970374b4e2
chore: add clippy.toml, issue/PR templates, Helm OCI docs, logging env vars
...
- clippy.toml: cognitive-complexity=25, too-many-arguments=7
- Issue templates: bug report + feature request (YAML forms)
- PR template with checklist (fmt, clippy, test, unwrap, changelog)
- README: Helm OCI support documented, NORA_LOG_LEVEL/FORMAT env vars
- GitHub topic: helm-registry re-added (verified helm push/pull works)
2026-04-02 15:27:23 +03:00
dependabot[bot]
4df4aacc32
chore(deps): bump schneegans/dynamic-badges-action from 1.7.0 to 1.8.0 ( #67 )
...
Bumps [schneegans/dynamic-badges-action](https://github.com/schneegans/dynamic-badges-action ) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/schneegans/dynamic-badges-action/releases )
- [Changelog](https://github.com/Schneegans/dynamic-badges-action/blob/master/changelog.md )
- [Commits](e9a478b161...0e50b8bad3support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: DevITWay | Pavel Volkov <devitway@gmail.com >
2026-03-31 19:03:26 +00:00
5d1c07db51
docs: add Go module proxy support to README ( #62 )
...
* docs: add Go module proxy to README, update dashboard GIF
- Add Go Modules to supported registries table
- Add Go usage example (GOPROXY)
- Add Go config.toml example
- Add /go/ endpoint to endpoints table
- Update dashboard GIF with 6 registry cards in one row
- Fix registries count: 6 package registries
* feat(ui): add Raw storage to dashboard, sidebar, and list pages
- Raw Storage card on dashboard with file count and size
- Raw in sidebar navigation with file icon
- Raw list and detail pages (/ui/raw)
- Raw mount point in mount points table
- Grid updated to 7 columns for all registry cards
- README: 7 registries, add Go module proxy docs
* docs: add product badges (release, image size, downloads)
2026-03-27 22:01:41 +03:00
325f51822f
release: v0.3.0 ( #60 )
...
* release: bump version to v0.3.0, update dashboard GIF
New features in v0.3.0:
- Go module proxy (GOPROXY protocol) with caching
- Go in dashboard UI (sidebar, list, detail pages)
- Compact registry cards (6 in one row)
- Updated icons (Cargo crate, Go text mark)
- .gitleaks.toml restored
* security: update .gitignore and remove stale files
* security: update .gitignore to block dev tooling and process files
2026-03-27 21:30:41 +03:00
975264c353
fix(deps): update rustls-webpki 0.103.9 -> 0.103.10 (RUSTSEC-2026-0049)
...
Also revert codeql-action to tag pin in scorecard.yml —
scorecard webapp rejects SHA pins for this specific action.
2026-03-20 23:07:09 +00:00
9709471485
fix: address code review findings
...
- Pin slsa-github-generator and codeql-action by SHA (not tag)
- Replace anonymous tuple with GroupedActivity struct for readability
- Replace unwrap() with if-let for safety
- Add warning message on attestation failure instead of silent || true
- Fix clippy: map_or -> is_some_and
2026-03-20 22:14:16 +00:00
ef5f4e52c3
docs: restructure README for conversion
...
- Move badges from top to Security & Trust section
- Add dashboard GIF (EN/RU crossfade) as first visual
- Add "Why NORA" section with key differentiators
- Add "Used by" production reference
- Add binary install option
- Add Supported Registries table with mount points
- Streamline features into scannable list
- Remove emoji from footer
- Add comparison link placeholder
2026-03-20 11:25:32 +00:00
3246bd9ffd
ci: add test coverage with tarpaulin and dynamic badge via gist
2026-03-20 09:32:22 +00:00
79fa8e0d4a
chore: add CODEOWNERS, CHANGELOG v0.2.33, SLSA provenance, QA scripts
2026-03-19 12:39:58 +00:00
b23765bebd
fix: update cosign-installer SHA to v3.8.0
2026-03-19 11:42:53 +00:00
07aed45518
fix: use tag for codeql-action in scorecard (webapp rejects SHA pins)
2026-03-19 10:42:14 +00:00
4ec963d41c
fix: add repo_token and permissions to scorecard workflow
2026-03-19 10:35:57 +00:00
7f7e3e4986
fix: revert scorecard-action to tag (Docker action incompatible with SHA pin)
2026-03-19 10:33:27 +00:00
d51f176fd8
fix: use commit SHA for scorecard-action (not tag SHA)
2026-03-19 09:21:29 +00:00
34d30433cb
fix: correct scorecard-action SHA pin for v2.4.3
2026-03-19 09:19:41 +00:00
fbd2aa35e8
ci: improve OpenSSF Scorecard rating ( #45 )
...
