Two container/registry gaps in the shared catalog surface in every consumer. Found while engineering `public-sector/postern`'s release pipeline (no semver image was ever pullable; registry full of orphaned commit-SHA tags). ### 1. `templates/container`: `:latest` is pushed + signed on every MR pipeline The default `job_rules` include `merge_request_event`, and the build script pushes **and cosign-signs** `:latest` unconditionally: ``` LATEST_TAG="latest${SUFFIX}" TAGS="-t ${IMAGE}:${SHA_TAG} -t ${IMAGE}:${LATEST_TAG}" ... buildah push "${IMAGE}:${LATEST_TAG}" # runs on MR pipelines too cosign sign "${IMAGE}@${digest-latest}" ``` So any open MR's pipeline moves `:latest` to unreviewed MR code (transient clobber) and adds a signature for it. `:latest` should track the default branch only. **Proposed fix:** gate the `:latest` push + sign to `$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH` (and tag pipelines). Keep `:SHA` on MR pipelines (needed for downstream smoke/scan jobs); keep `:$CI_COMMIT_TAG` on tag pipelines. ### 2. No standard registry cleanup policy `container_expiration_policy` is `enabled: false` on `postern` and on `kaniko` (sampled) — likely estate-wide. Nothing is ever pruned, so commit-SHA build tags (and their cosign `.sig` tags) accumulate without bound. **Proposed fix:** ship a recommended cleanup policy (component input or a documented baseline + a small apply step) and roll it across public-sector. A working shape, verified on postern: ``` enabled: true cadence: 7d keep_n: 10 older_than: 30d name_regex: ".*" name_regex_keep: "^(latest|v\\d+\\.\\d+\\.\\d+(-.*)?|sha256-[a-f0-9]{64}\\.sig)$" ``` This protects `latest`, all semver tags, and all cosign signatures, while pruning stale SHA build tags. Note the `.sig` carve-out: GitLab's cleanup treats cosign signatures as ordinary tags, so without protecting `sha256-…​.sig` it will delete signatures of images you keep and break `cosign verify`. --- Filing per discussion; postern is being brought to a clean baseline locally in the meantime (cleanup policy applied, registry wiped, v0.3.0 re-issued). Cross-ref: the Renovate scheduling gap is #2.