7766a2f02c
fix: add image-ref to Trivy scan in release pipeline ( #102 )
...
Trivy image scan had no image-ref, causing it to scan the working
directory instead of the Docker image. Also set exit-code: 0 so
known vulnerabilities in base images do not block the release.
2026-04-06 01:43:41 +03:00
237a8c9e75
fix: smoke test image tag v-prefix mismatch ( #101 )
...
* fix: smoke test uses semver tag (0.4.0) not git ref (v0.4.0)
github.ref_name = v0.4.0 but Docker metadata strips the v prefix,
so the image is tagged 0.4.0. Use steps.meta-alpine.outputs.version
which matches the actual image tag.
* ci: add actionlint to catch workflow syntax errors on PRs
Prevents broken release.yml from reaching main. Catches: syntax errors
in run scripts, invalid step output references, missing image names,
and other GitHub Actions misconfigurations.
2026-04-06 01:33:33 +03:00
45997c0abb
fix: smoke test syntax error — missing image name in docker run ( #100 )
...
The docker run command was truncated, missing the image reference.
This caused a bash syntax error (unexpected do token) when the for
loop was parsed as part of the docker run arguments.
2026-04-06 01:15:25 +03:00
25b216d593
fix: remove local NORA from release push targets ( #99 )
...
Push images only to ghcr.io. Local NORA (localhost:5000) rate limiter
returns 429 during parallel image builds, failing the entire release.
Also remove NORA cache-from/cache-to lines (same 429 issue).
2026-04-06 01:07:56 +03:00
0f9be2fa48
fix: add ignore-error to cache-to in release workflow ( #98 )
...
Local NORA rate limiter returns 429 when 3 Docker builds push cache
layers in quick succession. Adding ignore-error=true so cache write
failure does not fail the entire release pipeline.
2026-04-06 01:01:23 +03:00
dependabot[bot]
d396206526
chore(deps): bump sigstore/cosign-installer from 3.8.0 to 4.1.1 ( #71 )
...
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) from 3.8.0 to 4.1.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases )
- [Commits](c56c2d3e59...cad07c2e89support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: DevITWay | Pavel Volkov <devitway@gmail.com >
2026-04-02 12:32:22 +00:00
9709471485
fix: address code review findings
...
- Pin slsa-github-generator and codeql-action by SHA (not tag)
- Replace anonymous tuple with GroupedActivity struct for readability
- Replace unwrap() with if-let for safety
- Add warning message on attestation failure instead of silent || true
- Fix clippy: map_or -> is_some_and
2026-03-20 22:14:16 +00:00
79fa8e0d4a
chore: add CODEOWNERS, CHANGELOG v0.2.33, SLSA provenance, QA scripts
2026-03-19 12:39:58 +00:00
b23765bebd
fix: update cosign-installer SHA to v3.8.0
2026-03-19 11:42:53 +00:00
f76dab1184
fix: pin ClusterFuzzLite base image by SHA, fix Docker tag double-suffix
2026-03-18 13:20:35 +00:00
ccaf543bcc
security: pin Docker base images by SHA, cosign signing in release, branch protection
...
- Pin alpine:3.20 by SHA digest in all Dockerfiles (Pinned-Dependencies)
- Add cosign keyless signing for Docker images and binary (Signed-Releases)
- Enable branch protection: strict status checks, linear history, no force push
- Add .sig and .pem to GitHub Release assets
2026-03-18 09:49:45 +00:00
7df118d488
security: harden OpenSSF Scorecard compliance
...
- Pin all GitHub Actions by SHA hash (Pinned-Dependencies)
- Add top-level permissions: read-all (Token-Permissions)
- Add explicit job-level permissions (least privilege)
- Add OpenSSF Scorecard workflow with weekly schedule
- Publish scorecard results to scorecard.dev and GitHub Security tab
2026-03-17 10:30:15 +00:00
68f4bb2168
fix: clean up stale smoke test container before run
2026-03-15 22:25:37 +00:00
cf5d84ef0a
fix: smoke test port mapping (4000, not 5000)
2026-03-15 21:54:13 +00:00
314c038d94
feat: add integration tests, release runbook, cache fallback
...
- CI: integration job — build NORA, docker push/pull, npm publish/install, API checks
- release: cache-from with ignore-error=true (no dependency on localhost:5000)
- RELEASE_RUNBOOK.md: rollback procedure, deploy order, verification steps
2026-03-15 19:36:38 +00:00
233b83f902
security: make CI gates blocking, add smoke test, clean up dead code
...
