v0.10.0-rc.1

Pre-release

@github-actions github-actions released this 25 Jun 20:52
· 3 commits to main since this release
v0.10.0-rc.1
3b1e049

Release candidate. Closes the launch-readiness items found in the
deploy/onboarding review: the AWS/Azure/GCP passwordless onboarding
templates are runnable as documented, image tags are unified, the
extended-statistics-data collectors degrade cleanly under a
least-privilege role, the Terraform modules are validated in CI, and the
AWS aws_rds_iam path is live-validated against an IAM-auth RDS.

Added

  • CI: terraform validate for the cloud onboarding modules (#202). A new
    Terraform Validate workflow runs fmt -check + init -backend=false +
    terraform validate across deploy/{aws,azure,gcp}/terraform on every PR
    that touches those modules. Backend-free, so no cloud credentials are used
    and nothing is provisioned. All three modules validate clean; the earlier
    failure was an environment-specific provider-plugin issue, not a template
    defect.
  • Operator-gated AWS aws_rds_iam live-smoke workflow + runbook (#201).
    A workflow_dispatch-only AWS RDS IAM Live Smoke workflow does
    terraform apply against an IAM-auth RDS instance, transiently grants the
    collector role SSM to reach the loopback-only API, forces a collection,
    asserts a passwordless snapshot, then always terraform destroys. It is
    not part of default CI — nothing runs and no cloud cost is incurred
    until an operator dispatches it with an AWS_LIVE_SMOKE_ROLE_ARN (GitHub→AWS
    OIDC, no long-lived keys). See deploy/aws/LIVE-SMOKE.md. Azure/GCP variants
    follow the same shape (follow-up).
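The backend-free validation pass described in the first Added entry, written as a script a CI step or a developer can run from the repository root. This is an added example, not the project's Terraform Validate workflow; the module paths are the ones the notes list, while the TERRAFORM override and the credential scrub are this script's own additions.

```shell
#!/bin/sh
# Added example, not the project's Terraform Validate workflow: the same
# backend-free pass as a script a CI step (or a developer) can run. The
# module paths are the ones the release notes list; TERRAFORM is an
# assumption of this script so CI can point it at a pinned binary.
set -eu

TERRAFORM="${TERRAFORM:-terraform}"
MODULES="deploy/aws/terraform deploy/azure/terraform deploy/gcp/terraform"

# fmt / init -backend=false / validate never need cloud credentials. Drop any
# that leaked into the job environment so a mis-set provider block cannot
# quietly reach a real account from a PR check.
scrub_cloud_credentials() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_PROFILE
    unset ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID
    unset GOOGLE_APPLICATION_CREDENTIALS GOOGLE_CREDENTIALS
}

# One module: formatting check, then init with no backend (only provider
# plugins are fetched, no state is touched), then validate. The first
# failing step names itself so the PR log says which module broke and why.
validate_module() {
    mod="$1"
    [ -d "$mod" ] || { echo "missing module directory: $mod" >&2; return 2; }
    "$TERRAFORM" -chdir="$mod" fmt -check -recursive >/dev/null \
        || { echo "fmt: $mod is not canonically formatted" >&2; return 1; }
    "$TERRAFORM" -chdir="$mod" init -backend=false -input=false >/dev/null \
        || { echo "init: $mod failed (provider plugin download?)" >&2; return 1; }
    "$TERRAFORM" -chdir="$mod" validate -no-color >/dev/null \
        || { echo "validate: $mod has errors" >&2; return 1; }
    echo "ok: $mod"
}

# All modules, continuing past failures; the exit status is the number of
# modules that did not validate, so zero means the PR check passes.
validate_all() {
    failed=0
    for m in $MODULES; do
        validate_module "$m" || failed=$((failed + 1))
    done
    return "$failed"
}

# `sh validate-modules.sh --run` from the repository root performs the pass;
# without the flag only the functions are defined.
if [ "${1:-}" = "--run" ]; then
    scrub_cloud_credentials
    validate_all
fi
```

The exit status counts failing modules rather than stopping at the first one, so a single PR run reports every broken module; a provider-plugin download failure shows up as an init error for that module only, which is the distinction the notes draw between a template defect and an environment problem.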

Changed

  • Swept all deploy assets to image tag 0.10.0-beta.7 (#199). The Helm
    chart (Chart.yaml version/appVersion, values.yaml image.tag) had
    drifted to beta.6 and the Azure/GCP Terraform + Azure Bicep to beta.5;
    all now pin the smoke-tested beta.7. (AWS templates are bumped in #198.)

Fixed

  • AWS onboarding templates are now runnable as documented (#198). The
    CloudFormation and Terraform templates ran the image as
    ${ImageUri} --config …, which replaced the signals CMD so tini tried to
    exec --config; they now pass the signals subcommand explicitly. User-data
    mints a control-plane API token and passes it via SIGNALS_API_TOKEN (stored
    root-only at /root/signals-api-token, outside the bind mount) so the
    documented signalsctl status / export verification can authenticate, makes
    the bind-mounted config world-readable for the non-root container, and pins the
    AWS image-tag defaults to 0.10.0-beta.7.
  • Azure and GCP onboarding templates are now runnable as documented (#205).
    The Azure (Terraform + Bicep) and GCP (Terraform) templates carried the same
    defects fixed for AWS in #198: they ran the image as ${image} --config …,
    which replaced the signals CMD so tini exec'd --config; they now pass
    the signals subcommand explicitly. Cloud-init mints a control-plane API
    token and passes it via SIGNALS_API_TOKEN (stored root-only at
    /root/signals-api-token, outside the bind mount) so the documented
    signalsctl status / export verification can authenticate, and makes the
    bind-mounted config world-readable for the non-root container.
  • Extended-statistics-data collectors degrade as skipped under a
    least-privilege role, and stop the repeated (incorrect) pg_monitor
    advisory (#200).
    pg_statistic_ext_data has PUBLIC SELECT revoked, so
    pg_statistic_ext_data_v1 / pg_statistic_ext_data_mcv_v1 return
    SQLSTATE 42501 for a pg_monitor role (the LEFT JOIN does not rescue
    it; access needs superuser or an explicit GRANT). These collectors now
    record status=skipped, reason=privilege_owner_only instead of
    failed, so the cycle is no longer reported partial for an expected
    privilege boundary. The operator advisory is corrected (the missing
    privilege is not pg_monitor) and logged once per (target, collector)
    per daemon run instead of every poll. Spec:
    specifications/owner_only_privilege_degradation.md (R116, R117);
    corrects the prior pg_statistic_ext_data_v1 FC-03 / AT-02, which
    wrongly assumed the LEFT JOIN yields available=false rows for a
    non-owner role.
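The launch sequence the first two Fixed entries describe, as one standalone script rather than cloud-specific user-data. This is an added example, not the project's CloudFormation, Terraform or Bicep template. It assumes what the notes state (tini entrypoint with `signals` as the default CMD, SIGNALS_API_TOKEN, a root-only token file outside the bind mount); the config file name config.yaml, the read-only mount, and the random-hex token stand-in for the real mint step are this example's own choices.

```shell
#!/bin/sh
# Added example, not the project's user-data: the launch sequence the Fixed
# entries describe. Assumptions of this script: the image's entrypoint is
# tini with default CMD `signals` (as the notes state), the config file is
# $CONFIG_DIR/config.yaml, and the token is random hex generated here as a
# stand-in for the real mint step, which the notes mention but do not show.
set -eu

IMAGE="${IMAGE:-ghcr.io/elevarq/signals:0.10.0-rc.1}"
CONFIG_DIR="${CONFIG_DIR:-/etc/signals}"              # bind-mounted into the container
TOKEN_FILE="${TOKEN_FILE:-/root/signals-api-token}"   # root-only, outside the mount
DOCKER="${DOCKER:-docker}"

# First 10 characters of ls -l, e.g. "-rw-------"; used to check modes.
file_mode() { ls -ld "$1" | cut -c1-10; }

# The old templates appended `--config …` straight after the image name.
# Docker treats trailing arguments as a replacement CMD, so tini received
# `--config` as the program to exec. Refuse that shape before docker runs.
check_container_args() {
    [ "$#" -gt 0 ] || { echo "no container command given" >&2; return 1; }
    case "$1" in
        -*) echo "'$1' would replace the image CMD; pass the subcommand first (signals --config ...)" >&2
            return 1 ;;
    esac
}

# Mint the API token into a private file: umask 077 makes it 0600 from the
# first byte, and the path is outside CONFIG_DIR, which the container reads.
mint_api_token() {
    dest="$1"
    ( umask 077
      dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n' > "$dest" )
    [ -s "$dest" ]
}

# The container runs as a non-root user, so the bind-mounted config must be
# readable by it (0644); the directory stays root-owned and traversable.
publish_config() {
    mkdir -p "$CONFIG_DIR"
    chmod 755 "$CONFIG_DIR"
    chmod 644 "$CONFIG_DIR/config.yaml"
}

# Run the container. The token travels as an exported environment variable
# that docker copies with `-e NAME` (no value on the docker command line, so
# it does not appear in process listings or shell history).
launch() {
    check_container_args "$@" || return 1
    ( SIGNALS_API_TOKEN="$(cat "$TOKEN_FILE")"
      export SIGNALS_API_TOKEN
      "$DOCKER" run -d --name signals --restart unless-stopped \
          -v "$CONFIG_DIR:$CONFIG_DIR:ro" \
          -e SIGNALS_API_TOKEN \
          "$IMAGE" "$@" )
}

# `sh launch.sh --run` performs the full sequence; without the flag only the
# functions are defined so they can be sourced or tested.
if [ "${1:-}" = "--run" ]; then
    publish_config
    mint_api_token "$TOKEN_FILE"
    launch signals --config "$CONFIG_DIR/config.yaml"
fi
```

The check in check_container_args is the regression guard for the defect the notes describe: any template that again puts a flag where the subcommand belongs fails before docker is invoked, instead of tini failing to exec `--config` after the instance is already up.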
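The degradation rule from the third Fixed entry, worked as a small script: SQLSTATE 42501 from the two extended-statistics-data collectors becomes status=skipped, reason=privilege_owner_only, the advisory fires once per (target, collector) per run, and a cycle with only privilege skips is not reported partial. This is an added example, not the project's collector code; collector names and the SQLSTATE come from the notes, while the marker directory, the psql pre-flight and the constructed poll results are this script's own.

```shell
#!/bin/sh
# Added example, not the project's collector code: the degradation rule the
# Fixed entry describes (42501 on the extended-statistics-data collectors is
# an expected privilege boundary, recorded as skipped and advised once per
# (target, collector) per run). Collector names and SQLSTATE are from the
# notes; the state directory and the constructed poll results are this
# script's own.
set -eu

ADVISORY_STATE="${ADVISORY_STATE:-$(mktemp -d)}"   # one directory per daemon run

# Map (collector, sqlstate) to "status reason". An empty sqlstate is a
# successful collection. 42501 from the two owner-only views means the role
# cannot read pg_statistic_ext_data: skipped, not failed. Any other error
# stays failed so it still surfaces as a partial cycle.
classify_result() {
    collector="$1"; sqlstate="${2:-}"
    case "$collector:$sqlstate" in
        *:) echo "ok -" ;;
        pg_statistic_ext_data_v1:42501|pg_statistic_ext_data_mcv_v1:42501)
            echo "skipped privilege_owner_only" ;;
        *)  echo "failed sqlstate_$sqlstate" ;;
    esac
}

# Emit the operator advisory the first time a (target, collector) pair is
# skipped in this run; return 1 on repeats so later polls stay quiet.
advise_once() {
    target="$1"; collector="$2"
    marker="$ADVISORY_STATE/$(printf '%s' "$target.$collector" | tr -c 'A-Za-z0-9._-' '_')"
    [ ! -e "$marker" ] || return 1
    : > "$marker"
    echo "advisory target=$target collector=$collector: needs SELECT on" \
         "pg_statistic_ext_data (owner-only, not part of pg_monitor); grant it" \
         "explicitly or accept status=skipped" >&2
}

# A cycle is partial only when a collector actually failed; privilege skips
# are expected under least privilege and do not downgrade it.
cycle_status() {
    for r in "$@"; do
        case "$r" in failed*) echo partial; return 0 ;; esac
    done
    echo complete
}

# Optional pre-flight an operator can run against the target (not invoked
# here): does the current role hold SELECT on the catalog at all?
probe_privilege() {
    psql -Atc "select has_table_privilege('pg_statistic_ext_data', 'SELECT')"
}

# One constructed poll result -> one status line, advising where needed.
record() {
    target="$1"; collector="$2"; sqlstate="${3:-}"
    set -- $(classify_result "$collector" "$sqlstate")
    [ "$1" = skipped ] && { advise_once "$target" "$collector" || true; }
    echo "target=$target collector=$collector status=$1 reason=$2"
}

# Two constructed polls of the same target: the advisory prints once, the
# status lines every poll, and the cycle is complete rather than partial.
for poll in 1 2; do
    echo "poll $poll"
    record db-primary pg_statistic_ext_data_v1 42501
    record db-primary pg_statistic_ext_data_mcv_v1 42501
    record db-primary other_collector_example ""
    echo "cycle: $(cycle_status "$(classify_result pg_statistic_ext_data_v1 42501)" \
                                "$(classify_result pg_statistic_ext_data_mcv_v1 42501)" \
                                "$(classify_result other_collector_example "")")"
done
```

The important branch is the one that does not match 42501: an unexpected error on the same views (a missing relation, a connection drop) still classifies as failed, so the privilege carve-out does not mask real collector breakage.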

Supply chain

  • Images (same manifest digest in both registries):
    • GHCR: ghcr.io/elevarq/signals:0.10.0-rc.1
    • Docker Hub: elevarq/signals:0.10.0-rc.1 (when configured)
  • Digest: sha256:83ab91a5736382eba841c5f4b18a65c463536504ce920ec9c8c401b66596f509
  • Architectures: linux/amd64, linux/arm64
  • Cosign-signed in both registries (keyless, GitHub OIDC)
  • SBOM attached as OCI attestation and as sbom.spdx.json release asset
  • SLSA build provenance attestation (mode=max)

Quick signature verification (GHCR):

cosign verify ghcr.io/elevarq/signals:0.10.0-rc.1 \
  --certificate-identity-regexp='github.com/Elevarq/(Signals|signals)/.github/workflows/release.yml@' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com'

Same command works against elevarq/signals:0.10.0-rc.1 — the certificate identity is bound to the workflow, not the registry.
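A deploy-side gate built on the command above, added here as an example and not taken from docs/release-verification.md. It pins the image by the digest published in the Supply chain section instead of by tag, runs the signature check against either registry with the same workflow identity, and then checks the SBOM and provenance attestations. The identity regexp, issuer and digest are the ones on this page; the assumption of this script is that the attestations were attached with `cosign attest` (predicate types spdxjson and slsaprovenance). If they were attached as buildx attestation manifests instead, inspect them with `docker buildx imagetools inspect` rather than `cosign verify-attestation`.

```shell
#!/bin/sh
# Added example, not from docs/release-verification.md: a release gate that
# pins the image by the digest published in the release notes and checks
# the signature, the SPDX SBOM attestation and the SLSA provenance
# attestation against the same workflow identity. Assumes cosign 2.x flag
# names and that the attestations were attached with `cosign attest`; the
# identity regexp, issuer and digest are the ones in the notes.
set -eu

COSIGN="${COSIGN:-cosign}"
IDENTITY_RE='github.com/Elevarq/(Signals|signals)/.github/workflows/release.yml@'
ISSUER='https://token.actions.githubusercontent.com'
EXPECTED_DIGEST='sha256:83ab91a5736382eba841c5f4b18a65c463536504ce920ec9c8c401b66596f509'

# Accept only a full sha256 digest, so a tag can never be passed where a
# pinned reference is required.
is_sha256_digest() {
    rest="${1#sha256:}"
    [ "$rest" != "$1" ] || return 1          # no sha256: prefix
    [ "${#rest}" -eq 64 ] || return 1        # 32 bytes as hex
    [ -z "$(printf '%s' "$rest" | tr -d '0-9a-f')" ]
}

# Build the pinned reference repo@digest, never repo:tag. The tag in the
# notes is for humans; the digest is what a deploy should verify and run.
pinned_ref() {
    repo="$1"; digest="$2"
    is_sha256_digest "$digest" || { echo "refusing non-digest reference: $digest" >&2; return 1; }
    echo "$repo@$digest"
}

# Signature, SBOM attestation, provenance attestation. Each step returns
# explicitly so the gate fails on the first problem even when the caller
# runs it in a context where `set -e` is suspended.
verify_release() {
    ref="$(pinned_ref "$1" "$2")" || return 1
    "$COSIGN" verify "$ref" \
        --certificate-identity-regexp="$IDENTITY_RE" \
        --certificate-oidc-issuer="$ISSUER" >/dev/null \
        || { echo "signature check failed for $ref" >&2; return 1; }
    "$COSIGN" verify-attestation --type spdxjson "$ref" \
        --certificate-identity-regexp="$IDENTITY_RE" \
        --certificate-oidc-issuer="$ISSUER" >/dev/null \
        || { echo "SBOM attestation check failed for $ref" >&2; return 1; }
    "$COSIGN" verify-attestation --type slsaprovenance "$ref" \
        --certificate-identity-regexp="$IDENTITY_RE" \
        --certificate-oidc-issuer="$ISSUER" >/dev/null \
        || { echo "provenance attestation check failed for $ref" >&2; return 1; }
    echo "verified $ref"
}

# `sh verify-release.sh --run` checks both registries; the identity is the
# release workflow, so the same function serves GHCR and Docker Hub.
if [ "${1:-}" = "--run" ]; then
    for repo in ghcr.io/elevarq/signals elevarq/signals; do
        verify_release "$repo" "$EXPECTED_DIGEST"
    done
fi
```

Verifying `repo@digest` rather than `repo:tag` means a moved or re-pushed tag cannot pass the gate: cosign resolves and checks exactly the manifest the notes publish, which is also the digest the notes say is identical in both registries.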

Full verification checklist (manifest, SBOM, provenance, Trivy):
docs/release-verification.md