Handbook - Operations

Release Artifact Verification

Verify CloudGrid release manifests, signatures, checksums, SBOMs, scan reports, image digests, and binary archives before deployment.


Verify release artifacts before running local Compose or installing the Helm chart. A CloudGrid release is one coherent artifact set produced by the release workflow; do not mix files from different versions.

Release Artifact Set

The release workflow publishes these artifacts:

| Artifact | Purpose |
|---|---|
| release-manifest.json | Version, commit SHA, image names, immutable tags, image digests, SBOM names, scan report names, chart path, compose path, and binary checksum path. |
| cloudgrid-<version>.tgz | Helm chart package. |
| release-values.yaml | Digest-pinned image values generated from the release manifest. |
| checksums.txt and checksums.txt.sig | Signed checksums for chart, manifest, Compose files, and binary archives. |
| cloudgrid-chart.spdx.json | Helm chart SBOM. |
| cloudgrid.compose.yaml | Local release Compose stack. |
| cloudgrid.env.example | Local release Compose environment example. |
| cloudgrid-local.sh | Local release wrapper. |
| <image>.spdx.json | Image SBOM for each service image. |
| <image>.grype.sarif | Image vulnerability scan report for each service image. |
| <service>_<version>_<os>_<arch>.zip | Convenience binary archive for each Go service target, such as cloudgrid-storage-read_v1.0.0-beta_linux_amd64.zip. |

Images are published to ghcr.io/cloudgrid-dev/<image> with immutable release tags such as v1.0.0-beta and commit tags such as sha-<shortsha>. Production deployment should use image digests, not mutable tags.

1. Verify Checksums

Download the release assets for one version into a clean directory, then run:

sha256sum --check checksums.txt

The checksum file covers release archives and generated release files. If a checksum fails, stop and replace the local artifact set.

2. Verify Signed Checksum Files

CloudGrid signs checksum blobs with cosign sign-blob in the release workflow. Verify the signature against the trust root the workflow used; a signature checked without one proves nothing, and cosign 2.x rejects a verify-blob call that supplies neither a key, a certificate nor a bundle:

cosign verify-blob \
  --signature checksums.txt.sig \
  checksums.txt

For key-based signing add --key with the published release public key; for keyless signing add the signing certificate together with --certificate-identity and --certificate-oidc-issuer pinned to the release workflow's identity. Use the binary checksum file and its signature in the same way when verifying binary archive checksums.

3. Inspect The Release Manifest

Use the manifest as the deployment source of truth:

jq '.version, .commit, (.images[] | {image, versionTag, commitTag, digest, sbom, scan})' release-manifest.json

Confirm:

  • the version matches the intended release;
  • the commit matches the approved release commit;
  • every service image has a digest;
  • every image lists an SBOM and vulnerability scan report;
  • release-values.yaml was generated from the same manifest.

4. Verify Image Signatures And Provenance

Verify each service image by digest, using the same trust root as in step 2 (a key, or the certificate identity and issuer for keyless signing); never verify a tag reference, because a tag can be moved after signing while a digest cannot:

cosign verify ghcr.io/cloudgrid-dev/cloudgrid-bff@sha256:<digest>

Repeat for:

  • cloudgrid-bff
  • cloudgrid-otlp-collector
  • cloudgrid-storage-read
  • cloudgrid-storage-write
  • cloudgrid-control-plane
  • cloudgrid-ai-eval-runner
  • cloudgrid-alert-evaluator
  • cloudgrid-storage-maintenance

The workflow also publishes provenance attestations for image digests. Keep the signature and attestation verification output with your deployment record.

5. Review SBOMs And Scan Reports

Review these files before promotion:

cloudgrid-bff.spdx.json
cloudgrid-bff.grype.sarif
cloudgrid-chart.spdx.json

Repeat for every service image. The release workflow fails on critical runtime-layer vulnerabilities unless a time-bounded exception is recorded in the release manifest with package, CVE, affected image, justification, owner, and expiry.

6. Verify Helm Chart Values

Open release-values.yaml and confirm that each service uses an image digest:

bff:
  image:
    repository: cloudgrid-bff
    digest: sha256:<digest>

Do not deploy production values that use latest or any other mutable tag. Human-readable release tags are acceptable in notes and local examples, but production rollout values should pin digests.

7. Verify Local Compose Files

For local evaluation releases:

sha256sum --check checksums.txt
./cloudgrid-local.sh pull

Local Compose is not a production deployment path. It runs with local auth and local defaults and must not be exposed to untrusted networks.
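Steps 3 and 6 both ask you to confirm that release-values.yaml came from the same manifest and pins digests rather than tags. The following Python, an added example and not CloudGrid's own tooling, automates that cross-check on constructed sample data; it assumes the manifest image entries carry the fields named in the jq query above, that every top-level key in release-values.yaml is a service block holding an image map, and that each manifest image name ends in the values file's repository name.

```python
import re
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
GOOD, BAD = "sha256:" + "a" * 64, "sha256:" + "b" * 64   # constructed digests, not real ones
# Constructed sample inputs; field names follow the handbook's jq query and values snippet, the
# rest is assumed. In practice json.load() the manifest and yaml.safe_load() the values file.
MANIFEST = {"version": "v1.0.0-beta", "commit": "<commit-sha>", "images": [
    {"image": "ghcr.io/cloudgrid-dev/cloudgrid-bff", "digest": GOOD,
     "sbom": "cloudgrid-bff.spdx.json", "scan": "cloudgrid-bff.grype.sarif"},
    {"image": "ghcr.io/cloudgrid-dev/cloudgrid-storage-read", "digest": GOOD,
     "sbom": "cloudgrid-storage-read.spdx.json", "scan": ""}]}   # no scan report listed
VALUES_YAML = f"""bff:
  image:
    repository: cloudgrid-bff
    digest: {GOOD}
storageRead:
  image:
    repository: cloudgrid-storage-read
    tag: latest
    digest: {BAD}
"""

def parse_simple_yaml(text):
    """Parse the 'key:' / 'key: value' indentation subset that release-values.yaml uses."""
    stack = [(-1, {})]                       # (indent, mapping) path from the root
    for raw in filter(str.strip, text.splitlines()):
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack[-1][0] >= indent:
            stack.pop()
        node = stack[-1][1][key] = value.strip() or {}
        if not value.strip():
            stack.append((indent, node))
    return stack[0][1]

def check_release(manifest, values):
    """Return findings; an empty list means values are digest-pinned and agree with the manifest."""
    findings, manifest_digests = [], {}
    for img in manifest["images"]:
        name = img["image"].rsplit("/", 1)[-1]   # tolerate a registry prefix on the image name
        manifest_digests[name] = img.get("digest") or ""
        if not DIGEST_RE.match(manifest_digests[name]):
            findings.append(f"{name}: manifest digest missing or malformed")
        findings += [f"{name}: manifest lists no {f}" for f in ("sbom", "scan") if not img.get(f)]
    for service, cfg in values.items():
        image = cfg.get("image", {})
        repo, digest = image.get("repository"), image.get("digest") or ""
        if "tag" in image:
            findings.append(f"{service}: values use tag {image['tag']}; production must pin a digest")
        if not DIGEST_RE.match(digest) or manifest_digests.get(repo) != digest:
            findings.append(f"{service}: values digest missing, malformed or not the manifest digest for {repo}")
    return findings
```

Run against the real files only after steps 1 and 2 have passed, so that the manifest you compare against is itself checksum-verified and signed.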

Promotion Record

For every promoted environment, record:

  • CloudGrid version and commit SHA;
  • Helm chart version;
  • release-manifest.json;
  • release-values.yaml or mirrored equivalent;
  • image digests actually deployed;
  • SBOM and scan report review outcome;
  • production benchmark JSON result used for readiness.

Next Step

After verification, use Enterprise Helm install or Private registry and air-gapped installs.
