: v1.3.2
    v1.3.2 -- fix attest for non-binary artifacts and SLSA predicate format
    
    - Skip checksums, SBOMs, attestation artifacts (basename match)
    - Output bare SLSA v1.0 predicate body for cosign (not full Statement)
  • v1.3.1

    protected Release: v1.3.1
    v1.3.1 -- fix POSIX shell compatibility and Go 1.23 support
    
    - compliance: use POSIX-compliant shell (Alpine uses ash, not bash)
    - audit: pin govulncheck to v1.1.4 (latest requires Go 1.25+)
  • v1.3.0

    protected Release: v1.3.0
    v1.3.0 -- DoD-grade baseline components
    
    New components for DoD-grade baseline across all projects:
    
    - audit: language-aware dependency scanning (cargo-deny, govulncheck, npm audit, pip-audit)
    - compliance: validates SECURITY.md has required sections and no vacuous placeholders
    - attest: generates SLSA v1.0 provenance attestations via cosign keyless signing
    
    Updates to existing components:
    - release: links SLSA attestation bundles to release page when attest job runs
    
    Template additions:
    - compliance/SECURITY.md.scaffold: starting point for project SECURITY.md
      with NIST SP 800-53, NIST SP 800-218 SSDF, CMMC 2.0 L2, and FIPS
      sections scaffolded
  • v1.2.0

    protected Release: v1.2.0
    v1.2.0 -- release component links binaries and container to release page
    
    The release component now creates release asset links for:
    - Binary artifacts from the generic package registry (auto-discovered from dist/)
    - Container image (when container-image input is provided)
    
    New input: binary-job (default: binary-build) controls artifact dependency.
    Removed input: binary-names (now auto-discovered from dist/ directory).
    
    Projects using the release component now get downloadable binaries on the
    release page without any additional CI configuration.
  • v1.1.1

    protected Release: v1.1.1
    v1.1.1: Fix verify component curl conflict on UBI9-minimal
    
    UBI9-minimal:9.7 ships curl-minimal which conflicts with full curl.
    Removed the microdnf install since curl-minimal supports all needed flags.
  • v1.1.0

    protected Release: v1.1.0
    v1.1.0: Supply chain hardening and Renovate
    
    - Cosign v2.4.1 -> v2.6.3 with SHA256 checksum verification
    - Buildah pinned to v1.43.0
    - Alpine replaced with UBI9-minimal:9.7 in verify component
    - glab CLI pinned to v1.92.1, release-cli to v0.24.0
    - Log collapsing, interruptible jobs, runner-tag inputs
    - Secret Detection in project CI
    - Renovate config with cosign v2.x constraint
  • v1.0.0

    protected Release: v1.0.0
    pipeline v1.0.0
    
    CI/CD catalog components for regulated container builds.
    
    Components:
    - container: buildah + UBI10-micro, cosign keyless sign (v2.4.1)
    - verify: cosign signature verification against GitLab OIDC identity
    - binary: cross-compile, checksums, cosign sign-blob, package registry
    - release: GitLab release with asset links (glab, not deprecated release-cli)
    
    All components support configurable job names, consumer-controlled
    rules (array input), and parameterized inputs. No global keywords.
    
    Validated: postern pipeline passes all four jobs (test, container-build,
    container_scanning, container-verify) consuming these components.