Confusion around releasing components and the integration with the CI/CD Catalog
My (subjective) assumption and intuition about the CI/CD Catalog and released components
The current CI/CD components documentation has a section about Publishing a component project w.r.t making it "available" in the CI/CD Catalog.
Apart from those manual releases of components (that usually happen in a pipeline), "something" creates a special ~latest
release for published CI/CD components of the CI/CD catalog.
Just by reading this, I've assumed that the CI/CD Catalog acts as some kind of a "CI/CD component" store where released components are "magically" being pushed to (together with the ~latest
version) and on the other hand are being fetched from when including a released component (or maybe ~latest
is just implemented when fetching? .. but doesn't matter for the discussion here too much.).
This made most sense for me, because the syntax of inlcude.component
does not appear as a valid (Git) URL (there is no scheme, the templates
directory is magically omitted and the file extension is also missing) and the ref (the thing after the @
) is also not necessarily a valid Git ref (because of ~latest
).
Thus, I can only assume that when I include a component it does NOT directly hit the GitLab project for resources, but actually uses the CI/CD Catalog as a proxy / store for released components - I say "released components", because again, the docs have some kind of an emphasis on that.
Reality
However, that does not seem to be the case. It turns out that a user of a component is able to include the component via the include.component
syntax even for unreleased refs - which may make sense for non-tag refs, but I would have expected that only released tags (as in a GitLab release exists for that tag) can be included.
So, it seems that the CI/CD Catalog is actually only used for discoverability (well, in hindsight the name "catalog" kind implies that, but again there is ~latest
and there is the special include.component
syntax ...)
I'm well aware, that there is some kind of a responsibility on the user side to verify if the ref they are about to include is actually released (or meets some other kind of important criteria for them).
Problem
I see multiple problems here:
- UX: the current
include.component
syntax suggests that it does not fetch directly from Git (because it's no valid URL, see above), which it kinda does though - UX: the
~latest
ref suggests that there is magic things going on for components in the catalog - Technical: the availability of a tag does NOT mean that my component is released and ready to be consumed. For example, what if I need some build artifacts for the component? E.g. a job image that is built in the pipeline upon tag creation (I think it will be a common use case, see #438275)
- Technical: how would the
~latest
(CI/CD catalog) ref work in terms of "context interpolation" as suggested in Backend: Allow interpolation to use local conte... (#438275) ? How can a user of "context interpolation" reference correct build artifacts?
(Idea) Proposals
- Have the option to only reference releases
- Clearly document what revisions are available for
include.component
and that it has nothing to do with the Catalog or Catalog projects, except the~latest
- Maybe it would also be worth thinking about actually releasing components as some kind of bundles / artifacts in the Package Registry or Catalog (or some combination of both)