taiars/nora
1
0
Fork 0
mirror of https://github.com/getnora-io/nora.git synced 2026-04-12 09:10:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
274 Commits 2 Branches 38 Tags
357368f80d24072dfbdd94f82ec4a2b159e9333b
Commit Graph

274 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
devitway
79fa8e0d4a chore: add CODEOWNERS, CHANGELOG v0.2.33, SLSA provenance, QA scripts 2026-03-19 12:39:58 +00:00
devitway
b23765bebd fix: update cosign-installer SHA to v3.8.0 2026-03-19 11:42:53 +00:00
devitway
b91c5531b6 release: bump version to v0.2.33 (#46) 2026-03-19 11:41:06 +00:00
devitway
596b18a3fa release: bump version to v0.2.33 2026-03-19 11:08:51 +00:00
devitway
07aed45518 fix: use tag for codeql-action in scorecard (webapp rejects SHA pins) 2026-03-19 10:42:14 +00:00
devitway
4ec963d41c fix: add repo_token and permissions to scorecard workflow 2026-03-19 10:35:57 +00:00
devitway
7f7e3e4986 fix: revert scorecard-action to tag (Docker action incompatible with SHA pin) 2026-03-19 10:33:27 +00:00
devitway
d51f176fd8 fix: use commit SHA for scorecard-action (not tag SHA) 2026-03-19 09:21:29 +00:00
devitway
34d30433cb fix: correct scorecard-action SHA pin for v2.4.3 2026-03-19 09:19:41 +00:00
devitway
a6db016d7d ci: retrigger scorecard workflow 2026-03-19 09:18:00 +00:00
DevITWay | Pavel Volkov
fbd2aa35e8 ci: improve OpenSSF Scorecard rating (#45) 
- Add CodeQL workflow for SAST analysis (Actions language)
- Pin scorecard-action and codeql-action by SHA in scorecard.yml
- Add cargo-audit SARIF upload for security tab integration
 2026-03-19 11:51:11 +03:00
devitway
fa2cd45ed3 security: harden Docker registry and container runtime 
- Verify blob digest (SHA256) on upload, reject mismatches (DIGEST_INVALID)
- Reject sha512 digests (only sha256 supported)
- Add upload session limits: max 100 concurrent, 2GB per session, 30min TTL
- Bind upload sessions to repository name (prevent session fixation)
- Filter .meta.json from Docker tag list (fix ArgoCD Image Updater recursion)
- Fix catalog to show namespaced images (library/alpine instead of library)
- Add security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Run containers as non-root user (USER nora) in all 3 Dockerfiles
- Add configurable NORA_MAX_UPLOAD_SESSIONS and NORA_MAX_UPLOAD_SESSION_SIZE_MB
 2026-03-19 08:29:28 +00:00
devitway
f76dab1184 fix: pin ClusterFuzzLite base image by SHA, fix Docker tag double-suffix 2026-03-18 13:20:35 +00:00
devitway
e6043a6e2f fix: use project gitleaks config in CI, relax rules for documentation examples 2026-03-18 12:48:05 +00:00
devitway
54a08153f1 docs: add public roadmap, cosign verification in install script 2026-03-18 12:36:51 +00:00
devitway
a36287a627 community: add issue/PR templates, code of conduct, update contributing guide 2026-03-18 12:22:10 +00:00
devitway
eb1b8db01e chore: remove unused crates and demo traffic scripts 
- Remove nora-cli (unimplemented stub)
- Remove nora-storage (standalone S3 server, not used)
- Remove demo traffic generator and systemd service
 2026-03-18 12:19:58 +00:00
devitway
58f98949e4 style: clean up code comments 2026-03-18 11:23:11 +00:00
devitway
67b55fba92 chore: repo cleanup — remove dead crates from workspace, stale files, duplicate assets 
- Remove nora-cli and nora-storage from workspace (stub crates, not used)
- Remove root install.sh (duplicate of dist/install.sh)
- Remove root logo.jpg (duplicate of ui/logo.jpg)
- Remove committed SBOM .cdx.json files (generated by CI in release)
- Remove stale .githooks/ (real hook is in .git/hooks/)
- Update version in docs-ru to 0.2.32
- Add *.cdx.json to .gitignore
 2026-03-18 11:20:22 +00:00
devitway
e38e4ab4fb test: E2E smoke tests + Playwright browser tests (23 tests) 
smoke.sh:
- Full E2E smoke test: health, npm proxy/publish/security, Maven, PyPI, Docker, Raw, UI, mirror CLI
- Self-contained: starts NORA, runs tests, cleans up

