578cdd7dd6
fix: correct scorecard-action SHA pin for v2.4.3
2026-03-19 09:19:41 +00:00
78dd91795d
ci: improve OpenSSF Scorecard rating ( #45 )
...
- Add CodeQL workflow for SAST analysis (Actions language)
- Pin scorecard-action and codeql-action by SHA in scorecard.yml
- Add cargo-audit SARIF upload for security tab integration
2026-03-19 11:51:11 +03:00
52e59a8272
fix: pin ClusterFuzzLite base image by SHA, fix Docker tag double-suffix
2026-03-18 13:20:35 +00:00
8b1b9c8401
fix: use project gitleaks config in CI, relax rules for documentation examples
2026-03-18 12:48:05 +00:00
68365dfe98
community: add issue/PR templates, code of conduct, update contributing guide
2026-03-18 12:22:10 +00:00
b50dd6386e
security: pin Docker base images by SHA, cosign signing in release, branch protection
...
- Pin alpine:3.20 by SHA digest in all Dockerfiles (Pinned-Dependencies)
- Add cosign keyless signing for Docker images and binary (Signed-Releases)
- Enable branch protection: strict status checks, linear history, no force push
- Add .sig and .pem to GitHub Release assets
2026-03-18 09:49:45 +00:00
31afa1f70b
fix: use tags for scorecard webapp verification
2026-03-17 11:04:48 +00:00
f36abd82ef
fix: use scorecard-action by tag for webapp verification
2026-03-17 11:02:14 +00:00
34e85acd6e
security: harden OpenSSF Scorecard compliance
...
- Pin all GitHub Actions by SHA hash (Pinned-Dependencies)
- Add top-level permissions: read-all (Token-Permissions)
- Add explicit job-level permissions (least privilege)
- Add OpenSSF Scorecard workflow with weekly schedule
- Publish scorecard results to scorecard.dev and GitHub Security tab
2026-03-17 10:30:15 +00:00
bbff337b4c
fix: clean up stale smoke test container before run
2026-03-15 22:25:37 +00:00
095270d113
fix: smoke test port mapping (4000, not 5000)
2026-03-15 21:54:13 +00:00
a1da4fff1e
fix: integration tests match actual protocol support
...
- Docker, Maven: full push/pull (write support exists)
- npm, PyPI, Cargo: endpoint checks only (read-only proxy, no publish yet)
2026-03-15 19:58:36 +00:00
868c4feca7
feat: add Maven, PyPI, Cargo integration tests
...
- Maven: PUT artifact, GET and verify checksum
- PyPI: twine upload + pip install
- Cargo: API endpoint check
- Now testing all 5 protocols: Docker, npm, Maven, PyPI, Cargo
2026-03-15 19:53:27 +00:00
5b4cba1392
fix: add npm auth token for integration test publish
2026-03-15 19:49:54 +00:00
ad890be56a
feat: add integration tests, release runbook, cache fallback
...
- CI: integration job — build NORA, docker push/pull, npm publish/install, API checks
- release: cache-from with ignore-error=true (no dependency on localhost:5000)
- RELEASE_RUNBOOK.md: rollback procedure, deploy order, verification steps
2026-03-15 19:36:38 +00:00
233b83f902
security: make CI gates blocking, add smoke test, clean up dead code
...
- gitleaks, cargo audit, trivy fs now block pipeline on findings
- add smoke test (docker run + curl /health) in release workflow
- deny.toml: add review date to RUSTSEC-2025-0119 ignore
- remove unused validation functions (maven, npm, crate)
- replace blanket #![allow(dead_code)] with targeted allows
2026-03-15 19:25:00 +00:00
058fc41f1c
Merge pull request #24 from getnora-io/dependabot/github_actions/docker/metadata-action-6
...
chore(deps): bump docker/metadata-action from 5 to 6
2026-03-12 22:13:55 +03:00
7f5a3c7c8a
Merge pull request #23 from getnora-io/dependabot/github_actions/aquasecurity/trivy-action-0.35.0
...
