Publish Docker images to both Docker Hub (docker.io/wikid82/charon) and
GitHub Container Registry (ghcr.io/wikid82/charon) for maximum reach.
Add Docker Hub login with secret existence check for graceful fallback
Update docker/metadata-action to generate tags for both registries
Add Cosign keyless signing for both GHCR and Docker Hub images
Attach SBOM to Docker Hub via cosign attach sbom
Add Docker Hub signature verification to supply-chain-verify workflow
Update README with Docker Hub badges and dual registry examples
Update getting-started.md with both registry options
Supply chain security maintained: identical tags, signatures, and SBOMs
on both registries. PR images remain GHCR-only.
After migrating base image from Alpine to Debian Trixie (PR #550),
integration test scripts were using wget-style options with curl
that don't work correctly on Debian.
Changed curl -q -O- (wget syntax) to curl -sf (proper curl):
waf_integration.sh
cerberus_integration.sh
rate_limit_integration.sh
crowdsec_startup_test.sh
install-go-1.25.5.sh
Also added future phase to plan for Playwright security test helpers
to prevent ACL deadlock issues during E2E testing.
Refs: #550
Replace hardcoded CHARON_ENCRYPTION_KEY with environment variable
substitution using Docker Compose required variable syntax.
docker-compose.playwright.yml: use ${CHARON_ENCRYPTION_KEY:?...}
docker-compose.e2e.yml: use ${CHARON_ENCRYPTION_KEY:?...}
e2e-tests.yml: add ephemeral key generation per CI run
.env.test.example: document the requirement prominently
Security: The old key exists in git history and must never be used
in production. Each CI run now generates a unique ephemeral key.
Refs: OWASP A02:2021 - Cryptographic Failures
The previous pattern '/(feat|feat\\()/)' was too broad and could
match any commit containing 'feat' substring (like 'defeat', 'feature').
Changed to '/^feat(\\(.+\\))?:/' which properly matches only
Conventional Commits format: 'feat:' or 'feat(scope):'
- Change base image from debian:bookworm-slim to debian:trixie-slim
- Rename step id from 'caddy' to 'base-image' (more accurate)
- Update output reference from steps.caddy to steps.base-image
- Remove stale Alpine reference
On PRs, images are loaded locally but not pushed to registry.
Add --pull=never to prevent Docker from trying to fetch the
image from ghcr.io, which fails with 'manifest unknown'.
Modified 4 docker commands:
- Caddy version check (docker run)
- Caddy binary extraction (docker create)
- CrowdSec version check (docker run)
- CrowdSec binary extraction (docker create)
Debian-based image takes longer to start than Alpine due to:
- Larger base image
- gosu and CrowdSec built from source
- Additional package dependencies
Increase timeout from 120s to 180s to accommodate slower startup.
Update nightly-build.yml to automatically merge changes from development
branch to nightly before running the build. This enables a workflow where
PRs only need to target development, and nightly builds propagate
automatically.
Add sync-development-to-nightly job that runs first
Remove push trigger on nightly branch (sync handles updates)
All jobs now explicitly checkout nightly branch after sync
Uses fast-forward merge or hard reset if diverged
GHCR stores images with lowercase names only. The SBOM action was using
the mixed-case github.repository value which caused Syft to fail when
trying to pull the image.
Add IMAGE_NAME_LC environment variable with lowercase image name
Update SBOM action, Trivy scan, and docker commands to use lowercase
Applied to all jobs: build-and-push-nightly, test-nightly-image,
verify-nightly-supply-chain
Fixes nightly-build.yml workflow failure in "Generate SBOM" step
- Updated WafConfig.tsx to correct regex for common bad bots.
- Modified cerberus_integration.sh to use curl instead of wget for backend readiness check.
- Changed coraza_integration.sh to utilize curl for checking httpbin backend status.
- Updated crowdsec_startup_test.sh to use curl for LAPI health check.
- Replaced wget with curl in install-go-1.25.5.sh for downloading Go.
- Modified rate_limit_integration.sh to use curl for backend readiness check.
- Updated waf_integration.sh to replace wget with curl for checking httpbin backend status.
Integrate @bgotink/playwright-coverage for E2E test coverage tracking:
Install @bgotink/playwright-coverage package
Update playwright.config.js with coverage reporter
Update test file imports to use coverage-enabled test function
Add e2e-tests.yml coverage artifact upload and merge job
Create codecov.yml with e2e flag configuration
Add E2E coverage skill and VS Code task
Coverage outputs: HTML, LCOV, JSON to coverage/e2e/
CI uploads merged coverage to Codecov with 'e2e' flag
Enables unified coverage view across unit and E2E tests
Migrated all Docker stages from Alpine 3.23 to Debian Trixie (13) to
address critical CVE in Alpine's gosu package and improve security
update frequency.
Key changes:
Updated CADDY_IMAGE to debian:trixie-slim
Added gosu-builder stage to compile gosu 1.17 from source with Go 1.25.6
Migrated all builder stages to golang:1.25-trixie
Updated package manager from apk to apt-get
Updated user/group creation to use groupadd/useradd
Changed nologin path from /sbin/nologin to /usr/sbin/nologin
Security impact:
Resolved gosu Critical CVE (built from source eliminates vulnerable Go stdlib)
Reduced overall CVE count from 6 (bookworm) to 2 (trixie)
Remaining 2 CVEs are glibc-related with no upstream fix available
All Go binaries verified vulnerability-free by Trivy and govulncheck
Verification:
E2E tests: 243 passed (5 pre-existing failures unrelated to migration)
Backend coverage: 87.2%
Frontend coverage: 85.89%
Pre-commit hooks: 13/13 passed
TypeScript: 0 errors
Refs: CVE-2026-0861 (glibc, no upstream fix - accepted risk)
Add comprehensive E2E testing infrastructure including:
docker-compose.playwright.yml for test environment orchestration
TestDataManager utility for per-test namespace isolation
Wait helpers for flaky test prevention
Role-based auth fixtures for admin/user/guest testing
GitHub Actions e2e-tests.yml with 4-shard parallelization
Health check utility for service readiness validation
Phase 0 of 10-week E2E testing plan (Supervisor approved 9.2/10)
All 52 existing E2E tests pass with new infrastructure
Remove unused pull-requests: write permission from auto-versioning workflow.
The workflow uses GitHub Release API which only requires contents: write
permission. This follows the principle of least privilege.
Changes:
- Removed unused pull-requests: write permission
- Added documentation for cancel-in-progress: false setting
- Created backup of original workflow file
- QA verification complete with all security checks passing
Security Impact:
- Reduces attack surface by removing unnecessary permission
- Maintains functionality (no breaking changes)
- Follows OWASP and CIS security best practices
Related Issues:
- Fixes GH013 repository rule violation on tag creation
- CVE-2024-45337 in build cache (fix available, not in production)
- CVE-2025-68156 in CrowdSec awaiting upstream fix
QA Report: docs/reports/qa_report.md
Linter Configuration Updates:
Add version: 2 to .golangci.yml for golangci-lint v2 compatibility
Scope errcheck exclusions to test files only via path-based rules
Maintain production code error checking while allowing test flexibility
CI/CD Documentation:
Fix CodeQL action version comment in security-pr.yml (v3.28.10 → v4)
Create workflow modularization specification (docs/plans/workflow_modularization_spec.md)
Document GitHub environment protection setup for releases
Verification:
Validated linter runs successfully with properly scoped rules
Confirmed all three workflows (playwright, security-pr, supply-chain-pr) are properly modularized
