Tags

  • v1.0.0

    v1.0.0: First stable release
    
    immutable-base produces signed, immutable bootc (OCI Bootable Container)
    images for CentOS Stream 10 and Fedora 43 with pre-compiled kernel modules
    for ZFS storage and NVIDIA GPU support. This tag marks the first stable
    release of the base image pipeline, shared instance CI template, and
    supporting documentation.
    
    Base Image Variants:
      - base                Minimal CentOS Stream 10 bootc + utilities
      - base-zfs            CentOS + ZFS kernel modules and tools
      - base-zfs-nvidia     CentOS + ZFS + NVIDIA drivers + container toolkit
      - fedora-base         Minimal Fedora 43 bootc + utilities
    
    Pipeline Architecture:
      - Full nightly rebuilds with no caching or conditional skips
      - Multi-stage builds: DKMS compilation in builder stages, only .ko files
        and userspace binaries in final images
      - Bidirectional kernel pinning via rpm.vercmp handles bootc/kernel-devel
        version mismatches in either direction
      - Cosign v2.6.2 keyless signing via GitLab OIDC + Sigstore Fulcio
      - CycloneDX SBOMs generated by syft, attested via cosign
      - Upstream-direct sourcing: NVIDIA from CUDA repo, ZFS from OpenZFS
    
    Shared Instance Template (instance/.gitlab-ci.yml):
      - Single canonical CI template for all downstream instance repos
      - Schedule-aware detect-changes (only rebuild when base image changes)
      - Cosign signing, SBOM generation, and signed attestations
      - Instance repos reduce to a 7-line .gitlab-ci.yml include
    
    Known Limitations:
      - Cosign pinned to v2.6.2 with --new-bundle-format=false. Cosign v3+
        defaults to protobuf bundles which the containers/image verification
        library cannot parse yet (tracking containers/container-libs#567,
        check Q3 2026).
      - Signature verification relaxed to insecureAcceptAnything in policy.json
        until containers/image supports cosign v3 bundle verification (same
        upstream blocker as above).
      - AMD GPU kernel module builds disabled due to dma_resv API
        incompatibility with kernel 6.12 (tracking ROCm/ROCm#5111).
        Containerized ROCm is the recommended alternative.
      - No vulnerability scanning: Trivy does not support CentOS Stream or
        Fedora security advisories. SBOMs provide dependency tracking.