chore(ci): migrate to catalog v2.1.1 (snake_case + version bumps)

Andrew Dunnrequested to merge
andunn-catalog-v2.1.1 into main

Summary

Phase A of the kaniko → catalog-v2.x migration. Mechanical only; no behavior change.

  • Bump 29 component refs to @v2.1.1:
    • compliance @v1.5.0 → @v2.1.1 (x1)
    • vale @v1.6.1 → @v2.1.1 (x1)
    • container @v1.5.0 → @v2.1.1 (x7 variants)
    • container-sbom @v1.6.0 → @v2.1.1 (x7)
    • container-attest @v1.6.0 → @v2.1.1 (x7)
    • verify @v1.5.0 → @v2.1.1 (x7)
  • Rename 8 input keys to snake_case per v2 contract: job-name / image-name / tag-suffix / build-args / runner-tag / container-job / needs-job / min-alert-level.
  • Update comment referencing inputs.build-args to inputs.build_args to match v2's interpolation contract.

Phase B (swap bespoke verify-posture job to the catalog's posture-verify component) is intentionally deferred to its own MR once Phase A's attestation surfaces are verified equivalent.

Renovate: kaniko already extends the PST shared preset (gitlab>gitlab-com/public-sector-tools/pipeline//presets/renovate.json), no renovate.json change needed.

Test plan

  • MR pipeline green
  • All 7 container-build variants succeed and cosign-sign
  • All 7 container-sbom variants attest CycloneDX
  • All 7 container-attest variants attest SLSA v1.0
  • All 7 container-verify jobs succeed
  • fips-smoke green
  • verify-posture green (still on bespoke job; Phase B follow-up)
  • Attestation identity preserved (cosign verify on a post-merge main tag should match the same OIDC subject as pre-migration)

Merge request reports