GitHub Actions
b27fb306f7
fix(ci): force push nightly branch to handle divergence from development
2026-02-02 13:47:36 +00:00
GitHub Actions
f3ed1614c2
fix(ci): improve nightly build sync process by fetching both branches and preventing non-fast-forward errors
2026-02-02 13:45:21 +00:00
GitHub Actions
3261f5d7a1
fix(ci): normalize branch name for Docker tag in security PR workflow
2026-02-02 13:42:49 +00:00
GitHub Actions
60c3336725
COMMIT_MESSAGE_START
fix(docker): update GeoLite2-Country.mmdb checksum + automation
Fixes critical Docker build failure caused by upstream GeoLite2 database
update without corresponding Dockerfile checksum update.
**Root Cause:**
- GeoLite2-Country.mmdb file updated upstream
- Dockerfile still referenced old SHA256 checksum
- Build aborted at checksum verification (line 352)
- Cascade "blob not found" errors for all COPY commands
**Changes:**
- Update Dockerfile ARG GEOLITE2_COUNTRY_SHA256 to current value
- Add automated weekly checksum update workflow (.github/workflows/update-geolite2.yml)
- Implement error handling: retry logic, format validation, failure notifications
- Document rollback decision matrix with 10 failure scenarios
- Create comprehensive maintenance guide (docs/maintenance/geolite2-checksum-update.md)
- Update CHANGELOG.md and README.md with maintenance references
**Verification:**
- Checksum verified against current upstream file: 436135ee...
- Pre-commit hooks: PASSED (EOF/whitespace auto-fixed)
- Trivy security scan: PASSED (no critical/high issues)
- Dockerfile syntax: VALID
- GitHub Actions YAML: VALID
- No hardcoded secrets or injection vulnerabilities
**Automation Features:**
- Weekly scheduled checks (Monday 2 AM UTC)
- Auto-PR creation when checksum changes
- GitHub issue creation on workflow failure
- Comprehensive error handling and retry logic
**Impact:**
- Unblocks all CI/CD Docker image builds
- Enables publishing to GHCR/Docker Hub
- Prevents future checksum failures via automation
- Zero application code changes (no regression risk)
**Documentation:**
- Implementation plan: docs/plans/geolite2_checksum_fix_spec.md
- QA report: docs/reports/qa_geolite2_checksum_fix.md
- Maintenance guide: docs/maintenance/geolite2-checksum-update.md
**Supervisor Recommendations Implemented:**
- #1: Checksum freshness verification before update
- #3: Rollback decision criteria (10 scenarios)
- #4: Automated workflow error handling
Resolves: https://github.com/Wikid82/Charon/actions/runs/21584236523/job/62188372617
COMMIT_MESSAGE_END
2026-02-02 13:31:56 +00:00
Jeremy
01a7c7ffdf
fix: add VCS_REF and BUILD_DATE to nightly build workflow
2026-01-30 23:22:44 +00:00
Jeremy
a924b90caa
fix(ci): remove failing GoReleaser job and fix propagation workflow
2026-01-30 22:32:25 +00:00
Jeremy
a677b1306e
fix: restore correct Renovate and Playwright workflow triggers
2026-01-30 22:17:04 +00:00
Jeremy
26f3183efc
chore: simplify GoReleaser to Linux-only builds for Docker deployment
2026-01-30 21:40:49 +00:00
Jeremy
76440c8364
Merge branch 'development' into feature/beta-release
2026-01-30 10:21:48 -05:00
Jeremy
ca80149faa
fix(ci): skip Docker artifact steps for Renovate PRs
The "Save Docker Image as Artifact" and "Upload Image Artifact" steps
were running even when skip_build=true, causing CI failures on Renovate
dependency update PRs.
- Add skip_build check to artifact saving step condition
- Add skip_build check to artifact upload step condition
- Aligns artifact steps with existing build skip logic
2026-01-30 15:07:32 +00:00
renovate[bot]
01c9ee2950
chore(deps): update renovatebot/github-action action to v46
2026-01-30 14:58:26 +00:00
Jeremy
b43a5dbae8
chore(ci): add weekly nightly-to-main promotion workflow
Adds automated workflow that creates a PR from nightly → main every
Monday at 9:00 AM UTC for scheduled release promotion.
