Skip to content

Commit f0147b1

Browse files
authored
Merge pull request #921 from Wikid82/feature/beta-release
fix: resolve 5 HIGH-severity CVEs blocking nightly container image scan
2 parents 241c0d1 + 615e5a9 commit f0147b1

27 files changed

Lines changed: 1701 additions & 665 deletions

.github/renovate.json

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -232,9 +232,24 @@
232232
"datasourceTemplate": "github-releases",
233233
"versioningTemplate": "semver",
234234
"extractVersionTemplate": "^v(?<version>.*)$"
235+
},
236+
{
237+
"customType": "regex",
238+
"description": "Track go-version in skill example workflows",
239+
"managerFilePatterns": ["/^\\.github/skills/examples/.*\\.yml$/"],
240+
"matchStrings": [
241+
"go-version: [\"']?(?<currentValue>[\\d\\.]+)[\"']?"
242+
],
243+
"depNameTemplate": "golang/go",
244+
"datasourceTemplate": "golang-version",
245+
"versioningTemplate": "semver"
235246
}
236247
],
237248

249+
"github-actions": {
250+
"fileMatch": ["^\\.github/skills/examples/.*\\.ya?ml$"]
251+
},
252+
238253
"packageRules": [
239254
{
240255
"description": "THE MEGAZORD: Group ALL non-major updates (NPM, Docker, Go, Actions) into one PR",

.github/skills/examples/gorm-scanner-ci-workflow.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ jobs:
2525
- name: Setup Go
2626
uses: actions/setup-go@v5
2727
with:
28-
go-version: "1.26.1"
28+
go-version: "1.26.2"
2929

3030
- name: Run GORM Security Scanner
3131
id: gorm-scan

.github/skills/security-scan-docker-image-scripts/run.sh

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ fi
3535
# Check Grype
3636
if ! command -v grype >/dev/null 2>&1; then
3737
log_error "Grype not found - install from: https://github.com/anchore/grype"
38-
log_error "Installation: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.110.0"
38+
log_error "Installation: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.111.0"
3939
error_exit "Grype is required for vulnerability scanning" 2
4040
fi
4141

@@ -50,8 +50,8 @@ SYFT_INSTALLED_VERSION=$(syft version | grep -oP 'Version:\s*\Kv?[0-9]+\.[0-9]+\
5050
GRYPE_INSTALLED_VERSION=$(grype version | grep -oP 'Version:\s*\Kv?[0-9]+\.[0-9]+\.[0-9]+' | head -1 || echo "unknown")
5151

5252
# Set defaults matching CI workflow
53-
set_default_env "SYFT_VERSION" "v1.42.3"
54-
set_default_env "GRYPE_VERSION" "v0.110.0"
53+
set_default_env "SYFT_VERSION" "v1.42.4"
54+
set_default_env "GRYPE_VERSION" "v0.111.0"
5555
set_default_env "IMAGE_TAG" "charon:local"
5656
set_default_env "FAIL_ON_SEVERITY" "Critical,High"
5757

.github/workflows/auto-changelog.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,6 @@ jobs:
2424
with:
2525
ref: ${{ github.event.workflow_run.head_sha || github.sha }}
2626
- name: Draft Release
27-
uses: release-drafter/release-drafter@139054aeaa9adc52ab36ddf67437541f039b88e2 # v7
27+
uses: release-drafter/release-drafter@5de93583980a40bd78603b6dfdcda5b4df377b32 # v7
2828
env:
2929
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/benchmark.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ concurrency:
1212
cancel-in-progress: true
1313

1414
env:
15-
GO_VERSION: '1.26.1'
15+
GO_VERSION: '1.26.2'
1616
GOTOOLCHAIN: auto
1717

1818
# Minimal permissions at workflow level; write permissions granted at job level for push only

.github/workflows/codecov-upload.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ concurrency:
2323
cancel-in-progress: true
2424

2525
env:
26-
GO_VERSION: '1.26.1'
26+
GO_VERSION: '1.26.2'
2727
NODE_VERSION: '24.12.0'
2828
GOTOOLCHAIN: auto
2929

.github/workflows/codeql.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ concurrency:
1515

1616
env:
1717
GOTOOLCHAIN: auto
18-
GO_VERSION: '1.26.1'
18+
GO_VERSION: '1.26.2'
1919

2020
permissions:
2121
contents: read

.github/workflows/e2e-tests-split.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -83,7 +83,7 @@ on:
8383

8484
env:
8585
NODE_VERSION: '20'
86-
GO_VERSION: '1.26.1'
86+
GO_VERSION: '1.26.2'
8787
GOTOOLCHAIN: auto
8888
DOCKERHUB_REGISTRY: docker.io
8989
IMAGE_NAME: ${{ github.repository_owner }}/charon

.github/workflows/nightly-build.yml

Lines changed: 24 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ on:
1515
default: "false"
1616

1717
env:
18-
GO_VERSION: '1.26.1'
18+
GO_VERSION: '1.26.2'
1919
NODE_VERSION: '24.12.0'
2020
GOTOOLCHAIN: auto
2121
GHCR_REGISTRY: ghcr.io
@@ -285,7 +285,7 @@ jobs:
285285
286286
echo "Primary SBOM generation failed or produced missing/invalid output; using deterministic Syft fallback"
287287
288-
SYFT_VERSION="v1.42.3"
288+
SYFT_VERSION="v1.42.4"
289289
OS="$(uname -s | tr '[:upper:]' '[:lower:]')"
290290
ARCH="$(uname -m)"
291291
case "$ARCH" in
@@ -394,14 +394,28 @@ jobs:
394394
-p 8080:8080 \
395395
"${IMAGE_REF}"
396396
397-
# Wait for container to start
398-
sleep 10
399-
400-
# Check container is running
401-
docker ps | grep charon-nightly
402-
403-
# Basic health check
404-
curl -f http://localhost:8080/health || exit 1
397+
# Wait for container to become healthy
398+
echo "⏳ Waiting for Charon to be healthy..."
399+
MAX_ATTEMPTS=30
400+
ATTEMPT=0
401+
while [[ ${ATTEMPT} -lt ${MAX_ATTEMPTS} ]]; do
402+
ATTEMPT=$((ATTEMPT + 1))
403+
echo "Attempt ${ATTEMPT}/${MAX_ATTEMPTS}..."
404+
if docker exec charon-nightly wget -qO- http://127.0.0.1:8080/health > /dev/null 2>&1; then
405+
echo "✅ Charon is healthy!"
406+
docker exec charon-nightly wget -qO- http://127.0.0.1:8080/health
407+
break
408+
fi
409+
sleep 2
410+
done
411+
412+
if [[ ${ATTEMPT} -ge ${MAX_ATTEMPTS} ]]; then
413+
echo "❌ Health check failed after ${MAX_ATTEMPTS} attempts"
414+
docker logs charon-nightly
415+
docker stop charon-nightly
416+
docker rm charon-nightly
417+
exit 1
418+
fi
405419
406420
# Cleanup
407421
docker stop charon-nightly

.github/workflows/quality-checks.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ permissions:
1616
checks: write
1717

1818
env:
19-
GO_VERSION: '1.26.1'
19+
GO_VERSION: '1.26.2'
2020
NODE_VERSION: '24.12.0'
2121
GOTOOLCHAIN: auto
2222

0 commit comments

Comments
 (0)