Only push tags from hardening manifest to ironbank-staging on development
Currently build-run.sh pushes all the tags listed in the hardening manifest to the ironbank-staging. This is bad because whenever master, development and feature branches run a pipeline, they will clobber each other's tags.
However the pipeline itself only actually uses the ci-* tags (Twistlock scanning) or the digest, not these tags.
One of the current use cases of these tags is STAGING_BASE_IMAGE, I think, but that use case could easily use the ci-* tags instead.
The new use case is we want to enable P1 internal teams (PB and BB) to test IB images prior to approval by granting them read access to ironbank-staging. We need to ensure these tags are not clobbered by different branches. I think pushing them on development is appropriate to support this.