Playwright (tests/e2e/):
- Dashboard: page load, registry sections visible, npm count > 0, Docker stats
- npm: URL rewriting, scoped packages, tarball download, publish, immutability, security
- Docker: v2 check, catalog, manifest push/pull, tags list
- Maven: proxy download, upload
- PyPI: simple index, package page
- Raw: upload and download
- Health, metrics, OpenAPI endpoints

All 23 tests pass in 4.7s against live NORA instance.
 2026-03-18 11:04:19 +00:00
devitway
3fe2ae166d docs: add CII Best Practices passing badge 2026-03-18 10:46:51 +00:00
devitway
ccaf543bcc security: pin Docker base images by SHA, cosign signing in release, branch protection 
- Pin alpine:3.20 by SHA digest in all Dockerfiles (Pinned-Dependencies)
- Add cosign keyless signing for Docker images and binary (Signed-Releases)
- Enable branch protection: strict status checks, linear history, no force push
- Add .sig and .pem to GitHub Release assets
 2026-03-18 09:49:45 +00:00
devitway
68ed6546c8 docs: changelog v0.2.32 2026-03-18 09:43:49 +00:00
devitway
eccb80c7f2 fix: allow NCSA license for libfuzzer-sys in cargo-deny 2026-03-18 09:27:30 +00:00
devitway
f27b59b5a8 fix: add MIT license to nora-fuzz crate (cargo-deny compliance) 2026-03-18 09:23:31 +00:00
devitway
3fc57cc351 fix: correct cargo-deny key for unused license allowance 2026-03-18 09:19:50 +00:00
devitway
698b8d66ca fix: allow unused license entries in cargo-deny config 2026-03-18 09:15:25 +00:00
devitway
9de623a14e fix: Docker dashboard for namespaced images, library/ auto-prepend for Hub official images (v0.2.32) 
Docker dashboard:
- build_docker_index now finds manifests segment by position, not fixed index
- Correctly indexes library/alpine, grafana/grafana, and other namespaced images

Docker proxy:
- Auto-prepend library/ for single-segment names when upstream returns 404
- Applies to both manifests and blobs
- nginx, alpine, node now work without explicit library/ prefix
- Cached under original name for future local hits
 2026-03-18 08:07:53 +00:00
devitway
cb37813f11 security: add cargo-fuzz targets and ClusterFuzzLite config 
Fuzz targets:
- fuzz_validation: storage key, Docker name, digest, reference validators
- fuzz_docker_manifest: Docker/OCI manifest media type detection

Infrastructure:
- lib.rs exposing validation module and docker_fuzz for fuzz harnesses
- ClusterFuzzLite project config (libfuzzer + ASan)
 2026-03-17 11:20:17 +00:00
devitway
bc9604bac3 fix: use tags for scorecard webapp verification 2026-03-17 11:04:48 +00:00
devitway
15d12d073a fix: use scorecard-action by tag for webapp verification 2026-03-17 11:02:14 +00:00
devitway
f1259e49b2 docs: add OpenSSF Scorecard badge 2026-03-17 10:41:00 +00:00
devitway
0727b421a9 Merge pull request #32 from getnora-io/dependabot/cargo/tracing-subscriber-0.3.23 
chore(deps): bump tracing-subscriber from 0.3.22 to 0.3.23
 2026-03-17 13:38:22 +03:00
devitway
22b01c9d78 Merge pull request #31 from getnora-io/dependabot/cargo/clap-4.6.0 
chore(deps): bump clap from 4.5.60 to 4.6.0
 2026-03-17 13:38:20 +03:00
devitway
73f3994b80 Merge pull request #30 from getnora-io/dependabot/cargo/tempfile-3.27.0 
chore(deps): bump tempfile from 3.26.0 to 3.27.0
 2026-03-17 13:38:17 +03:00
devitway
debf31d4b9 Merge pull request #33 from getnora-io/security/scorecard-hardening 
security: OpenSSF Scorecard hardening
 2026-03-17 13:36:40 +03:00
devitway
7df118d488 security: harden OpenSSF Scorecard compliance 
- Pin all GitHub Actions by SHA hash (Pinned-Dependencies)
- Add top-level permissions: read-all (Token-Permissions)
- Add explicit job-level permissions (least privilege)
- Add OpenSSF Scorecard workflow with weekly schedule
- Publish scorecard results to scorecard.dev and GitHub Security tab
 2026-03-17 10:30:15 +00:00
dependabot[bot]
fd1a4c5fd5 chore(deps): bump tracing-subscriber from 0.3.22 to 0.3.23 
Bumps [tracing-subscriber](https://github.com/tokio-rs/tracing) from 0.3.22 to 0.3.23.
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.22...tracing-subscriber-0.3.23)

