c0e8f8d813
release: bump version to v0.2.35
2026-03-20 22:54:30 +00:00
1c342c2a19
feat: add anonymous read mode (NORA_AUTH_ANONYMOUS_READ)
...
When auth is enabled with anonymous_read=true, GET/HEAD requests
are allowed without credentials (pull/download), while write
operations (PUT/POST/DELETE/PATCH) still require authentication.
Use case: public demo registries, read-only mirrors.
Config: NORA_AUTH_ANONYMOUS_READ=true or auth.anonymous_read=true
2026-03-20 22:48:41 +00:00
12d4a28d34
fix: address code review findings
...
- Pin slsa-github-generator and codeql-action by SHA (not tag)
- Replace anonymous tuple with GroupedActivity struct for readability
- Replace unwrap() with if-let for safety
- Add warning message on attestation failure instead of silent || true
- Fix clippy: map_or -> is_some_and
2026-03-20 22:14:16 +00:00
a968016815
release: bump version to v0.2.34
2026-03-20 19:46:42 +00:00
281cc0418b
ui: fix table cell padding alignment
...
Add px-4 to all td cells in Mount Points and Activity tables
to match th header padding. Remove non-functional px-4 from
tbody elements (CSS padding does not apply to tbody).
2026-03-20 19:44:14 +00:00
4ec95fed43
fix(deps): update tar 0.4.44 -> 0.4.45
...
Fixes CVE-2026-33055 (PAX size header bypass) and
CVE-2026-33056 (symlink chmod directory traversal).
2026-03-20 19:32:46 +00:00
23d79e2465
ui: group consecutive identical activity entries
...
Repeated cache hits for the same artifact now show as
"artifact (x4)" instead of 4 identical rows.
Reduces visual noise in dashboard activity log.
2026-03-20 19:23:41 +00:00
1d31fddc6b
docs: remove hardcoded scorecard version from README
2026-03-20 11:35:14 +00:00
de3dae5d51
docs: restructure README for conversion
...
- Move badges from top to Security & Trust section
- Add dashboard GIF (EN/RU crossfade) as first visual
- Add "Why NORA" section with key differentiators
- Add "Used by" production reference
- Add binary install option
- Add Supported Registries table with mount points
- Streamline features into scannable list
- Remove emoji from footer
- Add comparison link placeholder
2026-03-20 11:25:32 +00:00
5517789300
test: add 82 unit tests across 7 modules
...
Coverage targets:
- activity_log: ActionType display, ActivityLog push/recent/all/bounded
- audit: AuditEntry, AuditLog write/read with tempdir
- config: defaults for all sub-configs, env overrides, TOML parsing
- dashboard_metrics: record_download/upload, cache_hit_rate, persistence
- error: constructors, Display, IntoResponse for all variants
- metrics: detect_registry for all protocol paths
- repo_index: paginate, RegistryIndex basics, RepoIndex invalidate
Total tests: 103 -> 185
2026-03-20 10:08:49 +00:00
4aedba9f9f
ci: add test coverage with tarpaulin and dynamic badge via gist
2026-03-20 09:32:22 +00:00
97c356fb36
chore: remove internal QA scripts from public repo
2026-03-19 12:42:53 +00:00
f4c9d1419e
chore: add CODEOWNERS, CHANGELOG v0.2.33, SLSA provenance, QA scripts
2026-03-19 12:39:58 +00:00
206bc06927
fix: update cosign-installer SHA to v3.8.0
2026-03-19 11:42:53 +00:00
32a0d97b2a
release: bump version to v0.2.33 ( #46 )
2026-03-19 11:41:06 +00:00
6fa5dfd534
release: bump version to v0.2.33
2026-03-19 11:08:51 +00:00
26e1e12e64
fix: use tag for codeql-action in scorecard (webapp rejects SHA pins)
2026-03-19 10:42:14 +00:00
29516f4ea3
fix: add repo_token and permissions to scorecard workflow
2026-03-19 10:35:57 +00:00
28ff719508
fix: revert scorecard-action to tag (Docker action incompatible with SHA pin)
2026-03-19 10:33:27 +00:00
d260ff8b5e
fix: use commit SHA for scorecard-action (not tag SHA)
2026-03-19 09:21:29 +00:00
578cdd7dd6
fix: correct scorecard-action SHA pin for v2.4.3
2026-03-19 09:19:41 +00:00
186855e892
ci: retrigger scorecard workflow
2026-03-19 09:18:00 +00:00
78dd91795d
ci: improve OpenSSF Scorecard rating ( #45 )
...
- Add CodeQL workflow for SAST analysis (Actions language)
- Pin scorecard-action and codeql-action by SHA in scorecard.yml
- Add cargo-audit SARIF upload for security tab integration
2026-03-19 11:51:11 +03:00
c1f6430aa9
security: harden Docker registry and container runtime
...
- Verify blob digest (SHA256) on upload, reject mismatches (DIGEST_INVALID)
- Reject sha512 digests (only sha256 supported)
- Add upload session limits: max 100 concurrent, 2GB per session, 30min TTL
- Bind upload sessions to repository name (prevent session fixation)
- Filter .meta.json from Docker tag list (fix ArgoCD Image Updater recursion)
- Fix catalog to show namespaced images (library/alpine instead of library)
- Add security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Run containers as non-root user (USER nora) in all 3 Dockerfiles
- Add configurable NORA_MAX_UPLOAD_SESSIONS and NORA_MAX_UPLOAD_SESSION_SIZE_MB
2026-03-19 08:29:28 +00:00
52e59a8272
fix: pin ClusterFuzzLite base image by SHA, fix Docker tag double-suffix
2026-03-18 13:20:35 +00:00
8b1b9c8401
fix: use project gitleaks config in CI, relax rules for documentation examples
2026-03-18 12:48:05 +00:00
62027c44dc
docs: add public roadmap, cosign verification in install script
2026-03-18 12:36:51 +00:00
68365dfe98
community: add issue/PR templates, code of conduct, update contributing guide
2026-03-18 12:22:10 +00:00
59cdd4530b
chore: remove unused crates and demo traffic scripts
...
