feat(catalog)!: v2 canonical template shape (foundation MR)

Summary

First MR of the v2.0 modernization. Lands the canonical v2 template shape across all 14 components, the contributing guide, and a lint job that enforces the shape on every future MR.

What changes:

  • Every template declares spec:component: [name, version] so $[[ component.version ]] resolves
  • Input keys move from kebab-case to snake_case (matches the modern half of gitlab.com/components/* -- sast, opentofu, dependency-scanning)
  • Every input declares type: + description:; options: enums and regex: validation added where the value set is closed
  • interruptible: policy: true for read/scan/build jobs, false for attestation/release jobs
  • CONTRIBUTING.md documents the canonical shape and tag protocol
  • lint-templates job in .gitlab-ci.yml enforces the shape -- fails any future MR that drifts

Breaking changes

Input keys are now snake_case. Consumers must update their includes:

Old (v1)          New (v2)
job-name          job_name
image-name        image_name
cosign-version    cosign_version
tag-suffix        tag_suffix
runner-tag        runner_tag
min-alert-level   min_alert_level
allow-failure     allow_failure
job-rules         job_rules

Pin to v1.6.1 to defer the migration; consumer-migration MRs will land per project on their own cadence.

audit -- language: now constrained at compose time via options: [rust, go, node, python].

extra-assets -- fail_if_empty is now a proper type: boolean (was a string-typed "true" in v1).

Out of scope (separate MRs in the v2 series)

  • Catalog-managed images (ci-tools, ci-go, ci-rust, ci-buildah, ci-buildkit, ci-kaniko, posture-verify) -- image refs unchanged
  • glab repo publish catalog switch from release-cli
  • Container build engine split (buildkit / buildah / kaniko)
  • posture-verify component + catalog .gitlab/posture-claims.yaml
  • audit delegation to gitlab.com/components/dependency-scanning@1
  • Hermeto prefetch component
  • Pages-published per-component docs

How to migrate (consumer-side)

A consumer-migration MR series will land the shape change per PST project. Order: storyping -> p1-vp-generator/postern/manifold -> assay/posture/tach -> kaniko. Each consumer's migration MR also adopts the catalog Renovate preset so future bumps land as Renovate MRs.

Tag protocol

v2 onward: vX.Y.Z for finals, vX.Y.Z-rc.N for release candidates. ~latest excludes pre-releases (source-confirmed). RCs immutable from publish; iterate via rc.N+1.

Note: project push rule was also fixed

The project's commit-message push rule had a double-backslash bug that rejected ALL scoped Conventional Commits (feat(scope):). Updated via API in the same change to:

^(feat|fix|chore|docs|refactor|test|ci|build|perf|style|revert)(\(.+\))?!?:.+

Now correctly accepts scoped commits with optional ! for breaking changes.

Test plan

  • syntax job passes (every template parses)
  • lint-templates job passes (every template matches canonical shape)
  • Local linter green: 14/14
  • After merge: cut v2.0.0-rc.1; sim-consumer MR (separate) validates
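
Added example (not part of this MR or the project's code): the push rule pattern quoted above, run against constructed commit titles with Go's regexp package, which uses the same RE2 syntax as GitLab push rules. The "buggy" pattern is an assumed reconstruction of the double-backslash bug, since the original rule is not shown here.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern quoted in the MR description.
const fixedRule = `^(feat|fix|chore|docs|refactor|test|ci|build|perf|style|revert)(\(.+\))?!?:.+`

// Assumed reconstruction of the double-backslash bug (the original rule is not
// shown on the page): "\\(" matches a literal backslash, not a parenthesis.
const assumedBuggyRule = `^(feat|fix|chore|docs|refactor|test|ci|build|perf|style|revert)(\\(.+\\))?!?:.+`

// Constructed commit titles; only the first one is taken from the page.
var samples = []string{
	"feat(catalog)!: v2 canonical template shape (foundation MR)",
	"fix(lint): reject kebab-case input keys",
	"docs: document tag protocol",
	"chore!: drop v1 input aliases",
	"feature(catalog): wrong type",
	"feat(catalog) missing colon",
	"feat(): empty scope",
	"Feat(catalog): capitalised type",
}

// accepted reports, per title, whether a push rule with this pattern lets it through.
func accepted(rule string, titles []string) map[string]bool {
	re := regexp.MustCompile(rule)
	out := make(map[string]bool, len(titles))
	for _, t := range titles {
		out[t] = re.MatchString(t)
	}
	return out
}

func main() {
	fixed := accepted(fixedRule, samples)
	buggy := accepted(assumedBuggyRule, samples)
	for _, t := range samples {
		fmt.Printf("fixed=%-5v buggy=%-5v %q\n", fixed[t], buggy[t], t)
	}
}
```

Running the same table of titles against any future edit of the rule before applying it via the API catches this class of escaping mistake.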
