# Graph Indexer Release/Offline Bundle Plan (DEVOPS-GRAPH-INDEX-28-010-REL)

## Goals

- Publish signed Helm/Compose bundles for Graph Indexer with offline parity.
- Provide SBOM + attestations for images/charts and reproducible artefacts for air-gap kits.

## Artefacts

- Helm chart + values overrides (offline/airgap).
- Docker/OCI images (indexer, api) pinned by digest.
- SBOMs (SPDX JSON) for images and chart.
- Cosign attestations for images and chart tarball.
- Offline bundle: tarball containing images (oras layout), charts, values, SBOMs, attestations, and `SHA256SUMS`.

## Pipeline outline

1) **Build** images (indexer + api) with SBOM generation (`syft`), tag and record digests.
2) **Sign** images with cosign key (KMS for online; file key for offline bundle) and produce attestations.
3) **Chart package**: render chart, package to `.tgz`, generate SBOM for chart, sign with cosign.
4) **Compose export**: render Compose file with pinned digests and non-root users.
5) **Bundle**: assemble offline tarball:
   - `images/` oras layout with signed images
   - `charts/graph-indexer.tgz` + signature
   - `compose/graph-indexer.yml` (pinned digests)
   - `sboms/` for images + chart
   - `attestations/` (cosign bundles)
   - `SHA256SUMS` and `SHA256SUMS.sig`
6) **Verify step**: pipeline stage runs `cosign verify`, `sha256sum --check`, and `helm template` smoke render with airgap values.
7) **Publish**: upload to artefact store + offline kit; write manifest with hashes/versions.

## Security/hardening

- Non-root images, read-only rootfs, drop NET_RAW, seccomp default.
- Telemetry disabled; no registry pulls at runtime.
- mTLS between indexer and dependencies (documented values).

## Evidence to capture

- Image digests, SBOM hashes, cosign verification logs.
- Bundle `SHA256SUMS` and signed manifest.
- Helm/Compose render outputs (short).

## Owners

- DevOps Guild (build/pipeline)
- Graph Indexer Guild (chart/values)
- Platform Security (signing policy)