akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
45618efa030eafbb5f96c1631aecc5bb3a6cd5bc
Charon/docs/plans/tasks.md
GitHub Actions 6675f2a169 fix: Implement dependency digest tracking for nightly builds 
- Updated Docker Compose files to use digest-pinned images for CI contexts.
- Enhanced Dockerfile to pin Go tool installations and verify external downloads with SHA256 checksums.
- Added Renovate configuration for tracking Go tool versions and digest updates.
- Introduced a new design document outlining the architecture and data flow for dependency tracking.
- Created tasks and requirements documentation to ensure compliance with the new digest pinning policy.
- Updated security documentation to reflect the new digest pinning policy and exceptions.
2026-01-30 06:39:26 +00:00

824 B
Raw Blame History

Tasks - Dependency Digest Tracking Plan

Phase 2 - Pinning & Verification Updates

  • Pin dlv and xcaddy versions in Dockerfile.
  • Add checksum verification for CrowdSec fallback tarball.
  • Add checksum verification for GeoLite2 database download.
  • Pin CI compose images by digest.
  • Default Playwright CI compose to workflow digest output with tag override for local runs.
  • Pin whoami test service image by digest in docker-build workflow.
  • Propagate nightly image digest to smoke tests and scans.
  • Pin govulncheck and gopls versions in scripts.
  • Add Renovate regex managers for pinned tool versions and go.work.

Follow-ups

  • Add policy linting to detect unpinned tags in CI-critical files.
  • Update security documentation for digest policy and exceptions.
Reference in New Issue View Git Blame Copy Permalink