Features:
- Pre-flight health check verifies critical workflows are passing
- Skips PR creation if nightly has no new commits
- Detects existing PRs and adds comments instead of duplicates
- Labels PRs with 'automated' and 'weekly-promotion'
- Creates GitHub issue on failure for visibility
- Manual trigger via workflow_dispatch with reason input
- NO auto-merge - requires human review and approval
This gives early-week visibility into nightly changes and prevents
Friday surprises from untested code reaching main.
2026-01-30 14:32:17 +00:00
Jeremy
14859df9a6
fix(ci): use local image tag instead of bare digest for E2E tests
2026-01-30 13:03:21 +00:00
GitHub Actions
2427b25940
fix: resolve three CI workflow failures blocking deployments
2026-01-30 07:13:59 +00:00
GitHub Actions
6675f2a169
fix: Implement dependency digest tracking for nightly builds
- Updated Docker Compose files to use digest-pinned images for CI contexts.
- Enhanced Dockerfile to pin Go tool installations and verify external downloads with SHA256 checksums.
- Added Renovate configuration for tracking Go tool versions and digest updates.
- Introduced a new design document outlining the architecture and data flow for dependency tracking.
- Created tasks and requirements documentation to ensure compliance with the new digest pinning policy.
- Updated security documentation to reflect the new digest pinning policy and exceptions.
2026-01-30 06:39:26 +00:00
renovate[bot]
55cf3427a6
chore(deps): update weekly-non-major-updates
2026-01-30 02:08:00 +00:00
GitHub Actions
51ac383576
fix(e2e): update E2E test workflow to use per-shard HTML reports for improved debugging
2026-01-30 01:35:45 +00:00
GitHub Actions
98eae4afd9
fix(docs): update Grype version to v0.107.0 in scripts and documentation
2026-01-30 01:04:46 +00:00
GitHub Actions
b5db4682d7
fix(ci): correct Playwright blob report merging in E2E workflow
2026-01-30 00:55:38 +00:00
renovate[bot]
74bb7d711d
fix(deps): update weekly-non-major-updates
2026-01-28 21:36:35 +00:00
GitHub Actions
d9024545ee
chore: integrate GORM Security Scanner into CI pipeline and update documentation
2026-01-28 10:34:27 +00:00
renovate[bot]
300e89aa9a
fix(deps): update weekly-non-major-updates
2026-01-27 23:26:52 +00:00
GitHub Actions
0da6f7620c
fix: restore PATCH endpoints used by E2E + emergency-token fallback
- register PATCH /api/v1/settings and PATCH /api/v1/security/acl (E2E expectations)
- add emergency-token-aware shortcut handlers (validate X-Emergency-Token → set admin context → invoke handler)
- preserve existing POST handlers and backward compatibility
- rebuild & redeploy E2E image, verified backend build success
Why: unblocked failing Playwright E2E tests that returned 404s and were blocking the hotfix release
2026-01-27 22:43:33 +00:00
GitHub Actions
949eaa243d
fix(e2e): update condition for coverage generation to use vars.PLAYWRIGHT_COVERAGE
2026-01-27 05:28:19 +00:00
GitHub Actions
cbd9612af5
fix(ci): add e2e-tests.yml to push event path filters for workflow triggers
2026-01-27 05:23:49 +00:00
GitHub Actions
436b5f0817
chore: re-enable security e2e scaffolding and triage gaps
2026-01-27 04:53:38 +00:00
GitHub Actions
f9f4ebfd7a
fix(e2e): enhance error handling and reporting in E2E tests and workflows
2026-01-27 02:17:46 +00:00
GitHub Actions
22aee0362d
fix(ci): resolve E2E test failures - emergency server ports and deterministic ACL disable
2026-01-27 01:50:36 +00:00
GitHub Actions
00fe63b8f4
fix(e2e): disable E2E coverage collection and remove Vite dev server for diagnostic purposes
2026-01-26 23:08:06 +00:00
GitHub Actions
a43086e061
fix(e2e): remove reporter override to enable E2E coverage generation
