mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
811 Commits 67 Branches 4 Tags
23d610ba5b61dda4fb7a4f86b3381e072e7fe251
Commit Graph

5 Commits

Author SHA1 Message Date
Jason Woltje
23d610ba5b chore: switch from develop/dev to main/latest image tags (#434)
All checks were successful
ci/woodpecker/push/infra Pipeline was successful
Details
ci/woodpecker/push/coordinator Pipeline was successful
Details
ci/woodpecker/push/orchestrator Pipeline was successful
Details
ci/woodpecker/push/api Pipeline was successful
Details
ci/woodpecker/push/web Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-02-21 22:05:07 +00:00
Jason Woltje
fb609d40e3 fix: use Kaniko --snapshot-mode=redo to fix apt GPG errors in CI
Some checks failed
ci/woodpecker/push/coordinator Pipeline failed
Details
ci/woodpecker/push/infra Pipeline was successful
Details
ci/woodpecker/push/api Pipeline failed
Details
ci/woodpecker/push/orchestrator Pipeline failed
Details
ci/woodpecker/push/web Pipeline failed
Details 
Kaniko's default full-filesystem snapshots corrupt GPG verification
state, causing "invalid signature" errors during apt-get update on
Debian bookworm (node:24-slim). Using --snapshot-mode=redo avoids
this by recalculating layer diffs instead of taking full snapshots.

Also keeps the rm -rf /var/lib/apt/lists/* guard in Dockerfiles as
a defense-in-depth measure against stale base-image APT metadata.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-16 19:56:34 -06:00
Jason Woltje
44a44b5f56 fix(ci): remove SHA tags, use only dev/latest/vX.X.X
Some checks failed
ci/woodpecker/push/infra Pipeline was successful
Details
ci/woodpecker/push/orchestrator Pipeline was successful
Details
ci/woodpecker/push/coordinator Pipeline was successful
Details
ci/woodpecker/push/web Pipeline failed
Details
ci/woodpecker/push/api Pipeline failed
Details 
Align image tagging with semver convention:
- develop branch → :dev
- main branch → :latest
- git tags → :vX.X.X

Removes commit SHA tags from all 5 pipelines (api, web, orchestrator,
coordinator, infra) and updates Trivy scans to reference branch/tag.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-14 23:58:51 -06:00
Jason Woltje
08f62f1787 fix(ci): add .trivyignore for upstream CVEs in base images
Some checks failed
ci/woodpecker/push/infra Pipeline was successful
Details
ci/woodpecker/push/coordinator Pipeline failed
Details
ci/woodpecker/push/web Pipeline failed
Details
ci/woodpecker/push/api Pipeline failed
Details
ci/woodpecker/push/orchestrator Pipeline failed
Details 
All 16 suppressed CVEs are in upstream binaries/packages we don't control:
- Go stdlib CVEs in openbao bin/bao (Go 1.25.6) and postgres gosu (Go 1.24.6)
- OpenBao CVE false positives (Trivy reads Go pseudo-version, we run 2.5.0)
- npm bundled cross-spawn/glob/tar CVEs in node:20-alpine base image

Updated all 6 Trivy scan steps across 5 pipelines to use --ignorefile.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-12 17:05:11 -06:00
Jason Woltje
5a35fd69bc refactor(ci): split monolithic pipeline into per-package pipelines
Some checks failed
ci/woodpecker/push/infra Pipeline failed
Details
ci/woodpecker/push/api Pipeline failed
Details
ci/woodpecker/push/web Pipeline failed
Details
ci/woodpecker/push/coordinator Pipeline failed
Details
ci/woodpecker/push/orchestrator Pipeline failed
Details 
Replace single build.yml with split pipelines per the CI/CD guide:
- api.yml: API with postgres, prisma, Trivy scan
- web.yml: Web with Trivy scan
- orchestrator.yml: Orchestrator with Trivy scan
- coordinator.yml: Python with ruff/mypy/bandit/pip-audit/Trivy
- infra.yml: postgres + openbao builds with Trivy

Adds path filtering (only affected packages rebuild), Trivy container
scanning for all images, and scoped per-package quality gates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-12 10:29:53 -06:00