v0.8.0

@github-actions github-actions released this 09 Jun 04:31
d26cd8a

Highlights

Custom Authorization schemes for the secure HTTP client — the vault's secure HTTP client could previously inject a secret only as a Bearer token or as the bare value of a custom header. APIs that expect a non-Bearer Authorization: <scheme> <secret> scheme — the TYPO3 FAL image providers use Key, DeepL uses DeepL-Auth-Key — could not use the client at all and had to assemble the header by hand from a plaintext key, defeating the point of the vault.

withAuthentication() now accepts a prefix option for Header placement that is prepended to the secret before injection:

$vault->http()->withAuthentication('deepl_api_key', SecretPlacement::Header, [
    'headerName' => 'Authorization',
    'prefix'     => 'DeepL-Auth-Key ',
]);
// → Authorization: DeepL-Auth-Key <secret>

These schemes now get the same audited, memory-scrubbed secret handling as Bearer: the plaintext secret never surfaces in calling code, and the combined prefixed value is zeroed alongside the raw secret once the request is built. The common no-prefix path is unchanged and keeps a single secret buffer (no extra allocation). This unblocks downstream consumers — such as nr-llm's FAL and DeepL services — that need to migrate off plaintext API keys onto audited vault injection.

Maintenance — the API reference now documents the prefix option and corrects the DeepL usage example (which previously showed Bearer, a scheme DeepL never used); plus routine SonarCloud cleanups and a Traefik image digest bump.

Full details are in the changelog.

Installation

composer require netresearch/nr-vault

Security

All release artifacts are signed with Sigstore keyless signing.

Verify signatures

cosign verify-blob \
  --bundle nr-vault-0.8.0.zip.sigstore.json \
  --certificate-identity-regexp "https://github.com/netresearch/.*" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  nr-vault-0.8.0.zip

Verify checksums

sha256sum -c checksums.txt
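
A fail-closed wrapper around the two verification steps above, as an added example that is not part of the nr-vault release notes or project. The function names verify_checksum and verify_release are hypothetical, and it assumes checksums.txt uses the standard sha256sum line format and that artifact names contain no spaces. Unlike a bare sha256sum -c, it requires the named artifact to be listed exactly once, so a file that is absent from checksums.txt cannot pass unverified.

```shell
#!/bin/sh
# Added example, not nr-vault project code. Function names are hypothetical;
# file names and cosign flags are the ones shown in the release notes.

# verify_checksum FILE CHECKSUMS
# Returns 0 only if CHECKSUMS lists FILE exactly once and the digest matches.
# Returns 2 (input missing), 3 (zero or several entries), 1 (digest mismatch).
verify_checksum() {
    file=$1
    sums=$2
    [ -f "$file" ] && [ -f "$sums" ] || { echo "missing $file or $sums" >&2; return 2; }
    name=$(basename -- "$file")
    # sha256sum lines are "<hex>  <name>" (text) or "<hex> *<name>" (binary).
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1 }' "$sums")
    # Count matching entries by word-splitting the digests into positional params.
    set -- $expected
    [ "$#" -eq 1 ] || { echo "expected one entry for $name, found $#" >&2; return 3; }
    actual=$(sha256sum -- "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "digest mismatch for $name" >&2; return 1; }
}

# verify_release ZIP
# Signature first: it ties the artifact to the GitHub Actions identity.
# The checksum alone only proves the file matches checksums.txt, which is
# no stronger than the channel checksums.txt was downloaded over.
verify_release() {
    zip=$1
    cosign verify-blob \
        --bundle "$zip.sigstore.json" \
        --certificate-identity-regexp "https://github.com/netresearch/.*" \
        --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
        "$zip" || { echo "signature verification failed for $zip" >&2; return 1; }
    verify_checksum "$zip" checksums.txt
}

# Usage: verify_release nr-vault-0.8.0.zip && unzip nr-vault-0.8.0.zip
```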

Software Bill of Materials (SBOM)

SBOMs are provided in both SPDX and CycloneDX formats for supply chain transparency.