git.stella-ops.org/devops/services/graph-indexer/release-plan.md
2025-12-26 18:11:06 +02:00

Graph Indexer Release/Offline Bundle Plan (DEVOPS-GRAPH-INDEX-28-010-REL)

Goals

  • Publish signed Helm/Compose bundles for Graph Indexer with offline parity.
  • Provide SBOM + attestations for images/charts and reproducible artefacts for air-gap kits.

Artefacts

  • Helm chart + values overrides (offline/airgap).
  • Docker/OCI images (indexer, api) pinned by digest.
  • SBOMs (SPDX JSON) for images and chart.
  • Cosign attestations for images and chart tarball.
  • Offline bundle: tarball containing images (oras layout), charts, values, SBOMs, attestations, and SHA256SUMS.

Pipeline outline

  1. Build images (indexer + api) with SBOM generation (syft), tag and record digests.
  2. Sign images with cosign key (KMS for online; file key for offline bundle) and produce attestations.
  3. Chart package: render chart, package to .tgz, generate SBOM for chart, sign with cosign.
  4. Compose export: render Compose file with pinned digests and non-root users.
  5. Bundle: assemble offline tarball:
    • images/ (oras OCI image layout) with signed images
    • charts/graph-indexer.tgz + signature
    • compose/graph-indexer.yml (pinned digests)
    • sboms/ for images + chart
    • attestations/ (cosign bundles)
    • SHA256SUMS and SHA256SUMS.sig
  6. Verify step: pipeline stage runs cosign verify on images, chart and SHA256SUMS.sig, sha256sum --check against SHA256SUMS, and a helm template smoke render with the airgap values.
  7. Publish: upload to artefact store + offline kit; write manifest with hashes/versions.
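The bundle and verify steps above (5 to 7) turn on one invariant: every artefact that ships in the tarball is listed in SHA256SUMS, and nothing ships that is not listed. The example below is added here and is not the pipeline's own code; it writes SHA256SUMS in coreutils format over a constructed bundle layout (placeholder bytes, not real charts or SBOMs), checks it with the same strictness as `sha256sum --check`, and additionally flags files present on disk but absent from the sums list, which `sha256sum --check` alone does not report. Signature verification (cosign) and image digests are outside this block; the digests passed to the manifest writer are placeholders.

```python
"""Offline bundle sums + manifest gate (added example, not the project's code)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample bundle content; placeholders standing in for real artefacts.
SAMPLE_BUNDLE = {
    "charts/graph-indexer.tgz": b"placeholder chart tarball",
    "compose/graph-indexer.yml": b"services: {}\n",
    "sboms/indexer.spdx.json": b'{"spdxVersion": "SPDX-2.3"}',
    "attestations/indexer.bundle": b"{}",
}
# Files that are not covered by SHA256SUMS (the sums file and its signature).
SUMS_FILES = {"SHA256SUMS", "SHA256SUMS.sig"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def bundle_files(root: Path) -> list:
    """Relative POSIX paths of every payload file under the bundle root."""
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and p.name not in SUMS_FILES)


def write_bundle(root: Path, files=SAMPLE_BUNDLE) -> None:
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)


def write_sha256sums(root: Path) -> Path:
    """Emit SHA256SUMS in coreutils format: '<hex>  <relative path>' per line."""
    out = root / "SHA256SUMS"
    out.write_text("".join(f"{sha256_file(root / rel)}  {rel}\n" for rel in bundle_files(root)))
    return out


def verify_bundle(root: Path) -> dict:
    """Check SHA256SUMS against the tree; report tampered, missing and unlisted files."""
    expected = {}
    for line in (root / "SHA256SUMS").read_text().splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            expected[rel.lstrip("*")] = digest  # '*' marks binary mode in coreutils
    mismatched = [r for r, d in expected.items() if (root / r).is_file() and sha256_file(root / r) != d]
    missing = [r for r in expected if not (root / r).is_file()]
    unlisted = sorted(set(bundle_files(root)) - set(expected))
    return {"ok": not (mismatched or missing or unlisted),
            "mismatched": mismatched, "missing": missing, "unlisted": unlisted}


def write_manifest(root: Path, out: Path, version: str, image_digests: dict) -> dict:
    """Step 7 manifest: versions plus hashes, written outside the bundle so the
    sums stay authoritative. image_digests come from the build step (placeholders here)."""
    sums_text = (root / "SHA256SUMS").read_text()
    manifest = {
        "bundle": "graph-indexer",
        "version": version,
        "images": image_digests,
        "sha256sums_digest": sha256_file(root / "SHA256SUMS"),
        "files": {rel: digest for digest, rel in
                  (l.split("  ", 1) for l in sums_text.splitlines() if l.strip())},
    }
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def demo() -> dict:
    """Run the gate on a clean bundle, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "graph-indexer-offline"
        write_bundle(root)
        write_sha256sums(root)
        clean = verify_bundle(root)
        manifest = write_manifest(root, Path(tmp) / "manifest.json",
                                  "0.0.0-placeholder", {"indexer": "sha256:<PLACEHOLDER>"})
        # Simulate a modified file, a dropped attestation and a stray file after signing.
        (root / "compose/graph-indexer.yml").write_bytes(b"services: {changed: {}}\n")
        (root / "attestations/indexer.bundle").unlink()
        (root / "sboms/extra.json").write_bytes(b"{}")
        tampered = verify_bundle(root)
        return {"clean": clean, "tampered": tampered, "manifest": manifest}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "unlisted" check is the one worth keeping in the real pipeline stage: a signed SHA256SUMS proves the listed files, but a file added to the tarball after signing is invisible to `sha256sum --check` unless the gate also walks the tree.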

Security/hardening

  • Non-root images, read-only rootfs, drop NET_RAW, seccomp default.
  • Telemetry disabled; no registry pulls at runtime.
  • mTLS between indexer and dependencies (documented values).
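The Compose export in step 4 and the hardening list above map onto a handful of service keys. The fragment below is an added example, not the project's rendered compose/graph-indexer.yml; the image reference, uid, paths and environment variable names are placeholders, and each comment names the weaker setting the hardened line replaces.

```yaml
# Added example (not the project's own Compose file); all names are placeholders.
services:
  indexer:
    # Weak: a mutable tag such as ":latest". Hardened: pinned by digest.
    image: registry.example/graph-indexer/indexer@sha256:<IMAGE_DIGEST_PLACEHOLDER>
    # No registry pulls at runtime: the image must already be loaded from the offline bundle.
    pull_policy: never
    # Weak: default root user. Hardened: non-root uid:gid present in the image.
    user: "10001:10001"
    # Weak: writable rootfs. Hardened: read-only rootfs with tmpfs for scratch space.
    read_only: true
    tmpfs:
      - /tmp:size=64m,noexec,nosuid
    # Weak: default capability set (includes NET_RAW). Hardened: drop everything.
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
      # Do not add "seccomp:unconfined"; the daemon's default seccomp profile stays in effect.
    environment:
      GRAPH_INDEXER_TELEMETRY_ENABLED: "false"     # placeholder name for the telemetry switch
      GRAPH_INDEXER_TLS_CERT: /etc/indexer/tls/tls.crt   # mTLS client cert (placeholder name)
      GRAPH_INDEXER_TLS_KEY: /etc/indexer/tls/tls.key
      GRAPH_INDEXER_TLS_CA: /etc/indexer/tls/ca.crt
    volumes:
      - ./tls:/etc/indexer/tls:ro                  # certificates mounted read-only
    networks:
      - backend

networks:
  backend:
    internal: true   # no route to the outside; dependencies are reached over mTLS on this network
```

Treat the `pull_policy: never` line as the runtime counterpart of the verify stage: if the digest in the bundle does not match what is loaded, Compose fails to start the service rather than silently fetching something else.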

Evidence to capture

  • Image digests, SBOM hashes, cosign verification logs.
  • Bundle SHA256SUMS and signed manifest.
  • Helm/Compose render outputs (short).

Owners

  • DevOps Guild (build/pipeline)
  • Graph Indexer Guild (chart/values)
  • Platform Security (signing policy)