dependabot[bot]
de1a188fa7
chore(deps): bump actions/upload-artifact from 4 to 7
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v7 )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:25:48 +00:00
fb0f80ac5a
ci: move scan/release to self-hosted, use NORA for cache and images
...
- Add NORA (localhost:5000) as internal registry for image push and cache
- Replace type=gha cache with type=registry pointing to NORA
- Move scan and release jobs from ubuntu-latest to self-hosted runner
- Upload binary as artifact in build, download in release (no docker pull)
- Generate SBOM from NORA image instead of ghcr.io
- Add driver-opts: network=host to buildx for localhost registry access
2026-02-25 00:19:37 +00:00
b153bc0c5b
ci: restore Astra Linux SE build, scan, and release image
2026-02-24 17:01:14 +00:00
c7f9d5c036
ci: fix binary path in image (/usr/local/bin/nora)
2026-02-24 14:03:16 +00:00
b41bfd9a88
ci: pin build job to nora runner label to avoid wrong runner
2026-02-24 13:18:11 +00:00
3a6d3eeb9a
feat: add binary + sha256 to GitHub Release artifacts
2026-02-24 12:14:29 +00:00
dependabot[bot]
2c7c497c30
chore(deps): bump softprops/action-gh-release from 1 to 2 ( #5 )
...
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release ) from 1 to 2.
- [Release notes](https://github.com/softprops/action-gh-release/releases )
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md )
- [Commits](https://github.com/softprops/action-gh-release/compare/v1...v2 )
---
updated-dependencies:
- dependency-name: softprops/action-gh-release
dependency-version: '2'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:20:23 +01:00
dependabot[bot]
6b6f88ab9c
chore(deps): bump actions/checkout from 4 to 6 ( #4 )
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v4...v6 )
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:20:19 +01:00
dependabot[bot]
1255e3227b
chore(deps): bump docker/build-push-action from 5 to 6 ( #3 )
...
Bumps [docker/build-push-action](https://github.com/docker/build-push-action ) from 5 to 6.
- [Release notes](https://github.com/docker/build-push-action/releases )
- [Commits](https://github.com/docker/build-push-action/compare/v5...v6 )
---
updated-dependencies:
- dependency-name: docker/build-push-action
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:20:16 +01:00
dependabot[bot]
aabd0b76fb
chore(deps): bump aquasecurity/trivy-action from 0.30.0 to 0.34.1 ( #2 )
...
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action ) from 0.30.0 to 0.34.1.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases )
- [Commits](https://github.com/aquasecurity/trivy-action/compare/0.30.0...0.34.1 )
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.34.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:20:12 +01:00
ac14405af3
ci: restore scan gate on release, block on HIGH/CRITICAL CVE
2026-02-24 10:53:28 +00:00
5f385dce45
ci: add dependabot, pin trivy-action@0.30.0, release no longer waits on scan
2026-02-24 10:48:06 +00:00
761e08f168
ci: upgrade codeql-action v3 -> v4
2026-02-24 10:41:37 +00:00
fc1288820d
ci: remove astra build for now
2026-02-24 00:39:16 +00:00
a17a75161b
ci: consolidate all docker builds into single job to fix runner network issues
2026-02-24 00:07:44 +00:00
0b3ef3ab96
ci: use shared runner filesystem instead of artifact API to avoid network upload
2026-02-23 23:41:41 +00:00
99e290d30c
ci: fix SBOM image tag and registry credentials
2026-02-23 18:53:17 +00:00
f74b781d1f
ci: build musl static binary, fix cargo path (hardcode github-runner home)
2026-02-23 18:08:57 +00:00
05c765627f
ci: fix trivy image tag (strip v prefix)
2026-02-23 16:47:18 +00:00
1813546bee
ci: move trivy image scan to separate ubuntu-latest job to avoid self-hosted timeout
2026-02-23 16:15:03 +00:00
196c313f20
ci: add cargo cache to build-binary job, remove nora proxy (no sparse protocol)
2026-02-23 14:17:39 +00:00
aece2d739d
ci: add registry credentials to trivy image scan
2026-02-23 14:01:31 +00:00
b7e11da2da
ci: replace gitleaks action with CLI to avoid license requirement
2026-02-23 13:59:12 +00:00
dd3813edff
ci: use github-runner own rust toolchain instead of ai-user path
2026-02-23 13:54:23 +00:00
6ad710ff32
ci: add security scanning and SBOM to release pipeline
...
- ci.yml: add security job (gitleaks, cargo-audit, cargo-deny, trivy fs)
- release.yml: restructure into build-binary + build-docker matrix + release
- build binary once on self-hosted, reuse across all Docker builds
- trivy image scan per matrix variant, results to GitHub Security tab
- SBOM generation in SPDX and CycloneDX formats attached to release
- deny.toml: cargo-deny policy (allowed licenses, banned openssl, crates.io only)
- Dockerfile: remove Rust build stage, use pre-built binary
- Dockerfile.astra, Dockerfile.redos: FROM scratch for Russian certified OS support
2026-02-23 11:37:27 +00:00
1e01d4df56
ci: add Astra Linux and RedOS parallel builds
...
Add Dockerfile.astra (astralinux/alse) and Dockerfile.redos (redos/redos)
for FSTEC-certified Russian OS targets. Update release.yml with a matrix
strategy that produces three image variants per release:
- ghcr.io/.../nora:0.x.x (Alpine, default)
- ghcr.io/.../nora:0.x.x-astra (Astra Linux SE)
- ghcr.io/.../nora:0.x.x-redos (RED OS)
Build stage is shared (musl static binary) across all variants.
2026-02-23 08:24:48 +00:00
ab5ed3f488
ci: remove unnecessary QEMU step for amd64-only builds
2026-02-23 08:05:54 +00:00
1152308f6c
Use self-hosted runner for release builds
...
16-core runner should be 3-4x faster than GitHub's 2-core runners
2026-01-26 10:39:04 +00:00
6c53b2da84
Speed up release workflow
...
- Remove duplicate tests (already run on push to main)
- Build only for amd64 (arm64 rarely needed for VPS)
2026-01-26 10:18:11 +00:00
97eaa364ae
ci: split workflows - CI for tests, Release for tags only
2026-01-26 08:17:57 +00:00
95a2b5333e
fix: correct rust-toolchain action name
2026-01-26 00:35:45 +00:00
a19477c424
ci: add GitHub Actions workflow for Docker releases
...
- Run tests on PR and push
- Build multi-arch images (amd64, arm64)
- Push to ghcr.io on main branch and tags
- Auto-create GitHub Release on version tags
- Use BuildKit cache for faster builds
2026-01-26 00:34:00 +00:00
