The E2E workflow was failing during backend build because make build
was being executed from the backend/ directory, but the Makefile exists
at the root level.
Remove working-directory: backend from Build backend step
Allows make build to execute from root where Makefile is located
Verified with local test: frontend + backend build successfully
Related to PR #550 E2E workflow failures
The E2E workflow was failing during "Build frontend" because npm ci
was only run at root level. The frontend directory has its own
package.json with React, Tailwind, and other dependencies that were
never installed.
Add "Install frontend dependencies" step before build
Update Node.js version from 18 to 20 (required by markdownlint-cli2)
Fixes failing E2E tests in PR #550
GitHub Actions doesn't allow secrets context in step if expressions.
Add HAS_DOCKERHUB_TOKEN env var at job level that evaluates the secret
existence, then reference that env var in step conditions.
Fixes: "Unrecognized named-value: 'secrets'" workflow validation error
Publish Docker images to both Docker Hub (docker.io/wikid82/charon) and
GitHub Container Registry (ghcr.io/wikid82/charon) for maximum reach.
Add Docker Hub login with secret existence check for graceful fallback
Update docker/metadata-action to generate tags for both registries
Add Cosign keyless signing for both GHCR and Docker Hub images
Attach SBOM to Docker Hub via cosign attach sbom
Add Docker Hub signature verification to supply-chain-verify workflow
Update README with Docker Hub badges and dual registry examples
Update getting-started.md with both registry options
Supply chain security maintained: identical tags, signatures, and SBOMs
on both registries. PR images remain GHCR-only.
After migrating base image from Alpine to Debian Trixie (PR #550),
integration test scripts were using wget-style options with curl
that don't work correctly on Debian.
Changed curl -q -O- (wget syntax) to curl -sf (proper curl):
waf_integration.sh
cerberus_integration.sh
rate_limit_integration.sh
crowdsec_startup_test.sh
install-go-1.25.5.sh
Also added future phase to plan for Playwright security test helpers
to prevent ACL deadlock issues during E2E testing.
Refs: #550
Abort broken rebase (193 commits), use merge instead
Remove feature/beta-release from Renovate baseBranches
Simplify propagate workflow: main → development → feature/*
Fix duplicate lines in codeql.yml from corrupted merge
Fix duplicate entries in package.json
Resolve Dockerfile conflict (keep node:24.13.0-slim for Trixie)
Add .hadolint.yaml to ignore DL3008/DL3059 for Debian images
Refs: #550
Replace hardcoded CHARON_ENCRYPTION_KEY with environment variable
substitution using Docker Compose required variable syntax.
docker-compose.playwright.yml: use ${CHARON_ENCRYPTION_KEY:?...}
docker-compose.e2e.yml: use ${CHARON_ENCRYPTION_KEY:?...}
e2e-tests.yml: add ephemeral key generation per CI run
.env.test.example: document the requirement prominently
Security: The old key exists in git history and must never be used
in production. Each CI run now generates a unique ephemeral key.
Refs: OWASP A02:2021 - Cryptographic Failures
The previous pattern '/(feat|feat\\()/)' was too broad and could
match any commit containing 'feat' substring (like 'defeat', 'feature').
Changed to '/^feat(\\(.+\\))?:/' which properly matches only
Conventional Commits format: 'feat:' or 'feat(scope):'
- Change base image from debian:bookworm-slim to debian:trixie-slim
- Rename step id from 'caddy' to 'base-image' (more accurate)
- Update output reference from steps.caddy to steps.base-image
- Remove stale Alpine reference
On PRs, images are loaded locally but not pushed to registry.
Add --pull=never to prevent Docker from trying to fetch the
image from ghcr.io, which fails with 'manifest unknown'.
Modified 4 docker commands:
- Caddy version check (docker run)
- Caddy binary extraction (docker create)
- CrowdSec version check (docker run)
- CrowdSec binary extraction (docker create)
GitHub Actions
Jeremy
renovate[bot]