Tags give the ability to mark specific points in history as being important
-
v3.2.0
protected · Release: pipeline v3.2.0 · 23a0e12f
v3.2.0 -- expose runner_tag input on compliance/container-attest/container-sbom/vale templates. Default saas-linux-large-amd64 (one tier up from previous implicit small). Backward-compatible; consumers that don't set the input get the new default.
-
v3.1.0
protected · Release: pipeline v3.1.0 · 588c2d3e
v3.1.0 -- container component auto-injects OCI image-metadata build-args (OCI_VERSION / OCI_REVISION / OCI_CREATED) sourced from CI predefined variables. Additive, backward-compatible with v3.0.0 consumers. Pairs with the forthcoming container-image standard in reference.
-
v3.0.0
protected · Release: pipeline v3.0.0 · 10d48aee
v3.0.0 — namespace migration to gitlab-com/public-sector
First release at the new path gitlab-com/public-sector/pipeline. Every catalog image, cosign OIDC identity, and SLSA provenance subject moves to the new namespace. Hard break from v2.x.
Consumers must update include lines:
  $CI_SERVER_FQDN/gitlab-com/public-sector/pipeline/<name>@v3.0.0
Removed: posture-verify component (divested to GitLab compliance product).
Deferred: ci-kaniko image (returns when kaniko ships at the new path).
Bootstrap: image-build runs under quay.io/buildah/stable:v1.43.0 with runtime cosign install. v3.1.0+ uses the just-published ci-buildah image.
-
v2.7.0
protected · Release: pipeline v2.7.0 · 4682fe69
v2.7.0 - validation cleanup + pipeline-self-validates roll-up
-
v2.6.0
protected · Release: pipeline v2.6.0 · dfa79dbc
v2.6.0 - catalog IS the Renovate runner (presets/renovate-runner.gitlab-ci.yml + self-include)
-
v2.5.0
protected · Release: pipeline v2.5.0 · 3d2528e4
v2.5.0 - declare artifacts.reports.cyclonedx for GitLab Dependency List ingestion
-
v2.4.0
protected · Release: pipeline v2.4.0 · 869c1ad3
v2.4.0 - catalog dogfooding (use ci-buildah:v2.3.0 as build host)
-
v2.3.0
protected · Release: pipeline v2.3.0 · e6a45938
v2.3.0 - container-scan-summary component + vale no-findings message
-
v2.2.0
protected · Release: pipeline v2.2.0 · 00bc90fb
v2.2.0 - vale mode (project|docs) + posture-verify shell-expansion fix
-
v2.1.1
protected · Release: pipeline v2.1.1 · e0074f88
v2.1.1: conditional cosign install in binary component
Patch release. Restores compatibility with consumer-overridden build_image values that don't ship cosign (rust:1.88.0, golang:1.25). Surfaced during the assay/posture/tach migrations. See CHANGELOG.md.
-
v2.1.0
protected · Release: pipeline v2.1.0 · 1537453f
v2.1.0: build-container-buildah + stable footing
Additive release. Goal: stable footing for consumer migration.
Highlights
  - build-container-buildah component. Functionally equivalent to the legacy container component, named for symmetry with the buildkit and kaniko siblings that will follow.
  - Sim harness expansion: sim-buildah builds + signs a fixture image via the new component end-to-end against the just-built ci-buildah image. The catalog's own integration test surface.
  - binary component CWD-resilient: a consumer build_script that cd's elsewhere no longer breaks the subsequent dist/ manipulation.
  - lint-templates enforces spec.description <= 256 chars before MR.
Deferred to a later v2.x
  - build-container-buildkit: POC sim established that rootless buildkitd via rootlesskit on the gitlab.com SaaS Linux Docker executor errors with "No subuid ranges found for user 0 (root)". Real fix needs a non-root user baked into ci-buildkit plus subuid setup plus GitLab runner accepting the non-root USER. POC sim retained as manual-trigger scaffolding.
  - build-container-kaniko: blocked on factory/kaniko publishing the chainguard-fork kaniko image at :latest. The ci-kaniko Containerfile and build job exist with allow_failure: true and unblock automatically when the upstream ships.
See CHANGELOG.md for the full v2.0.x -> v2.1.0 notes.
-
v2.0.2
protected · Release: pipeline v2.0.2 · b01d4e3e
v2.0.2: drop redundant catalog publish step
Patch release. v2.0.1's create-release job failed at the explicit glab repo publish catalog step with 422 (Release has already been published) because release-create on a catalog-resource project auto-publishes the version. The explicit publish call is redundant.
Fix: drop the explicit glab repo publish catalog step from .gitlab-ci.yml.
