Tags give the ability to mark specific points in history as being important
-
v4.4.0
Release: v4.4.0 · 0d2c02a1
v4.4.0 — drop .gitlab-ci.yml from build_change_paths + optional needs on promote
Removes .gitlab-ci.yml from default build_change_paths in base-build-scratch.yml and instance.yml so non-image-affecting pushes to main no longer trigger the bootc cascade.
Bundled fix for the sibling empty-pipeline failure: promote jobs now have optional: true on their needs of the build job, plus a runtime guard that exits 0 silently when the SHA-tagged image doesn't exist.
See CHANGELOG.md for details.
-
v4.3.0
Release: v4.3.0 · febfef66
v4.3.0: drop cosign signing — subtractive release
containers/image cannot verify our keyless signatures at pull time (containers/container-libs#388 since Oct 2025, no fix landed). Signing without verification is ceremony; remove the ceremony. SBOM generation stays as real audit value.
See basef README for the upstream blocker + monthly re-check + how-to-re-enable runbook.
-
v4.2.0
Release: v4.2.0 · 6a90e490
v4.2.0: subtractive release — drop WATCH_CVE infrastructure
Reverts the v4.1.2/v4.1.3 WATCH_CVE != 'true' guards. With cve-watch deprecated on the consumer side (replaced by daily basef-recurring + manual tools/acute-rebuild), the discriminator is dead weight.
Validated at SHA 1ab93a60 via basef MR !19 (green) and carmine MR !19 (green).
-
v4.1.1
Release: v4.1.1 · 26d47167
v4.1.1: heavy-job rules accept api source
Group access token POSTs to /projects/:id/pipeline create source=api pipelines. This patch adds 'if: $CI_PIPELINE_SOURCE == "api"' to heavy-job-rules in base-build-scratch, instance, and container-build. Backward-compatible: trigger source still accepted.
Pivots the cascade pattern from N per-project trigger tokens to a single group access token (TRIGGER at dunn.dev/immutable scope). basef + carmine consumer pin bumps land alongside this.
-
v4.1.0
Release: v4.1.0 · d66ec0a4
v4.1.0: substrate -> instance cascade
Validated against basef + carmine v4.1.0 MRs (both GREEN).
Catalog changes:
  - base-build-scratch .heavy-job-rules, instance build rules, container-build job_rules: accept ACUTE=true and trigger source
Wires the basef -> carmine cascade pattern with cve-watch acute trigger (deterministic pre-screen) and operator acute-rebuild command. AI triage (claude-sonnet) lands in v4.2.0.
-
v4.0.0
Release: v4.0.0 · d8b589ce
v4.0.0: honest CI baseline
Validated against basef + carmine via SHA-pinned MRs (2b048d7f). Both consumer pipelines GREEN before tag.
Removed:
  - verify-downstream (broken Tier 4 trigger pattern since v3.1.0)
  - pyinfra-smoke, bootc-boot-smoke (never wired)
  - pipeline-source rule branches added in v3.3.1
Changed:
  - workflow.auto_cancel.on_new_commit: interruptible
Migration: bump consumer pin to v4.0.0. Drop pipeline-source workflow rule from consumers (was only needed for verify-downstream).
This is the foundation. v4.1.0 wires the substrate-instance cascade (basef -> carmine trigger + CVE-watch + AI triage).
-
v3.3.1
Release: v3.3.1 · a729b640
catalog v3.3.1 — verify-downstream chain fixed
v3.3.0 inherited a broken verify-downstream bridge that had been red since v3.1.0: the catalog tag pipeline fires multi-project trigger pipelines into basef + carmine with strategy: depend, but no rule on either side accepted $CI_PIPELINE_SOURCE == "pipeline" — so the downstream pipelines had zero allowed jobs and the bridges failed with downstream_pipeline_creation_failed.
v3.3.1 closes that gap on the catalog side: every heavy-job rules location (base-build-scratch's .heavy-job-rules anchor, instance.yml's build job, container-build.yml's job_rules default) now accepts pipeline-source unconditionally. Consumers (basef, carmine) accept it guarded on TRIGGERED_BY_CATALOG=true.
No functional changes to any build, validate, sign, or promote step. Self-test + heavy-job-on-pipeline-source the only new behavior.
-
v3.3.0
Release: v3.3.0 · 01812359
v3.3.0: path-based rules + promotion idempotency
Heavy build jobs gate on rules: changes: paths: via new build_change_paths input. Doc-only / settings-only / CI-only pushes to main no longer trigger rebuilds. MR + schedule pipelines unchanged.
Promotion steps (validate.yml, instance.yml, base-build-scratch.yml, container-build.yml) now compare source and destination digests before skopeo copy. No-op promotions log and skip.
container-build.yml job_rules default changed: previously unconditional, now path-gated on main push. Consumers can restore old behavior via inputs.job_rules.
