feat: v1.6.0 -- five new components + container idempotency guard

Summary

This release adds five new catalog components and patches one existing component, bringing the pipeline catalog to v1.6.0:

  • container-sbom -- CycloneDX SBOM via syft, cosign-attested against image digest (type cyclonedx)
  • container-attest -- SLSA v1.0 provenance attestation against image digest (type slsaprovenance1)
  • container-manifest -- multi-arch OCI manifest list assembly from per-arch container-build jobs, with cosign signature on the list
  • clone-upstream -- HTTPS-only upstream Git clone preserved as a CI artifact with provenance metadata, for downstream container builds
  • vale -- gitlab-docs prose linting with style packs fetched fresh from gitlab-org/gitlab master on every run
  • container (patched) -- new skip-if-tag-exists input runs skopeo inspect before build; on existing-image hit, writes the remote digest to container.env and exits 0 (idempotency for tag-pipeline re-runs)

Also adds a presets/ subdirectory with a shared Renovate configuration preset that PST consumer projects can extend:

gitlab>gitlab-com/public-sector-tools/pipeline//presets/renovate.json

Test plan

  • YAML structural validity confirmed locally for every new template
  • Component required-input cross-check passes
  • Backward-compatible: additions only; the container patch defaults skip-if-tag-exists: false so existing consumers see no behavior change
  • Tag v1.6.0 after merge (annotated, signed)
  • First consumer pipeline against v1.6.0 -- the forthcoming public-sector-tools/kaniko project will be the smoke test
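
The skip-if-tag-exists guard described for the patched container component, written as a POSIX shell function. This is an added example, not the component's own script: the function name, the `IMAGE_DIGEST` variable name, the return-code convention and the choice to treat a failed `skopeo inspect` as "build needed" are assumptions.

```shell
#!/bin/sh
# Added example, not the pipeline component's actual script.
# Assumed (hypothetical) names: skip_if_tag_exists, IMAGE_DIGEST.
#
# Return codes (assumed convention):
#   0  tag already exists; digest written to the env file, caller skips build
#   1  tag not found or registry unreachable; caller proceeds with the build
#   2  registry returned something that is not a sha256 digest; caller fails
skip_if_tag_exists() {
  image_ref="$1"
  env_file="${2:-container.env}"

  # skopeo inspect exits non-zero when the tag cannot be read. That is
  # treated as "build needed" so the guard never reports a missing image
  # as already published.
  if ! digest="$(skopeo inspect --format '{{.Digest}}' "docker://${image_ref}" 2>/dev/null)"; then
    return 1
  fi

  # Accept only sha256:<64 lowercase hex chars>. The value ends up in a
  # dotenv file read by later jobs, so reject anything else (including
  # embedded newlines) instead of writing it through.
  case "$digest" in
    sha256:*) hex="${digest#sha256:}" ;;
    *)        hex="" ;;
  esac
  case "$hex" in
    ""|*[!0-9a-f]*) hex="" ;;
  esac
  if [ "${#hex}" -ne 64 ]; then
    echo "unexpected digest for ${image_ref}" >&2
    return 2
  fi

  printf 'IMAGE_DIGEST=%s\n' "$digest" > "$env_file"
  return 0
}

# Usage inside a build job (image reference is a constructed placeholder):
#   skip_if_tag_exists "registry.example.com/group/app:v1.6.0" container.env
#   case $? in
#     0) exit 0 ;;   # image already published, digest exported
#     1) ;;          # fall through to the build
#     *) exit 1 ;;   # malformed registry answer, fail the job
#   esac
```

Downstream signing and attestation jobs that consume the digest from container.env then operate on the same `sha256:` value whether the image was just built or already existed.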
