# giantswarm/architect

Tools for interactions with Giant Swarm app catalogs and registries. Full orb source
code: https://github.com/giantswarm/architect-orb.


## Commands

### changelog-lint

### cosign-sign-verify

| Parameter | Type | Default | Description |
|---|---|---|---|
| `kind` | enum | oci | Which cosign subcommand pair to invoke.
`oci`    → `cosign sign` / `cosign verify` on OCI references.
`blob`   → `cosign sign-blob --bundle` / `cosign verify-blob --bundle` on files.
`attest` → `cosign attest --predicate --type` / `cosign verify-attestation --type`
           on OCI references (signed SBOM / in-toto attestations).
 |
| `refs_file` | string | /tmp/.cosign_refs | Path to a file containing one entry per line. See the command header for the
per-kind format. Defaults to `/tmp/.cosign_refs` for `oci`;
`/tmp/.cosign_blobs` (blob) and `/tmp/.cosign_attest` (attest) are the
conventional choices for the other kinds (set explicitly).
 |

### determine-catalog-name

| Parameter | Type | Default | Description |
|---|---|---|---|
| `app_catalog` | string |  |  |
| `app_catalog_test` | string |  |  |
| `on_tag` | boolean | true | When this is `false`, commits to `master` will be pushed to `app_catalog` instead of `app_catalog_test`.
Set this to `false` for deployments that follow a master branch for production releases rather than
using tags (the default).
 |

### generate-github-token

| Parameter | Type | Default | Description |
|---|---|---|---|
| `app_id_env_var` | string | CIRCLECI_ARCHITECT_GITHUB_APP_APP_ID |  |
| `installation_id_env_var` | string | CIRCLECI_ARCHITECT_GITHUB_APP_INSTALLATION_ID |  |
| `private_key_base64_env_var` | string | CIRCLECI_ARCHITECT_GITHUB_APP_PRIVATE_KEY_B64 |  |
| `token-env-var` | string |  | Name of an environment variable holding a pre-minted GitHub token. When
the named variable is non-empty at runtime, it is exported as GITHUB_TOKEN
and App token generation is skipped. Falls back to the GitHub App when
the variable is absent or empty.
 |

### gitleaks

| Parameter | Type | Default | Description |
|---|---|---|---|
| `config` | string |  | (Optional) Path to a config file to use for gitleaks configuration. |

### go-build

| Parameter | Type | Default | Description |
|---|---|---|---|
| `architectures` | string | linux/amd64,linux/arm64 | Comma-separated list of target architectures to build in this job (e.g.,
"linux/amd64,linux/arm64"). The resolved list is written to `.platforms` in the
workspace for downstream auto-discovery in `push-to-registries`.
 |
| `binary` | string |  |  |
| `build_concurrency` | string | 1 | Maximum number of architectures to compile concurrently. "1" builds
sequentially (the default; no extra CPU/RAM pressure on a `medium`
executor). "auto" uses the number of available CPUs. Raise it alongside
`resource_class` (roughly to the vCPU count) when building three or more
architectures: each concurrent `go build` can occupy ~1 vCPU and a
significant amount of RAM, so an under-provisioned executor will thrash
or OOM.
 |
| `path` | string | . | The path where the Go package to build is located.
 |
| `pre_test_target` | string |  | Executes the requested Makefile target before lints and tests. Helpful to generate code in advance.
 |
| `sign` | boolean | true | Sign each produced binary with cosign keyless OIDC, emitting a sibling
`<binary>-<GOOS>-<GOARCH>.bundle` file (Sigstore bundle). Public repos only —
private repos are skipped at runtime to avoid leaking artifacts/timestamps into
the public Rekor transparency log.
 |
| `tags` | string |  |  |
| `test_target` | string |  | Executes the requested Makefile target.
 |
| `trimpath` | boolean | true | Pass `-trimpath` to `go build`. Strips absolute file paths from the produced
binary (DWARF debug info, `runtime.Caller`, panic stack traces, embedded build
info), so builds are reproducible across hosts and the build-host directory
layout doesn't ride along in the binary. Matches `goreleaser`'s default and
standard Go release practice (Kubernetes, kubectl, controller-runtime, …).
Set to `false` if a debugger needs the embedded build path to resolve sources.
 |

### go-cache-restore

### go-cache-save

### go-test

| Parameter | Type | Default | Description |
|---|---|---|---|
| `path` | string | . | The path where the Go package to test is located.
 |
| `pre_test_target` | string |  | Executes the requested Makefile target before lints and tests. Helpful to generate code in advance.
 |
| `test_target` | string |  | Executes the requested Makefile target.
 |

### image-build-and-push

| Parameter | Type | Default | Description |
|---|---|---|---|
| `annotations` | string |  | Newline-separated OCI annotations passed to 'docker buildx build --annotation'.
Each line uses the buildx format '[type:]key=value'. For multi-arch builds:
  manifest:key=value            - annotates each platform manifest
  index:key=value               - annotates the manifest list (OCI index)
  manifest-descriptor:key=value - annotates descriptors in the index
  key=value (no prefix)         - defaults to index for multi-platform builds
 |
| `build-context` | string | . |  |
| `dockerfile` | string | ./Dockerfile |  |
| `force-public` | boolean | false |  |
| `image` | string |  |  |
| `oci-labels` | boolean | true | Emit standard OCI image labels and matching index annotations
(org.opencontainers.image.{source,revision,version,created}) derived from the
CircleCI build context.
 |
| `platforms` | string |  | Comma-separated list of platforms for multi-arch image build (e.g.,
'linux/amd64,linux/arm64'). When empty, the list is auto-derived from the `.platforms`
file written by `go-build` to the workspace. Falls back to 'linux/amd64,linux/arm64'
if neither is available.
 |
| `provenance` | enum | min | Buildx SLSA provenance attestation mode.
- "min" (default): minimal provenance, attached as inline attestation manifest.
- "max": rich provenance with full BuildKit args / source provenance.
- "false": disable provenance attestation entirely (cleaner manifest list).
 |
| `push` | boolean | true | Push the built image to the configured registries (default). Set to false to only
validate that the image builds for every target platform: the result stays in the
BuildKit cache (multi-platform images cannot be loaded into the docker image store),
no registry credentials are needed, and signing / provenance / SBOM generation are
skipped — those only make sense on a published image.
 |
| `registries-data` | string |  | A string that defines configuration for registries
Each line describes one registry using the following format
visibility registry username_envvar password_envvar push_dev_image
 |
| `sbom` | boolean | true | Generate and attach a Software Bill of Materials (SPDX) attestation per platform.
On public images, when `sign` is true, the exact SPDX predicate buildx produced is
additionally signed as a cosign keyless attestation (`--type spdxjson`) so consumers
can cryptographically verify its origin (see `sign`).
 |
| `sbom-cyclonedx` | boolean | false | Additionally generate a CycloneDX SBOM per architecture (with syft). BuildKit's
`--attest type=sbom` only emits SPDX, so CycloneDX is produced out-of-band.
- Public images with `sign: true`: the SBOM is signed as a cosign keyless
  attestation (`--type cyclonedx`) — a verifiable, trustable referrer.
- Otherwise (private images, or `sign: false`): the SBOM is attached unsigned as an
  OCI referrer (artifactType `application/vnd.cyclonedx+json`) using oras, since
  signing private artifacts would leak their digests/timestamps into the public
  Rekor transparency log.
Requires syft and oras in the architect image.
 |
| `sign` | boolean | true | Sign the pushed image manifest — and its SPDX / CycloneDX SBOM attestations — with
cosign keyless OIDC. Public images only — private images are skipped at runtime to
avoid leaking digests/timestamps into the public Rekor transparency log. Mints a
fresh CircleCI OIDC token with audience=sigstore via `circleci run oidc get` so
Fulcio's federation accepts it.
 |
| `split-china-push` | boolean | false | Use self-hosted CircleCI runner in China for pushing image to Aliyun. |
| `tag-latest-branch` | string |  |  |
| `tag-suffix` | string |  |  |

### image-login-to-registries

| Parameter | Type | Default | Description |
|---|---|---|---|
| `client` | enum | docker | Registry client to login to registries with |
| `registries-data` | string |  | A string that defines configuration for registries
Each line describes one registry using the following format

visibility registry username_envvar password_envvar push_dev_image

where

access is one of ("public" "private" "public/private")
registry is a string containing registry url
username_envvar is a string containing the name of an env var with a username
password_envvar is a string containing the name of an env var with a password
push_dev is boolean, when true, dev images are uploaded to registries
 |

### image-prepare-tag

| Parameter | Type | Default | Description |
|---|---|---|---|
| `tag-suffix` | string |  |  |

### integration-test-create-cluster

| Parameter | Type | Default | Description |
|---|---|---|---|
| `kind-config` | string |  |  |
| `kubernetes-version` | string |  |  |

### integration-test-export-logs

### integration-test-go-test

| Parameter | Type | Default | Description |
|---|---|---|---|
| `env-file` | string |  |  |
| `test-dir` | string |  |  |
| `test-timeout` | string |  |  |

### integration-test-install-app-platform

| Parameter | Type | Default | Description |
|---|---|---|---|
| `install-app-platform` | boolean |  |  |

### integration-test-install-tools

| Parameter | Type | Default | Description |
|---|---|---|---|
| `apptestctl-version` | string |  |  |
| `helm-version` | string |  |  |
| `kubernetes-version` | string |  |  |

### integration-test-setup

| Parameter | Type | Default | Description |
|---|---|---|---|
| `setup-script` | string |  |  |

### machine-install-go

| Parameter | Type | Default | Description |
|---|---|---|---|
| `archive_sha` | string | 1241381b2843fae5a9707eec1f8fb2ef94d827990582c7c7c32f5bdfbfd420c8 |  |
| `go_version` | string | 1.21.3 |  |

### package-helm-with-abs

| Parameter | Type | Default | Description |
|---|---|---|---|
| `chart` | string |  | Name of the chart inside helm directory to build. |
| `override_app_version` | boolean | true | When `true`, passes `--override-app-version <version>` to App Build Suite,
stamping the app version with the value computed by `gitsemver` (or read
from the `.build_version` workspace file).  Set to `false` to leave the
appVersion declared in `Chart.yaml` unchanged.
 |
| `override_chart_version` | boolean | true | When `true`, passes `--override-chart-version <version>` to App Build Suite,
stamping the chart version with the value computed by `gitsemver` (or read
from the `.build_version` workspace file).  Set to `false` to leave the
version declared in `Chart.yaml` unchanged.
 |

### prepare-catalogbot-git-ssh

### push-helm

| Parameter | Type | Default | Description |
|---|---|---|---|
| `chart` | string |  |  |
| `force-public` | boolean | false |  |
| `push_to_appcatalog` | boolean | true |  |
| `push_to_oci_registry` | boolean | true |  |
| `sign` | boolean | true | Sign the pushed Helm chart with cosign keyless OIDC. Public charts only —
private charts are skipped at runtime to avoid leaking digests/timestamps
into the public Rekor transparency log. Mints a fresh CircleCI OIDC token
with audience=sigstore via `circleci run oidc get`.
 |

### run-kyverno

| Parameter | Type | Default | Description |
|---|---|---|---|
| `kyverno-policies_version` | string |  | Version of Kyverno policies to use |
| `kyverno_version` | string |  | Version of Kyverno CLI to use |
| `yq_version` | string | 4.53.3 | Version of yq to use |

### run-tests-with-ats

| Parameter | Type | Default | Description |
|---|---|---|---|
| `additional_app-test-suite_flags` | string |  | Additional app-test-suite flags to use |
| `app-test-suite_container_tag` | string |  | Container tag of app-test-suite to use (check gsoci.azurecr.io/giantswarm/app-test-suite) |
| `app-test-suite_version` | string |  | Version of app-test-suite dats.sh container wrapper to use (git tag or commit) |
| `chart_archive_prefix` | string |  | Prefix for the chart archive file to execute tests for. |

### tools-info

| Parameter | Type | Default | Description |
|---|---|---|---|
| `show_abs_version` | boolean | false |  |
| `show_architect_version` | boolean | true |  |
| `show_bash_version` | boolean | true |  |
| `show_git_version` | boolean | true |  |
| `show_gitsemver_version` | boolean | true |  |
| `show_go_version` | boolean | true |  |
| `show_helm_version` | boolean | true |  |

## Jobs

### changelog-lint

Checks whether the CHANGELOG.md file follows the format described at
https://keepachangelog.com/en/1.0.0/.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `resource_class` | enum | small | Configures the amount of CPU and RAM for the job. See
https://circleci.com/docs/2.0/configuration-reference/#docker-executor
for details.
 |

### gitleaks

Runs the gitleaks tool to search for secrets contained in commits since the last revision.

| Parameter | Type | Default | Description |
|---|---|---|---|
| `config` | string |  | (Optional) Path to a config file to use for gitleaks configuration. |
| `resource_class` | enum | small | Configures the amount of CPU and RAM for the job. See
https://circleci.com/docs/2.0/configuration-reference/#docker-executor
for details.
 |

### go-build

It does everything that the go-test
(https://circleci.com/orbs/registry/orb/giantswarm/architect#jobs-go-test)
job does and additionally runs `go build` against the codebase. It injects
all the variables the go-test job does into the produced binary.

The job produces static binaries named `<binary>-<GOOS>-<GOARCH>` for each
entry in `architectures`, persists them to the workspace, and writes the
resolved architecture list to `.platforms` so downstream `push-to-registries`
can auto-derive `--platform`.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `architectures` | string | linux/amd64,linux/arm64 | Comma-separated list of target architectures to build (e.g.,
"linux/amd64,linux/arm64"). The resolved list is written to `.platforms` in
the workspace for downstream auto-discovery in `push-to-registries`.
 |
| `binary` | string |  | Name of the binary produced by the job. It is also persisted to the workspace. |
| `build_concurrency` | string | 1 | Maximum number of architectures to compile concurrently. "1" builds
sequentially (the default). "auto" uses the number of available CPUs.
Raise it alongside `resource_class` (roughly to the vCPU count) when
building three or more architectures. CircleCI Docker credit rates scale
with the resource class (medium 10/min, large 20/min, xlarge 40/min), so a
larger class that finishes proportionally faster is often cheaper as well
as quicker: a 10-minute `medium` build (100 credits) that drops to 4
minutes on `large` costs 80 credits.
 |
| `clone_depth` | integer | 1 | Number of commits to include in the local git history after checkout.
Use `0` for unlimited depth (unshallow). Values greater than `1` deepen
the history to that many commits. The default of `1` preserves the
current behaviour of CircleCI's built-in `checkout` step. Use `0` when
build steps (e.g. `go generate`) rely on `git log` / `git rev-list` to
find the last commit that touched a specific file.
 |
| `path` | string | . | The path where the Go package to build is located.
 |
| `pre_test_target` | string |  | Executes the requested Makefile target before lints and tests. Helpful to generate code in advance.
 |
| `resource_class` | enum | medium | Configures the amount of CPU and RAM for the job. See
https://circleci.com/docs/2.0/configuration-reference/#docker-executor
for details.
 |
| `sign` | boolean | true | Sign each produced binary with cosign keyless OIDC, persisting a sibling
`<binary>-<GOOS>-<GOARCH>.bundle` file (Sigstore bundle). Public repos only —
private repos are skipped at runtime to avoid leaking artifacts into the
public Rekor transparency log.
 |
| `tags` | string |  | Additional tags to include in -tags flag of go build.
 |
| `test_target` | string |  | Executes the requested Makefile target.
 |
| `trimpath` | boolean | true | Pass `-trimpath` to `go build`. Strips absolute file paths from the produced
binary so builds are reproducible across hosts and don't leak the build-host
directory layout. Set to `false` if a debugger needs the embedded build path
to resolve sources.
 |

### go-test

Checks whether the code is formatted by `go fmt`, then runs `go vet` and `go
test`. It also injects the following variables into the
"github.com/ORGANIZATION/REPOSITORY/pkg/project" package for testing:

- "buildTimestamp" in RFC-3339 format in UTC time zone.
- "gitSHA" SHA of the built commit.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `path` | string | . | The path where the Go package to test is located.
 |
| `pre_test_target` | string |  | Executes the requested Makefile target before lints and tests. Helpful to generate code in advance.
 |
| `resource_class` | enum | medium | Configures the amount of CPU and RAM for the job. See
https://circleci.com/docs/2.0/configuration-reference/#docker-executor
for details.
 |
| `test_target` | string |  | Executes the requested Makefile target.
 |

### integration-test

Runs an integration test by creating a KIND cluster and executing it as a Go
test.

Uses the machine executor and replaces the Go version with a version
controlled by us since the preinstalled Go is very outdated.

See [docs](docs/integration_test.md) for more details.


| Parameter | Type | Default | Description |
|---|---|---|---|
| `apptestctl-version` | string | v0.25.1 | apptestctl version for bootstrapping app platform. |
| `env-file` | string |  | File of environment variables to set. |
| `helm-version` | string | v3.21.2 | Helm version to install. |
| `install-app-platform` | boolean | false | When true the apptestctl bootstrap command is used to add support for
installing components in tests via app CRs.
 |
| `kind-config` | string |  | Path to kind config file. |
| `kubernetes-version` | string | v1.36.1 | Kubernetes version for kind cluster. |
| `resource_class` | enum | medium | Configures the amount of CPU and RAM for the job. See
https://circleci.com/docs/2.0/configuration-reference/#machine-executor-linux
for details.
 |
| `setup-script` | string |  | Path to setup script with commands to execute before each test. |
| `test-dir` | string |  | Tested package directory. |
| `test-timeout` | string | 20m | If a test runs longer than this, it will panic. |

### push-to-app-catalog

| Parameter | Type | Default | Description |
|---|---|---|---|
| `app_catalog` | string |  | Name of the GitHub repository inside the giantswarm organization hosting the App Catalog for tagged builds. |
| `app_catalog_test` | string |  | Name of the GitHub repository inside the giantswarm organization hosting the App Catalog for test builds. |
| `attach_workspace` | boolean | false | If true, the previously persisted workspace will be attached after checkout. |
| `chart` | string |  | Name of the chart inside helm directory to push to the App Catalog. |
| `ct_config` | string |  | Chart Testing Config file path |
| `executor` | enum | app-build-suite | Kept for backwards compatibility. Only `app-build-suite` is accepted.
Will be removed in a future version.
 |
| `explicit_allow_chart_name_mismatch` | boolean | false | If 'explicit_allow_chart_name_mismatch' is set to true, the name of the chart can be anything.
Otherwise the name set in the 'chart' parameter must start with the repository name and optionally continue with '-app'.
 |
| `force-public` | boolean | false | Skip the repo visibility check and push the chart to the public registry |
| `on_tag` | boolean | true | When this is `false`, commits to `master` will be pushed to `app_catalog` instead of `app_catalog_test`.
Set this to `false` for deployments that follow a master branch for production releases rather than
using tags (the default).
 |
| `override_app_version` | boolean | true | When `true` (the default), passes `--override-app-version` to App Build Suite,
stamping the app version with the value from `gitsemver` (or `.build_version`
workspace file).  Set to `false` to leave the appVersion in `Chart.yaml` unchanged.
 |
| `override_chart_version` | boolean | true | When `true` (the default), passes `--override-chart-version` to App Build Suite,
stamping the chart version with the value from `gitsemver` (or `.build_version`
workspace file).  Set to `false` to leave the version in `Chart.yaml` unchanged.
 |
| `persist_chart_archive` | boolean | false | When this is `true`, the packaged chart archive will be persisted to the workspace.
Set this to `true` if you're planning to execute tests using app-test-suite.
 |
| `push_to_appcatalog` | boolean | true | Push the chart to App Catalog git repository if this is `true`.
 |
| `push_to_oci_registry` | boolean | true | Push the chart to OCI registry if this is `true`.
 |
| `resource_class` | enum | small | Configures the amount of CPU and RAM for the job. See
https://circleci.com/docs/2.0/configuration-reference/#docker-executor
for details.
 |
| `sign` | boolean | true | Sign the published Helm chart with cosign keyless OIDC. Public charts only —
private charts are skipped at runtime to avoid leaking digests/timestamps
into the public Rekor transparency log. Requires `CIRCLE_OIDC_TOKEN_V2` in
the job's CircleCI context (auto-injected for context-bound jobs).
 |
| `skip_conftest_deprek8ion` | boolean | false | This parameter has no effect anymore, it is kept for backwards compatibility.
Will be removed in a future version.
 |

### push-to-registries

| Parameter | Type | Default | Description |
|---|---|---|---|
| `annotations` | string |  | Newline-separated OCI annotations passed to 'docker buildx build --annotation'.
Each line uses the buildx format '[type:]key=value'. For multi-arch builds:
  manifest:key=value            - annotates each platform manifest
  index:key=value               - annotates the manifest list (OCI index)
  manifest-descriptor:key=value - annotates descriptors in the index
  key=value (no prefix)         - defaults to index for multi-platform builds
 |
| `build-context` | string | . |  |
| `dockerfile` | string | ./Dockerfile |  |
| `force-public` | boolean | false | Skip the repo visibility check and push the image to public registries |
| `git-tag-prefix` | string |  |  |
| `hadolint` | enum | warn | Lint the Dockerfile with hadolint before building.
- "warn" (default): run hadolint, print findings, never fail the job.
- "fail": run hadolint and fail the job on any finding.
- "skip": don't run hadolint at all.
 |
| `hadolint-config` | string |  | Optional path to a `.hadolint.yaml` configuration file. When empty,
hadolint uses its built-in defaults.
 |
| `image` | string | giantswarm/${CIRCLE_PROJECT_REPONAME} | Name of the container repository and image. Defaults to `giantswarm/REPO_NAME`. Must not contain the registry host name! |
| `oci-labels` | boolean | true | Emit standard OCI image labels (and matching index annotations):
org.opencontainers.image.{source,revision,version,created}.
 |
| `platforms` | string |  | Comma-separated list of platforms for the buildx build. When empty, the list is
auto-derived from the `.platforms` file written by `go-build` to the workspace.
Falls back to `linux/amd64,linux/arm64` if neither is available.
 |
| `provenance` | enum | min | Buildx SLSA provenance attestation mode: "min" (default), "max", or "false".
 |
| `push` | boolean | true | Push the built image to the configured registries (default). Set to false to only
validate that the image builds for every target platform — same Dockerfile lint,
same multi-arch buildx build (QEMU, `.platforms` auto-derivation, workspace attach),
but the result stays in the BuildKit cache. No registry credentials are used and
signing / provenance / SBOM generation are skipped. Useful on the branch/PR path of
workflows that push images only on release tags.
 |
| `registries-data` | string |  |  |
| `resource_class` | enum | small | Configures the amount of CPU and RAM for the job. See
https://circleci.com/docs/2.0/configuration-reference/#docker-executor
for details.
 |
| `sbom` | boolean | true | Generate and attach an SPDX SBOM attestation per platform. On public images with
`sign: true`, the exact SPDX predicate buildx produced is also signed as a cosign
keyless attestation (`--type spdxjson`).
 |
| `sbom-cyclonedx` | boolean | false | Additionally generate a CycloneDX SBOM per architecture (with syft). BuildKit's SBOM
attestation only emits SPDX, so CycloneDX is produced out-of-band. On public images
with `sign: true` it is signed as a cosign keyless attestation (`--type cyclonedx`);
otherwise (private images, or `sign: false`) it is attached unsigned as an OCI
referrer (with oras). Defaults to off. Requires syft and oras in the architect image.
 |
| `sign` | boolean | true | Sign the pushed image — and its SPDX / CycloneDX SBOM attestations — with cosign
keyless OIDC. Public images only — private images are skipped at runtime to avoid
leaking digests/timestamps into the public Rekor transparency log. Mints a fresh
CircleCI OIDC token with audience=sigstore via `circleci run oidc get`.
 |
| `split-china-push` | boolean | false | Use self-hosted CircleCI runner in China for pushing image to Aliyun. |
| `tag-latest-branch` | string |  | Name of the branch on which the image will be additionally tagged as "latest". |
| `tag-suffix` | string |  |  |

### run-kyverno-tests

| Parameter | Type | Default | Description |
|---|---|---|---|
| `kyverno-policies_version` | string | 0.25.0 | Version of Kyverno policies to use |
| `kyverno_version` | string | 1.18.1 | Version of Kyverno CLI to use |
| `resource_class` | enum | medium | Configures the amount of CPU and RAM for the job. See
https://circleci.com/docs/2.0/configuration-reference/#machine-executor-linux
for details.
 |

### run-tests-with-ats

| Parameter | Type | Default | Description |
|---|---|---|---|
| `additional_app-test-suite_flags` | string |  | Additional app-test-suite flags to use |
| `app-test-suite_container_tag` | string | 0.15.0 | Container tag of app-test-suite to use (check gsoci.azurecr.io/giantswarm/app-test-suite) |
| `app-test-suite_version` | string | v0.15.0 | Version of app-test-suite dats.sh container wrapper to use (git tag or commit) |
| `chart_archive_prefix` | string |  | Prefix for the chart archive file to execute tests for. |
| `resource_class` | enum | medium | Configures the amount of CPU and RAM for the job. See
https://circleci.com/docs/2.0/configuration-reference/#machine-executor-linux
for details.
 |

### sync-china-registry

| Parameter | Type | Default | Description |
|---|---|---|---|
| `image` | string | giantswarm/${CIRCLE_PROJECT_REPONAME} | Name of the container repository and image. Defaults to `giantswarm/REPO_NAME`. Must not contain the registry host name! |
| `registries-data` | string |  |  |

### upload-release-assets

Uploads previously persisted build artifacts to the GitHub Release for the
current tag. Designed to run on tagged builds only — apply a tag filter when
wiring it into a workflow.

The release itself is created by the giantswarm/automerge / create-release
GitHub Action shortly after the tag lands; this job retries `gh release upload`
for up to a minute to absorb that race.

Helm charts and container images are NOT uploaded here — they live in the OCI
registry. This job is for downloadable binary artifacts (and their cosign
bundles when signing is enabled).


| Parameter | Type | Default | Description |
|---|---|---|---|
| `attempts` | integer | 12 | Maximum number of upload attempts. Each attempt waits 5s before retrying
to absorb the race with the release-creation GitHub Action.
 |
| `binary` | string |  | Binary name as passed to `go-build`. The job uploads all matching files
from the attached workspace: `<binary>-<GOOS>-<GOARCH>` and any
`<binary>-<GOOS>-<GOARCH>.bundle` cosign signature bundles.
 |
| `github-token-env-var` | string |  | Name of an environment variable holding a GitHub token with contents:write
on the target repository. Leave empty (default) to use the GitHub App token.
Set to an env var name (e.g. TAYLORBOT_GITHUB_ACTION) to use a pre-minted
token instead of generating one from the App.
 |
| `resource_class` | enum | small | Configures the amount of CPU and RAM for the job. See
https://circleci.com/docs/2.0/configuration-reference/#docker-executor
for details.
 |
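The workflow below is an added example, not configuration from the architect-orb repository. It wires `go-build`, `push-to-registries` and `upload-release-assets` together so that branches only validate the image build while release tags push, sign and upload. The orb version, binary name, context name, registry host, env var names and tag pattern are placeholders or constructed values.

```yaml
# Added example (not from the orb's own documentation).
# Placeholders / constructed values: <version>, <context-name>, "my-operator",
# registry.example.com, REGISTRY_USERNAME, REGISTRY_PASSWORD, tag pattern /^v.*/.
version: 2.1

orbs:
  architect: "giantswarm/architect@<version>"   # placeholder: pin a published version

workflows:
  build-and-release:
    jobs:
      # Runs on every branch and on release tags. CircleCI does not run a job
      # for a tag unless the job has a tag filter, and a tag-filtered job can
      # only run if every job it requires also runs for that tag.
      - architect/go-build:
          name: go-build
          binary: my-operator                   # constructed binary name
          architectures: linux/amd64,linux/arm64
          trimpath: true                        # default: no build-host paths in the binary
          sign: true                            # default: skipped at runtime for private repos
          filters:
            tags:
              only: /^v.*/

      # Branch / PR path: lint the Dockerfile and build for every platform,
      # but keep the result in the BuildKit cache. No registry credentials are
      # used, and signing / provenance / SBOM generation are skipped.
      - architect/push-to-registries:
          name: image-build-check
          push: false
          hadolint: fail                        # fail the job on any hadolint finding
          requires:
            - go-build
          # No tag filter: this job runs on branches only.

      # Tag path: push, attach SPDX SBOM and provenance, sign with cosign
      # keyless OIDC (public images only). `platforms` is left empty so the
      # list is derived from the `.platforms` file written by go-build.
      - architect/push-to-registries:
          name: image-release
          context: "<context-name>"             # placeholder: holds the env vars named below
          push: true
          sbom: true
          provenance: min
          sign: true
          # One registry per line:
          # visibility registry username_envvar password_envvar push_dev_image
          registries-data: |-
            public registry.example.com REGISTRY_USERNAME REGISTRY_PASSWORD true
          requires:
            - go-build
          filters:
            branches:
              ignore: /.*/
            tags:
              only: /^v.*/

      # Tag path: upload <binary>-<GOOS>-<GOARCH> and the matching .bundle
      # files from the workspace to the GitHub Release for the tag.
      # github-token-env-var is left empty, so the GitHub App token is used.
      - architect/upload-release-assets:
          name: upload-binaries
          binary: my-operator                   # must match the go-build `binary`
          attempts: 12                          # default: 12 attempts, 5s apart
          requires:
            - go-build
          filters:
            branches:
              ignore: /.*/
            tags:
              only: /^v.*/
```

Keeping `sign: true` only on the tag path means a branch build never writes an entry to the public Rekor log, and the `push: false` job needs no context, so registry credentials are not exposed to PR builds.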

## Executors

### app-build-suite

### architect

### gitleaks

### machine

An Ubuntu-based machine executor.

### regctl