- Add CodeQL workflow for SAST analysis (Actions language)
- Pin scorecard-action and codeql-action by SHA in scorecard.yml
- Add cargo-audit SARIF upload for security tab integration
2026-03-19 11:51:11 +03:00
f76dab1184
fix: pin ClusterFuzzLite base image by SHA, fix Docker tag double-suffix
2026-03-18 13:20:35 +00:00
e6043a6e2f
fix: use project gitleaks config in CI, relax rules for documentation examples
2026-03-18 12:48:05 +00:00
a36287a627
community: add issue/PR templates, code of conduct, update contributing guide
2026-03-18 12:22:10 +00:00
ccaf543bcc
security: pin Docker base images by SHA, cosign signing in release, branch protection
...
- Pin alpine:3.20 by SHA digest in all Dockerfiles (Pinned-Dependencies)
- Add cosign keyless signing for Docker images and binary (Signed-Releases)
- Enable branch protection: strict status checks, linear history, no force push
- Add .sig and .pem to GitHub Release assets
2026-03-18 09:49:45 +00:00
bc9604bac3
fix: use tags for scorecard webapp verification
2026-03-17 11:04:48 +00:00
15d12d073a
fix: use scorecard-action by tag for webapp verification
2026-03-17 11:02:14 +00:00
7df118d488
security: harden OpenSSF Scorecard compliance
...
- Pin all GitHub Actions by SHA hash (Pinned-Dependencies)
- Add top-level permissions: read-all (Token-Permissions)
- Add explicit job-level permissions (least privilege)
- Add OpenSSF Scorecard workflow with weekly schedule
- Publish scorecard results to scorecard.dev and GitHub Security tab
2026-03-17 10:30:15 +00:00
68f4bb2168
fix: clean up stale smoke test container before run
2026-03-15 22:25:37 +00:00
cf5d84ef0a
fix: smoke test port mapping (4000, not 5000)
2026-03-15 21:54:13 +00:00
028e98759a
fix: integration tests match actual protocol support
...
- Docker, Maven: full push/pull (write support exists)
- npm, PyPI, Cargo: endpoint checks only (read-only proxy, no publish yet)
2026-03-15 19:58:36 +00:00
c351ce3534
feat: add Maven, PyPI, Cargo integration tests
...
- Maven: PUT artifact, GET and verify checksum
- PyPI: twine upload + pip install
- Cargo: API endpoint check
- Now testing all 5 protocols: Docker, npm, Maven, PyPI, Cargo
2026-03-15 19:53:27 +00:00
61c3f07aac
fix: add npm auth token for integration test publish
2026-03-15 19:49:54 +00:00
314c038d94
feat: add integration tests, release runbook, cache fallback
...
- CI: integration job — build NORA, docker push/pull, npm publish/install, API checks
- release: cache-from with ignore-error=true (no dependency on localhost:5000)
- RELEASE_RUNBOOK.md: rollback procedure, deploy order, verification steps
2026-03-15 19:36:38 +00:00
233b83f902
security: make CI gates blocking, add smoke test, clean up dead code
...
- gitleaks, cargo audit, trivy fs now block pipeline on findings
- add smoke test (docker run + curl /health) in release workflow
- deny.toml: add review date to RUSTSEC-2025-0119 ignore
- remove unused validation functions (maven, npm, crate)
- replace blanket #![allow(dead_code)] with targeted allows
2026-03-15 19:25:00 +00:00
058fc41f1c
Merge pull request #24 from getnora-io/dependabot/github_actions/docker/metadata-action-6
...
chore(deps): bump docker/metadata-action from 5 to 6
2026-03-12 22:13:55 +03:00
7f5a3c7c8a
Merge pull request #23 from getnora-io/dependabot/github_actions/aquasecurity/trivy-action-0.35.0
...
chore(deps): bump aquasecurity/trivy-action from 0.34.2 to 0.35.0
2026-03-12 22:13:49 +03:00
5b57cc5913
Merge pull request #22 from getnora-io/dependabot/github_actions/docker/login-action-4
...
chore(deps): bump docker/login-action from 3 to 4
2026-03-12 22:13:45 +03:00
aa844d851d
Merge pull request #21 from getnora-io/dependabot/github_actions/docker/build-push-action-7
...
chore(deps): bump docker/build-push-action from 6 to 7
2026-03-12 22:13:41 +03:00
dependabot[bot]
2c886040d7
chore(deps): bump docker/metadata-action from 5 to 6
...
Bumps [docker/metadata-action](https://github.com/docker/metadata-action ) from 5 to 6.
