fix: Implement dependency digest tracking for nightly builds

- Updated Docker Compose files to use digest-pinned images for CI contexts.
- Enhanced Dockerfile to pin Go tool installations and verify external downloads with SHA256 checksums.
- Added Renovate configuration for tracking Go tool versions and digest updates.
- Introduced a new design document outlining the architecture and data flow for dependency tracking.
- Created tasks and requirements documentation to ensure compliance with the new digest pinning policy.
- Updated security documentation to reflect the new digest pinning policy and exceptions.
GitHub Actions
2026-01-30 06:38:56 +00:00
parent dcb3e704a3
commit 6675f2a169
19 changed files with 545 additions and 70 deletions
+18
@@ -0,0 +1,18 @@
# Tasks - Dependency Digest Tracking Plan
## Phase 2 - Pinning & Verification Updates
- [x] Pin `dlv` and `xcaddy` versions in Dockerfile.
- [x] Add checksum verification for CrowdSec fallback tarball.
- [x] Add checksum verification for GeoLite2 database download.
- [x] Pin CI compose images by digest.
- [x] Default Playwright CI compose to workflow digest output with tag override for local runs.
- [x] Pin whoami test service image by digest in docker-build workflow.
- [x] Propagate nightly image digest to smoke tests and scans.
- [x] Pin `govulncheck` and `gopls` versions in scripts.
- [x] Add Renovate regex managers for pinned tool versions and go.work.
## Follow-ups
- [ ] Add policy linting to detect unpinned tags in CI-critical files.
- [ ] Update security documentation for digest policy and exceptions.
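Review bot: The last item under "Follow-ups", "Update security documentation for digest policy and exceptions", is left unchecked even though the commit message states that the security documentation was updated to reflect the new digest pinning policy and exceptions; either mark the item `[x]` in this file or drop that claim from the message so the task list and the commit agree on what has actually landed. The same section's first item, policy linting to detect unpinned tags in CI-critical files, is the control that keeps the pinning done in Phase 2 from regressing, so it would help to name the files it should cover (the CI compose files, the Dockerfile and the docker-build workflow listed above) and to note that it is meant to run in CI rather than as a one-off check. Finally, the document opens at "Phase 2" with no Phase 1 section; a one-line pointer to where Phase 1 (presumably the digest tracking design and data flow) is recorded would make the plan readable on its own.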