chore(ci): adopt pipeline catalog v4.0.0 (build/sign split)

Migrate postern CI to public-sector/pipeline catalog v4.0.0 (breaking).

What changed

  • Bumped container@v3.0.0 → v4.0.0 and verify@v3.0.0 → v4.0.0.
  • Added a paired container-sign@v4.0.0 include for the single container-build job.

Why

v4.0.0 splits build and sign: container now builds + pushes + writes container.env but no longer cosign-signs. Each build job needs a paired container-sign to preserve signatures. :latest gating to the default branch is now handled inside the container component.

container-sign inputs

  input          value
  image_name     $CI_REGISTRY_IMAGE
  container_job  container-build
  job_name       container-sign
  stage          scan (after build, before verify)

Build jobs paired

  • container-build (the catalog container component, default job_name) → container-sign.

The project-local build-stage jobs (build-dev-binaries, extract-prod-binary, build-docs) do not produce signable container images and need no sign pairing.

Out of scope

release@v3.0.0 and container-scan-summary@v3.0.0 are left unchanged — their interfaces are unaffected by the v4.0.0 build/sign split.

Validation

glab ci lint passes; YAML loads clean.

🤖 Generated with Claude Code
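As an added illustration, and not the commit's own diff (which is not shown on this page), here is the build/sign pairing described above expressed as `.gitlab-ci.yml` component includes. The catalog location `$CI_SERVER_FQDN/public-sector/pipeline/...` is assumed from the description, the `stages` list is an assumption chosen to match the "after build, before verify" ordering, and the `verify` include is shown without inputs because its interface is not described here.

```yaml
# Added example, not the project's .gitlab-ci.yml.
# Assumed: the catalog lives at $CI_SERVER_FQDN/public-sector/pipeline.
stages:
  - build
  - scan
  - verify

include:
  # v4.0.0 container component: builds, pushes, writes container.env and
  # gates :latest to the default branch. It no longer signs the image.
  - component: $CI_SERVER_FQDN/public-sector/pipeline/container@v4.0.0
    inputs:
      job_name: container-build   # catalog default, spelled out for clarity

  # Paired signer, one per build job. Without this include the pushed image
  # is left unsigned and the verify stage has no signature to check.
  - component: $CI_SERVER_FQDN/public-sector/pipeline/container-sign@v4.0.0
    inputs:
      image_name: $CI_REGISTRY_IMAGE
      container_job: container-build   # must equal the build job's job_name
      job_name: container-sign
      stage: scan                      # after build, before verify

  # verify@v4.0.0 inputs are not described on this page, so none are set here.
  - component: $CI_SERVER_FQDN/public-sector/pipeline/verify@v4.0.0
```

Note that `glab ci lint` only checks that the YAML and job graph are valid; a build job that has no matching `container-sign` include is not a lint failure, it is simply an unsigned image, so the pairing is worth checking in review whenever a new container build job is added.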
