chore(ci): adopt pipeline catalog v4.0.0 (build/sign split)

What

Migrate .gitlab-ci.yml to pipeline catalog v4.0.0.

Version bumps

  • pipeline/attest v3.0.0 -> v4.0.0 (binary/SLSA attestation; unchanged in v4, bumped for consistency)
  • pipeline/container v3.0.0 -> v4.0.0 (BREAKING: builds + pushes + writes container.env; no longer signs)
  • pipeline/verify v3.0.0 -> v4.0.0

Build/sign split (BREAKING in v4)

container@v4 no longer signs. Each container build job is now paired with a container-sign@v4.0.0 job to preserve cosign signatures:

| build job | paired sign job | container_job | image_name |
|---|---|---|---|
| container-build (default) | container-sign | container-build | $CI_REGISTRY_IMAGE |
| container-build-fips | container-sign-fips | container-build-fips | $CI_REGISTRY_IMAGE |

:latest gating is handled inside the component.

Note

container-sign defaults to a stage: attest that does not exist in this repo's stage list; both sign jobs set stage: container (exists, sits between build and verify; ordering also enforced via needs on the build job).

Out of scope (left at v3): binary, audit, compliance, release, container-scan-summary.

Validated with glab ci lint (valid) and YAML load.
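
A guard for the pairing and stage constraints described above, as an added example that is not part of this merge request or the pipeline catalog. The job names come from the table; the layout of the merged config dict, the function names and the sample data are assumptions.

```python
# Added example: guard for the v4 build/sign split. Job names come from the
# MR table; the layout of the merged config is an assumption.
PAIRS = {
    "container-build": "container-sign",
    "container-build-fips": "container-sign-fips",
}

def needed_jobs(job):
    """Job names listed under `needs` (entries are strings or {job: ...})."""
    return {n["job"] if isinstance(n, dict) else n for n in job.get("needs", [])}

def check_sign_pairing(config, pairs=PAIRS):
    """Return a list of problems; empty means every build is still signed."""
    stages = config.get("stages", [])
    problems = []
    for build, sign in pairs.items():
        if build not in config:
            problems.append(f"{build}: build job missing")
            continue
        if sign not in config:
            problems.append(f"{build}: no paired sign job {sign}")
            continue
        # GitLab puts a job without an explicit stage into "test".
        b_stage = config[build].get("stage", "test")
        s_stage = config[sign].get("stage", "test")
        if s_stage not in stages:
            problems.append(f"{sign}: stage {s_stage!r} not in stages")
        elif b_stage in stages and stages.index(s_stage) < stages.index(b_stage):
            problems.append(f"{sign}: stage {s_stage!r} runs before {build}")
        if build not in needed_jobs(config[sign]):
            problems.append(f"{sign}: missing needs on {build}")
    return problems

# Constructed sample of a merged pipeline (not this repository's real file).
GOOD = {
    "stages": ["build", "container", "verify"],
    "container-build": {"stage": "container"},
    "container-sign": {"stage": "container", "needs": ["container-build"]},
    "container-build-fips": {"stage": "container"},
    "container-sign-fips": {"stage": "container", "needs": [{"job": "container-build-fips"}]},
}
# Same pipeline with the component's default stage left on one sign job.
BAD = {**GOOD, "container-sign": {"stage": "attest", "needs": ["container-build"]}}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, check_sign_pairing(cfg) or "ok")
```

Run against the merged pipeline definition, a non-empty result means a container image would be pushed without its cosign signature job being schedulable.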
