Publish Docker images to both Docker Hub (docker.io/wikid82/charon) and
GitHub Container Registry (ghcr.io/wikid82/charon) for maximum reach.
Add Docker Hub login with secret existence check for graceful fallback
Update docker/metadata-action to generate tags for both registries
Add Cosign keyless signing for both GHCR and Docker Hub images
Attach SBOM to Docker Hub via cosign attach sbom
Add Docker Hub signature verification to supply-chain-verify workflow
Update README with Docker Hub badges and dual registry examples
Update getting-started.md with both registry options
Supply chain security maintained: identical tags, signatures, and SBOMs
on both registries. PR images remain GHCR-only.
On PRs, images are loaded locally but not pushed to registry.
Add --pull=never to prevent Docker from trying to fetch the
image from ghcr.io, which fails with 'manifest unknown'.
Modified 4 docker commands:
- Caddy version check (docker run)
- Caddy binary extraction (docker create)
- CrowdSec version check (docker run)
- CrowdSec binary extraction (docker create)
Debian-based image takes longer to start than Alpine due to:
- Larger base image
- gosu and CrowdSec built from source
- Additional package dependencies
Increase timeout from 120s to 180s to accommodate slower startup.
- Updated WafConfig.tsx to correct regex for common bad bots.
- Modified cerberus_integration.sh to use curl instead of wget for backend readiness check.
- Changed coraza_integration.sh to utilize curl for checking httpbin backend status.
- Updated crowdsec_startup_test.sh to use curl for LAPI health check.
- Replaced wget with curl in install-go-1.25.5.sh for downloading Go.
- Modified rate_limit_integration.sh to use curl for backend readiness check.
- Updated waf_integration.sh to replace wget with curl for checking httpbin backend status.
Migrated all Docker stages from Alpine 3.23 to Debian Trixie (13) to
address critical CVE in Alpine's gosu package and improve security
update frequency.
Key changes:
Updated CADDY_IMAGE to debian:trixie-slim
Added gosu-builder stage to compile gosu 1.17 from source with Go 1.25.6
Migrated all builder stages to golang:1.25-trixie
Updated package manager from apk to apt-get
Updated user/group creation to use groupadd/useradd
Changed nologin path from /sbin/nologin to /usr/sbin/nologin
Security impact:
Resolved gosu Critical CVE (built from source eliminates vulnerable Go stdlib)
Reduced overall CVE count from 6 (bookworm) to 2 (trixie)
Remaining 2 CVEs are glibc-related with no upstream fix available
All Go binaries verified vulnerability-free by Trivy and govulncheck
Verification:
E2E tests: 243 passed (5 pre-existing failures unrelated to migration)
Backend coverage: 87.2%
Frontend coverage: 85.89%
Pre-commit hooks: 13/13 passed
TypeScript: 0 errors
Refs: CVE-2026-0861 (glibc, no upstream fix - accepted risk)
Feature branch pushes were failing to save artifacts because the image
was pushed to GHCR but not loaded locally. Multi-platform builds
cannot use load:true, so feature branch pushes now build single-platform.
Update branch triggers and downstream workflow logic to support all
branches defined in docker-build.yml (main, development, feature/**).
Changes:
docker-build.yml: Expand branch glob to feature/**, use branch-based tags
playwright.yml: Replace is_beta_push with generic is_push detection
security-pr.yml: Same branch-agnostic pattern
supply-chain-pr.yml: Same pattern, skip PR comments for push events
The workflows now support any push that triggers docker-build:
main branch → tag: latest
development branch → tag: dev
feature/* branches → tag: {branch-name}
Pull requests → tag: pr-{number}
Dynamic artifact naming:
Push events: push-image (shared across all branches)
Pull requests: pr-image-{number}
This ensures CI/CD pipelines work for stable releases, bug fixes,
and new feature development without hardcoded branch names.
Separate PR-specific tests from docker-build.yml into dedicated workflows
that trigger via workflow_run. This creates a cleaner CI architecture where:
playwright.yml: E2E tests triggered after docker-build completes
security-pr.yml: Trivy binary scanning for PRs
supply-chain-pr.yml: SBOM generation + Grype vulnerability scanning
The skip condition used github.ref to detect the beta-release branch,
but for PRs github.ref is "refs/pull/N/merge", not the branch name.
Added github.head_ref to env variables for PR branch detection
Updated condition to check both REF and HEAD_REF
This ensures E2E tests run for PRs from feature/beta-release branch
The DNS provider API endpoints were returning 404 in CI because the
encryption service failed to initialize with an invalid key.
Changed CHARON_ENCRYPTION_KEY from plain text to valid base64 string
Key "dGVzdC1lbmNyeXB0aW9uLWtleS1mb3ItY2ktMzJieXQ=" decodes to 32 bytes
Without valid encryption key, DNS provider routes don't register
This was causing all dns-provider-types.spec.ts tests to fail
Root cause: AES-256-GCM requires exactly 32 bytes for the key
- Changed report title to reflect security audit focus
- Updated date and status to indicate approval for commit
- Enhanced executive summary with detailed validation results
- Included comprehensive test coverage results for backend and frontend
- Documented pre-commit hooks validation and known issues
- Added detailed security scan results, confirming absence of CVE-2025-68156
- Verified binary inspection for expr-lang dependency
- Provided risk assessment and recommendations for post-merge actions
- Updated compliance matrix and final assessment sections
- Improved overall report structure and clarity
- Mark current specification as complete and ready for the next task.
- Document completed work on CI/CD workflow fixes, including implementation summary and QA report links.
- Archive previous planning documents related to GitHub security warnings.
- Revise QA report to reflect the successful validation of CI workflow documentation updates, with zero high/critical issues found.
- Add new QA report for Grype SBOM remediation implementation, detailing security scans, validation results, and recommendations.
- Replace Go interface{} with any (Go 1.18+ standard)
- Add database indexes to frequently queried model fields
- Add JSDoc documentation to frontend API client methods
- Remove deprecated docker-compose version keys
- Add concurrency groups to all 25 GitHub Actions workflows
- Add YAML front matter and fix H1→H2 headings in docs
Coverage: Backend 85.5%, Frontend 87.73%
Security: No vulnerabilities detected
Refs: docs/plans/instruction_compliance_spec.md
