Erich Blume
04e036c603
## Summary - Removed `status: active` from `enforce-tag-immutability` card — its requirements are folded into the parent `harden-zot-registry` goal's `accessControl` configuration - Updated `harden-zot-registry` with three-tier access control spec (anonymous read, artifact-workloads read+create, admins full) - Added `artifact-workloads` group creation step to `register-zot-oidc-client` - Added service account context to `wire-ci-registry-auth` ## Rationale Tag immutability requires authentication to be meaningful. Without auth, everyone is anonymous and gets the same policy. Rather than client-side push checks, the registry enforces immutability server-side: CI gets `["read", "create"]` (no update/delete), so pushing an existing tag is rejected by zot itself. ## Test plan - [ ] `mise run docs-check-links` passes - [ ] `mise run docs-mikado` shows enforce-tag-immutability as resolved Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/235 |
||
|---|---|---|
| .. | ||
| authentik | ||
| configuration | ||
| deployment | ||
| knowledgebase | ||
| operations | ||
| plans | ||
| zot | ||
| agent-change-process.md | ||
| how-to.md | ||