Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 26 additions & 2 deletions .github/workflows/docker-publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -224,7 +224,7 @@ jobs:
restore-keys: trivy-db-${{ runner.os }}-

- name: Scan image for vulnerabilities (Trivy)
uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
Expand Down Expand Up @@ -371,6 +371,30 @@ jobs:
echo "Created and pushed git tag ${GIT_TAG}"
fi

# Create a GitHub Release with notes extracted from CHANGELOG.md.
# Idempotent: if the release already exists (e.g. workflow re-run) the step
# succeeds without overwriting it.
- name: Create GitHub Release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
GIT_TAG="${{ steps.version.outputs.git_tag }}"
VERSION="${{ steps.version.outputs.version }}"

# Extract the section for this version from CHANGELOG.md.
# Matches lines between "## [X.Y.Z]" and the next "## [" heading.
NOTES=$(awk "/^## \[${VERSION}\]/{found=1; next} found && /^## \[/{exit} found{print}" CHANGELOG.md)

if gh release view "${GIT_TAG}" > /dev/null 2>&1; then
echo "GitHub Release ${GIT_TAG} already exists — skipping."
else
echo "$NOTES" | gh release create "${GIT_TAG}" \
--title "${GIT_TAG}" \
--notes-file - \
--verify-tag
echo "Created GitHub Release ${GIT_TAG}"
fi

# Remove the intermediate arch-suffixed staging tags from the registry.
# These are implementation artefacts and should not be publicly visible.
# Uses the GHCR REST API: GET versions to find the ID, then DELETE by ID.
Expand Down Expand Up @@ -597,7 +621,7 @@ jobs:
# HIGH + CRITICAL are reported to the GitHub Security tab via SARIF.
# CRITICAL findings fail the PR check; HIGH are informational only.
- name: Scan PR image for vulnerabilities (Trivy)
uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
Expand Down
112 changes: 112 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,112 @@
# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [2.5.5] - unreleased

### Added
- Property-based fuzz tests using `fast-check` and `@fast-check/vitest` (#58)
- `CONTRIBUTING.md` contribution guide (#60)

### Fixed
- API list filters now use bracket notation (`filter[key]=value`) in `getPages` and `getChapters` (#50)
- Delete tests clean up correctly on failure (#49)

### Security
- Top-level `permissions: read-all` added to all CI workflows for least-privilege token scopes (#57)
- Updated `SECURITY.md` with real vulnerability reporting link and supported version policy (#59)

### Dependencies
- Bumped `node` base image from 24-alpine to 25-alpine (#43)
- Bumped `typescript` to 5.9.3 (#33)
- Bumped `@types/node` to 25.3.5 (#54)
- Bumped `tsx` to 4.21.0 (#39)
- Bumped `actions/checkout` to v6 (#46), `actions/setup-node` to v6 (#47), `actions/cache` to v5 (#45)
- Bumped `github/codeql-action` to v4 (#44), `ossf/scorecard-action` to 2.4.3 (#42)
- Applied StepSecurity hardening to workflow runners (#41)

## [2.5.4] - 2025-05-14

### Fixed
- API list filters now use bracket notation (`filter[key]=value`) in `getPages` and `getChapters` (#50)

## [2.5.3] - 2025-04-28

### Fixed
- API list filters now use bracket notation (`filter[key]=value`) in `getBooks`, `getShelves`, and `getAttachments` (#40)

### Added
- Credential-free unit tests for `BookStackClient` (13 tests, `vi.stubGlobal` pattern) (#27)
- OpenSSF Scorecard workflow (#26)
- 429 retry with backoff in `BookStackClient.request()` honouring `Retry-After` header (#28)
- npm and Trivy DB caching in CI (#24)

### Changed
- Release pipeline now gated on version bump detection — pipeline-only merges skip release steps cleanly (#25)

### Dependencies
- Bumped `actions/attest-build-provenance` to v4 (#32), `actions/upload-artifact` to v7 (#31)
- Bumped `aquasecurity/trivy-action` to 0.34.1 (#30), `actions/checkout` to v6 (#29)

## [2.5.2] - 2025-03-15

### Added
- Full security scanning suite: npm audit, Dependabot, Trivy, CodeQL, OSV Scanner (#20)
- SLSA Level 2 provenance attestation for Docker images (#20)
- Pre-merge CD check job for same-repo PRs — validates Docker images build and push before merge (#19)
- Trivy database caching using GHCR source with ECR fallback (#22)

### Changed
- Upgraded base image to Node 24 (#20)

## [2.5.0] - 2025-02-20

### Changed
- Refactored to monorepo structure: `packages/core` (BookStack API client, native `fetch`) and `packages/stdio` (MCP server, stdio transport)
- Removed axios dependency — all HTTP via native `fetch` only
- Error handling now uses `error.status` / `error.response` (no axios patterns)

### Added
- Multi-arch Docker image (amd64 + arm64) published to GHCR

## [2.4.0] - 2025-01-30

### Added
- System and admin read-only tools (system info, maintenance, audit log, users, roles, webhooks, content permissions, recycle bin)

## [2.3.0] - 2025-01-15

### Added
- Comments API support: list, create, update, delete comments on pages

## [2.2.0] - 2024-12-20

### Added
- Complete CRUD operations: create/update/delete for books, chapters, pages, shelves, attachments
- Functional test suite with global setup/teardown and seed data management
- Write operations gated behind `BOOKSTACK_ENABLE_WRITE=true` environment variable

## [2.1.0] - 2024-12-01

### Added
- Initial release: BookStack MCP server with stdio transport
- Read tools: list and get books, shelves, chapters, pages, attachments, search
- Export tools: PDF, HTML, plain text, Markdown page exports
- Response enhancement: URLs, content previews, human-friendly dates, word counts
- LibreChat and Claude Desktop integration

[Unreleased]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.5.4...HEAD
[2.5.5]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.5.4...v2.5.5
[2.5.4]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.5.3...v2.5.4
[2.5.3]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.5.2...v2.5.3
[2.5.2]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.5.0...v2.5.2
[2.5.0]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.4.0...v2.5.0
[2.4.0]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.3.0...v2.4.0
[2.3.0]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.2.0...v2.3.0
[2.2.0]: https://github.com/paradoxbound/bookstack-mcp/compare/v2.1.0...v2.2.0
[2.1.0]: https://github.com/paradoxbound/bookstack-mcp/releases/tag/v2.1.0