Stage: release
The release stage is the only stage that produces a customer-installable
artifact. It runs only on an annotated v*.*.* git tag (e.g. v1.0.0); on
any branch or MR pipeline it evaluates to when: never, so a normal push never
publishes. It packages the karc-portal Helm chart as an OCI artifact,
cosign-signs the released images and the chart, attaches the SBOM as an in-toto
attestation, and creates the GitLab Release. It runs after
gitops.
Part of the Full pipeline action map. Use the Fullscreen button on the diagram to view it edge-to-edge.
flowchart TD TAG["Annotated v*.*.* git tag pushed<br/>(branch/MR pipelines skip: when never)"] GUARD["Version guard<br/>Chart.yaml version + appVersion == tag"] PKG["helm package apps/karc-portal<br/>helm push -> oci://.../charts/karc-portal<br/>customer-installable OCI chart"] RETAG["crane copy tested digests<br/>-> :<version> / :v<version><br/>portal + karc-portal-migrate"] SIGN["cosign keyless-sign (Fulcio/Rekor)<br/>image digests + OCI chart<br/>+ CycloneDX SBOM as in-toto attestation<br/>SC_REQUIRE_SIGN=true — release fails if unsigned"] REL["release:gitlab-release<br/>create GitLab Release<br/>auto notes + chart tarball attached"] TAG --> GUARD --> PKG --> RETAG --> SIGN --> REL class GUARD,PKG,RETAG release class SIGN sign class REL rel class TAG io classDef release fill:#1f6feb,stroke:#0b3d91,color:#ffffff classDef sign fill:#2da44e,stroke:#116329,color:#ffffff classDef rel fill:#6639ba,stroke:#3b1f7a,color:#ffffff classDef io fill:#57606a,stroke:#32383f,color:#ffffff
Jobs in this stage
Section titled “Jobs in this stage”| Job | What it does | Why |
|---|---|---|
release:publish | On a v*.*.* tag: asserts the chart version and appVersion both equal the tag, helm packages apps/karc-portal and helm pushes it to oci://$CI_REGISTRY_IMAGE/charts/karc-portal as an OCI chart, then crane copys the exact CI-tested source digests (portal + karc-portal-migrate) to the :<version> / :v<version> release tags. | Ships a versioned, immutable OCI Helm chart that resolves to the same bytes CI validated — no rebuild, so the released artifact is byte-identical to what was tested. |
release:publish (supply-chain step) | cosign keyless-signs the two released image digests and the pushed OCI chart (Fulcio-issued cert via the GitLab CI OIDC identity, signature recorded in Rekor), then attaches the CycloneDX SBOM as an in-toto cosign attestation on each released digest. Runs with SC_REQUIRE_SIGN=true. | A release carries the strongest provenance: consumers can cosign verify the images and chart, and inspect the attached SBOM, before deploying. Unlike the per-commit attest stage (non-blocking), a release that cannot be signed fails. |
release:gitlab-release | Generates release notes from conventional commits since the previous v* tag and creates the GitLab Release with the notes and the packaged chart tarball attached. | Automates the Release — no manual glab release create step; the notes and the installable chart are published together. |
Consumers then install with the signed, versioned OCI chart:
helm install karc-portal \ oci://registry.gitlab.com/compliance-calitii/sarc/charts/karc-portal \ --version 1.0.0 -f values-<cloud>.yamlWhy this stage exists
Section titled “Why this stage exists”The per-commit stages produce evidence for every build; the release stage produces the shippable artifact and gives it release-grade provenance. A versioned OCI chart plus cosign-signed, transparency-logged image digests and an attached SBOM mean a customer can verify exactly what they are installing — cryptographically, against a public log — before it ever touches a cluster.
Stages: gitops → release → mirror · all stages