Tags give the ability to mark specific points in history as being important
-
v3.3.2
protected · Release: pipeline v3.3.2 · 0306e4fa

**Patch release.** Includes the backtick fix from v3.3.1 plus the `GOVULNCHECK_VERSION` pin fix that was blocking the v3.3.1 tag pipeline from completing.

- **Backtick fix (was: v3.3.1).** Dropped the GitLab `release:` keyword in favor of an explicit `glab release create --notes-file` invocation. The `release:` keyword routed `${CI_COMMIT_TAG_MESSAGE}` through shell `eval`, treating backticks as command substitution and stripping every `code span` from the release page. The replacement reads the tag annotation directly from `git tag -l --format='%(contents)'` into a file, then passes that file to `glab` — no shell expansion of the description body. Re-runs are idempotent: `glab release create` updates an existing release in place rather than failing.
- **`GOVULNCHECK_VERSION` pin fix.** `containers/ci-go.Containerfile` had `ARG GOVULNCHECK_VERSION=1.3.0` (no `v` prefix); Go's module loader rejects bare semver: `invalid version: unknown revision 1.3.0`. Fixed to `v1.3.0` to match the sibling `GOLANGCI_LINT_VERSION=v2.4.0` shape. This was silently blocking every tag pipeline since the pin drifted; surfaced when v3.3.1's tag pipeline couldn't reach its own release stage.
- [MR !57](https://gitlab.com/gitlab-com/public-sector/pipeline/-/merge_requests/57) — backtick fix
- [MR !58](https://gitlab.com/gitlab-com/public-sector/pipeline/-/merge_requests/58) — pin fix
- Lab evidence: [kaniko test-catalog-rc1](https://gitlab.com/gitlab-com/public-sector/kaniko/-/releases/test-catalog-rc1) — pre-merge validation of the backtick fix against a real consumer; 32-backtick parity from source tag to rendered release page
- [CHANGELOG](https://gitlab.com/gitlab-com/public-sector/pipeline/-/blob/main/CHANGELOG.md)

-
v3.3.1
protected · eef303cf

**Patch release.** Fixes the `templates/release` catalog component so backtick-delimited content in tag annotations renders correctly on the release page, and makes tag-pipeline re-runs idempotent.

- **Backtick fix.** Dropped the GitLab `release:` keyword in favor of an explicit `glab release create --notes-file` invocation. The `release:` keyword routed `${CI_COMMIT_TAG_MESSAGE}` through shell `eval`, treating backticks as command substitution and silently stripping every `code span` from the release page. The replacement reads the tag annotation directly from `git tag -l --format='%(contents)'` into a file, then passes that file to `glab` — no shell expansion of the description body.
- **Re-run idempotency.** `glab release create` updates an existing release in place rather than failing with `--no-update flag was specified`. Force-pushed tags, Renovate re-runs, and operator-initiated re-tags all succeed.
- [CHANGELOG anchor](https://gitlab.com/gitlab-com/public-sector/pipeline/-/blob/main/CHANGELOG.md#v331)
- [MR !57](https://gitlab.com/gitlab-com/public-sector/pipeline/-/merge_requests/57)
- Lab evidence: [kaniko test-catalog-rc1](https://gitlab.com/gitlab-com/public-sector/kaniko/-/releases/test-catalog-rc1) — pre-merge validation against the branch SHA, 32 backticks in source tag, 32 backticks in rendered release page (parity)
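The backtick fix described in the v3.3.1 and v3.3.2 entries above, as an added example (not code from the pipeline project): a simplified model of a release description passing through `eval` versus travelling only as file contents, plus the backtick parity check the lab evidence refers to. `TAG_MESSAGE` and the function names are hypothetical, and the annotation is a constructed string standing in for the output of `git tag -l --format='%(contents)'`.

```bash
#!/usr/bin/env bash
# Constructed tag annotation with two code spans (four backticks in total).
TAG_MESSAGE='Pin `GOVULNCHECK_VERSION` to `v1.3.0` in the Containerfile.'

# Count the backticks in a string; this is the parity metric.
count_backticks() {
  printf '%s' "$1" | tr -cd '`' | wc -c | tr -d '[:space:]'
}

# Unsafe model: the description is interpolated into a command string that is
# then eval'd. The shell tries to run each `...` span as a command and
# substitutes its (empty) output, so the spans vanish from the result.
# The subshell keeps the attempted executions away from the caller's state.
render_via_eval() {
  ( eval "printf '%s' \"$1\"" ) 2>/dev/null
}

# Safe model: the description only ever travels as data. It is written to a
# notes file and the consumer reads that file; nothing re-parses it as shell.
render_via_file() {
  local notes
  notes=$(mktemp) || return 1
  printf '%s' "$1" > "$notes"
  cat "$notes"
  rm -f "$notes"
}

# Regression check: rendered notes must keep every backtick of the source.
parity_ok() {
  [ "$(count_backticks "$1")" -eq "$(count_backticks "$2")" ]
}

eval_out=$(render_via_eval "$TAG_MESSAGE")
file_out=$(render_via_file "$TAG_MESSAGE")
printf 'source: %s backticks\n' "$(count_backticks "$TAG_MESSAGE")"
printf 'eval  : %s backticks -> %s\n' "$(count_backticks "$eval_out")" "$eval_out"
printf 'file  : %s backticks -> %s\n' "$(count_backticks "$file_out")" "$file_out"
```

A parity check like `parity_ok` can run as a post-release job so that a regression to the expanding code path fails the pipeline instead of silently dropping code spans.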
v3.2.0
protected · Release: pipeline v3.2.0 · 23a0e12f

v3.2.0 -- expose runner_tag input on compliance/container-attest/container-sbom/vale templates. Default saas-linux-large-amd64 (one tier up from previous implicit small). Backward-compatible; consumers that don't set the input get the new default.
-
v3.1.0
protected · Release: pipeline v3.1.0 · 588c2d3e

v3.1.0 -- container component auto-injects OCI image-metadata build-args (OCI_VERSION / OCI_REVISION / OCI_CREATED) sourced from CI predefined variables. Additive, backward-compatible with v3.0.0 consumers. Pairs with the forthcoming container-image standard in reference.
-
v3.0.0
protected · Release: pipeline v3.0.0 · 10d48aee

v3.0.0 — namespace migration to gitlab-com/public-sector

First release at the new path gitlab-com/public-sector/pipeline. Every catalog image, cosign OIDC identity, and SLSA provenance subject moves to the new namespace.

Hard break from v2.x. Consumers must update include lines:

    $CI_SERVER_FQDN/gitlab-com/public-sector/pipeline/<name>@v3.0.0

Removed: posture-verify component (divested to GitLab compliance product).

Deferred: ci-kaniko image (returns when kaniko ships at the new path).

Bootstrap: image-build runs under quay.io/buildah/stable:v1.43.0 with runtime cosign install. v3.1.0+ uses the just-published ci-buildah image.
-
v2.7.0
protected · Release: pipeline v2.7.0 · 4682fe69

v2.7.0 - validation cleanup + pipeline-self-validates roll-up
-
v2.6.0
protected · Release: pipeline v2.6.0 · dfa79dbc

v2.6.0 - catalog IS the Renovate runner (presets/renovate-runner.gitlab-ci.yml + self-include)
-
v2.5.0
protected · Release: pipeline v2.5.0 · 3d2528e4

v2.5.0 - declare artifacts.reports.cyclonedx for GitLab Dependency List ingestion
-
v2.4.0
protected · Release: pipeline v2.4.0 · 869c1ad3

v2.4.0 - catalog dogfooding (use ci-buildah:v2.3.0 as build host)
-
v2.3.0
protected · Release: pipeline v2.3.0 · e6a45938

v2.3.0 - container-scan-summary component + vale no-findings message
-
v2.2.0
protected · Release: pipeline v2.2.0 · 00bc90fb

v2.2.0 - vale mode (project|docs) + posture-verify shell-expansion fix
-
v2.1.1
protected · Release: pipeline v2.1.1 · e0074f88

v2.1.1: conditional cosign install in binary component

Patch release. Restores compatibility with consumer-overridden build_image values that don't ship cosign (rust:1.88.0, golang:1.25). Surfaced during the assay/posture/tach migrations. See CHANGELOG.md.
-
v2.1.0
protected · Release: pipeline v2.1.0 · 1537453f

v2.1.0: build-container-buildah + stable footing

Additive release. Goal: stable footing for consumer migration.

Highlights

- build-container-buildah component. Functionally equivalent to the legacy container component, named for symmetry with the buildkit and kaniko siblings that will follow.
- Sim harness expansion: sim-buildah builds + signs a fixture image via the new component end-to-end against the just-built ci-buildah image. The catalog's own integration test surface.
- binary component CWD-resilient: a consumer build_script that cd's elsewhere no longer breaks the subsequent dist/ manipulation.
- lint-templates enforces spec.description <= 256 chars before MR.

Deferred to a later v2.x

- build-container-buildkit: POC sim established that rootless buildkitd via rootlesskit on the gitlab.com SaaS Linux Docker executor errors with "No subuid ranges found for user 0 (root)". Real fix needs a non-root user baked into ci-buildkit plus subuid setup plus GitLab runner accepting the non-root USER. POC sim retained as manual-trigger scaffolding.
- build-container-kaniko: blocked on factory/kaniko publishing the chainguard-fork kaniko image at :latest. The ci-kaniko Containerfile and build job exist with allow_failure: true and unblock automatically when the upstream ships.

See CHANGELOG.md for the full v2.0.x -> v2.1.0 notes.
-
v2.0.2
protected · Release: pipeline v2.0.2 · b01d4e3e

v2.0.2: drop redundant catalog publish step

Patch release. v2.0.1's create-release job failed at the explicit glab repo publish catalog step with 422 (Release has already been published) because release-create on a catalog-resource project auto-publishes the version. The explicit publish call is redundant.

Fix: drop the explicit glab repo publish catalog step from .gitlab-ci.yml.
-
v2.0.1
protected · Release: pipeline v2.0.1 · e3a5b52f

v2.0.1: CI publish-flow auth fix

Patch release. Validates the production catalog publish path. The v2.0.0 create-release CI job failed authentication because glab sent CI_JOB_TOKEN as a Bearer token, which /api/v4/user rejects. v2.0.0 was manually published to the catalog as a one-time workaround; v2.0.1 makes CI work end-to-end via glab CI auto-login.

Fix: GLAB_ENABLE_CI_AUTOLOGIN=true in the create-release job variables. With GITLAB_CI=true (always set in CI), glab routes the token via gitlab.JobTokenAuthSource (job-token header) instead of Bearer.
-
v2.0.0
protected · Release: pipeline v2.0.0 · 8884dfdb

v2.0.0: pipeline catalog modernization

The catalog now demonstrates what GitLab + DevSecOps looks like when fully exercised. Every component declares spec:component for $[[ component.version ]] interpolation, ships in a v2 canonical shape (snake_case keys, typed inputs, options/regex validation), and consumes catalog-managed images instead of curl-installing tooling at runtime.

Highlights

- spec:component on every template; $[[ component.version ]] resolves to the consumer's catalog tag for image refs.
- snake_case input keys; typed inputs with options enums + regex.
- Eight UBI9-based catalog-managed images (ci-tools, ci-go, ci-go-fips, ci-rust, ci-buildah, ci-buildkit, ci-kaniko, posture-verify) -- built, cosign-signed, and SBOM-attested at every catalog tag. No runtime curl-installs in jobs.
- posture-verify component: iterate a project's .gitlab/posture-claims.yaml and run each consumer-authored verify command, fail closed on any evidence that doesn't hold up.
- Catalog publish flow uses glab repo publish catalog (release-cli is deprecation-tracked for GitLab 20.0).
- In-repo sim harness validates every component end-to-end against the just-built catalog-managed images.

Migration: see CHANGELOG.md for the v1.x -> v2.0.0 input map. Consumers may stay on v1.6.1 until ready.

Deferred to v2.1.0+:

- build-container-buildkit / build-container-buildah / build-container-kaniko engine components.
- hermeto-prefetch (hermetic dependency snapshots).
- Pages-published per-component docs.
- Immutable container-tag bootstrap (REST API quirks under investigation).
- Native SLSA dual-emit (ATTEST_CONTAINER_IMAGES) once slsa_provenance_statement FF rollout state is clearer.
- Catalog dogfooding (catalog .gitlab-ci.yml using ci-buildah for its own builds).

v2.0.0-rc.1 through rc.4 stay as frozen records of the RC iteration.
-
v2.0.0-rc.4
protected · 39bb25c4

v2.0.0-rc.4: fourth v2 release candidate

Same scope as rc.3 with image-build fixes from MR !10:

- ci-buildkit tar extraction landing (drop --strip-components)
- ci-rust pinned to Zig 0.13.0 (0.14+ changed URL naming)

rc.1-rc.3 remain as frozen records of earlier attempts.
-
v2.0.0-rc.3
protected · 24ee06c7

v2.0.0-rc.3: third v2 release candidate

Same scope as v2.0.0-rc.2 with image-build fixes from MR !9:

- ci-go drops inline sha256sum verification (format mismatch)
- ci-rust uses post-install rustup component add for clippy + rustfmt
- ci-buildkit drops bogus provenance-as-checksum fetch
- ci-kaniko allow_failure: true (factory/kaniko :latest not yet published)

rc.1 and rc.2 remain as frozen records of earlier failed attempts.
-
v2.0.0-rc.2
protected · ac36a741

v2.0.0-rc.2: second v2 release candidate

Same scope as v2.0.0-rc.1 with the curl-minimal package conflict fixed (MR !8). rc.1 remains as a frozen record of the failed first attempt.