- [Release notes](https://github.com/docker/metadata-action/releases )
- [Commits](https://github.com/docker/metadata-action/compare/v5...v6 )
---
updated-dependencies:
- dependency-name: docker/metadata-action
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:36 +00:00
dependabot[bot]
9ab6ccc594
chore(deps): bump aquasecurity/trivy-action from 0.34.2 to 0.35.0
...
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action ) from 0.34.2 to 0.35.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases )
- [Commits](https://github.com/aquasecurity/trivy-action/compare/0.34.2...0.35.0 )
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.35.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:33 +00:00
dependabot[bot]
679b36b986
chore(deps): bump docker/login-action from 3 to 4
...
Bumps [docker/login-action](https://github.com/docker/login-action ) from 3 to 4.
- [Release notes](https://github.com/docker/login-action/releases )
- [Commits](https://github.com/docker/login-action/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: docker/login-action
dependency-version: '4'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:27 +00:00
dependabot[bot]
da8c473e02
chore(deps): bump docker/build-push-action from 6 to 7
...
Bumps [docker/build-push-action](https://github.com/docker/build-push-action ) from 6 to 7.
- [Release notes](https://github.com/docker/build-push-action/releases )
- [Commits](https://github.com/docker/build-push-action/compare/v6...v7 )
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:23 +00:00
dependabot[bot]
3dc8b81261
chore(deps): bump docker/setup-buildx-action from 3 to 4
...
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action ) from 3 to 4.
- [Release notes](https://github.com/docker/setup-buildx-action/releases )
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
dependency-version: '4'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:20 +00:00
03a3bf9197
Merge pull request #15 from getnora-io/dependabot/github_actions/docker/build-push-action-6
...
chore(deps): bump docker/build-push-action from 5 to 6
2026-03-03 12:14:56 +03:00
6c5f0dda30
Merge pull request #14 from getnora-io/dependabot/github_actions/aquasecurity/trivy-action-0.34.2
...
chore(deps): bump aquasecurity/trivy-action from 0.30.0 to 0.34.2
2026-03-03 12:14:42 +03:00
fb058302c8
Merge pull request #13 from getnora-io/dependabot/github_actions/softprops/action-gh-release-2
...
chore(deps): bump softprops/action-gh-release from 1 to 2
2026-03-03 12:14:29 +03:00
79565aec47
Merge pull request #12 from getnora-io/dependabot/github_actions/actions/upload-artifact-7
...
chore(deps): bump actions/upload-artifact from 4 to 7
2026-03-03 12:14:16 +03:00
dependabot[bot]
c8793a4b60
chore(deps): bump docker/build-push-action from 5 to 6
...
Bumps [docker/build-push-action](https://github.com/docker/build-push-action ) from 5 to 6.
- [Release notes](https://github.com/docker/build-push-action/releases )
- [Commits](https://github.com/docker/build-push-action/compare/v5...v6 )
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:25:58 +00:00
dependabot[bot]
fd4a7b0b0f
chore(deps): bump aquasecurity/trivy-action from 0.30.0 to 0.34.2
...
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action ) from 0.30.0 to 0.34.2.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases )
- [Commits](https://github.com/aquasecurity/trivy-action/compare/0.30.0...0.34.2 )
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.34.2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:25:55 +00:00
dependabot[bot]
7af1e7462c
chore(deps): bump softprops/action-gh-release from 1 to 2
...
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release ) from 1 to 2.
- [Release notes](https://github.com/softprops/action-gh-release/releases )
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md )
- [Commits](https://github.com/softprops/action-gh-release/compare/v1...v2 )
---
updated-dependencies:
- dependency-name: softprops/action-gh-release
dependency-version: '2'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:25:51 +00:00
dependabot[bot]
de1a188fa7
chore(deps): bump actions/upload-artifact from 4 to 7
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v7 )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:25:48 +00:00
dependabot[bot]
36d0749bb3
chore(deps): bump actions/checkout from 4 to 6
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v4...v6 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:25:43 +00:00
fb0f80ac5a
ci: move scan/release to self-hosted, use NORA for cache and images
...
- Add NORA (localhost:5000) as internal registry for image push and cache
- Replace type=gha cache with type=registry pointing to NORA
- Move scan and release jobs from ubuntu-latest to self-hosted runner
- Upload binary as artifact in build, download in release (no docker pull)
- Generate SBOM from NORA image instead of ghcr.io
- Add driver-opts: network=host to buildx for localhost registry access
2026-02-25 00:19:37 +00:00
b153bc0c5b
ci: restore Astra Linux SE build, scan, and release image
2026-02-24 17:01:14 +00:00
