chore: ship-readiness cleanup (CODEOWNERS dedup, CHANGELOG truth-up)

Summary

Post-v1.0.1 ship-readiness audit surfaced four real bugs in the public presentation of the project. This MR fixes the two that live in the git tree; the other two (project description, topics) are repo metadata and ship as glab api calls after merge.

What this MR changes

CODEOWNERS consolidation (chore:)

Two CODEOWNERS files existed in the tree -- /CODEOWNERS (root, flat) and /.gitlab/CODEOWNERS (sectioned [Maintainers]). GitLab's lookup order prefers /.gitlab/CODEOWNERS, so the root file was silently ignored. The two files also disagreed: the root file carried a .gitlab-ci.yml-specific rule the .gitlab/ form did not. The first MR that actually exercised path-specific approval would have surfaced this.

  • Delete /CODEOWNERS.
  • Expand /.gitlab/CODEOWNERS with the path sections from the public-sector/reference template: [Legal and policy], [Brand and design], [CI]. Both maintainers own every section.
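A check that would have caught the conflict before the first path-specific approval: parse both CODEOWNERS files (flat and sectioned) and report patterns that exist in only one of them or that name different owners. This is an added example, not code from the kaniko project; the file contents and the @maintainer-a / @maintainer-b handles are constructed samples.

```python
"""Compare two GitLab CODEOWNERS files and report where their rules disagree.

Added example for the CODEOWNERS consolidation above; it is not part of the
kaniko project. Owner handles and file contents are constructed samples.
"""
import re
from dataclasses import dataclass

# Section header: optional '^' (optional section), [Name], optional [N]
# approval count, optional default owners. Flat files have no headers at all.
SECTION_RE = re.compile(r"^\^?\[(?P<name>[^\]]+)\](?:\[\d+\])?")


@dataclass(frozen=True)
class Rule:
    pattern: str
    owners: tuple
    section: str


def parse_codeowners(text: str) -> dict:
    """Return {pattern: Rule} for a flat or sectioned CODEOWNERS file.

    Within one file a later rule for the same pattern wins, which matches how
    GitLab resolves duplicates; section default owners apply to rules that
    list no owners of their own.
    """
    rules = {}
    section, section_default = "(flat)", ()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip()
            section_default = tuple(line[m.end():].split())
            continue
        pattern, *owners = line.split()
        rules[pattern] = Rule(pattern, tuple(owners) or section_default, section)
    return rules


def diff_codeowners(first: dict, second: dict) -> dict:
    """Patterns present in only one file, plus shared patterns whose owner
    sets differ (order-insensitive). Any non-empty list is a real conflict:
    whichever file GitLab picks, the other file's intent is silently lost."""
    shared = set(first) & set(second)
    return {
        "only_in_first": sorted(set(first) - set(second)),
        "only_in_second": sorted(set(second) - set(first)),
        "owner_mismatch": sorted(
            p for p in shared if set(first[p].owners) != set(second[p].owners)
        ),
    }


# Constructed samples mirroring the situation above: a flat root file with an
# extra .gitlab-ci.yml rule, and a sectioned .gitlab/ file without it. The
# docs/ rule is added only to exercise the owner-mismatch report.
ROOT_CODEOWNERS = """\
# root /CODEOWNERS (constructed)
* @maintainer-a @maintainer-b
.gitlab-ci.yml @maintainer-a @maintainer-b
docs/ @maintainer-a
"""

GITLAB_CODEOWNERS = """\
# /.gitlab/CODEOWNERS (constructed)
[Maintainers] @maintainer-a @maintainer-b
*
docs/ @maintainer-b
"""


def audit() -> dict:
    """Run the comparison on the constructed samples."""
    return diff_codeowners(parse_codeowners(ROOT_CODEOWNERS),
                           parse_codeowners(GITLAB_CODEOWNERS))


if __name__ == "__main__":
    for key, patterns in audit().items():
        print(f"{key}: {patterns or '-'}")
```

Run it as a pre-merge check whenever more than one CODEOWNERS file is present; an empty report in all three lists means the files are interchangeable and one of them can be deleted without changing who approves what.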

CHANGELOG reconciliation (docs:)

The v1.0.0 "Added" section listed two files that never shipped in the v1.0.0 tag:

  • .gitlab/posture-claims.yaml
  • scripts/verify-posture.sh

Git history (git log --all --oneline -- '.gitlab/posture-claims*' 'scripts/verify-posture*') shows both files were added pre-1.0 and then removed two days before the v1.0.0 tag in commit 1e5ca05 ("chore: namespace migration + remove posture-verify"). The standards-conformance layer was deliberately divested to the reference-check catalog component (v3.1.0+). The CHANGELOG entry was authored before that divestiture and never reconciled, so the shipped v1.0.0 release notes referenced paths that did not exist in the tagged tree.

  • Remove the two bullets from v1.0.0.
  • Note the reconciliation under Unreleased / Fixed so the next release is unambiguous about what changed and why.
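The same reconciliation can be checked mechanically: pull every path-like token out of a version's CHANGELOG section and confirm each one exists in the tagged tree. This is an added example, not code from the kaniko project. The changelog text and the tree listing below are constructed samples; in a real repository the tree listing is the output of `git ls-tree -r --name-only v1.0.0`.

```python
"""Flag file paths named in a CHANGELOG version section that are absent from
the release's tree.

Added example for the CHANGELOG reconciliation above; not part of the kaniko
project. The changelog text and tree listing are constructed samples; in a
real repository the tree listing comes from `git ls-tree -r --name-only <tag>`.
"""
import re

# A path with at least one directory component (trailing slash allowed), or a
# bare filename with a common config/script/doc extension. The lookbehind
# stops matches from starting mid-token (e.g. inside a URL). Heuristic: tokens
# such as "and/or" will be reported too, so review the output by hand.
PATH_RE = re.compile(
    r"(?<![\w./-])(?:\.?[\w-]+(?:/[\w.-]*)+|\.?[\w-]+\.(?:ya?ml|sh|md|toml|json|txt))"
)


def changelog_section(changelog: str, version: str) -> str:
    """Body of the '## ' section whose header names `version`
    (works for '## [1.0.0]', '## v1.0.0' and '## [Unreleased]')."""
    header_re = re.compile(rf"(?<![\d.]){re.escape(version)}(?![\d.])")
    body, inside = [], False
    for line in changelog.splitlines():
        if line.startswith("## "):
            inside = bool(header_re.search(line))
            continue
        if inside:
            body.append(line)
    return "\n".join(body)


def referenced_paths(text: str) -> set:
    """Every path-like token in `text`, trailing sentence punctuation removed."""
    return {m.group(0).rstrip(".,;:") for m in PATH_RE.finditer(text)}


def missing_paths(changelog: str, version: str, tree) -> list:
    """Paths referenced in the version's section that are neither a file in
    `tree` nor a directory prefix of one."""
    tree = set(tree)

    def exists(path: str) -> bool:
        path = path.rstrip("/")
        return path in tree or any(t.startswith(path + "/") for t in tree)

    section = changelog_section(changelog, version)
    return sorted(p for p in referenced_paths(section) if not exists(p))


# Constructed changelog: the 1.0.0 section names two files that were removed
# before the tag, plus two references that are genuinely present.
SAMPLE_CHANGELOG = """\
# Changelog

## [Unreleased]
### Fixed
- CHANGELOG.md: dropped two v1.0.0 entries for files removed before the tag

## [1.0.0]
### Added
- `.gitlab/posture-claims.yaml` -- posture claims manifest
- `scripts/verify-posture.sh` -- standards-conformance check
- `.gitlab/CODEOWNERS` with a [Maintainers] section
- `docs/` with build notes
"""

# Constructed stand-in for `git ls-tree -r --name-only v1.0.0`.
V1_0_0_TREE = [
    ".gitlab-ci.yml",
    ".gitlab/CODEOWNERS",
    "CHANGELOG.md",
    "README.md",
    "docs/build.md",
]


if __name__ == "__main__":
    for version in ("1.0.0", "Unreleased"):
        print(version, "missing:", missing_paths(SAMPLE_CHANGELOG, version, V1_0_0_TREE) or "-")
```

Wired into CI as a release gate, the check runs once per tag against that tag's own tree, so a changelog entry written before a later removal (the v1.0.0 case above) fails the pipeline instead of shipping as a broken reference in the release notes.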

What this MR does NOT change (follow-up glab api calls)

The audit also found two repo-metadata bugs. They are not part of the git diff and ship via API after merge:

Project description is wrong -- currently says "six variants", kaniko ships seven (the FIPS-strict variant landed in 7d15b04):

glab api --method PUT projects/gitlab-com%2Fpublic-sector%2Fkaniko \
  -f description='A curated kaniko for GitLab Runner. Seven signed image variants per release on UBI9, including a FIPS-strict path for GODEBUG=fips140=only environments.'

Topics are sparse -- existing topics are FIPS, container-build, kaniko, public-sector, ubi9. Audit recommends adding cosign, slsa, sbom, fips140-3, gitlab-runner, container-image:

glab api --method PUT projects/gitlab-com%2Fpublic-sector%2Fkaniko \
  --input <(printf '{"topics":[%s]}' '"kaniko","container-image","gitlab-runner","cosign","slsa","sbom","fips140-3","public-sector","FIPS","container-build","ubi9"') \
  -H "Content-Type: application/json"

Test plan

  • .gitlab/CODEOWNERS parses cleanly in the GitLab UI (Repository -> CODEOWNERS validator).
  • CODEOWNERS approval still triggers on this MR (both maintainers should show in the approvers panel under the appropriate sections).
  • CHANGELOG renders correctly in the Releases UI for v1.0.0 after merge (no broken inline file references).
  • Post-merge: run the two glab api commands above; verify with glab api projects/gitlab-com%2Fpublic-sector%2Fkaniko | jq '{description, topics}'.

Audit context

Surfaced by the post-v1.0.1 ship-readiness audit. The four findings were:

  1. CODEOWNERS file conflict (fixed in this MR).
  2. Project description says "six variants" -- ships seven (follow-up API call).
  3. Topics missing supply-chain + integration keywords (follow-up API call).
  4. CHANGELOG references files that don't exist in the v1.0.0 tree (fixed in this MR).
