Added
- Broader read-only catalog coverage: additional collectors capture
user-defined catalog objects and extended statistics so dependent
tables and queries are fully represented in a snapshot for downstream
analysis.
- Optional per-collector view in the export ZIP.
- Extra PG 14+ session counters in pg_stat_database; role oid in
login_roles for stable role-name resolution; pg_settings context
and value bounds.

Still read-only by design — three-layer enforcement, no write
operations, no telemetry, no AI.
Supply chain
- Images (same manifest digest in both registries):
  - GHCR: ghcr.io/elevarq/arq-signals:0.9.0
  - Docker Hub: elevarq/arq-signals:0.9.0 (when configured)
- Digest: sha256:270c543d426b3dff71e85db2665a8a9e5b669f959c76ec51fdef4ddd863ed187
- Architectures: linux/amd64, linux/arm64
- Cosign-signed in both registries (keyless, GitHub OIDC)
- SBOM attached as OCI attestation and as sbom.spdx.json release asset
- SLSA build provenance attestation (mode=max)

Quick signature verification (GHCR):
```sh
cosign verify ghcr.io/elevarq/arq-signals:0.9.0 \
  --certificate-identity-regexp='github.com/Elevarq/Arq-Signals/.github/workflows/release.yml@' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com'
```

Same command works against elevarq/arq-signals:0.9.0 — the certificate identity is bound to the workflow, not the registry.

Full verification checklist (manifest, SBOM, provenance, Trivy):
docs/release-verification.md
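
Added example, not taken from the project's own documentation: a tag is mutable, so this script resolves each tag to its digest, compares it with the digest published above, and runs the same cosign check against the digest-pinned reference. It assumes `crane` is installed for digest resolution; the function names and the `--verify` switch are illustrative.

```shell
#!/bin/sh
# Values copied from the release notes above.
EXPECTED_DIGEST='sha256:270c543d426b3dff71e85db2665a8a9e5b669f959c76ec51fdef4ddd863ed187'
IDENTITY_RE='github.com/Elevarq/Arq-Signals/.github/workflows/release.yml@'
ISSUER='https://token.actions.githubusercontent.com'

# is_sha256_digest DIGEST: succeed only for "sha256:" plus 64 lowercase hex chars.
is_sha256_digest() {
  case "$1" in
    sha256:*) hex=${1#sha256:} ;;
    *) return 1 ;;
  esac
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# pinned_ref REPO RESOLVED: print REPO@DIGEST when RESOLVED equals the published
# digest. Returns 2 for a malformed digest, 1 for a mismatch.
pinned_ref() {
  is_sha256_digest "$2" || { echo "malformed digest: $2" >&2; return 2; }
  [ "$2" = "$EXPECTED_DIGEST" ] || { echo "digest mismatch for $1: $2" >&2; return 1; }
  printf '%s@%s\n' "$1" "$2"
}

# verify_release REPO TAG: needs network access, crane (assumed tool) and cosign.
verify_release() {
  resolved=$(crane digest "$1:$2") || return 1
  ref=$(pinned_ref "$1" "$resolved") || return 1
  # Verify the digest-pinned reference, never the tag, so the signature check
  # and a later pull refer to the same manifest.
  cosign verify "$ref" \
    --certificate-identity-regexp="$IDENTITY_RE" \
    --certificate-oidc-issuer="$ISSUER" >/dev/null
}

# Only contact the registries when explicitly asked to.
if [ "${1:-}" = "--verify" ]; then
  verify_release ghcr.io/elevarq/arq-signals 0.9.0 &&
    verify_release elevarq/arq-signals 0.9.0 &&
    echo "both registries resolve to the published digest and verify"
fi
```

Deploying the `repo@sha256:...` reference printed by `pinned_ref` instead of the tag keeps the running image tied to the manifest that was verified.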