chore: OCI label minimum + prose cleanup

Summary

Two changes bundled because each is too small to merit its own MR:

1. OCI labels: trimmed to a purposeful minimum (3 Dockerfiles)

From 17 labels per image to 7. Each remaining one earns its place: title (per-variant), description, licenses, vendor, source, authors, base.name.

Removed:

  • 6 RH-style legacy labels (name, vendor, maintainer, version, summary, description). OCI keys carry the same information; maintainer is deprecated by OCI; the vendor literal needed correcting from "GitLab Public Sector Solutions Architecture" (team) to "GitLab" (organizational entity).
  • 7 custom io.gitlab.public-sector-tools.* labels. No consumer parses them; image tag + SBOM + SLSA attestation carry the same audit signal.

Variant titles now reflect each Dockerfile (kaniko-standard / kaniko-debug / kaniko-warmer) instead of the project name kaniko. Registries display the title; the distinction matters when scanning a registry catalog.

Descriptions rewritten factually: what the variant is, not what it isn't. The old Dockerfile.standard description called the image "not GitLab-CI-compatible" which read confusingly via docker inspect.

Vendor literal: GitLab. Authors: GitLab Public Sector <public-sector@gitlab.com>. The team attribution lives in authors; vendor stays at the organizational level.

Deferred: the three chain-of-custody OCI labels (version / revision / created). These need the pipeline catalog to auto-inject matching ARGs (pipeline!45 merged, awaiting v3.1.0 tag). Follow-up MR adds these labels + bumps the consumer pin once tagged.

2. Prose + stale-infrastructure cleanup

  • SECURITY.md Reporting section rewritten: email `public-sector@gitlab.com` as default (no GitLab account required), confidential issue + GitLab Ultimate's private vulnerability reporting documented as alternatives, upstream chainguard-forks coordination called out separately.
  • Two stale public-sector-tools/kaniko prose refs in SECURITY.md updated.
  • README.md: dropped two-line pointer at removed scripts/verify-posture.sh + .gitlab/posture-claims.yaml (both removed in commit 1e5ca05; verification moved into the catalog posture component).
  • CONTRIBUTING.md: dropped ## Posture verification section for the same reason. CI runs the catalog component on every MR.
  • CHANGELOG.md lead-paragraph namespace ref updated.
  • patches/fips-strict/0001-fips-strict-curve-preferences.patch commit-message URL refs updated. The patch applies by diff content, not by message hash; cosmetic for auditors reading the patch artifact directly.

Test plan

  • CI green on the MR-event pipeline (kaniko's container builds gate on MR events; branch-push pipelines schedule zero jobs)
  • All 7 image tags build successfully with the new label block (no LABEL syntax error)
  • docker inspect a built image manifests the 7 OCI labels; no RH-legacy / no io.gitlab.public-sector-tools.* residue
  • Vale passes (warning level)
Edited by Andrew Dunn
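A check for the docker inspect step in the test plan above, as an added example written for this page and not part of the MR or the project's repository: it audits the Config.Labels map that `docker inspect` reports for the 7 kept OCI keys, RH-legacy residue, io.gitlab.public-sector-tools.* residue, and the vendor literal. The inspect document is constructed; the licence, source and base-image values are placeholders.

```python
import fnmatch
import json

# The 7 OCI annotation keys the MR keeps (base.name is org.opencontainers.image.base.name).
REQUIRED_OCI = {
    f"org.opencontainers.image.{k}"
    for k in ("title", "description", "licenses", "vendor", "source", "authors", "base.name")
}
# Bare RH-style legacy keys the MR removes.
LEGACY_RH = {"name", "vendor", "maintainer", "version", "summary", "description"}
CUSTOM_GLOB = "io.gitlab.public-sector-tools.*"
EXPECTED_VENDOR = "GitLab"


def audit_labels(labels: dict) -> list:
    """Return findings for one image's label map; an empty list means it matches the MR."""
    findings = [f"missing OCI label: {k}" for k in sorted(REQUIRED_OCI - labels.keys())]
    for key in sorted(labels):
        if key in LEGACY_RH:
            findings.append(f"RH-legacy residue: {key}")
        elif fnmatch.fnmatch(key, CUSTOM_GLOB):
            findings.append(f"custom label residue: {key}")
    vendor = labels.get("org.opencontainers.image.vendor")
    if vendor is not None and vendor != EXPECTED_VENDOR:
        findings.append(f"vendor should be {EXPECTED_VENDOR!r}, got {vendor!r}")
    return findings


def audit_inspect_json(text: str) -> list:
    """Audit the Config.Labels map of a `docker inspect <image>` JSON document."""
    doc = json.loads(text)
    labels = doc[0].get("Config", {}).get("Labels") or {}  # Labels is null when an image has none
    return audit_labels(labels)


# Constructed sample label map for kaniko-standard (not captured from a real image).
SAMPLE_LABELS = {
    "org.opencontainers.image.title": "kaniko-standard",
    "org.opencontainers.image.description": "kaniko executor, standard variant (constructed)",
    "org.opencontainers.image.licenses": "<license-placeholder>",
    "org.opencontainers.image.vendor": "GitLab",
    "org.opencontainers.image.source": "<repo-url-placeholder>",
    "org.opencontainers.image.authors": "GitLab Public Sector <public-sector@gitlab.com>",
    "org.opencontainers.image.base.name": "<base-image-placeholder>",
}
SAMPLE_INSPECT = json.dumps([{"Config": {"Labels": SAMPLE_LABELS}}])

if __name__ == "__main__":
    print(audit_inspect_json(SAMPLE_INSPECT))  # [] for the clean sample
```

Pipe real output in with `docker inspect <image>` and call audit_inspect_json on it; any non-empty list is a test-plan failure.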
