marcoallegretti/karapace
1
0
Fork 0
mirror of https://github.com/marcoallegretti/karapace.git synced 2026-03-27 05:53:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
41 commits 2 branches 0 tags 746 KiB
Commit graph

6 commits

Author SHA1 Message Date
Marco Allegretti
a05bb30e9c fix: supply chain credential test false positive, verify-docs SIGPIPE 
- Credential injection test: search for actual fake credential values
  instead of env var name patterns (AWS_SECRET_ACCESS_KEY is
  intentionally in security.rs denied_env_vars list)
- Verify-docs: add || true after head -50 pipe to prevent SIGPIPE
  exit code with pipefail enabled
 2026-02-22 21:08:10 +01:00
Marco Allegretti
9fcd08f012 fix supply chain: provenance paths to workspace, clean rebuild for .d test 
- Move provenance.json from /tmp/ to workspace root so all artifact
  paths share the same least-common-ancestor (fixes upload-artifact
  creating unusable paths like /home/runner/work/.../target/release/)
- Add cargo clean + rebuild before .d file tampering test to reset
  corrupted build state from rmeta tampering test
- All downstream supply chain jobs (verify, tamper, adversarial) were
  failing due to the artifact path issue
 2026-02-22 20:49:25 +01:00
Marco Allegretti
62b9b569be fix supply chain: bump cargo-cyclonedx 0.5.7, fix SBOM generation, fix rmeta test 
- Bump cargo-cyclonedx from 0.5.5 to 0.5.7 (supports lockfile v4)
- Generate SBOM for karapace-cli crate only (single predictable file)
- Fix --output-prefix → --override-filename (CLI change in 0.5.x)
- Fix rmeta tampering test: accept build failure as valid defense
  (cargo rejects corrupted .rmeta with compilation errors)
 2026-02-22 20:31:08 +01:00
Marco Allegretti
3091e5e932 fix CI: bump Rust 1.88→1.93 (lockfile v4 requires newer cargo) 
Cargo.lock version=4 format is not supported by older Rust toolchains.
Pin to 1.93 to match local dev toolchain and lockfile format.
 2026-02-22 19:45:33 +01:00
Marco Allegretti
3e4f2597c5 fix CI: bump Rust 1.82→1.88 (MSRV), fix lockfile check, add xz to opensuse 
- Bump RUST_TOOLCHAIN from 1.82 to 1.88 in ci.yml, release.yml,
  supply-chain-test.yml (darling/time crates require 1.88)
- Replace fragile cargo-update+diff lockfile check with cargo check --locked
- Add xz package to opensuse container deps (needed by rustup)
 2026-02-22 19:41:31 +01:00
Marco Allegretti
bb03d3adad ci: GitHub Actions CI/CD, supply chain hardening, reproducible builds 
- .github/workflows/ci.yml — 17 jobs: fmt, clippy, test, e2e, enospc, e2e-resolve,
  build-release (gnu+musl), smoke-test, reproducibility-check (gnu+musl),
  cross-run-reproducibility (gnu+musl), lockfile-check, cargo-deny, ci-contract
- .github/workflows/release.yml — 4 jobs: build, sign (cosign OIDC), verify, publish
- .github/workflows/supply-chain-test.yml — 11 adversarial jobs: build-and-sign,
  verify-signatures, tamper-binary, tamper-sbom, tamper-signature-removal,
  adversarial-env-injection, adversarial-artifact-tampering, adversarial-build-script,
  adversarial-credential-injection, adversarial-rustflags-bypass, verify-docs-executable
- .github/actions/karapace-build/action.yml — reusable build action
- .cargo/config.toml — SOURCE_DATE_EPOCH=0, local path remapping for reproducibility
- CI_CONTRACT.md — required jobs list enforced by ci-contract gate job
- scripts/generate-sbom.sh — CycloneDX SBOM generation
- CARGO_INCREMENTAL=0 globally, cargo clean before all release builds
- Cosign keyless signing with GitHub Actions OIDC
- 32 total CI jobs across 3 workflows
 2026-02-22 18:39:00 +01:00