Shared CI/CD Component Catalog
A dedicated hub that publishes 14 versioned, typed-input GitLab CI/CD components — plus one shared toolchain image — consumed by every repo in the estate. Releases are cut automatically from Conventional Commits; every artifact is cosign-signed and ships a syft SBOM attestation.
View Code on GitHubComponent release flow
Before this hub, four repos each carried their own copy of the same lint, scan, and publish jobs — and drifted. The catalog centralizes that job logic behind a typed input surface, versions it like any other dependency, and hardens the supply chain end to end.
Components as a versioned API
Each component declares its inputs with types and defaults, so a consumer pipeline reads like configuration: include the component at a pinned version, pass inputs, done. A documented group-wide CI contract fixes the stage vocabulary (scan → lint → test → validate → publish → image → release → mirror) so every repo’s pipeline has the same shape, and a config-resolution convention lets a consumer’s own rule files override the defaults baked into the shared image — without forking the job.
Releases cut from commit messages
The catalog releases itself. An auto-tag job inspects the Conventional Commits since the last tag, computes the next SemVer (feat → minor, fix → patch, breaking → major), pushes the tag, and the tag pipeline publishes the release to the CI/CD catalog. Versioning discipline stops being a human habit and becomes pipeline output.
A golden image with a warranty
One ci-base image bakes the shared toolchain, Python CI tooling, and default configs. It is rebuilt on a weekly schedule so base-layer CVE fixes land without anyone editing a Dockerfile, scanned with trivy, signed with cosign by digest, and shipped with a syft SPDX SBOM attached as an attestation. Consumers pick the image up through digest-pinned Renovate bumps — every update is a reviewable merge request, not a silent drift.
Key Technical Highlights
- One source of truth for CI: 14 components (scan, lint, build, sign, SBOM, mirror, release) replace hand-rolled pipelines. Every consumer pins a version and passes typed inputs — the job logic lives once.
- Automatic SemVer releases: An auto-tag component reads Conventional Commits since the last tag and cuts the next version (feat→minor, fix→patch, !→major); the tag pipeline publishes to the CI/CD Catalog.
- Signed + attested by default: Every CI image and Helm chart is cosign-signed by digest, and a syft SPDX SBOM is attached as a cosign attestation — a real supply-chain story, not just a checksum.
- One shared base image: A single ci-base image bakes the common toolchain and shared config defaults; consumers layer only their repo-specific tools and adopt updates via digest-pinned Renovate bumps.