feat: v1.1.0 supply chain hardening and Renovate
Summary
Supply chain hardening for all CI catalog components plus Renovate for ongoing maintenance.
Version pins (all previously :latest or outdated):
| Tool | Old | New |
|---|---|---|
| cosign | v2.4.1 | v2.6.3 |
| buildah | :latest | v1.43.0 |
| verify base image | alpine:latest | UBI9-minimal:9.7 |
| glab CLI | :latest | v1.92.1 |
| release-cli | :latest | v0.24.0 |
Supply chain improvements:
- SHA256 checksum verification for all cosign binary downloads
- Consistent cosign install method across all components (GitHub download + checksum, no more `apk add`)
- UBI base images throughout (Alpine removed from verify component)
CI quality of life:
- Log collapsing (section_start/section_end) in all templates
- `interruptible: true` on all component jobs
- `runner-tag` and `cosign-version` inputs added to verify and binary components
- Registry login moved from `before_script` to `script` (foundation pattern)
- Secret Detection added to project CI
Renovate:
- `renovate.json` with regex managers for cosign version pins
- `# renovate:` annotations on all cosign version defaults
- Cosign constrained to v2.x (`allowedVersions: <3.0.0`) due to OCI referrer issues (sigstore/cosign#4569, #4641)
- UBI images grouped for coordinated updates
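For illustration, an added `renovate.json` of the shape the Renovate bullets describe; this is not the MR's own file. It assumes the component templates live under `templates/`, that each cosign default carries a `# renovate: datasource=github-releases depName=sigstore/cosign` line directly above its `default:` value, and that the UBI images come from `registry.access.redhat.com/ubi9`.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "customManagers": [
    {
      "customType": "regex",
      "description": "Assumed layout: a '# renovate:' annotation line sits directly above a 'default:' version in templates/*.yml",
      "fileMatch": ["^templates/.*\\.ya?ml$"],
      "matchStrings": [
        "# renovate: datasource=(?<datasource>[a-z-]+) depName=(?<depName>[^\\s]+)\\s+default:\\s*[\"']?(?<currentValue>v?\\d+\\.\\d+\\.\\d+)[\"']?"
      ]
    }
  ],
  "packageRules": [
    {
      "description": "Keep cosign on v2.x until the OCI referrer issues (sigstore/cosign#4569, #4641) are resolved upstream",
      "matchDatasources": ["github-releases"],
      "matchPackageNames": ["sigstore/cosign"],
      "allowedVersions": "<3.0.0"
    },
    {
      "description": "Assumed registry paths; every UBI base image bump lands in a single coordinated MR",
      "matchDatasources": ["docker"],
      "matchPackageNames": [
        "registry.access.redhat.com/ubi9/ubi-minimal",
        "registry.access.redhat.com/ubi9/ubi"
      ],
      "groupName": "UBI base images"
    }
  ]
}
```

With this in place, Renovate proposes cosign v2.x point releases and grouped UBI tag updates, while a cosign v3.0.0 release is skipped rather than opened as an MR.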
Test plan
- Pipeline passes on this branch (YAML validation + secret detection)
- Merge to main, verify pipeline passes
- Tag v1.1.0, verify catalog publish succeeds
- Verify consuming projects (postern, manifold) work with v1.1.0 components