237a8c9e75
fix: smoke test image tag v-prefix mismatch (#101)
* fix: smoke test uses semver tag (0.4.0) not git ref (v0.4.0)
github.ref_name = v0.4.0 but Docker metadata strips the v prefix,
so the image is tagged 0.4.0. Use steps.meta-alpine.outputs.version
which matches the actual image tag.
* ci: add actionlint to catch workflow syntax errors on PRs
Prevents broken release.yml from reaching main. Catches: syntax errors
in run scripts, invalid step output references, missing image names,
and other GitHub Actions misconfigurations.
2026-04-06 01:33:33 +03:00
45997c0abb
fix: smoke test syntax error — missing image name in docker run (#100)
The docker run command was truncated, missing the image reference.
This caused a bash syntax error (unexpected do token) when the for
loop was parsed as part of the docker run arguments.
2026-04-06 01:15:25 +03:00
25b216d593
fix: remove local NORA from release push targets (#99)
Push images only to ghcr.io. Local NORA (localhost:5000) rate limiter
returns 429 during parallel image builds, failing the entire release.
Also remove NORA cache-from/cache-to lines (same 429 issue).
2026-04-06 01:07:56 +03:00
0f9be2fa48
fix: add ignore-error to cache-to in release workflow (#98)
Local NORA rate limiter returns 429 when 3 Docker builds push cache
layers in quick succession. Adding ignore-error=true so cache write
failure does not fail the entire release pipeline.
2026-04-06 01:01:23 +03:00
ac3a8a7c43
quality: MSRV, tarpaulin config, proptest for parsers (#84)
* fix: proxy dedup, multi-registry GC, TOCTOU and credential hygiene
- Deduplicate proxy_fetch/proxy_fetch_text into generic proxy_fetch_core
with response extractor closure (removes ~50 lines of copy-paste)
- GC now scans all registry prefixes, not just docker/
- Add tracing::warn to fire-and-forget cache writes in docker proxy
- Mark S3 credentials as skip_serializing to prevent accidental leaks
- Remove TOCTOU race in LocalStorage get/delete (redundant exists check)
* chore: clean up root directory structure
- Move Dockerfile.astra and Dockerfile.redos to deploy/ (niche builds
should not clutter the project root)
- Harden .gitignore to exclude session files, working notes, and
internal review scripts
* refactor(metrics): replace 13 atomic fields with CounterMap
Per-registry download/upload counters were 13 individual AtomicU64
fields, each duplicated across new(), with_persistence(), save(),
record_download(), record_upload(), and get_registry_* (6 touch points
per counter). Adding a new registry required changes in 6+ places.
Now uses CounterMap (HashMap<String, AtomicU64>) for per-registry
counters. Adding a new registry = one entry in REGISTRIES const.
Added Go registry to REGISTRIES, gaining go metrics for free.
* quality: add MSRV, tarpaulin config, proptest for parsers
- Set rust-version = 1.75 in workspace Cargo.toml (MSRV policy)
- Add tarpaulin.toml: llvm engine, fail-under=25, json+html output
- Add coverage/ to .gitignore
- Update CI to use tarpaulin.toml instead of inline flags
- Add proptest dev-dependency and property tests:
  - validation.rs: 16 tests (never-panics + invariants for all 4 validators)
  - pypi.rs: 5 tests (extract_filename never-panics + format assertions)
* test: add unit tests for 14 modules, coverage 21% → 30%
Add 149 new tests across auth, backup, gc, metrics, mirror parsers,
docker (manifest detection, session cleanup, metadata serde),
docker_auth (token cache), maven, npm, pypi (normalize, rewrite, extract),
raw (content-type guessing), request_id, and s3 (URI encoding).
Update tarpaulin.toml: raise fail-under to 30, exclude UI/main from
coverage reporting as they require integration tests.
