Understanding Release Bundles v2



A Release Bundle v2 is uniquely identified by the combination of its repository key, name, and version. If that combination already exists, an error occurs.

All Release Bundles must contain at least one artifact. Release Bundle source artifacts cannot contain any path collisions. As a result, you cannot create a Release Bundle containing the same path and name from different repositories, as this leaves open the possibility of compromising package consistency.

Release Bundles may include source artifacts from local and Federated repositories, but not from remote or virtual repositories. Release Bundles cannot include source artifacts from other Release Bundle repositories unless they are cloned or merged (for more information, see Source Type - Release Bundles).

All properties of source artifacts are collected and stored at the time of Release Bundle creation. Subsequent updates to source artifact properties do not impact the state of the Release Bundle.

All Release Bundle artifacts are located at {repository-key}/{name}/{version}/artifacts and placed in a directory that corresponds to the package type of the source artifact.

Release Bundle Repositories

A Release Bundle is stored in a read-only repository with the package type ReleaseBundles as a self-contained specification located at the path {repository-key}/{name}/{version}. The specification is stored in the form of a DSSE attestation, which is a signature envelope with a Base64-encoded payload.

In addition to the attestation, each Release Bundle contains a snapshot of all included artifacts. Deleting any original source artifact does not compromise the consistency of the contents of the Release Bundle.

If a Release Bundle repository does not exist at the time the Release Bundle is created, it is initialized automatically. The default key of a Release Bundle repository is release-bundles-v2. For project-specific Release Bundles, it is {project-key}-release-bundles-v2.

Release Bundles and Docker Manifests

If source artifacts contain a Docker manifest (manifest.json or list.manifest.json), the manifest is resolved automatically during Release Bundle creation. This means that the Release Bundle will include both a manifest and all Docker image layers. This behavior can be disabled using the relevant property in the request body.