mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
878 Commits 67 Branches 4 Tags
cc5b108b2f75bde09971e0410594c2367f128bb0
Commit Graph

9 Commits

Author SHA1 Message Date
Jason Woltje
cc5b108b2f fix(security): bump minimatch override to >=10.2.3 (#528)
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
Details
ci/woodpecker/push/web Pipeline was successful
Details
ci/woodpecker/push/api Pipeline was successful
Details
ci/woodpecker/manual/infra Pipeline was successful
Details
ci/woodpecker/manual/coordinator Pipeline was successful
Details
ci/woodpecker/manual/orchestrator Pipeline was successful
Details
ci/woodpecker/manual/web Pipeline was successful
Details
ci/woodpecker/manual/api Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-02-27 01:48:38 +00:00
Jason Woltje
23d610ba5b chore: switch from develop/dev to main/latest image tags (#434)
All checks were successful
ci/woodpecker/push/infra Pipeline was successful
Details
ci/woodpecker/push/coordinator Pipeline was successful
Details
ci/woodpecker/push/orchestrator Pipeline was successful
Details
ci/woodpecker/push/api Pipeline was successful
Details
ci/woodpecker/push/web Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-02-21 22:05:07 +00:00
Jason Woltje
bc4c1f9c70 Merge develop into main
All checks were successful
ci/woodpecker/push/infra Pipeline was successful
Details
ci/woodpecker/push/orchestrator Pipeline was successful
Details
ci/woodpecker/push/coordinator Pipeline was successful
Details
ci/woodpecker/push/web Pipeline was successful
Details
ci/woodpecker/push/api Pipeline was successful
Details 
Consolidate all feature and fix branches into main:
- feat: orchestrator observability + mosaic rails integration (#422)
- fix: post-422 CI and compose env follow-up (#423)
- fix: orchestrator startup provider-key requirements (#425)
- fix: BetterAuth OAuth2 flow and compose wiring (#426)
- fix: BetterAuth UUID ID generation (#427)
- test: web vitest localStorage/file warnings (#428)
- fix: auth frontend remediation + review hardening (#421)
- Plus numerous Docker, deploy, and auth fixes from develop

Lockfile conflict resolved by regenerating from merged package.json.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-21 14:52:43 -06:00
Jason Woltje
d66451cf48 fix(ci): suppress Next.js bundled tar/minimatch CVEs in trivy (#431)
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
Details
ci/woodpecker/push/web Pipeline was successful
Details
ci/woodpecker/push/api Pipeline was successful
Details 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
 2026-02-21 20:40:17 +00:00
Jason Woltje
fb609d40e3 fix: use Kaniko --snapshot-mode=redo to fix apt GPG errors in CI
Some checks failed
ci/woodpecker/push/coordinator Pipeline failed
Details
ci/woodpecker/push/infra Pipeline was successful
Details
ci/woodpecker/push/api Pipeline failed
Details
ci/woodpecker/push/orchestrator Pipeline failed
Details
ci/woodpecker/push/web Pipeline failed
Details 
Kaniko's default full-filesystem snapshots corrupt GPG verification
state, causing "invalid signature" errors during apt-get update on
Debian bookworm (node:24-slim). Using --snapshot-mode=redo avoids
this by recalculating layer diffs instead of taking full snapshots.

Also keeps the rm -rf /var/lib/apt/lists/* guard in Dockerfiles as
a defense-in-depth measure against stale base-image APT metadata.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-16 19:56:34 -06:00
Jason Woltje
44a44b5f56 fix(ci): remove SHA tags, use only dev/latest/vX.X.X
Some checks failed
ci/woodpecker/push/infra Pipeline was successful
Details
ci/woodpecker/push/orchestrator Pipeline was successful
Details
ci/woodpecker/push/coordinator Pipeline was successful
Details
ci/woodpecker/push/web Pipeline failed
Details
ci/woodpecker/push/api Pipeline failed
Details 
Align image tagging with semver convention:
- develop branch → :dev
- main branch → :latest
- git tags → :vX.X.X

Removes commit SHA tags from all 5 pipelines (api, web, orchestrator,
coordinator, infra) and updates Trivy scans to reference branch/tag.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-14 23:58:51 -06:00
Jason Woltje
0363a14098 fix(#367): migrate Node.js 20 → 24 LTS
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
Details
ci/woodpecker/push/web Pipeline was successful
Details
ci/woodpecker/push/api Pipeline was successful
Details 
Node.js 24 (Krypton) entered Active LTS on 2026-02-09. Update all
Dockerfiles, CI pipelines, and engine constraint from node:20-alpine
to node:24-alpine. Corrected .trivyignore: tar CVEs come from Next.js
16.1.6 bundled tar@7.5.2 (not npm). Orchestrator and API images are
clean; web image needs Next.js upstream fix.

Fixes #367

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-13 15:20:01 -06:00
Jason Woltje
08f62f1787 fix(ci): add .trivyignore for upstream CVEs in base images
Some checks failed
ci/woodpecker/push/infra Pipeline was successful
Details
ci/woodpecker/push/coordinator Pipeline failed
Details
ci/woodpecker/push/web Pipeline failed
Details
ci/woodpecker/push/api Pipeline failed
Details
ci/woodpecker/push/orchestrator Pipeline failed
Details 
All 16 suppressed CVEs are in upstream binaries/packages we don't control:
- Go stdlib CVEs in openbao bin/bao (Go 1.25.6) and postgres gosu (Go 1.24.6)
- OpenBao CVE false positives (Trivy reads Go pseudo-version, we run 2.5.0)
- npm bundled cross-spawn/glob/tar CVEs in node:20-alpine base image

Updated all 6 Trivy scan steps across 5 pipelines to use --ignorefile.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-12 17:05:11 -06:00
Jason Woltje
5a35fd69bc refactor(ci): split monolithic pipeline into per-package pipelines
Some checks failed
ci/woodpecker/push/infra Pipeline failed
Details
ci/woodpecker/push/api Pipeline failed
Details
ci/woodpecker/push/web Pipeline failed
Details
ci/woodpecker/push/coordinator Pipeline failed
Details
ci/woodpecker/push/orchestrator Pipeline failed
Details 
Replace single build.yml with split pipelines per the CI/CD guide:
- api.yml: API with postgres, prisma, Trivy scan
- web.yml: Web with Trivy scan
- orchestrator.yml: Orchestrator with Trivy scan
- coordinator.yml: Python with ruff/mypy/bandit/pip-audit/Trivy
- infra.yml: postgres + openbao builds with Trivy

Adds path filtering (only affected packages rebuild), Trivy container
scanning for all images, and scoped per-package quality gates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-12 10:29:53 -06:00