11 Commits

Author	SHA1	Message	Date
Jason Woltje	cc5b108b2f	fix(security): bump minimatch override to >=10.2.3 (#528) ... Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-02-27 01:48:38 +00:00
Jason Woltje	23d610ba5b	chore: switch from develop/dev to main/latest image tags (#434) ... Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-02-21 22:05:07 +00:00
Jason Woltje	bc4c1f9c70	Merge develop into main ... Consolidate all feature and fix branches into main: - feat: orchestrator observability + mosaic rails integration (#422) - fix: post-422 CI and compose env follow-up (#423) - fix: orchestrator startup provider-key requirements (#425) - fix: BetterAuth OAuth2 flow and compose wiring (#426) - fix: BetterAuth UUID ID generation (#427) - test: web vitest localStorage/file warnings (#428) - fix: auth frontend remediation + review hardening (#421) - Plus numerous Docker, deploy, and auth fixes from develop Lockfile conflict resolved by regenerating from merged package.json. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-21 14:52:43 -06:00
Jason Woltje	d66451cf48	fix(ci): suppress Next.js bundled tar/minimatch CVEs in trivy (#431) ... Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-02-21 20:40:17 +00:00
Jason Woltje	fb609d40e3	fix: use Kaniko --snapshot-mode=redo to fix apt GPG errors in CI ... Kaniko's default full-filesystem snapshots corrupt GPG verification state, causing "invalid signature" errors during apt-get update on Debian bookworm (node:24-slim). Using --snapshot-mode=redo avoids this by recalculating layer diffs instead of taking full snapshots. Also keeps the rm -rf /var/lib/apt/lists/* guard in Dockerfiles as a defense-in-depth measure against stale base-image APT metadata. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-16 19:56:34 -06:00
Jason Woltje	44a44b5f56	fix(ci): remove SHA tags, use only dev/latest/vX.X.X ... Align image tagging with semver convention: - develop branch → :dev - main branch → :latest - git tags → :vX.X.X Removes commit SHA tags from all 5 pipelines (api, web, orchestrator, coordinator, infra) and updates Trivy scans to reference branch/tag. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-14 23:58:51 -06:00
Jason Woltje	0363a14098	fix(#367): migrate Node.js 20 → 24 LTS ... Node.js 24 (Krypton) entered Active LTS on 2026-02-09. Update all Dockerfiles, CI pipelines, and engine constraint from node:20-alpine to node:24-alpine. Corrected .trivyignore: tar CVEs come from Next.js 16.1.6 bundled tar@7.5.2 (not npm). Orchestrator and API images are clean; web image needs Next.js upstream fix. Fixes #367 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-13 15:20:01 -06:00
Jason Woltje	e8a9a3087a	fix(ci): fix pipeline #366 — web @mosaic/ui build, Dockerfile find bug, event handler types ... Three root causes resolved: 1. .woodpecker/web.yml: build-shared step was missing @mosaic/ui build, causing 10 test suite failures + 20 typecheck errors (TS2307) 2. apps/orchestrator/Dockerfile: find -o without parentheses only deleted last pattern's matches, leaving spec files with test fixture secrets that triggered 5 Trivy false positives (3 CRITICAL, 2 HIGH) 3. 9 web files had untyped event handler parameters (e) causing 49 lint errors and 19 typecheck errors — added React.ChangeEvent<T> types Verification: lint 0 errors, typecheck 0 errors, tests 73/73 suites pass Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-12 17:50:41 -06:00
Jason Woltje	3b12adf8f7	fix(ci): fix pipeline #365 — web build-shared + orchestrator secret scan ... - Add build-shared step to web.yml so lint/typecheck/test can resolve @mosaic/shared types (same fix previously applied to api.yml) - Remove compiled .spec.js/.test.js files from orchestrator production image to prevent Trivy secret scanning false positives from test fixtures (fake AWS keys and RSA private keys in secret-scanner tests) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-12 17:25:49 -06:00
Jason Woltje	08f62f1787	fix(ci): add .trivyignore for upstream CVEs in base images ... All 16 suppressed CVEs are in upstream binaries/packages we don't control: - Go stdlib CVEs in openbao bin/bao (Go 1.25.6) and postgres gosu (Go 1.24.6) - OpenBao CVE false positives (Trivy reads Go pseudo-version, we run 2.5.0) - npm bundled cross-spawn/glob/tar CVEs in node:20-alpine base image Updated all 6 Trivy scan steps across 5 pipelines to use --ignorefile. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-12 17:05:11 -06:00
Jason Woltje	5a35fd69bc	refactor(ci): split monolithic pipeline into per-package pipelines ... Replace single build.yml with split pipelines per the CI/CD guide: - api.yml: API with postgres, prisma, Trivy scan - web.yml: Web with Trivy scan - orchestrator.yml: Orchestrator with Trivy scan - coordinator.yml: Python with ruff/mypy/bandit/pip-audit/Trivy - infra.yml: postgres + openbao builds with Trivy Adds path filtering (only affected packages rebuild), Trivy container scanning for all images, and scoped per-package quality gates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-12 10:29:53 -06:00