Skip to content

v1.6.0

Choose a tag to compare

@kj187 kj187 released this 04 Jul 14:21
3560128

What's changed

This release adds full Prometheus observability for Jarvis itself and hardens the project's supply chain — signed images and charts, SLSA provenance, DCO-enforced commits, and a PR-only main branch.

Added

  • Prometheus metrics endpoint (/metrics) — Jarvis now instruments itself: poll cycles, poll errors and duration (jarvis_poll_cycles_total, jarvis_poll_errors_total, jarvis_poll_duration_seconds), alert lifecycle events (jarvis_alert_events_total), per-cluster Alertmanager health (jarvis_cluster_up) and fetch latency (jarvis_cluster_fetch_duration_seconds), WebSocket broadcasts, and standard HTTP request metrics. See docs/metrics.md.
  • ServiceMonitor support in the Helm chart plus prometheus.io/* scrape annotations, so Prometheus Operator and annotation-based setups can scrape Jarvis out of the box.
  • Go native fuzz targets for parser functions, run in CI.

Fixed

  • jarvis_alert_events_total no longer drifts from the database: the recorder now counts exactly the events the store actually inserts, fixing missed re-fires after silence expiry and over-counting after restarts.
  • Alert event metrics carry a cluster label, so you can tell which Alertmanager is flapping.

Security

  • Container images and Helm charts are signed keylessly with cosign; releases publish SLSA build provenance (verifiable via gh attestation verify) and an SPDX SBOM.
  • All commits require a DCO sign-off, enforced in CI; main is protected and PR-only with no bypass actors.
  • OpenSSF Scorecard runs continuously; GitHub Actions are SHA-pinned; a coordinated vulnerability disclosure policy with private reporting is in place (SECURITY.md).

Changed

  • Helm chart versioning is decoupled from the app version; charts are published and signed by a dedicated workflow with an immutability guard.
  • Frontend linting (ESLint flat config) is now a hard CI gate.

Full diff: v1.5.3...v1.6.0


Container image

docker pull ghcr.io/kj187/jarvis:1.6.0

Digest: sha256:b83243e7dac532057e573900b5baa5434459aee7461957fe00ce791766ee56ba

Verify image signature (cosign)

cosign verify ghcr.io/kj187/jarvis@sha256:b83243e7dac532057e573900b5baa5434459aee7461957fe00ce791766ee56ba \
  --certificate-identity-regexp="https://github.com/kj187/jarvis/.*" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"

Verify build provenance (GitHub attestation)

gh attestation verify oci://ghcr.io/kj187/jarvis:1.6.0 --repo kj187/jarvis

Helm chart

helm install jarvis oci://ghcr.io/kj187/charts/jarvis --version 1.6.0

Verify chart signature (cosign)

cosign verify ghcr.io/kj187/charts/jarvis:1.6.0 \
  --certificate-identity-regexp="https://github.com/kj187/jarvis/.*" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"

SBOM

The SPDX SBOM is attached to this release (sbom.spdx.json) and also
embedded in the image manifest (docker buildx imagetools inspect).