Currently the image is pushed to quay.io but since container images are not signed, there is no gurantee that the correct image is provided by quay. This patch provides the image's SHA256 digest as part of the build process so it's possible to verify that the correct image is up and downlaoded. This is a first, basic setup to allow better audits of the images. In future container images should get signed, but this requires some additional work.
Validating GitLab CI configuration… Learn more