Fold enforce-tag-immutability into harden-zot-registry #235

Merged
eblume merged 1 commit from enforce-tag-immutability into main 2026-02-21 08:05:17 -08:00
Owner

Summary

  • Removed `status: active` from `enforce-tag-immutability` card — its requirements are folded into the parent `harden-zot-registry` goal's `accessControl` configuration
  • Updated `harden-zot-registry` with three-tier access control spec (anonymous read, artifact-workloads read+create, admins full)
  • Added `artifact-workloads` group creation step to `register-zot-oidc-client`
  • Added service account context to `wire-ci-registry-auth`

Rationale

Tag immutability requires authentication to be meaningful. Without auth, everyone is anonymous and gets the same policy. Rather than client-side push checks, the registry enforces immutability server-side: CI gets `["read", "create"]` (no update/delete), so pushing an existing tag is rejected by zot itself.

Test plan

  • `mise run docs-check-links` passes
  • `mise run docs-mikado` shows enforce-tag-immutability as resolved
Tag immutability requires auth to be meaningful, so it can't be resolved
independently. Replace client-side push checks with server-side
accessControl policy: artifact-workloads group gets read+create (no
update/delete), enforcing immutability at the registry level.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
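
The three-tier `accessControl` policy described in the Summary and Rationale above, as an added worked example that is not part of this PR or of the blumeops repository. The JSON fragment is constructed to follow zot's documented `http.accessControl` schema (`repositories`, `anonymousPolicy`, `policies`, `defaultPolicy`, `adminPolicy`); the `allowed_actions` and `push_decision` functions are a simplified model of how zot resolves a policy, written here to show why a CI principal limited to `read`+`create` can publish a new tag but is refused when it tries to overwrite an existing one. The mapping "new tag needs `create`, existing tag needs `update`" is an assumption modelled on zot's authorization, as is the group name `admins`.

```python
import json

# Constructed zot config fragment for the three tiers named in the PR:
# anonymous -> read, artifact-workloads -> read+create, admins -> everything.
# Key names follow zot's accessControl schema (assumption: schema as documented).
ZOT_CONFIG = json.loads("""
{
  "http": {
    "accessControl": {
      "repositories": {
        "**": {
          "anonymousPolicy": ["read"],
          "policies": [
            {"groups": ["artifact-workloads"], "actions": ["read", "create"]}
          ],
          "defaultPolicy": ["read"]
        }
      },
      "adminPolicy": {
        "groups": ["admins"],
        "actions": ["read", "create", "update", "delete"]
      }
    }
  }
}
""")


def allowed_actions(config, user=None, groups=()):
    """Simplified model of zot policy resolution (assumption, not zot's code):
    adminPolicy wins outright, anonymous callers get anonymousPolicy,
    authenticated callers get the union of matching policies, else defaultPolicy."""
    ac = config["http"]["accessControl"]
    admin = ac.get("adminPolicy", {})
    if user is not None and (
        user in admin.get("users", []) or set(groups) & set(admin.get("groups", []))
    ):
        return set(admin["actions"])
    repo = ac["repositories"]["**"]  # single catch-all pattern in this example
    if user is None:
        return set(repo.get("anonymousPolicy", []))
    actions = set()
    for policy in repo.get("policies", []):
        if user in policy.get("users", []) or set(groups) & set(policy.get("groups", [])):
            actions |= set(policy["actions"])
    return actions or set(repo.get("defaultPolicy", []))


def push_decision(config, tag_exists, user=None, groups=()):
    """A manifest push to a new tag needs 'create'; a push to a tag that already
    exists is an overwrite and needs 'update' (assumption modelled on zot's authz).
    Returns True when the push would be accepted."""
    needed = "update" if tag_exists else "create"
    return needed in allowed_actions(config, user, groups)


def simulate_ci_pipeline(config, user="ci-sa", groups=("artifact-workloads",)):
    """Push the same tag twice as the CI service account and record each outcome.
    With read+create only, the second push (an overwrite) is refused server-side."""
    tags = {}  # constructed in-memory stand-in for the registry's tag store
    outcomes = []
    for digest in ("sha256:constructed-aaaa", "sha256:constructed-bbbb"):
        ok = push_decision(config, "v1.0.0" in tags, user, groups)
        if ok:
            tags["v1.0.0"] = digest
            outcomes.append("created")
        else:
            outcomes.append("denied")
    return outcomes, tags


if __name__ == "__main__":
    print(allowed_actions(ZOT_CONFIG))                                   # anonymous
    print(allowed_actions(ZOT_CONFIG, "ci-sa", ("artifact-workloads",)))  # CI
    print(simulate_ci_pipeline(ZOT_CONFIG))
```

The point to check when reviewing a real zot config is the absence of `update` and `delete` in the CI group's `actions`: that absence, not any client-side check, is what makes a tag immutable for CI, while the `adminPolicy` tier keeps a deliberate path for operators to retag or delete.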
eblume merged commit 04e036c603 into main 2026-02-21 08:05:17 -08:00
Reference
eblume/blumeops!235