---
updated-dependencies:
- dependency-name: tracing-subscriber
  dependency-version: 0.3.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-03-17 04:25:13 +00:00
dependabot[bot]
d3df26b61a chore(deps): bump clap from 4.5.60 to 4.6.0 
Bumps [clap](https://github.com/clap-rs/clap) from 4.5.60 to 4.6.0.
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.60...clap_complete-v4.6.0)

---
updated-dependencies:
- dependency-name: clap
  dependency-version: 4.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-03-17 04:25:03 +00:00
dependabot[bot]
1d61f50ab0 chore(deps): bump tempfile from 3.26.0 to 3.27.0 
Bumps [tempfile](https://github.com/Stebalien/tempfile) from 3.26.0 to 3.27.0.
- [Changelog](https://github.com/Stebalien/tempfile/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Stebalien/tempfile/compare/v3.26.0...v3.27.0)

---
updated-dependencies:
- dependency-name: tempfile
  dependency-version: 3.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-03-17 04:24:55 +00:00
devitway
8646926294 docs: Russian documentation — admin guide, user guide, technical spec (Минцифры) 2026-03-16 13:58:17 +00:00
devitway
c7e15b47aa docs: add CycloneDX SBOM (238 components, 0 vulnerabilities) 2026-03-16 13:29:59 +00:00
devitway
b7d303bf54 feat: nora mirror CLI + systemd + install script 
nora mirror:
- Pre-fetch dependencies through NORA proxy cache
- npm: --lockfile (v1/v2/v3) and --packages with --all-versions
- pip: requirements.txt parser
- cargo: Cargo.lock parser
- maven: dependency:list output parser
- Concurrent downloads (--concurrency, default 8)
- Progress bar with indicatif
- Health check before start

dist/:
- nora.service — systemd unit with security hardening
- nora.env.example — environment configuration template
- install.sh — automated install (binary + user + systemd + config)

Tested: 103 tests pass, 0 clippy warnings, cargo audit clean.
Smoke: mirrored 70 npm packages from real lockfile in 5.4s.
 2026-03-16 13:27:37 +00:00
devitway
82ea93d07f docs: changelog v0.2.31 2026-03-16 12:51:10 +00:00
devitway
01027888cb feat: npm full proxy — URL rewriting, scoped packages, publish, integrity cache (v0.2.31) 
npm proxy:
- Rewrite tarball URLs in metadata to point to NORA (was broken — tarballs bypassed NORA)
- Scoped packages (@scope/package) full support in handler and repo index
- Metadata cache TTL (NORA_NPM_METADATA_TTL, default 300s) with stale-while-revalidate
- proxy_auth now wired into fetch_from_proxy (was configured but unused)

npm publish:
- PUT /npm/{package} — accepts standard npm publish payload
- Version immutability — 409 Conflict on duplicate version
- Tarball URL rewriting in published metadata

Security:
- SHA256 integrity verification on cached tarballs (immutable cache)
- Attachment filename validation (path traversal protection)
- Package name mismatch detection (URL vs payload)

Config:
- npm.metadata_ttl — configurable cache TTL (env: NORA_NPM_METADATA_TTL)
 2026-03-16 12:32:16 +00:00
devitway
b2be7102fe style: cargo fmt 2026-03-16 08:58:27 +00:00
devitway
a9996b6b54 fix: dashboard — docker namespaced repos, npm proxy cache, upstream display (v0.2.30) 2026-03-16 08:55:33 +00:00
devitway
2cca9919ff docs: rewrite README — new slogan, roadmap, trim TLS/FSTEC, fix config example 2026-03-16 07:39:43 +00:00
devitway
68f4bb2168 fix: clean up stale smoke test container before run 2026-03-15 22:25:37 +00:00
devitway
9c8f9f9a08 docs: trim README, link to docs site, fix website URL 2026-03-15 22:21:08 +00:00