renovate[bot]
e54650095c
fix(deps): update weekly-non-major-updates
2026-02-04 17:55:36 +00:00
GitHub Actions
c94642a594
chore: update Go version references from 1.25.6 to 1.25.7 across documentation and scripts
2026-02-04 16:52:52 +00:00
GitHub Actions
4178910eac
refactor: streamline supply chain workflows by removing Syft and Grype installations and utilizing official Anchore actions for SBOM generation and vulnerability scanning
2026-02-03 07:09:54 +00:00
GitHub Actions
f64e3feef8
chore: clean .gitignore cache
2026-01-26 19:22:05 +00:00
GitHub Actions
e5f0fec5db
chore: clean .gitignore cache
2026-01-26 19:21:33 +00:00
GitHub Actions
ba900e20c5
chore(ci): add Docker Hub as secondary container registry
Publish Docker images to both Docker Hub (docker.io/wikid82/charon) and
GitHub Container Registry (ghcr.io/wikid82/charon) for maximum reach.
Add Docker Hub login with secret existence check for graceful fallback
Update docker/metadata-action to generate tags for both registries
Add Cosign keyless signing for both GHCR and Docker Hub images
Attach SBOM to Docker Hub via cosign attach sbom
Add Docker Hub signature verification to supply-chain-verify workflow
Update README with Docker Hub badges and dual registry examples
Update getting-started.md with both registry options
Supply chain security maintained: identical tags, signatures, and SBOMs
on both registries. PR images remain GHCR-only.
2026-01-25 16:04:42 +00:00
renovate[bot]
dfffa66e36
fix(deps): update weekly-non-major-updates
2026-01-25 14:42:45 +00:00
GitHub Actions
55fe64b7ae
fix(ci): sanitize branch names in Docker image tags
Fix "invalid reference format" error in GitHub Actions workflows when
branch names contain forward slashes (e.g., feature/beta-release).
Add sanitization step to playwright.yml converting / to -
Update supply-chain-verify.yml with dynamic branch sanitization
Add sanitization step to supply-chain-pr.yml for artifact names
Branch feature/beta-release → tag feature-beta-release
Fixes Playwright E2E and supply chain security scan workflow failures
2026-01-25 14:39:40 +00:00
GitHub Actions
4adcd9eda1
feat: add nightly branch workflow
2026-01-13 22:11:35 +00:00
renovate[bot]
9d25ca7f09
chore(deps): update github artifact actions to v6
2026-01-12 06:11:30 +00:00
Jeremy
e4d3acf3c1
Merge branch 'feature/beta-release' into renovate/feature/beta-release-major-5-github-artifact-actions
2026-01-12 01:09:21 -05:00
Jeremy
63d4cfae39
Merge pull request #504 from Wikid82/renovate/feature/beta-release-actions-github-script-8.x
chore(deps): update actions/github-script action to v8 (feature/beta-release)
2026-01-12 01:08:51 -05:00
renovate[bot]
e7e42655f2
chore(deps): update github artifact actions to v5
2026-01-12 06:08:41 +00:00
Jeremy
f9e1a59640
Merge branch 'feature/beta-release' into renovate/feature/beta-release-actions-checkout-6.x
2026-01-12 01:08:04 -05:00
renovate[bot]
ee5a19810b
chore(deps): update actions/checkout action to v6
2026-01-12 06:07:25 +00:00
Jeremy
e25aa6270e
Merge pull request #500 from Wikid82/renovate/feature/beta-release-actions-upload-artifact-4.x
chore(deps): update actions/upload-artifact action to v4.6.2 (feature/beta-release)
2026-01-12 01:06:38 -05:00
renovate[bot]
0759ddeab6
chore(deps): update actions/github-script action to v8
2026-01-12 06:00:39 +00:00
renovate[bot]
9d8730f41f
chore(deps): update actions/checkout action to v5
2026-01-12 06:00:24 +00:00
renovate[bot]
d9e5e8001e
chore(deps): update actions/upload-artifact action to v4.6.2
2026-01-12 06:00:18 +00:00
Jeremy
7f7e4c6ff7
Merge pull request #489 from Wikid82/renovate/feature/beta-release-actions-github-script-7.x
chore(deps): update actions/github-script action to v7.1.0 (feature/beta-release)
2026-01-12 00:54:27 -05:00
Jeremy
b71082145b
Merge pull request #487 from Wikid82/renovate/feature/beta-release-actions-checkout-4.x
chore(deps): update actions/checkout action to v4.3.1 (feature/beta-release)
2026-01-12 00:53:50 -05:00
renovate[bot]
69d527682a
chore(deps): update actions/github-script action to v7.1.0
2026-01-12 05:04:02 +00:00
renovate[bot]
b1fd466e20
chore(deps): update actions/checkout action to v4.3.1
2026-01-12 05:03:51 +00:00
renovate[bot]
b44ff56283
chore(deps): update peter-evans/create-or-update-comment action to v5
2026-01-12 05:02:31 +00:00
GitHub Actions
622f5a48e4
fix: Enhance supply chain security with updated PR comments, remediation plan, scan analysis, and detailed vulnerability reporting
- Implemented a new workflow for supply chain security that updates PR comments with current scan results, replacing stale data.