- gitleaks, cargo audit, trivy fs now block pipeline on findings
- add smoke test (docker run + curl /health) in release workflow
- deny.toml: add review date to RUSTSEC-2025-0119 ignore
- remove unused validation functions (maven, npm, crate)
- replace blanket #![allow(dead_code)] with targeted allows
2026-03-15 19:25:00 +00:00
058fc41f1c
Merge pull request #24 from getnora-io/dependabot/github_actions/docker/metadata-action-6
...
chore(deps): bump docker/metadata-action from 5 to 6
2026-03-12 22:13:55 +03:00
7f5a3c7c8a
Merge pull request #23 from getnora-io/dependabot/github_actions/aquasecurity/trivy-action-0.35.0
...
chore(deps): bump aquasecurity/trivy-action from 0.34.2 to 0.35.0
2026-03-12 22:13:49 +03:00
5b57cc5913
Merge pull request #22 from getnora-io/dependabot/github_actions/docker/login-action-4
...
chore(deps): bump docker/login-action from 3 to 4
2026-03-12 22:13:45 +03:00
aa844d851d
Merge pull request #21 from getnora-io/dependabot/github_actions/docker/build-push-action-7
...
chore(deps): bump docker/build-push-action from 6 to 7
2026-03-12 22:13:41 +03:00
dependabot[bot]
2c886040d7
chore(deps): bump docker/metadata-action from 5 to 6
...
Bumps [docker/metadata-action](https://github.com/docker/metadata-action ) from 5 to 6.
- [Release notes](https://github.com/docker/metadata-action/releases )
- [Commits](https://github.com/docker/metadata-action/compare/v5...v6 )
---
updated-dependencies:
- dependency-name: docker/metadata-action
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:36 +00:00
dependabot[bot]
9ab6ccc594
chore(deps): bump aquasecurity/trivy-action from 0.34.2 to 0.35.0
...
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action ) from 0.34.2 to 0.35.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases )
- [Commits](https://github.com/aquasecurity/trivy-action/compare/0.34.2...0.35.0 )
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:33 +00:00
dependabot[bot]
679b36b986
chore(deps): bump docker/login-action from 3 to 4
...
Bumps [docker/login-action](https://github.com/docker/login-action ) from 3 to 4.
- [Release notes](https://github.com/docker/login-action/releases )
- [Commits](https://github.com/docker/login-action/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: docker/login-action
dependency-version: '4'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:27 +00:00
dependabot[bot]
da8c473e02
chore(deps): bump docker/build-push-action from 6 to 7
...
Bumps [docker/build-push-action](https://github.com/docker/build-push-action ) from 6 to 7.
- [Release notes](https://github.com/docker/build-push-action/releases )
- [Commits](https://github.com/docker/build-push-action/compare/v6...v7 )
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:23 +00:00
dependabot[bot]
3dc8b81261
chore(deps): bump docker/setup-buildx-action from 3 to 4
...
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action ) from 3 to 4.
- [Release notes](https://github.com/docker/setup-buildx-action/releases )
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
dependency-version: '4'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:20 +00:00
03a3bf9197
Merge pull request #15 from getnora-io/dependabot/github_actions/docker/build-push-action-6
...
chore(deps): bump docker/build-push-action from 5 to 6
2026-03-03 12:14:56 +03:00
6c5f0dda30
Merge pull request #14 from getnora-io/dependabot/github_actions/aquasecurity/trivy-action-0.34.2
...
chore(deps): bump aquasecurity/trivy-action from 0.30.0 to 0.34.2
2026-03-03 12:14:42 +03:00
fb058302c8
Merge pull request #13 from getnora-io/dependabot/github_actions/softprops/action-gh-release-2
...
chore(deps): bump softprops/action-gh-release from 1 to 2
2026-03-03 12:14:29 +03:00
79565aec47
Merge pull request #12 from getnora-io/dependabot/github_actions/actions/upload-artifact-7
...
chore(deps): bump actions/upload-artifact from 4 to 7
2026-03-03 12:14:16 +03:00
dependabot[bot]
c8793a4b60
chore(deps): bump docker/build-push-action from 5 to 6
...
Bumps [docker/build-push-action](https://github.com/docker/build-push-action ) from 5 to 6.