* bench: add criterion benchmarks for validation and manifest parsing
Add parsing benchmark suite with 14 benchmarks covering:
- Storage key, Docker name, digest, and reference validation
- Docker manifest media type detection (v2, OCI index, minimal, invalid)
Run with: cargo bench --package nora-registry --bench parsing
* test: add 48 integration tests via tower oneshot
Add integration tests for all HTTP handlers:
- health (3), raw (7), cargo (4), maven (4), request_id (2)
- pypi (5), npm (5), docker (12), auth (6)
Create test_helpers.rs with TestContext pattern.
Add tower and http-body-util dev-dependencies.
Update tarpaulin fail-under 30 to 40.
Coverage: 29.5% to 43.3% (2089/4825 lines)
* fix: clean clippy warnings in tests, fix flaky audit test
Add #[allow(clippy::unwrap_used)] to 18 test modules.
Fix 3 additional clippy lints: writeln_empty_string, needless_update,
unnecessary_get_then_check.
Fix flaky audit test: replace single sleep(50ms) with retry loop (max 1s).
Prefix unused token variable with underscore.
cargo clippy --all-targets = 0 warnings (was 245 errors)
2026-04-05 10:01:50 +03:00
dependabot[bot]
d396206526
chore(deps): bump sigstore/cosign-installer from 3.8.0 to 4.1.1 (#71)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.8.0 to 4.1.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](c56c2d3e59...cad07c2e89)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-version: 4.1.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: DevITWay | Pavel Volkov <devitway@gmail.com>
2026-04-02 12:32:22 +00:00
dependabot[bot]
4df4aacc32
chore(deps): bump schneegans/dynamic-badges-action from 1.7.0 to 1.8.0 (#67)
Bumps [schneegans/dynamic-badges-action](https://github.com/schneegans/dynamic-badges-action) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/schneegans/dynamic-badges-action/releases)
- [Changelog](https://github.com/Schneegans/dynamic-badges-action/blob/master/changelog.md)
- [Commits](e9a478b161...0e50b8bad3)
---
updated-dependencies:
- dependency-name: schneegans/dynamic-badges-action
dependency-version: 1.8.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: DevITWay | Pavel Volkov <devitway@gmail.com>
2026-03-31 19:03:26 +00:00
975264c353
fix(deps): update rustls-webpki 0.103.9 -> 0.103.10 (RUSTSEC-2026-0049)
Also revert codeql-action to tag pin in scorecard.yml —
scorecard webapp rejects SHA pins for this specific action.
2026-03-20 23:07:09 +00:00
9709471485
fix: address code review findings
- Pin slsa-github-generator and codeql-action by SHA (not tag)
- Replace anonymous tuple with GroupedActivity struct for readability
- Replace unwrap() with if-let for safety
- Add warning message on attestation failure instead of silent || true
- Fix clippy: map_or -> is_some_and
2026-03-20 22:14:16 +00:00
3246bd9ffd
ci: add test coverage with tarpaulin and dynamic badge via gist
2026-03-20 09:32:22 +00:00
79fa8e0d4a
chore: add CODEOWNERS, CHANGELOG v0.2.33, SLSA provenance, QA scripts
2026-03-19 12:39:58 +00:00
b23765bebd
fix: update cosign-installer SHA to v3.8.0
2026-03-19 11:42:53 +00:00
07aed45518
fix: use tag for codeql-action in scorecard (webapp rejects SHA pins)
2026-03-19 10:42:14 +00:00
4ec963d41c
fix: add repo_token and permissions to scorecard workflow
2026-03-19 10:35:57 +00:00
7f7e3e4986
fix: revert scorecard-action to tag (Docker action incompatible with SHA pin)
2026-03-19 10:33:27 +00:00
d51f176fd8
fix: use commit SHA for scorecard-action (not tag SHA)
2026-03-19 09:21:29 +00:00
34d30433cb
fix: correct scorecard-action SHA pin for v2.4.3
2026-03-19 09:19:41 +00:00
fbd2aa35e8
ci: improve OpenSSF Scorecard rating (#45)
- Add CodeQL workflow for SAST analysis (Actions language)
