chore: switch from develop/dev to main/latest image tags (#434)
All checks were successful
ci/woodpecker/push/infra Pipeline was successful
ci/woodpecker/push/coordinator Pipeline was successful
ci/woodpecker/push/orchestrator Pipeline was successful
ci/woodpecker/push/api Pipeline was successful
ci/woodpecker/push/web Pipeline was successful

Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
This commit was merged in pull request #434.
2026-02-21 22:05:07 +00:00
committed by jason.woltje
parent 25ae14aba1
commit 23d610ba5b
17 changed files with 70 additions and 90 deletions

View File

@@ -215,11 +215,9 @@ NODE_ENV=development
# Used by docker-compose.yml (pulls images) and docker-swarm.yml
# For local builds, use docker-compose.build.yml instead
# Options:
# - dev: Pull development images from registry (default, built from develop branch)
# - latest: Pull latest stable images from registry (built from main branch)
# - <commit-sha>: Use specific commit SHA tag (e.g., 658ec077)
# - latest: Pull latest images from registry (default, built from main branch)
# - <version>: Use specific version tag (e.g., v1.0.0)
IMAGE_TAG=dev
IMAGE_TAG=latest
# ======================
# Docker Compose Profiles
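Review bot: the rewritten comment block drops the `<commit-sha>` option (the removed line `# - <commit-sha>: Use specific commit SHA tag (e.g., 658ec077)`), although the CI docs hunk in this same change still lists `${CI_COMMIT_SHA:0:8}` as applied to every build and the deployment guide below keeps `IMAGE_TAG=658ec077` as a supported value; keep the SHA option in the template so `.env.example` matches what the registry actually serves. It would also help to say here that `latest` is a moving tag that now follows every merge to `main`, so production deployments should set `IMAGE_TAG` to a `<version>` or SHA tag rather than rely on the default.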

View File

@@ -85,12 +85,11 @@ install -> [ruff-check, mypy, security-bandit, security-pip-audit, test]
## Image Tagging
| Condition | Tag | Purpose |
| ---------------- | -------------------------- | -------------------------- |
| Always | `${CI_COMMIT_SHA:0:8}` | Immutable commit reference |
| `main` branch | `latest` | Current production release |
| `develop` branch | `dev` | Current development build |
| Git tag | tag value (e.g., `v1.0.0`) | Semantic version release |
| Condition | Tag | Purpose |
| ------------- | -------------------------- | -------------------------- |
| Always | `${CI_COMMIT_SHA:0:8}` | Immutable commit reference |
| `main` branch | `latest` | Current latest build |
| Git tag | tag value (e.g., `v1.0.0`) | Semantic version release |
## Required Secrets
@@ -138,5 +137,5 @@ Fails on blockers or critical/high severity security findings.
### Pipeline runs Docker builds on pull requests
- Docker build steps have `when: branch: [main, develop]` guards
- Docker build steps have `when: branch: [main]` guards
- PRs only run quality gates, not Docker builds

View File

@@ -152,12 +152,10 @@ steps:
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:$CI_COMMIT_TAG"
elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:latest"
elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:dev"
fi
/kaniko/executor --context . --dockerfile apps/api/Dockerfile --snapshot-mode=redo $DESTINATIONS
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
depends_on:
- build
@@ -180,7 +178,7 @@ steps:
elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
SCAN_TAG="latest"
else
SCAN_TAG="dev"
SCAN_TAG="latest"
fi
mkdir -p ~/.docker
echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
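Review bot: the `else` fallback now sets `SCAN_TAG="latest"`, so if this step is ever reached on a run that is neither a tag nor `main` (the `when: branch: [main]` guard is the only thing preventing that), Trivy silently scans whatever `latest` currently points at instead of the image this pipeline just built. Since the build always pushes the immutable `${CI_COMMIT_SHA:0:8}` tag, falling back to that (or to `exit 1`) keeps the scan tied to the artifact under test, and scanning by SHA in the `main` case as well would avoid a race with another pipeline overwriting `latest` between build and scan. The same `else` pattern appears in the coordinator, infra, orchestrator and web pipelines in this change.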
@@ -188,7 +186,7 @@ steps:
--ignorefile .trivyignore \
git.mosaicstack.dev/mosaic/stack-api:$$SCAN_TAG
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
depends_on:
- docker-build-api
@@ -230,7 +228,7 @@ steps:
}
link_package "stack-api"
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
depends_on:
- security-trivy-api

View File

@@ -92,12 +92,10 @@ steps:
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:$CI_COMMIT_TAG"
elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:latest"
elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:dev"
fi
/kaniko/executor --context apps/coordinator --dockerfile apps/coordinator/Dockerfile --snapshot-mode=redo $DESTINATIONS
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
depends_on:
- ruff-check
@@ -124,7 +122,7 @@ steps:
elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
SCAN_TAG="latest"
else
SCAN_TAG="dev"
SCAN_TAG="latest"
fi
mkdir -p ~/.docker
echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -132,7 +130,7 @@ steps:
--ignorefile .trivyignore \
git.mosaicstack.dev/mosaic/stack-coordinator:$$SCAN_TAG
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
depends_on:
- docker-build-coordinator
@@ -174,7 +172,7 @@ steps:
}
link_package "stack-coordinator"
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
depends_on:
- security-trivy-coordinator

View File

@@ -36,12 +36,10 @@ steps:
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:$CI_COMMIT_TAG"
elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:latest"
elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:dev"
fi
/kaniko/executor --context docker/postgres --dockerfile docker/postgres/Dockerfile --snapshot-mode=redo $DESTINATIONS
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
docker-build-openbao:
@@ -61,12 +59,10 @@ steps:
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:$CI_COMMIT_TAG"
elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:latest"
elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:dev"
fi
/kaniko/executor --context docker/openbao --dockerfile docker/openbao/Dockerfile --snapshot-mode=redo $DESTINATIONS
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
# === Container Security Scans ===
@@ -87,7 +83,7 @@ steps:
elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
SCAN_TAG="latest"
else
SCAN_TAG="dev"
SCAN_TAG="latest"
fi
mkdir -p ~/.docker
echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -95,7 +91,7 @@ steps:
--ignorefile .trivyignore \
git.mosaicstack.dev/mosaic/stack-postgres:$$SCAN_TAG
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
depends_on:
- docker-build-postgres
@@ -116,7 +112,7 @@ steps:
elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
SCAN_TAG="latest"
else
SCAN_TAG="dev"
SCAN_TAG="latest"
fi
mkdir -p ~/.docker
echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -124,7 +120,7 @@ steps:
--ignorefile .trivyignore \
git.mosaicstack.dev/mosaic/stack-openbao:$$SCAN_TAG
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
depends_on:
- docker-build-openbao
@@ -167,7 +163,7 @@ steps:
link_package "stack-postgres"
link_package "stack-openbao"
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
depends_on:
- security-trivy-postgres

View File

@@ -109,12 +109,10 @@ steps:
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:$CI_COMMIT_TAG"
elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:latest"
elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:dev"
fi
/kaniko/executor --context . --dockerfile apps/orchestrator/Dockerfile --snapshot-mode=redo $DESTINATIONS
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
depends_on:
- build
@@ -137,7 +135,7 @@ steps:
elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
SCAN_TAG="latest"
else
SCAN_TAG="dev"
SCAN_TAG="latest"
fi
mkdir -p ~/.docker
echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -145,7 +143,7 @@ steps:
--ignorefile .trivyignore \
git.mosaicstack.dev/mosaic/stack-orchestrator:$$SCAN_TAG
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
depends_on:
- docker-build-orchestrator
@@ -187,7 +185,7 @@ steps:
}
link_package "stack-orchestrator"
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
depends_on:
- security-trivy-orchestrator

View File

@@ -120,12 +120,10 @@ steps:
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:$CI_COMMIT_TAG"
elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:latest"
elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:dev"
fi
/kaniko/executor --context . --dockerfile apps/web/Dockerfile --snapshot-mode=redo --build-arg NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev $DESTINATIONS
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
depends_on:
- build
@@ -148,7 +146,7 @@ steps:
elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
SCAN_TAG="latest"
else
SCAN_TAG="dev"
SCAN_TAG="latest"
fi
mkdir -p ~/.docker
echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -156,7 +154,7 @@ steps:
--ignorefile .trivyignore \
git.mosaicstack.dev/mosaic/stack-web:$$SCAN_TAG
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
depends_on:
- docker-build-web
@@ -198,7 +196,7 @@ steps:
}
link_package "stack-web"
when:
- branch: [main, develop]
- branch: [main]
event: [push, manual, tag]
depends_on:
- security-trivy-web

View File

@@ -232,7 +232,7 @@ docker compose -f docker-compose.openbao.yml up -d
sleep 30 # Wait for auto-initialization
# 5. Deploy swarm stack
IMAGE_TAG=dev ./scripts/deploy-swarm.sh mosaic
IMAGE_TAG=latest ./scripts/deploy-swarm.sh mosaic
# 6. Check deployment status
docker stack services mosaic
@@ -526,10 +526,9 @@ KNOWLEDGE_CACHE_TTL=300 # 5 minutes
### Branch Strategy
- `main`Stable releases only
- `develop` — Active development (default working branch)
- `feature/*`Feature branches from develop
- `fix/*` — Bug fix branches
- `main`Trunk branch (all development merges here)
- `feature/*` — Feature branches from main
- `fix/*`Bug fix branches from main
### Running Locally
@@ -739,7 +738,7 @@ See [Type Sharing Strategy](docs/2-development/3-type-sharing/1-strategy.md) for
4. Run tests: `pnpm test`
5. Build: `pnpm build`
6. Commit with conventional format: `feat(#issue): Description`
7. Push and create a pull request to `develop`
7. Push and create a pull request to `main`
### Commit Format

View File

@@ -14,7 +14,7 @@ services:
# OpenBao Secrets Vault
# ======================
openbao:
image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest}
entrypoint: ["dumb-init", "--"]
command: ["bao", "server", "-config=/openbao/config/config.hcl"]
environment:
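Review bot: `${IMAGE_TAG:-latest}` makes a mutable tag the default for the secrets vault image, and with this change `latest` tracks every push to `main` rather than a stable release, so an operator who omits `IMAGE_TAG` picks up whatever was last merged on the next pull or redeploy. For the OpenBao server and `openbao-init` services in particular, consider either documenting a pinned version tag for production or using Compose's required-variable form (`${IMAGE_TAG:?set IMAGE_TAG to a version or SHA tag}`) in the deployment compose files so the choice is explicit.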
@@ -48,7 +48,7 @@ services:
# Has built-in retry logic (polls OpenBao API for 60 seconds).
# After init, runs an unseal watch loop to handle container restarts.
openbao-init:
image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest}
command: /openbao/init.sh
environment:
VAULT_ADDR: http://openbao:8200

View File

@@ -3,7 +3,7 @@ services:
# PostgreSQL Database
# ======================
postgres:
image: git.mosaicstack.dev/mosaic/stack-postgres:${IMAGE_TAG:-dev}
image: git.mosaicstack.dev/mosaic/stack-postgres:${IMAGE_TAG:-latest}
container_name: mosaic-postgres
restart: unless-stopped
environment:
@@ -251,7 +251,7 @@ services:
# OpenBao Secrets Management (Optional)
# ======================
openbao:
image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest}
container_name: mosaic-openbao
restart: unless-stopped
user: root
@@ -283,7 +283,7 @@ services:
- "com.mosaic.description=OpenBao secrets management"
openbao-init:
image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest}
container_name: mosaic-openbao-init
restart: unless-stopped
user: root
@@ -345,7 +345,7 @@ services:
# Mosaic API
# ======================
api:
image: git.mosaicstack.dev/mosaic/stack-api:${IMAGE_TAG:-dev}
image: git.mosaicstack.dev/mosaic/stack-api:${IMAGE_TAG:-latest}
container_name: mosaic-api
restart: unless-stopped
environment:
@@ -424,7 +424,7 @@ services:
# Mosaic Orchestrator
# ======================
orchestrator:
image: git.mosaicstack.dev/mosaic/stack-orchestrator:${IMAGE_TAG:-dev}
image: git.mosaicstack.dev/mosaic/stack-orchestrator:${IMAGE_TAG:-latest}
container_name: mosaic-orchestrator
restart: unless-stopped
# Run as non-root user (node:node, UID 1000)
@@ -491,7 +491,7 @@ services:
# Mosaic Web
# ======================
web:
image: git.mosaicstack.dev/mosaic/stack-web:${IMAGE_TAG:-dev}
image: git.mosaicstack.dev/mosaic/stack-web:${IMAGE_TAG:-latest}
container_name: mosaic-web
restart: unless-stopped
environment:

View File

@@ -12,10 +12,10 @@ Pull and run the latest images from the Gitea container registry:
# Copy environment template
cp .env.example .env
# Edit .env and set IMAGE_TAG (optional, defaults to 'dev')
# IMAGE_TAG=dev # Development images (develop branch)
# IMAGE_TAG=latest # Production images (main branch)
# Edit .env and set IMAGE_TAG (optional, defaults to 'latest')
# IMAGE_TAG=latest # Latest images from main branch (default)
# IMAGE_TAG=658ec077 # Specific commit SHA
# IMAGE_TAG=v1.0.0 # Specific version tag
# Pull and start services
docker compose pull
@@ -49,8 +49,7 @@ docker compose -f docker-compose.build.yml up -d --build
The `IMAGE_TAG` environment variable controls which image version to pull:
- `dev` - Latest development build from `develop` branch (default)
- `latest` - Latest stable build from `main` branch
- `latest` - Latest build from `main` branch (default)
- `658ec077` - Specific commit SHA (first 8 characters)
- `v1.0.0` - Specific version tag
@@ -210,7 +209,7 @@ The repository includes three example compose files for common deployment scenar
```bash
# Set in .env
COMPOSE_PROFILES=full
IMAGE_TAG=dev
IMAGE_TAG=latest
# Start all services
docker compose up -d

View File

@@ -29,12 +29,12 @@ Context = tokens = cost. Be smart.
2. Code → TDD: write test (RED), implement (GREEN), refactor
3. Test → pnpm test (must pass)
4. Push → git push origin feature/XX-description
5. PR → Create PR to develop (not main)
5. PR → Create PR to main
6. Review → Wait for approval or self-merge if authorized
7. Close → Close related issues via API
```
**Never merge directly to develop without a PR.**
**Never merge directly to main without a PR.**
### Issue Management
@@ -53,7 +53,7 @@ curl -s -X PATCH -H "Authorization: token $TOKEN" -H "Content-Type: application/
-d '{"state":"closed"}'
# Create PR (tea CLI works for this)
tea pulls create --repo mosaic/stack --base develop --head feature/XX-name \
tea pulls create --repo mosaic/stack --base main --head feature/XX-name \
--title "feat(#XX): Title" --description "Description"
```

View File

@@ -159,13 +159,12 @@ We follow a Git-based workflow with the following branch types:
### Workflow
1. Always branch from `develop`
2. Merge back to `develop` via pull request
3. `main` is for stable releases only
1. Always branch from `main`
2. Merge back to `main` via pull request
```bash
# Start a new feature
git checkout develop
git checkout main
git pull --rebase
git checkout -b feature/my-feature-name
@@ -269,7 +268,7 @@ Clarified pagination and filtering parameters.
2. Create a PR via GitLab at:
https://git.mosaicstack.dev/mosaic/stack/-/merge_requests
3. Target branch: `develop`
3. Target branch: `main`
4. Fill in the PR template:
- **Title:** `feat(#issue): Brief description` (follows commit format)
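Review bot: while this step is being edited, the context lines just above it still say "Create a PR via GitLab" and point at a `/-/merge_requests` URL, although the rest of this change targets Gitea (`tea pulls create`, the Gitea container registry); update the host name and path in the same pass so the contributing guide does not send people to a non-existent endpoint.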

View File

@@ -144,7 +144,7 @@ sleep 30
docker logs mosaic-openbao-init
# 3. Deploy swarm stack
IMAGE_TAG=dev ./scripts/deploy-swarm.sh mosaic
IMAGE_TAG=latest ./scripts/deploy-swarm.sh mosaic
# 4. Verify API connects to OpenBao
docker service logs mosaic_api | grep -i openbao
@@ -172,7 +172,7 @@ docker logs mosaic-openbao-init
# OPENBAO_SECRET_ID=...
# 2. Deploy stack (no OpenBao)
IMAGE_TAG=dev ./scripts/deploy-swarm.sh mosaic
IMAGE_TAG=latest ./scripts/deploy-swarm.sh mosaic
# 3. Verify API connects to external Vault
docker service logs mosaic_api | grep -i vault

View File

@@ -62,7 +62,7 @@ If using private registry images from `git.mosaicstack.dev`:
4. **Web editor:** Copy and paste contents of `docker-compose.portainer.yml`
5. **Environment variables:**
```
IMAGE_TAG=dev
IMAGE_TAG=latest
OPENBAO_PORT=8200
```
6. Click **Deploy the stack**
@@ -90,7 +90,7 @@ If using private registry images from `git.mosaicstack.dev`:
**Option A: Git Repository (Recommended)**
- Repository URL: `https://git.mosaicstack.dev/mosaic/stack`
- Repository reference: `refs/heads/develop`
- Repository reference: `refs/heads/main`
- Compose path: `docker-compose.swarm.yml`
- Authentication: Enable if repository is private
- Enable **Automatic updates** (optional)
@@ -103,7 +103,7 @@ If using private registry images from `git.mosaicstack.dev`:
4. **Environment variables:**
```
IMAGE_TAG=dev
IMAGE_TAG=latest
POSTGRES_PASSWORD=<your-secure-password>
JWT_SECRET=<your-jwt-secret>
BETTER_AUTH_SECRET=<your-auth-secret>
@@ -148,7 +148,7 @@ If using private registry images from `git.mosaicstack.dev`:
```bash
# Image Configuration
IMAGE_TAG=dev # or 'latest' or specific commit SHA
IMAGE_TAG=latest # or 'latest' or specific commit SHA
# Database
POSTGRES_PASSWORD=<secure-password>
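Review bot: the trailing comment on the changed line, `IMAGE_TAG=latest # or 'latest' or specific commit SHA`, now repeats the value it annotates; rewrite it as `# or a specific version tag / commit SHA` so it matches the option list given in the other deployment docs of this change.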

View File

@@ -49,7 +49,7 @@ nano .env
- `OIDC_CLIENT_ID` - From your Authentik/OIDC provider
- `OIDC_CLIENT_SECRET` - From your Authentik/OIDC provider
- `OIDC_ISSUER` - Your OIDC provider URL (must end with `/`)
- `IMAGE_TAG` - `dev` or `latest` or specific commit SHA
- `IMAGE_TAG` - `latest` (default) or specific version/commit SHA
### 2. Configure for External Services (Optional)
@@ -131,10 +131,10 @@ See [OpenBao Deployment Guide](OPENBAO-DEPLOYMENT.md) for detailed options.
cd /opt/mosaic/stack
# Using the deploy script (recommended)
IMAGE_TAG=dev ./scripts/deploy-swarm.sh mosaic
IMAGE_TAG=latest ./scripts/deploy-swarm.sh mosaic
# Or manually
IMAGE_TAG=dev docker stack deploy \
IMAGE_TAG=latest docker stack deploy \
-c docker-compose.swarm.yml \
--with-registry-auth mosaic
```

View File

@@ -9,17 +9,15 @@ Images are tagged based on branch and event type:
| Trigger | Tags Applied | Example |
| ----------------- | ----------------- | -------------------- |
| Push to `main` | `{sha}`, `latest` | `658ec077`, `latest` |
| Push to `develop` | `{sha}`, `dev` | `a1b2c3d4`, `dev` |
| Git tag (release) | `{sha}`, `{tag}` | `658ec077`, `v1.0.0` |
### Tag Meanings
| Tag | Purpose | Stability |
| -------------------------- | ------------------------------------------ | --------- |
| `latest` | Current production-ready build from `main` | Stable |
| `dev` | Current development build from `develop` | Unstable |
| `v*` (e.g., `v1.0.0`) | Versioned release | Immutable |
| `{sha}` (e.g., `658ec077`) | Specific commit for traceability | Immutable |
| Tag | Purpose | Stability |
| -------------------------- | ---------------------------------- | --------- |
| `latest` | Current build from `main` | Latest |
| `v*` (e.g., `v1.0.0`) | Versioned release | Immutable |
| `{sha}` (e.g., `658ec077`) | Specific commit for traceability | Immutable |
## Retention Policy Configuration
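Review bot: in the Tag Meanings table the Stability cell for `latest` changed from `Stable` to `Latest`, which is a tag name rather than a stability statement; since `latest` now moves with every push to `main`, a value such as `Moving` (contrasting with `Immutable` for `v*` and `{sha}`) tells readers what they actually need to know when choosing a tag for a deployment.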