2026-01-26 22:53:16 +00:00
GitHub Actions
f0f7e60e5d
fix(ci): update Go cache path in e2e-tests workflow to improve build efficiency
2026-01-26 22:35:25 +00:00
Jeremy
e01750ac81
Merge branch 'feature/beta-release' into renovate/feature/beta-release-major-6-github-artifact-actions
2026-01-26 17:33:38 -05:00
renovate[bot]
883c15a3d8
chore(deps): update actions/upload-artifact action to v6
2026-01-26 22:33:26 +00:00
Jeremy
c68ea14792
Merge branch 'feature/beta-release' into renovate/feature/beta-release-actions-checkout-6.x
2026-01-26 17:32:55 -05:00
Jeremy
a1ef68c2f6
Merge branch 'feature/beta-release' into renovate/feature/beta-release-weekly-non-major-updates
2026-01-26 17:32:10 -05:00
renovate[bot]
3b24f9459c
chore(deps): update actions/checkout action to v6
2026-01-26 22:31:28 +00:00
renovate[bot]
859d987d1e
fix(deps): update weekly-non-major-updates
2026-01-26 22:31:20 +00:00
renovate[bot]
21134f9b23
chore(deps): pin dependencies
2026-01-26 22:31:03 +00:00
GitHub Actions
54ebba2246
chore(ci): capture prune log and upload artifact (dry-run default)
2026-01-26 20:48:26 +00:00
GitHub Actions
2fbf92f569
chore(ci): add container prune workflow (GHCR + Docker Hub) with dry-run script
2026-01-26 20:47:55 +00:00
GitHub Actions
ac803fd411
fix(ci): add CHARON_EMERGENCY_TOKEN to E2E test workflows
Add missing emergency token environment variable to all E2E test workflows to
fix security teardown failures in CI. Without this token, the emergency reset
endpoint returns 501 "not configured", causing test teardown to fail and
leaving ACL enabled, which blocks 83 subsequent tests.
Changes:
- Add CHARON_EMERGENCY_TOKEN to docker-build.yml test-image job
- Add CHARON_EMERGENCY_TOKEN to e2e-tests.yml e2e-tests job
- Add CHARON_EMERGENCY_TOKEN to playwright.yml playwright job
Verified:
- Docker build strategy already optimal (build once, push to both GHCR + Docker Hub)
- Testing strategy correct (test once by digest, validates both registries)
- All workflows now have environment parity with local development setup
Requires GitHub repository secret:
- Name: CHARON_EMERGENCY_TOKEN
- Value: 64-char hex token (e.g., from openssl rand -hex 32)
Related:
- Emergency endpoint rate limiting removal (proper fix)
- Local emergency token configuration (.env, docker-compose.local.yml)
- Security test suite teardown mechanism
Refs #550
2026-01-26 20:03:30 +00:00
GitHub Actions
f64e3feef8
chore: clean .gitignore cache
2026-01-26 19:22:05 +00:00
GitHub Actions
e5f0fec5db
chore: clean .gitignore cache
2026-01-26 19:21:33 +00:00
GitHub Actions
cf279b0823
fix: Optimize E2E workflow by removing redundant build steps and improving caching strategies. Update Go version in e2e-tests.yml from 1.21 to 1.25.6, set GOTOOLCHAIN to auto across all workflows, and eliminate unnecessary npm installations to enhance CI performance by 30-40%.
2026-01-26 08:58:00 +00:00
GitHub Actions
d703ef0171
fix(e2e): update branch names in workflow triggers to include 'development'
2026-01-26 08:24:49 +00:00
GitHub Actions
c5f412dd05
fix(e2e): add frontend dependency installation step to E2E workflow
2026-01-26 08:09:01 +00:00
GitHub Actions
bbdeedda5d
fix: update Go installation scripts to version 1.25.6 and remove obsolete 1.25.5 script
2026-01-26 07:42:42 +00:00
Jeremy
689e559cf0
Merge branch 'feature/beta-release' into renovate/feature/beta-release-sigstore-cosign-installer-4.x
2026-01-26 01:34:57 -05:00
renovate[bot]
71c3cd917c
chore(deps): update weekly-non-major-updates
2026-01-26 06:29:28 +00:00
renovate[bot]
3f341fadba
chore(deps): update sigstore/cosign-installer action to v4
2026-01-26 05:00:59 +00:00