chore(deps): bump aquasecurity/trivy-action from 0.34.2 to 0.35.0
2026-03-12 22:13:49 +03:00
5b57cc5913
Merge pull request #22 from getnora-io/dependabot/github_actions/docker/login-action-4
...
chore(deps): bump docker/login-action from 3 to 4
2026-03-12 22:13:45 +03:00
aa844d851d
Merge pull request #21 from getnora-io/dependabot/github_actions/docker/build-push-action-7
...
chore(deps): bump docker/build-push-action from 6 to 7
2026-03-12 22:13:41 +03:00
dependabot[bot]
2c886040d7
chore(deps): bump docker/metadata-action from 5 to 6
...
Bumps [docker/metadata-action](https://github.com/docker/metadata-action ) from 5 to 6.
- [Release notes](https://github.com/docker/metadata-action/releases )
- [Commits](https://github.com/docker/metadata-action/compare/v5...v6 )
---
updated-dependencies:
- dependency-name: docker/metadata-action
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:36 +00:00
dependabot[bot]
9ab6ccc594
chore(deps): bump aquasecurity/trivy-action from 0.34.2 to 0.35.0
...
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action ) from 0.34.2 to 0.35.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases )
- [Commits](https://github.com/aquasecurity/trivy-action/compare/0.34.2...0.35.0 )
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:33 +00:00
dependabot[bot]
679b36b986
chore(deps): bump docker/login-action from 3 to 4
...
Bumps [docker/login-action](https://github.com/docker/login-action ) from 3 to 4.
- [Release notes](https://github.com/docker/login-action/releases )
- [Commits](https://github.com/docker/login-action/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: docker/login-action
dependency-version: '4'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:27 +00:00
dependabot[bot]
da8c473e02
chore(deps): bump docker/build-push-action from 6 to 7
...
Bumps [docker/build-push-action](https://github.com/docker/build-push-action ) from 6 to 7.
- [Release notes](https://github.com/docker/build-push-action/releases )
- [Commits](https://github.com/docker/build-push-action/compare/v6...v7 )
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:23 +00:00
dependabot[bot]
3dc8b81261
chore(deps): bump docker/setup-buildx-action from 3 to 4
...
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action ) from 3 to 4.
- [Release notes](https://github.com/docker/setup-buildx-action/releases )
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
dependency-version: '4'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:20 +00:00
03a3bf9197
Merge pull request #15 from getnora-io/dependabot/github_actions/docker/build-push-action-6
...
chore(deps): bump docker/build-push-action from 5 to 6
2026-03-03 12:14:56 +03:00
6c5f0dda30
Merge pull request #14 from getnora-io/dependabot/github_actions/aquasecurity/trivy-action-0.34.2
...
chore(deps): bump aquasecurity/trivy-action from 0.30.0 to 0.34.2
2026-03-03 12:14:42 +03:00
fb058302c8
Merge pull request #13 from getnora-io/dependabot/github_actions/softprops/action-gh-release-2
...
chore(deps): bump softprops/action-gh-release from 1 to 2
2026-03-03 12:14:29 +03:00
79565aec47
Merge pull request #12 from getnora-io/dependabot/github_actions/actions/upload-artifact-7
...
chore(deps): bump actions/upload-artifact from 4 to 7
2026-03-03 12:14:16 +03:00
dependabot[bot]
c8793a4b60
chore(deps): bump docker/build-push-action from 5 to 6
...
Bumps [docker/build-push-action](https://github.com/docker/build-push-action ) from 5 to 6.
- [Release notes](https://github.com/docker/build-push-action/releases )
- [Commits](https://github.com/docker/build-push-action/compare/v5...v6 )
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:25:58 +00:00
dependabot[bot]
fd4a7b0b0f
chore(deps): bump aquasecurity/trivy-action from 0.30.0 to 0.34.2
...
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action ) from 0.30.0 to 0.34.2.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases )
- [Commits](https://github.com/aquasecurity/trivy-action/compare/0.30.0...0.34.2 )
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.34.2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:25:55 +00:00
dependabot[bot]
7af1e7462c
chore(deps): bump softprops/action-gh-release from 1 to 2
...
