chore(ci): adopt pipeline catalog v4.0.0 (build/sign split)

What

Migrate manifold CI to public-sector pipeline catalog v4.0.0 (breaking).

Version bumps

  • pipeline/container@v3.0.0 -> @v4.0.0
  • pipeline/verify@v3.0.0 -> @v4.0.0

Build/sign split

catalog v4.0.0 splits build and sign: container now only builds + pushes + writes container.env (no longer signs). Added a paired pipeline/container-sign@v4.0.0 that cosign-signs the pushed digests (keyless via OIDC), reading container.env from the build job.

  • Build job: container-build (explicitly named; matches v4 default)
  • Sign job: container-sign, inputs image_name: $CI_REGISTRY_IMAGE, container_job: container-build, stage: container
  • Placed in the container stage (ordered after the build via needs) so the verify stage sees signed images.
  • job_rules on sign match the build (tag + default branch only); :latest gating is handled inside the component.

Only one build job in this repo -- no FIPS variant.

Validation

  • glab ci lint: valid
  • yaml-load: OK

🤖 Generated with Claude Code
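For readers reconstructing the wiring described above, here is an added `.gitlab-ci.yml` sketch of the v4 build/sign split. It is an illustration, not the repository's actual pipeline file or the catalog's own code: the catalog host path (`$CI_SERVER_FQDN/<catalog-path>`) is a placeholder, and the `artifacts`/`needs` overrides are an assumption about how `container.env` travels from the build job to the sign job. The component names, version tags, job names and the `image_name`/`container_job`/`stage` inputs are the ones the merge request lists.

```yaml
# Added illustration of the v4 build/sign split (not the MR's own config).
# "<catalog-path>" is a placeholder for the public-sector pipeline catalog location.
include:
  # Build component: builds + pushes the image and writes container.env; no signing in v4.
  - component: $CI_SERVER_FQDN/<catalog-path>/pipeline/container@v4.0.0

  # Paired sign component: cosign keyless (OIDC) signing of the pushed digests.
  - component: $CI_SERVER_FQDN/<catalog-path>/pipeline/container-sign@v4.0.0
    inputs:
      image_name: $CI_REGISTRY_IMAGE
      container_job: container-build   # job whose container.env is consumed
      stage: container                 # same stage as the build, ordered via needs

stages:
  - container
  - verify

# Assumed: the build job exports the pushed digests as a dotenv report so that
# downstream jobs declaring `needs` on it receive them as variables.
container-build:
  artifacts:
    reports:
      dotenv: container.env

# Assumed override: force ordering after the build and mirror its rules so the
# sign job runs only for tags and the default branch; :latest gating stays in
# the component itself.
container-sign:
  needs:
    - job: container-build
      artifacts: true
  rules:
    - if: $CI_COMMIT_TAG
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

The important property for the verify stage is that signing is a separate job that depends on the build job's `container.env` rather than on a mutable tag, so what gets verified is the pushed digest. A practical post-merge check is to pull one of the signed digests and confirm with `cosign verify` that the certificate's OIDC issuer and identity match the project's CI identity; a signature that verifies under any identity is not evidence of provenance.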