Document the process for setting up a build that is 100% disconnected from the internet
Problem to solve
We have some loose documentation (here and here) on how to supported isolated builds for SLSA compliance, but there is not a great recommendation for how to accomplish a fully air-gapped build today.
Proposal
In slack, Govern PM discussed:
It would be possible by pre-fetching the build dependencies and then disconnecting all network access after the git repository is pulled but before the build process is started. Then after the build is complete, network access to the GitLab server could be restored so the final build artifact can be pushed into a registry somewhere.
As best I understand, this is all something that we support today, we just don't do a great job of documenting the steps involved in configuring and setting it all up.
Edited by Sam White