- [Release notes](https://github.com/docker/build-push-action/releases )
- [Commits](https://github.com/docker/build-push-action/compare/v5...v6 )
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:25:58 +00:00
dependabot[bot]
fd4a7b0b0f
chore(deps): bump aquasecurity/trivy-action from 0.30.0 to 0.34.2
...
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action ) from 0.30.0 to 0.34.2.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases )
- [Commits](https://github.com/aquasecurity/trivy-action/compare/0.30.0...0.34.2 )
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.34.2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:25:55 +00:00
dependabot[bot]
7af1e7462c
chore(deps): bump softprops/action-gh-release from 1 to 2
...
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release ) from 1 to 2.
- [Release notes](https://github.com/softprops/action-gh-release/releases )
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md )
- [Commits](https://github.com/softprops/action-gh-release/compare/v1...v2 )
---
updated-dependencies:
- dependency-name: softprops/action-gh-release
dependency-version: '2'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:25:51 +00:00
dependabot[bot]
de1a188fa7
chore(deps): bump actions/upload-artifact from 4 to 7
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v7 )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:25:48 +00:00
dependabot[bot]
36d0749bb3
chore(deps): bump actions/checkout from 4 to 6
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v4...v6 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:25:43 +00:00
fb0f80ac5a
ci: move scan/release to self-hosted, use NORA for cache and images
...
- Add NORA (localhost:5000) as internal registry for image push and cache
- Replace type=gha cache with type=registry pointing to NORA
- Move scan and release jobs from ubuntu-latest to self-hosted runner
- Upload binary as artifact in build, download in release (no docker pull)
- Generate SBOM from NORA image instead of ghcr.io
- Add driver-opts: network=host to buildx for localhost registry access
2026-02-25 00:19:37 +00:00
b153bc0c5b
ci: restore Astra Linux SE build, scan, and release image
2026-02-24 17:01:14 +00:00
c7f9d5c036
ci: fix binary path in image (/usr/local/bin/nora)
2026-02-24 14:03:16 +00:00
b41bfd9a88
ci: pin build job to nora runner label to avoid wrong runner
2026-02-24 13:18:11 +00:00
3a6d3eeb9a
feat: add binary + sha256 to GitHub Release artifacts
2026-02-24 12:14:29 +00:00
dependabot[bot]
2c7c497c30
chore(deps): bump softprops/action-gh-release from 1 to 2 ( #5 )
...
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release ) from 1 to 2.
- [Release notes](https://github.com/softprops/action-gh-release/releases )
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md )
- [Commits](https://github.com/softprops/action-gh-release/compare/v1...v2 )
---
updated-dependencies:
- dependency-name: softprops/action-gh-release
dependency-version: '2'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:20:23 +01:00
dependabot[bot]
6b6f88ab9c
chore(deps): bump actions/checkout from 4 to 6 ( #4 )
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v4...v6 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:20:19 +01:00
dependabot[bot]
1255e3227b
chore(deps): bump docker/build-push-action from 5 to 6 ( #3 )
...
Bumps [docker/build-push-action](https://github.com/docker/build-push-action ) from 5 to 6.
- [Release notes](https://github.com/docker/build-push-action/releases )
- [Commits](https://github.com/docker/build-push-action/compare/v5...v6 )
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:20:16 +01:00
dependabot[bot]
aabd0b76fb
chore(deps): bump aquasecurity/trivy-action from 0.30.0 to 0.34.1 ( #2 )
...
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action ) from 0.30.0 to 0.34.1.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases )
- [Commits](https://github.com/aquasecurity/trivy-action/compare/0.30.0...0.34.1 )
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.34.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:20:12 +01:00
ac14405af3
ci: restore scan gate on release, block on HIGH/CRITICAL CVE
2026-02-24 10:53:28 +00:00
5f385dce45
ci: add dependabot, pin trivy-action@0.30.0, release no longer waits on scan
2026-02-24 10:48:06 +00:00
761e08f168
ci: upgrade codeql-action v3 -> v4
2026-02-24 10:41:37 +00:00
fc1288820d
ci: remove astra build for now
2026-02-24 00:39:16 +00:00
a17a75161b
ci: consolidate all docker builds into single job to fix runner network issues
2026-02-24 00:07:44 +00:00
0b3ef3ab96
ci: use shared runner filesystem instead of artifact API to avoid network upload
2026-02-23 23:41:41 +00:00
99e290d30c
ci: fix SBOM image tag and registry credentials
2026-02-23 18:53:17 +00:00
