Artifact Trust and Promotion (status: designed)
App deployment is digest-based and promotion is explicit. Tags are convenience labels, never deployment truth.
Trust Model
Artifacts have a lifecycle state and a trust state.
Lifecycle states:
- published
- promoted
- deprecated
- retired
Trust states:
- unverified
- verified
- failed_verification
- revoked
Promotion Model
Promotion moves an artifact through channels such as dev, test, staging,
and prod. Promotion to a later channel must be explicit and auditable.
Non-Negotiables
- Deploy by digest, not mutable tag.
- Preserve promotion history.
- Record actor, project, artifact id, digest, trust transition, target channel, and correlation id.
- Support OCI and future non-OCI artifacts through the same control-plane model.
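As an added example (not code from this design page or its platform), a minimal Python model of the rules above: identity is a digest and never a tag, promotion is refused unless the trust and lifecycle states allow it, and every transition appends an audit record carrying the fields listed under Non-Negotiables. The names `Artifact`, `ControlPlane` and `check_promotion` are assumptions.

```python
from dataclasses import dataclass, field
import re

CHANNELS = ("dev", "test", "staging", "prod")   # promotion order, earliest first
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")  # immutable identity; tags never match

@dataclass
class Artifact:                    # hypothetical model, not the platform's own schema
    artifact_id: str
    digest: str                    # deployment truth; a mutable tag here is rejected
    channel: str = "dev"
    lifecycle: str = "published"   # published | promoted | deprecated | retired
    trust: str = "unverified"      # unverified | verified | failed_verification | revoked

def check_promotion(art, target):
    """Return None if the promotion is allowed, otherwise the reason it is refused."""
    if not DIGEST_RE.match(art.digest):
        return "deploy by digest, not mutable tag"
    if art.trust != "verified":
        return f"trust state {art.trust!r} may not move forward"
    if art.lifecycle in ("deprecated", "retired"):
        return f"lifecycle state {art.lifecycle!r} cannot be promoted"
    if target not in CHANNELS or CHANNELS.index(target) <= CHANNELS.index(art.channel):
        return f"{target!r} is not a later channel than {art.channel!r}"
    return None

@dataclass
class ControlPlane:
    history: list = field(default_factory=list)   # append-only promotion history

    def _record(self, actor, project, art, trust_before, target, correlation_id):
        # One record per transition, with every field the design requires.
        self.history.append({
            "actor": actor, "project": project, "artifact_id": art.artifact_id,
            "digest": art.digest, "trust_transition": f"{trust_before}->{art.trust}",
            "target_channel": target, "correlation_id": correlation_id,
        })

    def verify(self, actor, project, art, passed, correlation_id):
        # Verification is itself an auditable trust transition.
        before = art.trust
        art.trust = "verified" if passed else "failed_verification"
        self._record(actor, project, art, before, art.channel, correlation_id)

    def promote(self, actor, project, art, target, correlation_id):
        # Explicit promotion: refused moves raise and leave no history entry.
        reason = check_promotion(art, target)
        if reason:
            raise PermissionError(reason)
        art.channel, art.lifecycle = target, "promoted"
        self._record(actor, project, art, art.trust, target, correlation_id)
```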
Developer Evidence
App teams should be able to explain promotion state without reading backend tables. The minimum evidence packet for an app artifact is:
| Evidence | Why it matters |
|---|---|
| Artifact identity and digest | proves the deployed artifact is immutable |
| Artifact type and registry version | proves which platform registry definition of the artifact type was in effect when it was promoted |
| Trust state and verification result | proves the artifact is allowed to move forward |
| Promotion channel and actor | proves who moved it and where it can run |
| Correlation and audit reference | links the promotion to release, review, and incident evidence |
For the broader artifact/runtime bundle path, see Artifact And Runtime Lifecycle.
Canonical sources