- Created a remediation plan addressing high-severity vulnerabilities in CrowdSec binaries, including action items and timelines.
- Developed a discrepancy analysis document to investigate differences between local and CI vulnerability scans, identifying root causes and remediation steps.
- Enhanced vulnerability reporting in PR comments to include detailed findings, collapsible sections for readability, and artifact uploads for compliance tracking.
2026-01-11 20:13:15 +00:00
GitHub Actions
db7490d763
feat: Enhance supply chain verification by excluding PR builds and add Docker image artifact handling
2026-01-11 07:17:12 +00:00
GitHub Actions
93ff3cb16a
fix: CI/CD workflow improvements
- Mark current specification as complete and ready for the next task.
- Document completed work on CI/CD workflow fixes, including implementation summary and QA report links.
- Archive previous planning documents related to GitHub security warnings.
- Revise QA report to reflect the successful validation of CI workflow documentation updates, with zero high/critical issues found.
- Add new QA report for Grype SBOM remediation implementation, detailing security scans, validation results, and recommendations.
2026-01-11 04:00:30 +00:00
GitHub Actions
6c99372c52
fix(ci): add workflow orchestration for supply chain verification
Resolves issue where supply-chain-verify.yml ran before docker-build.yml
completed, causing verification to skip on PRs because Docker image
didn't exist yet.
**Root Cause:**
Both workflows triggered independently on PR events with no dependency,
running concurrently instead of sequentially.
**Solution:**
Add workflow_run trigger to supply-chain-verify that waits for
docker-build to complete successfully before running.
**Changes:**
- Remove pull_request trigger from supply-chain-verify.yml
- Add workflow_run trigger for "Docker Build, Publish & Test"
- Add job conditional checking workflow_run.conclusion == 'success'
- Update tag determination to handle workflow_run context
- Extract PR number from workflow_run metadata
- Update PR comment logic for workflow_run events
- Add debug logging for workflow_run context
- Document workflow_run depth limitation
**Behavior:**
- PRs: docker-build → supply-chain-verify (sequential)
- Push to main: docker-build → supply-chain-verify (sequential)
- Failed builds: verification skipped (correct behavior)
- Manual triggers: preserved via workflow_dispatch
- Scheduled runs: preserved for weekly scans
**Security:**
- Workflow security validated: LOW risk
- workflow_run runs in default branch context (prevents privilege escalation)
- No secret exposure in logs or comments
- Proper input sanitization for workflow metadata
- YAML validation passed
- Pre-commit hooks passed
**Testing:**
- YAML syntax validated
- All references verified correct
- Regression testing completed (no breaking changes)
- Debug instrumentation added for validation
**Documentation:**
- Implementation summary created
- QA report with security audit
- Plan archived for reference
- Testing guidelines provided
Related: #461 (PR where issue was discovered)
Resolves: Supply chain verification skipping on PRs
Co-authored-by: GitHub Copilot <copilot@github.com>
2026-01-11 00:59:10 +00:00
GitHub Actions
e95590a727
fix: Update security remediation plan and QA report for Grype SBOM implementation
- Removed outdated security remediation plan for DoD failures, indicating no active specifications.
- Documented recent completion of Grype SBOM remediation, including implementation summary and QA report.
- Updated QA report to reflect successful validation of security scans with zero HIGH/CRITICAL findings.
- Deleted the previous QA report file as its contents are now integrated into the current report.
2026-01-10 05:40:56 +00:00
GitHub Actions
8bcfe28709
docs: comprehensive supply chain security QA audit report
Complete security audit covering:
- CodeQL analysis (0 Critical/High issues)
- Trivy vulnerability scanning (clean)
- Shellcheck linting (2 issues fixed)
- Supply chain skill testing
- GitHub Actions workflow validation
- Regression testing
All critical checks PASSED. Ready for deployment.
2026-01-10 03:33:38 +00:00