All projects

Shared CI/CD Component Catalog

CI/CDGitLabSupply ChaincosignSBOM

A dedicated hub that publishes 14 versioned, typed-input GitLab CI/CD components — plus one shared toolchain image — consumed by every repo in the estate. Releases are cut automatically from Conventional Commits; every artifact is cosign-signed and ships a syft SBOM attestation.

View Code on GitHub

Component release flow

Diagram: Component release flow

Before this hub, four repos each carried their own copy of the same lint, scan, and publish jobs — and drifted. The catalog centralizes that job logic behind a typed input surface, versions it like any other dependency, and hardens the supply chain end to end.

Components as a versioned API

Each component declares its inputs with types and defaults, so a consumer pipeline reads like configuration: include the component at a pinned version, pass inputs, done. A documented group-wide CI contract fixes the stage vocabulary (scan → lint → test → validate → publish → image → release → mirror) so every repo’s pipeline has the same shape, and a config-resolution convention lets a consumer’s own rule files override the defaults baked into the shared image — without forking the job.

Releases cut from commit messages

The catalog releases itself. An auto-tag job inspects the Conventional Commits since the last tag, computes the next SemVer (feat → minor, fix → patch, breaking → major), pushes the tag, and the tag pipeline publishes the release to the CI/CD catalog. Versioning discipline stops being a human habit and becomes pipeline output.

A golden image with a warranty

One ci-base image bakes the shared toolchain, Python CI tooling, and default configs. It is rebuilt on a weekly schedule so base-layer CVE fixes land without anyone editing a Dockerfile, scanned with trivy, signed with cosign by digest, and shipped with a syft SPDX SBOM attached as an attestation. Consumers pick the image up through digest-pinned Renovate bumps — every update is a reviewable merge request, not a silent drift.

Key Technical Highlights

  • One source of truth for CI: 14 components (scan, lint, build, sign, SBOM, mirror, release) replace hand-rolled pipelines. Every consumer pins a version and passes typed inputs — the job logic lives once.
  • Automatic SemVer releases: An auto-tag component reads Conventional Commits since the last tag and cuts the next version (feat→minor, fix→patch, !→major); the tag pipeline publishes to the CI/CD Catalog.
  • Signed + attested by default: Every CI image and Helm chart is cosign-signed by digest, and a syft SPDX SBOM is attached as a cosign attestation — a real supply-chain story, not just a checksum.
  • One shared base image: A single ci-base image bakes the common toolchain and shared config defaults; consumers layer only their repo-specific tools and adopt updates via digest-pinned Renovate bumps.

Auto-tag release pipeline

Diagram: Auto-tag release pipeline
Nobody tags by hand — the version is computed from the commit history and published in the same pipeline.

Technologies

GitLab CIcosignsyfttrivygitleaksDockerRenovate