Investigate what release environments needs to use images created from the security gitlab repo
Context
Release environments currently build images in the cng-mirror repository. (example pipeline) This is fine because it's using public code from the canonical gitlab repository.
We're working on migrating the integration to the security mirror of the gitlab repository, which means that we'll be deploying non-public code to release environments. Since cng-mirror repository is public (including the pipeline), we should not show the security commit sha there.
Most likely, we'll need to use the dev mirror of the cng repo (https://dev.gitlab.org/gitlab/charts/components/images) that we currently use for auto-deploy pipelines since that already packages security repo commits.
This issue is to investigate this feasibility and configure the release environments workflow accordingly.
Exit Criteria
-
Release environments images can be built in a secure repository that can build non-public code without exposing commits. -
Release environments images can still be built in the GitLab canonical pipeline.