-
v2.0.1
protected · Release: pipeline v2.0.1 · e3a5b52f
v2.0.1: CI publish-flow auth fix
Patch release. Validates the production catalog publish path. The v2.0.0 create-release CI job failed authentication because glab sent CI_JOB_TOKEN as a Bearer token, which /api/v4/user rejects. v2.0.0 was manually published to the catalog as a one-time workaround; v2.0.1 makes CI work end-to-end via glab CI auto-login.
Fix: GLAB_ENABLE_CI_AUTOLOGIN=true in the create-release job variables. With GITLAB_CI=true (always set in CI), glab routes the token via gitlab.JobTokenAuthSource (job-token header) instead of Bearer.
-
v2.0.0
protected · Release: pipeline v2.0.0 · 8884dfdb
v2.0.0: pipeline catalog modernization
The catalog now demonstrates what GitLab + DevSecOps looks like when fully exercised. Every component declares spec:component for $[[ component.version ]] interpolation, ships in a v2 canonical shape (snake_case keys, typed inputs, options/regex validation), and consumes catalog-managed images instead of curl-installing tooling at runtime.
Highlights
  - spec:component on every template; $[[ component.version ]] resolves to the consumer's catalog tag for image refs.
  - snake_case input keys; typed inputs with options enums + regex.
  - Eight UBI9-based catalog-managed images (ci-tools, ci-go, ci-go-fips, ci-rust, ci-buildah, ci-buildkit, ci-kaniko, posture-verify) -- built, cosign-signed, and SBOM-attested at every catalog tag. No runtime curl-installs in jobs.
  - posture-verify component: iterate a project's .gitlab/posture-claims.yaml and run each consumer-authored verify command, fail closed on any evidence that doesn't hold up.
  - Catalog publish flow uses glab repo publish catalog (release-cli is deprecation-tracked for GitLab 20.0).
  - In-repo sim harness validates every component end-to-end against the just-built catalog-managed images.
Migration: see CHANGELOG.md for the v1.x -> v2.0.0 input map. Consumers may stay on v1.6.1 until ready.
Deferred to v2.1.0+:
  - build-container-buildkit / build-container-buildah / build-container-kaniko engine components.
  - hermeto-prefetch (hermetic dependency snapshots).
  - Pages-published per-component docs.
  - Immutable container-tag bootstrap (REST API quirks under investigation).
  - Native SLSA dual-emit (ATTEST_CONTAINER_IMAGES) once slsa_provenance_statement FF rollout state is clearer.
  - Catalog dogfooding (catalog .gitlab-ci.yml using ci-buildah for its own builds).
v2.0.0-rc.1 through rc.4 stay as frozen records of the RC iteration.
-
v2.0.0-rc.4
protected · 39bb25c4
v2.0.0-rc.4: fourth v2 release candidate
Same scope as rc.3 with image-build fixes from MR !10:
  - ci-buildkit tar extraction landing (drop --strip-components)
  - ci-rust pinned to Zig 0.13.0 (0.14+ changed URL naming)
rc.1-rc.3 remain as frozen records of earlier attempts.
-
v2.0.0-rc.3
protected · 24ee06c7
v2.0.0-rc.3: third v2 release candidate
Same scope as v2.0.0-rc.2 with image-build fixes from MR !9:
  - ci-go drops inline sha256sum verification (format mismatch)
  - ci-rust uses post-install rustup component add for clippy + rustfmt
  - ci-buildkit drops bogus provenance-as-checksum fetch
  - ci-kaniko allow_failure: true (factory/kaniko :latest not yet published)
rc.1 and rc.2 remain as frozen records of earlier failed attempts.
-
v2.0.0-rc.2
protected · ac36a741
v2.0.0-rc.2: second v2 release candidate
Same scope as v2.0.0-rc.1 with the curl-minimal package conflict fixed (MR !8). rc.1 remains as a frozen record of the failed first attempt.
-
v2.0.0-rc.1
protected · 96645e82
v2.0.0-rc.1: first v2 release candidate
Lands the v2 canonical template shape and the eight catalog-managed images that consumers and templates now pull instead of curl-installing at runtime.
Highlights:
  - Every template declares spec:component for $[[ component.version ]] interpolation.
  - snake_case input keys (breaking change from v1 kebab-case).
  - Typed inputs with options enums and regex validation throughout.
  - Eight UBI9-based images: ci-tools, ci-go, ci-go-fips, ci-rust, ci-buildah, ci-buildkit, ci-kaniko, posture-verify.
  - Templates consume the catalog-managed images via $[[ component.version ]].
This RC validates the v2 contract end-to-end. Pin to @v2.0.0-rc.1 to canary; ~latest stays on v1.6.1 until v2.0.0 final ships.