The Dockerfile already centralizes all version pins into top-level ARGs
(GO_VERSION, ALPINE_IMAGE, CROWDSEC_VERSION, EXPR_LANG_VERSION, XNET_VERSION).
This change closes the remaining gaps so those ARGs are the single source of
truth end-to-end:
- nightly-build.yml now resolves the Alpine image digest at build time and
passes ALPINE_IMAGE as a build-arg, matching the docker-build.yml pattern.
Previously, nightly images were built with the Dockerfile ARG default and
without a pinned digest, making runtime Alpine differ from docker-build.yml.
- six CI workflows (quality-checks, codecov-upload, benchmark, e2e-tests-split,
release-goreleaser, codeql) declared a GO_VERSION env var but their setup-go
steps ignored it and hardcoded the version string directly. They now reference
${{ env.GO_VERSION }}, so Renovate only needs to update one value per file
and the env var actually serves its purpose.
- codeql.yml had no GO_VERSION env var at all; one is now added alongside the
existing GOTOOLCHAIN: auto entry.
When Renovate bumps Go, it updates the env var at the top of each workflow and
the Dockerfile ARG — zero manual hunting required.
The scheduled weekly rebuild was failing because GitHub Actions froze
github.sha at job-queue time. When the Sunday cron queued a job on
March 1 with Feb 23 code (CADDY_VERSION=2.11.0-beta.2), that job ran
two days later on March 3 still using the old code, missing the caddy
version fix that had since landed on main.
Additionally, caddy-security was unpinned, so xcaddy auto-resolved it
to v1.1.36 which requires caddy/v2@v2.11.1 — conflicting with xcaddy's
internally bundled v2.11.0-beta.2 reference.
- Add ref: github.ref_name to checkout step so the rebuild always
fetches current branch HEAD at run time, not the SHA frozen at queue
time
- Add CADDY_SECURITY_VERSION=1.1.36 ARG to pin the caddy-security
plugin to a known-compatible version; pass it via --with so xcaddy
picks up the pinned release
- Add --with github.com/caddyserver/caddy/v2@v${CADDY_TARGET_VERSION}
to force xcaddy to use the declared Caddy version, overriding its own
internal go.sum pin for caddy
- Add Renovate custom manager for CADDY_SECURITY_VERSION so future
caddy-security releases trigger an automated PR instead of silently
breaking the build
Fixes weekly security rebuild CI failures introduced ~Feb 22 when
caddy-security v1.1.36 was published.
- Updated GO_VERSION to 1.25.7 across all GitHub Actions workflows to fix immediate build failures
- Added custom regex manager to `.github/renovate.json` to explicitly track `GO_VERSION` in YAML files
- Ensures Renovate detects and automerges Go updates for workflows alongside the main project
- Updated Docker Compose files to use digest-pinned images for CI contexts.
- Enhanced Dockerfile to pin Go tool installations and verify external downloads with SHA256 checksums.
- Added Renovate configuration for tracking Go tool versions and digest updates.
- Introduced a new design document outlining the architecture and data flow for dependency tracking.
- Created tasks and requirements documentation to ensure compliance with the new digest pinning policy.
- Updated security documentation to reflect the new digest pinning policy and exceptions.
Migrated all Docker stages from Alpine 3.23 to Debian Trixie (13) to
address critical CVE in Alpine's gosu package and improve security
update frequency.
Key changes:
Updated CADDY_IMAGE to debian:trixie-slim
Added gosu-builder stage to compile gosu 1.17 from source with Go 1.25.6
Migrated all builder stages to golang:1.25-trixie
Updated package manager from apk to apt-get
Updated user/group creation to use groupadd/useradd
Changed nologin path from /sbin/nologin to /usr/sbin/nologin
Security impact:
Resolved gosu Critical CVE (built from source eliminates vulnerable Go stdlib)
Reduced overall CVE count from 6 (bookworm) to 2 (trixie)
Remaining 2 CVEs are glibc-related with no upstream fix available
All Go binaries verified vulnerability-free by Trivy and govulncheck
Verification:
E2E tests: 243 passed (5 pre-existing failures unrelated to migration)
Backend coverage: 87.2%
Frontend coverage: 85.89%
Pre-commit hooks: 13/13 passed
TypeScript: 0 errors
Refs: CVE-2026-0861 (glibc, no upstream fix - accepted risk)
- Created `pr_461_remediation_complete.md` detailing the final remediation status, including bug fixes, test results, and coverage metrics.
- Added `pr_461_vulnerability_comment.md` summarizing the supply chain vulnerabilities accepted for PR #461, including risk assessments and mitigation strategies.
- Established `VULNERABILITY_ACCEPTANCE.md` to formally document the acceptance of 9 vulnerabilities in Alpine Linux packages, outlining the rationale, monitoring plans, and compliance with industry standards.
These documents ensure transparency and provide a clear audit trail for the vulnerability management process associated with PR #461.
- Added custom manager in renovate.json to track Go dependencies patched in Dockerfile for Caddy CVE fixes.
- Updated Dockerfile to pre-fetch and override vulnerable module versions for dependencies (expr, quic-go, smallstep/certificates) during the build process.
- Improved build resilience by implementing a fallback mechanism for Caddy versioning.
- Introduced tests for user SMTP audit, covering invite token security, input validation, authorization, and SMTP config security.
- Enhanced user invite functionality with duplicate email protection and case-insensitive checks.
- Updated go.work.sum to include new dependencies and ensure compatibility.
- Added API integration for access lists including listing, creating, updating, deleting, and testing IPs against access lists.
- Created AccessListForm component for creating and editing access lists with validation.
- Developed AccessListSelector component for selecting access lists with detailed display of selected ACL.
- Implemented hooks for managing access lists and handling API interactions.
- Added tests for AccessListSelector and useAccessLists hooks to ensure functionality.
- Enhanced AccessLists page with UI for managing access lists, including create, edit, delete, and test IP features.
- Implemented `docker-build.yml` for building and pushing Docker images with multi-platform support, Trivy security scanning, and conditional builds based on commit messages.
- Created `docker-publish.yml` for streamlined Docker image publishing with Trivy vulnerability scanning on push events.
- Added `docs.yml` to automate documentation deployment to GitHub Pages, including a custom HTML structure and markdown conversion.
- Introduced `propagate-changes.yml` to automate PR creation for synchronizing changes between main, development, and feature branches.
- Established `quality-checks.yml` for running backend (Go) and frontend (React) quality checks, including tests and linting.
- Developed `release.yml` for generating changelogs and creating GitHub releases upon version tag pushes.
- Set up `renovate.yml` for automated dependency updates on a daily schedule.
- Deleted Settings.tsx and Setup.tsx pages, which included functionality for changing passwords and setting up an admin account.
- Removed associated test files for Setup page.
- Eliminated API service definitions related to proxy hosts, remote servers, import functionality, and health checks.
- Cleaned up mock data and test setup files.
- Removed configuration files for TypeScript, Vite, and Tailwind CSS.
- Deleted scripts for testing coverage, release management, Dockerfile validation, and Python compilation checks.
- Removed Sourcery pre-commit wrapper script.