- Pin scorecard-action and codeql-action by SHA in scorecard.yml
- Add cargo-audit SARIF upload for security tab integration
2026-03-19 11:51:11 +03:00
f76dab1184
fix: pin ClusterFuzzLite base image by SHA, fix Docker tag double-suffix
2026-03-18 13:20:35 +00:00
e6043a6e2f
fix: use project gitleaks config in CI, relax rules for documentation examples
2026-03-18 12:48:05 +00:00
ccaf543bcc
security: pin Docker base images by SHA, cosign signing in release, branch protection
- Pin alpine:3.20 by SHA digest in all Dockerfiles (Pinned-Dependencies)
- Add cosign keyless signing for Docker images and binary (Signed-Releases)
- Enable branch protection: strict status checks, linear history, no force push
- Add .sig and .pem to GitHub Release assets
2026-03-18 09:49:45 +00:00
bc9604bac3
fix: use tags for scorecard webapp verification
2026-03-17 11:04:48 +00:00
15d12d073a
fix: use scorecard-action by tag for webapp verification
2026-03-17 11:02:14 +00:00
7df118d488
security: harden OpenSSF Scorecard compliance
- Pin all GitHub Actions by SHA hash (Pinned-Dependencies)
- Add top-level permissions: read-all (Token-Permissions)
- Add explicit job-level permissions (least privilege)
- Add OpenSSF Scorecard workflow with weekly schedule
- Publish scorecard results to scorecard.dev and GitHub Security tab
2026-03-17 10:30:15 +00:00
68f4bb2168
fix: clean up stale smoke test container before run
2026-03-15 22:25:37 +00:00
cf5d84ef0a
fix: smoke test port mapping (4000, not 5000)
2026-03-15 21:54:13 +00:00
028e98759a
fix: integration tests match actual protocol support
- Docker, Maven: full push/pull (write support exists)
- npm, PyPI, Cargo: endpoint checks only (read-only proxy, no publish yet)
2026-03-15 19:58:36 +00:00
c351ce3534
feat: add Maven, PyPI, Cargo integration tests
- Maven: PUT artifact, GET and verify checksum
- PyPI: twine upload + pip install
- Cargo: API endpoint check
- Now testing all 5 protocols: Docker, npm, Maven, PyPI, Cargo
2026-03-15 19:53:27 +00:00
61c3f07aac
fix: add npm auth token for integration test publish
2026-03-15 19:49:54 +00:00
314c038d94
feat: add integration tests, release runbook, cache fallback
- CI: integration job — build NORA, docker push/pull, npm publish/install, API checks
- release: cache-from with ignore-error=true (no dependency on localhost:5000)
- RELEASE_RUNBOOK.md: rollback procedure, deploy order, verification steps
2026-03-15 19:36:38 +00:00
233b83f902
security: make CI gates blocking, add smoke test, clean up dead code
- gitleaks, cargo audit, trivy fs now block pipeline on findings
- add smoke test (docker run + curl /health) in release workflow
- deny.toml: add review date to RUSTSEC-2025-0119 ignore
- remove unused validation functions (maven, npm, crate)
- replace blanket #![allow(dead_code)] with targeted allows
2026-03-15 19:25:00 +00:00
058fc41f1c
Merge pull request #24 from getnora-io/dependabot/github_actions/docker/metadata-action-6
chore(deps): bump docker/metadata-action from 5 to 6
2026-03-12 22:13:55 +03:00
7f5a3c7c8a
Merge pull request #23 from getnora-io/dependabot/github_actions/aquasecurity/trivy-action-0.35.0
chore(deps): bump aquasecurity/trivy-action from 0.34.2 to 0.35.0
2026-03-12 22:13:49 +03:00
5b57cc5913
Merge pull request #22 from getnora-io/dependabot/github_actions/docker/login-action-4
chore(deps): bump docker/login-action from 3 to 4
2026-03-12 22:13:45 +03:00
aa844d851d
Merge pull request #21 from getnora-io/dependabot/github_actions/docker/build-push-action-7
chore(deps): bump docker/build-push-action from 6 to 7
2026-03-12 22:13:41 +03:00
dependabot[bot]
2c886040d7
chore(deps): bump docker/metadata-action from 5 to 6
Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5 to 6.