- Remove nora-cli (unimplemented stub)
- Remove nora-storage (standalone S3 server, not used)
- Remove demo traffic generator and systemd service
2026-03-18 12:19:58 +00:00
1cc5c8cc86
security: simplify public gitleaks config to generic network rules only
2026-03-18 11:57:21 +00:00
e2919b83de
security: extend leak detection — dev process patterns, soft warnings for borderline content
2026-03-18 11:49:25 +00:00
c035561fd2
security: custom gitleaks rules for internal information leak prevention
2026-03-18 11:42:52 +00:00
1a38902b0c
style: clean up code comments
2026-03-18 11:23:11 +00:00
3b9b2ee0a0
chore: repo cleanup — remove dead crates from workspace, stale files, duplicate assets
...
- Remove nora-cli and nora-storage from workspace (stub crates, not used)
- Remove root install.sh (duplicate of dist/install.sh)
- Remove root logo.jpg (duplicate of ui/logo.jpg)
- Remove committed SBOM .cdx.json files (generated by CI in release)
- Remove stale .githooks/ (real hook is in .git/hooks/)
- Update version in docs-ru to 0.2.32
- Add *.cdx.json to .gitignore
2026-03-18 11:20:22 +00:00
b7cb458edf
test: E2E smoke tests + Playwright browser tests (23 tests)
...
smoke.sh:
- Full E2E smoke test: health, npm proxy/publish/security, Maven, PyPI, Docker, Raw, UI, mirror CLI
- Self-contained: starts NORA, runs tests, cleans up
Playwright (tests/e2e/):
- Dashboard: page load, registry sections visible, npm count > 0, Docker stats
- npm: URL rewriting, scoped packages, tarball download, publish, immutability, security
- Docker: v2 check, catalog, manifest push/pull, tags list
- Maven: proxy download, upload
- PyPI: simple index, package page
- Raw: upload and download
- Health, metrics, OpenAPI endpoints
All 23 tests pass in 4.7s against live NORA instance.
2026-03-18 11:04:19 +00:00
e1a1d80a77
docs: add CII Best Practices passing badge
2026-03-18 10:46:51 +00:00
b50dd6386e
security: pin Docker base images by SHA, cosign signing in release, branch protection
...
- Pin alpine:3.20 by SHA digest in all Dockerfiles (Pinned-Dependencies)
- Add cosign keyless signing for Docker images and binary (Signed-Releases)
- Enable branch protection: strict status checks, linear history, no force push
- Add .sig and .pem to GitHub Release assets
2026-03-18 09:49:45 +00:00
6b5a397862
docs: changelog v0.2.32
2026-03-18 09:43:49 +00:00
6b4d627fa2
fix: allow NCSA license for libfuzzer-sys in cargo-deny
2026-03-18 09:27:30 +00:00
659e7730de
fix: add MIT license to nora-fuzz crate (cargo-deny compliance)
2026-03-18 09:23:31 +00:00
d0441f31d1
fix: correct cargo-deny key for unused license allowance
2026-03-18 09:19:50 +00:00
1956401932
fix: allow unused license entries in cargo-deny config
2026-03-18 09:15:25 +00:00
e415f0f1ce
fix: Docker dashboard for namespaced images, library/ auto-prepend for Hub official images (v0.2.32)
...
Docker dashboard:
- build_docker_index now finds manifests segment by position, not fixed index
- Correctly indexes library/alpine, grafana/grafana, and other namespaced images
Docker proxy:
- Auto-prepend library/ for single-segment names when upstream returns 404
- Applies to both manifests and blobs
- nginx, alpine, node now work without explicit library/ prefix
- Cached under original name for future local hits
2026-03-18 08:07:53 +00:00
aa86633a04
security: add cargo-fuzz targets and ClusterFuzzLite config
...
Fuzz targets:
- fuzz_validation: storage key, Docker name, digest, reference validators
- fuzz_docker_manifest: Docker/OCI manifest media type detection
Infrastructure:
- lib.rs exposing validation module and docker_fuzz for fuzz harnesses
- ClusterFuzzLite project config (libfuzzer + ASan)
2026-03-17 11:20:17 +00:00
31afa1f70b
fix: use tags for scorecard webapp verification
2026-03-17 11:04:48 +00:00
f36abd82ef
fix: use scorecard-action by tag for webapp verification
2026-03-17 11:02:14 +00:00
ea6a86b0f1
docs: add OpenSSF Scorecard badge
2026-03-17 10:41:00 +00:00
638f99d8dc
Merge pull request #32 from getnora-io/dependabot/cargo/tracing-subscriber-0.3.23
...
chore(deps): bump tracing-subscriber from 0.3.22 to 0.3.23
2026-03-17 13:38:22 +03:00
c55307a3af
Merge pull request #31 from getnora-io/dependabot/cargo/clap-4.6.0
...
chore(deps): bump clap from 4.5.60 to 4.6.0
2026-03-17 13:38:20 +03:00
cc416f3adf
Merge pull request #30 from getnora-io/dependabot/cargo/tempfile-3.27.0
...
chore(deps): bump tempfile from 3.26.0 to 3.27.0
2026-03-17 13:38:17 +03:00
