chore(ci): adopt pipeline catalog v4.0.0 (build/sign split)

What

Migrate the pipeline to catalog v4.0.0 of gitlab-com/public-sector/pipeline.

Catalog v4.0.0 is a breaking release: the container component now only builds + pushes + writes container.env; it no longer signs. Signing moves to a new container-sign component. :latest gating is handled by the component.

Changes

  • Bumped all 7 pipeline/container@v3.3.2 -> @v4.0.0.
  • Bumped all 7 pipeline/verify@v3.3.2 -> @v4.0.0.
  • Added a paired container-sign@v4.0.0 job for every build variant so each pushed image (standard + FIPS, debug + FIPS + FIPS-strict, warmer + FIPS) keeps its cosign signature. Sign jobs run in the build stage (needs: the build job), so signatures exist before attest / scan / verify.

Other catalog components (container-sbom, container-attest, container-scan-summary, compliance, vale, release) are left at @v3.3.2 per scope.

Build job → paired container-sign

All image_name: $CI_REGISTRY_IMAGE.

| Build job | tag_suffix | container-sign job | container_job |
|---|---|---|---|
| container-build-standard | "" | container-sign-standard | container-build-standard |
| container-build-standard-fips | -fips | container-sign-standard-fips | container-build-standard-fips |
| container-build-debug | -debug | container-sign-debug | container-build-debug |
| container-build-debug-fips | -fips-debug | container-sign-debug-fips | container-build-debug-fips |
| container-build-debug-fips-strict | -fips-strict-debug | container-sign-debug-fips-strict | container-build-debug-fips-strict |
| container-build-warmer | -warmer | container-sign-warmer | container-build-warmer |
| container-build-warmer-fips | -fips-warmer | container-sign-warmer-fips | container-build-warmer-fips |

7 build variants, 7 paired sign jobs, one-for-one.

Validation

  • glab ci lint -> valid (resolves v4.0.0 includes).
  • python3 yaml.safe_load -> OK.

Notes

  • Branch named andunn-catalog-v4 (not chore/catalog-v4): the repo's push hook enforces ^(main|[0-9]+-.+|andunn-.+|rcain-.+|v[0-9].+)$, which rejects the chore/ prefix.
  • No merge, no tag.

🤖 Generated with Claude Code
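As an added check, not part of this MR or of the catalog, the script below verifies the one-for-one build/sign pairing described in the table above against a merged pipeline config: every `container-build-*` job must have exactly one `container-sign-*` job that `needs` it in the same stage, and no sign job may need a non-build job (a typo there would silently leave an image unsigned). It assumes the merged YAML (for example from `yaml.safe_load` on the lint output) is loaded as a dict of job name to job definition using GitLab's standard `stage` and `needs` keywords; the sample config is constructed.

```python
BUILD_PREFIX = "container-build-"
SIGN_PREFIX = "container-sign-"


def _needs_names(job):
    """Normalize `needs:` (plain strings or {job: ...} dicts) to a set of job names."""
    names = set()
    for n in job.get("needs") or []:
        names.add(n["job"] if isinstance(n, dict) else n)
    return names


def pairing_problems(config):
    """Return violations of the build/sign pairing; [] means every build job
    has exactly one sign job that needs it, in the same stage, and no sign
    job needs anything but a build job."""
    # Assumption: merged config keyed by job name; real jobs are dicts with `stage`.
    jobs = {k: v for k, v in config.items() if isinstance(v, dict) and "stage" in v}
    builds = {n for n in jobs if n.startswith(BUILD_PREFIX)}
    signs = {n for n in jobs if n.startswith(SIGN_PREFIX)}
    problems = []
    for b in sorted(builds):
        partners = [s for s in signs if b in _needs_names(jobs[s])]
        if len(partners) != 1:
            problems.append(f"{b}: expected 1 sign job needing it, found {len(partners)}")
            continue
        s = partners[0]
        if jobs[s]["stage"] != jobs[b]["stage"]:
            problems.append(f"{s}: stage {jobs[s]['stage']!r} differs from {b}")
    for s in sorted(signs):
        dangling = _needs_names(jobs[s]) - builds
        if dangling:
            problems.append(f"{s}: needs non-build job(s) {sorted(dangling)}")
    return problems


# Constructed sample (not the repo's real config): two correct pairs, one build
# variant with no sign job, and one sign job whose `needs` contains a typo.
SAMPLE = {
    "stages": ["build", "attest", "verify"],
    "container-build-standard": {"stage": "build"},
    "container-sign-standard": {"stage": "build", "needs": ["container-build-standard"]},
    "container-build-standard-fips": {"stage": "build"},
    "container-sign-standard-fips": {"stage": "build", "needs": [{"job": "container-build-standard-fips"}]},
    "container-build-debug": {"stage": "build"},
    "container-sign-warmer": {"stage": "build", "needs": ["container-build-wamer"]},
}

if __name__ == "__main__":
    print("\n".join(pairing_problems(SAMPLE)) or "all build jobs paired")
```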