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](https://github.com/docker/metadata-action/compare/v5...v6)
---
updated-dependencies:
- dependency-name: docker/metadata-action
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-10 04:25:36 +00:00
dependabot[bot]
9ab6ccc594
chore(deps): bump aquasecurity/trivy-action from 0.34.2 to 0.35.0
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.34.2 to 0.35.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](https://github.com/aquasecurity/trivy-action/compare/0.34.2...0.35.0)
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-10 04:25:33 +00:00
dependabot[bot]
679b36b986
chore(deps): bump docker/login-action from 3 to 4
Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v3...v4)
---
updated-dependencies:
- dependency-name: docker/login-action
dependency-version: '4'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-10 04:25:27 +00:00
dependabot[bot]
da8c473e02
chore(deps): bump docker/build-push-action from 6 to 7
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6 to 7.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6...v7)
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-10 04:25:23 +00:00
dependabot[bot]
3dc8b81261
chore(deps): bump docker/setup-buildx-action from 3 to 4
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3 to 4.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4)
---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
dependency-version: '4'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-10 04:25:20 +00:00
03a3bf9197
Merge pull request #15 from getnora-io/dependabot/github_actions/docker/build-push-action-6
chore(deps): bump docker/build-push-action from 5 to 6
2026-03-03 12:14:56 +03:00
6c5f0dda30
Merge pull request #14 from getnora-io/dependabot/github_actions/aquasecurity/trivy-action-0.34.2
chore(deps): bump aquasecurity/trivy-action from 0.30.0 to 0.34.2
2026-03-03 12:14:42 +03:00
fb058302c8
Merge pull request #13 from getnora-io/dependabot/github_actions/softprops/action-gh-release-2
chore(deps): bump softprops/action-gh-release from 1 to 2
2026-03-03 12:14:29 +03:00
79565aec47
Merge pull request #12 from getnora-io/dependabot/github_actions/actions/upload-artifact-7
chore(deps): bump actions/upload-artifact from 4 to 7
2026-03-03 12:14:16 +03:00
dependabot[bot]
c8793a4b60
chore(deps): bump docker/build-push-action from 5 to 6
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 5 to 6.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v5...v6)
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-03 04:25:58 +00:00
dependabot[bot]
fd4a7b0b0f
chore(deps): bump aquasecurity/trivy-action from 0.30.0 to 0.34.2
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.30.0 to 0.34.2.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](https://github.com/aquasecurity/trivy-action/compare/0.30.0...0.34.2)
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.34.2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-03 04:25:55 +00:00
dependabot[bot]
7af1e7462c
chore(deps): bump softprops/action-gh-release from 1 to 2
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 1 to 2.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](https://github.com/softprops/action-gh-release/compare/v1...v2)
---
updated-dependencies:
- dependency-name: softprops/action-gh-release
dependency-version: '2'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-03 04:25:51 +00:00
dependabot[bot]
de1a188fa7
chore(deps): bump actions/upload-artifact from 4 to 7
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v7)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-03 04:25:48 +00:00
dependabot[bot]
36d0749bb3
chore(deps): bump actions/checkout from 4 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v6)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-03 04:25:43 +00:00
fb0f80ac5a
ci: move scan/release to self-hosted, use NORA for cache and images
- Add NORA (localhost:5000) as internal registry for image push and cache
- Replace type=gha cache with type=registry pointing to NORA
- Move scan and release jobs from ubuntu-latest to self-hosted runner
- Upload binary as artifact in build, download in release (no docker pull)
- Generate SBOM from NORA image instead of ghcr.io
- Add driver-opts: network=host to buildx for localhost registry access
2026-02-25 00:19:37 +00:00