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release ) from 1 to 2.
- [Release notes](https://github.com/softprops/action-gh-release/releases )
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md )
- [Commits](https://github.com/softprops/action-gh-release/compare/v1...v2 )
---
updated-dependencies:
- dependency-name: softprops/action-gh-release
dependency-version: '2'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:25:51 +00:00
dependabot[bot]
de1a188fa7
chore(deps): bump actions/upload-artifact from 4 to 7
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v7 )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:25:48 +00:00
dependabot[bot]
36d0749bb3
chore(deps): bump actions/checkout from 4 to 6
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v4...v6 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:25:43 +00:00
fb0f80ac5a
ci: move scan/release to self-hosted, use NORA for cache and images
...
- Add NORA (localhost:5000) as internal registry for image push and cache
- Replace type=gha cache with type=registry pointing to NORA
- Move scan and release jobs from ubuntu-latest to self-hosted runner
- Upload binary as artifact in build, download in release (no docker pull)
- Generate SBOM from NORA image instead of ghcr.io
- Add driver-opts: network=host to buildx for localhost registry access
2026-02-25 00:19:37 +00:00
b153bc0c5b
ci: restore Astra Linux SE build, scan, and release image
2026-02-24 17:01:14 +00:00
c7f9d5c036
ci: fix binary path in image (/usr/local/bin/nora)
2026-02-24 14:03:16 +00:00
b41bfd9a88
ci: pin build job to nora runner label to avoid wrong runner
2026-02-24 13:18:11 +00:00
3a6d3eeb9a
feat: add binary + sha256 to GitHub Release artifacts
2026-02-24 12:14:29 +00:00
dependabot[bot]
2c7c497c30
chore(deps): bump softprops/action-gh-release from 1 to 2 ( #5 )
...
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release ) from 1 to 2.
- [Release notes](https://github.com/softprops/action-gh-release/releases )
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md )
- [Commits](https://github.com/softprops/action-gh-release/compare/v1...v2 )
---
updated-dependencies:
- dependency-name: softprops/action-gh-release
dependency-version: '2'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:20:23 +01:00
dependabot[bot]
6b6f88ab9c
chore(deps): bump actions/checkout from 4 to 6 ( #4 )
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v4...v6 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:20:19 +01:00
dependabot[bot]
1255e3227b
chore(deps): bump docker/build-push-action from 5 to 6 ( #3 )
...
Bumps [docker/build-push-action](https://github.com/docker/build-push-action ) from 5 to 6.
- [Release notes](https://github.com/docker/build-push-action/releases )
- [Commits](https://github.com/docker/build-push-action/compare/v5...v6 )
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:20:16 +01:00
dependabot[bot]
aabd0b76fb
chore(deps): bump aquasecurity/trivy-action from 0.30.0 to 0.34.1 ( #2 )
...
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action ) from 0.30.0 to 0.34.1.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases )
- [Commits](https://github.com/aquasecurity/trivy-action/compare/0.30.0...0.34.1 )
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.34.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:20:12 +01:00
ac14405af3
ci: restore scan gate on release, block on HIGH/CRITICAL CVE
2026-02-24 10:53:28 +00:00
5f385dce45
ci: add dependabot, pin trivy-action@0.30.0, release no longer waits on scan
2026-02-24 10:48:06 +00:00
761e08f168
ci: upgrade codeql-action v3 -> v4
2026-02-24 10:41:37 +00:00
fc1288820d
ci: remove astra build for now
2026-02-24 00:39:16 +00:00
a17a75161b
ci: consolidate all docker builds into single job to fix runner network issues
2026-02-24 00:07:44 +00:00
0b3ef3ab96
ci: use shared runner filesystem instead of artifact API to avoid network upload
2026-02-23 23:41:41 +00:00
99e290d30c
ci: fix SBOM image tag and registry credentials
2026-02-23 18:53:17 +00:00