New input: build_change_paths (array). Default covers images/**, modules/**, manifests/**, Containerfile*, .gitlab-ci.yml.
-
v3.2.0
Release: v3.2.0 · e7dcd8d1
v3.2.0 — 2026-05-22
Changed:
  - installer-anaconda-iso: version input default changes from ${CI_COMMIT_SHORT_SHA} to the literal "current". The canonical download URL is now stable across rebuilds — consumers don't need to chase short-SHAs to find the latest ISO. The baked image's SHA is still queryable post-install via "bootc status"; encoding it in the registry URL added churn without adding information.
  - installer-anaconda-iso: the upload step now pre-deletes any existing package at the same (name, version) before uploading. GitLab's generic package registry allows duplicate uploads by default; without this, every CI re-run appended a new file at the same path and the registry accumulated multiple ISOs per version. Pre-delete makes the job idempotent. Pair with the group-level genericDuplicatesAllowed: false setting (already flipped) to enforce one-file-per-(name,version) at the registry layer too.
-
v3.1.1
Release: v3.1.1 · 23bd1e14
v3.1.1 — bootc-boot-smoke --rootfs flag
Single-fix patch. Tier 4 verify-downstream from v3.1.0 surfaced that bootc-boot-smoke didn't pass --rootfs to BIB, and the bootc.diskimage-builder.rootfs label on stable tags isn't reliable. New rootfs input (default xfs) matches installer-anaconda-iso.
This is the v3.x line settling: with v3.1.0 we proved Tier 4 fires correctly and validates against live consumers; v3.1.1 fixes the first real bug Tier 4 caught.
-
v3.1.0
Release: v3.1.0 · b32df879
v3.1.0 — Tier 3 2xlarge smoke runners + Tier 4 downstream trigger
First minor bump in the v3 line. Brings smoke testing from 'parses clean' to 'runs against real estate images':
Tier 3 — runner_tag defaults bumped to saas-linux-2xlarge-amd64 on image-verify, pyinfra-smoke, bootc-boot-smoke. Smaller tiers exhausted disk pulling 3 GB+ estate images under vfs storage.
Tier 4 — catalog tag pipelines fire verify-downstream (parallel matrix over basef + carmine) with strategy: depend, so this tag is considered shipped only when both downstream consumers pass at their current pins. Adding a consumer = one matrix row. Closes the catalog-self-test-passes-but-consumer-breaks gap.
Known limitation (v3.2 follow-up): GitLab CI doesn't support trigger variables in include: refs, so dynamic-pin via ${CATALOG_VERSION} doesn't work. Tier 4 trigger validates consumer-still-green; Renovate-driven MR bumps validate consumer-against-new-tag. v3.2 will add a project-CI-variable update step in the catalog tag pipeline to enable true dynamic-pin.
-
v3.0.4
Release: v3.0.4 · e780424f
v3.0.4 — bib :latest, single-tag patch
Single fix: bootc-image-builder pin must be :latest because upstream doesn't ship semver. v3.0.3 publish-images failed building the bib catalog image; carmine main hit the same on bootc-boot-smoke.
Also captures the pyinfra-smoke-on-big-images known issue (vfs storage driver + 3GB carmine:stable = disk full) as a v3.1 follow-up — not blocking; affects only consumers running smoke against the full instance image rather than a slim target.
-
v3.0.3
Release: v3.0.3 · 40c858fb
v3.0.3 — pyinfra-smoke heredoc fix
Single-fix patch release. Carmine pipeline failed to lint at v3.0.2 because pyinfra-smoke's heredoc-in-script form lints clean inside the catalog (which doesn't self-test pyinfra-smoke) but breaks downstream consumer lint. Replace storage.conf heredoc with single printf line.
Self-test gap noted in CHANGELOG: v3.1 should extend consumer-test to exercise pyinfra-smoke, image-verify, bootc-boot-smoke against realistic targets so the catalog catches these in isolation.
-
v3.0.2
Release: v3.0.2 · c15ac1ed
v3.0.2 — fix seven Phase A bugs surfaced by first real CI
Bundles MR !1 (qemu pkg + podman storage + tiny test base + workflow rules + buildah/skopeo pins) and MR !2 (cleanup entrypoint override), plus the container_registry_enabled project setting that was masking empty ${CI_REGISTRY_IMAGE} expansion.
Consumers on v3.0.1 should bump:
  - basef: just a tag pin change
  - carmine: just a tag pin change
Behavior change: workflow.rules now suppresses merge_request_event pipelines on the catalog itself. Branch pushes drive CI on the catalog. (Consumers' workflow rules are independent and unchanged.)