Tags

v1.6.0

v1.6.0 - ci-go pre-baked image; Go templates flipped from mirror.gcr.io

First of the per-language pre-baked builder images. Replaces v1.5.3's
mirror.gcr.io stopgap with an authenticated pull from
registry.gitlab.com/dunn.dev/pipeline/ci-go:latest, eliminating the
docker.io unauthenticated pull rate cap that bit bairn's v0.3.0 tag
pipeline twice.

ci-go bundles: golang:1.25 + govulncheck + syft 1.32.0 + cosign 2.6.3.
Tools pinned in containers/ci-go.Containerfile (single source of
truth for versions).

Catalog .gitlab-ci.yml grew a .container-build extends-target so
ci-rust / ci-node / ci-py can land in upcoming minor releases without
copy-paste churn.

Templates affected:
- go-build, go-release-binary, go-audit, go-sbom, slsa-attest

Each template's tool install block is now \`command -v <tool> ||
install\` so consumers overriding \`image\` (e.g. with vanilla golang
or alpine) still get a working pipeline.

Backwards-compatible. Consumers using v1.5.x explicit \`image\` inputs
keep their override; consumers on defaults silently switch to the
faster, authenticated pull.

Catalog v2.0 (TBD) may collapse the per-action templates into a
single \`ci-<lang>\` swiss-army template; until then per-action stays.

v1.5.3

v1.5.3 - default base images via mirror.gcr.io

Fixes a runner-side reliability issue: the storr runner is
unauthenticated to docker.io and tag pipelines that fan out across
multiple Go template jobs hit the per-IP unauthenticated pull cap
(toomanyrequests). All Go templates default to mirror.gcr.io/library/
golang now; go-sbom + slsa-attest default to mirror.gcr.io/library/
alpine. Both expose 'image' as an input for consumers to override.

API-compatible patch release. Consumers that pinned an image input
keep their pinned image.

v1.5.2

v1.5.2 - release-create upserts on every fire

create-release and upload-release-assets now PUT-or-POST so
every pipeline run converges the release record + asset links to
the current intent. Replaces v1.5.1's skip-if-exists behavior,
which left the release page stuck on the first pipeline's values
when a re-tag or rerun carried new content.

No other component changes.

v1.5.1

v1.5.1 - release-create idempotent on duplicate-pipeline-fire

Single fix: release-create no longer fails when a tag's release
already exists. Replaces the GitLab CI release: keyword (which
always invokes release-cli with --no-update) with a script that
checks the API for an existing release and skips create when one
is present. upload-release-assets similarly tolerates pre-existing
asset links: 400/409 responses with "already exists" or
"has already been taken" downgrade to "already linked" instead of
failing the job.

Caught during dunn.dev/bairn v0.2.2 release: a manual API trigger
and a delayed auto-trigger raced; the second pipeline failed at
"Release v0.2.2 already exists." Cosmetic but annoying. With this
fix, future duplicate fires complete silently as no-ops.

Both jobs now use registry.gitlab.com/dunn.dev/pipeline/ci:latest
(curl + jq + bash) which matches the rest of the catalog.

No other component changes.

v1.5.0

v1.5.0

Full supply-chain components for Go projects:

- go-audit: lint-stage govulncheck. allow_failure: true.
- go-sbom: tag-only CycloneDX SBOM per binary via syft.
- slsa-attest: tag-only SLSA v1.0 provenance per binary,
  keyless-signed via cosign + GitLab OIDC. Predicate field set
  matches public-sector-tools' attest template; verify with
  cosign verify-blob-attestation --type slsaprovenance1 or
  slsa-verifier.
- release-create: updated to link SBOMs and SLSA bundles
  alongside binaries on the GitLab Release page.

Combined with v1.4.0's go-build, go-release-binary, and the
existing release-create, any Go project in the dunn.dev estate
can now compose a full branch-and-tag CI from catalog includes:
audit + build on branches; package + sbom + attest + release on
tags.

First consumer: dunn.dev/bairn at v0.1.0.

v1.4.0

v1.4.0

Three Go-focused components:

- go-build: branch verification cross-compile (matrix of
  GOOS/GOARCH, version-from-ref ldflags). Skipped on tags.
- go-release-binary: tag-only build, sha256 checksums, cosign
  keyless signing via GitLab OIDC, upload to the project's
  generic package registry.
- release-create: tag-only GitLab Release creation with annotated
  tag message + asset linking from the package registry.

Together these enable a full branch-and-tag CI shape for any Go
project in the dunn.dev estate. First consumer: dunn.dev/bairn.

Modeled on the binary + release templates in
gitlab.com/gitlab-com/public-sector-tools/pipeline (Apache 2),
scaled down to the dunn.dev estate's needs (no SBOM, no SLSA
attestation; those layer on later if a project needs them).

Existing components (claude-drift-triage, cloudflare-pages,
cloudflare-r2, cloudflare-worker, container-image) ship at v1.4.0
unchanged.

v1.3.0

v1.3.0 — claude-drift-triage component

Adds claude-drift-triage to the catalog. LLM-augmented schema
drift triage: a consumer's drift command emits diffs; the
component sends them to Claude for classification and concrete
next-step suggestions; optionally opens a GitLab issue with the
triage.

No breaking changes; existing components unchanged. CI image
unchanged (curl + jq + bash already present).

Validated via glab api ci/lint against a synthetic consumer
(see commit 0d04dfa).

v1.2.0

v1.1.1

v1.1.0

default to shared CI image, image input on all components

v1.0.0

initial release: cloudflare-pages, cloudflare-worker, cloudflare-r2, container-image