v1.6.0
What's changed
This release adds full Prometheus observability for Jarvis itself and hardens the project's supply chain — signed images and charts, SLSA provenance, DCO-enforced commits, and a PR-only main branch.
Added
- Prometheus metrics endpoint (
/metrics) — Jarvis now instruments itself: poll cycles, poll errors and duration (jarvis_poll_cycles_total,jarvis_poll_errors_total,jarvis_poll_duration_seconds), alert lifecycle events (jarvis_alert_events_total), per-cluster Alertmanager health (jarvis_cluster_up) and fetch latency (jarvis_cluster_fetch_duration_seconds), WebSocket broadcasts, and standard HTTP request metrics. See docs/metrics.md. - ServiceMonitor support in the Helm chart plus
prometheus.io/*scrape annotations, so Prometheus Operator and annotation-based setups can scrape Jarvis out of the box. - Go native fuzz targets for parser functions, run in CI.
Fixed
jarvis_alert_events_totalno longer drifts from the database: the recorder now counts exactly the events the store actually inserts, fixing missed re-fires after silence expiry and over-counting after restarts.- Alert event metrics carry a
clusterlabel, so you can tell which Alertmanager is flapping.
Security
- Container images and Helm charts are signed keylessly with cosign; releases publish SLSA build provenance (verifiable via
gh attestation verify) and an SPDX SBOM. - All commits require a DCO sign-off, enforced in CI;
mainis protected and PR-only with no bypass actors. - OpenSSF Scorecard runs continuously; GitHub Actions are SHA-pinned; a coordinated vulnerability disclosure policy with private reporting is in place (SECURITY.md).
Changed
- Helm chart versioning is decoupled from the app version; charts are published and signed by a dedicated workflow with an immutability guard.
- Frontend linting (ESLint flat config) is now a hard CI gate.
Full diff: v1.5.3...v1.6.0
Container image
docker pull ghcr.io/kj187/jarvis:1.6.0Digest: sha256:b83243e7dac532057e573900b5baa5434459aee7461957fe00ce791766ee56ba
Verify image signature (cosign)
cosign verify ghcr.io/kj187/jarvis@sha256:b83243e7dac532057e573900b5baa5434459aee7461957fe00ce791766ee56ba \
--certificate-identity-regexp="https://github.com/kj187/jarvis/.*" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com"Verify build provenance (GitHub attestation)
gh attestation verify oci://ghcr.io/kj187/jarvis:1.6.0 --repo kj187/jarvisHelm chart
helm install jarvis oci://ghcr.io/kj187/charts/jarvis --version 1.6.0Verify chart signature (cosign)
cosign verify ghcr.io/kj187/charts/jarvis:1.6.0 \
--certificate-identity-regexp="https://github.com/kj187/jarvis/.*" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com"SBOM
The SPDX SBOM is attached to this release (sbom.spdx.json) and also
embedded in the image manifest (docker buildx imagetools inspect).