## Summary

- Removed `status: active` from `enforce-tag-immutability` card — its requirements are folded into the parent `harden-zot-registry` goal's `accessControl` configuration
- Updated `harden-zot-registry` with three-tier access control spec (anonymous read, artifact-workloads read+create, admins full)
- Added `artifact-workloads` group creation step to `register-zot-oidc-client`
- Added service account context to `wire-ci-registry-auth`

## Rationale

Tag immutability requires authentication to be meaningful. Without auth, everyone is anonymous and gets the same policy. Rather than client-side push checks, the registry enforces immutability server-side: CI gets `["read", "create"]` (no update/delete), so pushing an existing tag is rejected by zot itself.

## Test plan

- [ ] `mise run docs-check-links` passes
- [ ] `mise run docs-mikado` shows enforce-tag-immutability as resolved

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/235
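The three-tier policy described in the summary, written out as a zot `accessControl` block. This is an added example, not the repository's own configuration: it assumes zot's `http.accessControl` schema (`anonymousPolicy`, per-repository `policies`, `defaultPolicy`, `adminPolicy`), uses the `**` glob to cover every repository, and takes `admins` as the name of the administrator group; the `http.auth` block that wires up the OIDC client (and so produces the group claims) is left out here.

```json
{
  "distSpecVersion": "1.1.0",
  "storage": {
    "rootDirectory": "/var/lib/zot"
  },
  "http": {
    "address": "0.0.0.0",
    "port": "5000",
    "accessControl": {
      "repositories": {
        "**": {
          "anonymousPolicy": ["read"],
          "policies": [
            {
              "groups": ["artifact-workloads"],
              "actions": ["read", "create"]
            }
          ],
          "defaultPolicy": ["read"]
        }
      },
      "adminPolicy": {
        "groups": ["admins"],
        "actions": ["read", "create", "update", "delete"]
      }
    }
  }
}
```

Reading the tiers from the bottom up: `adminPolicy` grants the `admins` group every action on every repository; the `artifact-workloads` policy lets CI pull and push new content but, lacking `update` and `delete`, cannot overwrite or remove an existing tag; `anonymousPolicy` and `defaultPolicy` both fall back to `read` for unauthenticated callers and for authenticated users who match no explicit policy. The immutability guarantee therefore rests on two things worth checking in review: that CI's identity actually lands in the `artifact-workloads` group (via the OIDC provider's group claim), and that nothing else hands the CI service account `update`.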
| Files changed |
|---|
| add-container-version-sync-check.md |
| add-dagger-nix-build.md |
| adopt-commit-based-container-tags.md |
| enforce-tag-immutability.md |
| fix-ntfy-nix-version.md |
| harden-zot-registry.md |
| install-dagger-on-nix-runner.md |
| pin-container-versions.md |
| register-zot-oidc-client.md |
| wire-ci-registry-auth.md |