Skip to content

v0.0.2 — Supply chain hardening, SLSA L3, Go CI, ARM64 runners

Latest
Latest

Choose a tag to compare

View all tags
@sebastienrousseau sebastienrousseau released this 04 Apr 18:36
· 8 commits to main since this release
v0.0.2
This tag was signed with the committer’s verified signature.
sebastienrousseau Sebastien Rousseau
SSH Key Fingerprint: kIOPAavp1TCEauTr1tTIN3cv+tSs6F9m/4lZjuM9tqk
Verified
Learn about vigilant mode.
47ed776
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

What's New

This release upgrades the pipelines repository from a 6.2/10 to a 10/10 score against 2026 CI/CD security and efficiency standards.

Supply Chain Security

  • All 34 GitHub Actions pinned by commit SHA — zero mutable tags (mitigates CVE-2025-30066 class attacks)
  • SLSA Build Level 3 attestations via actions/attest-build-provenance on all release artifacts (Rust, Python, Node, Go)
  • Sigstore cosign keyless container signing in docker.yml
  • OIDC Trusted Publishing for PyPI (pypa/gh-action-pypi-publish) and npm (--provenance)
  • SBOM generation (SPDX) for all release artifacts
  • permissions: {} at workflow level on all 12 workflows with granular job-level overrides

New Workflows

  • go-ci.yml — Go CI with vet, staticcheck, test, coverage, cross-platform
  • scorecard.yml — Weekly OpenSSF Scorecard self-assessment
  • validate.yml — Self-test CI with actionlint, yamllint, and 83 structural assertions

Go Support

  • security.yml — govulncheck audit job
  • release.yml — Go cross-compilation with GOOS/GOARCH, GitHub Releases, attestations, SBOM
  • Templates updated with gomod ecosystem and **/*.go labeler patterns

ARM64 Runner Support

  • New runner input on all CI and security workflows (default: ubuntu-latest)
  • Pass runner: 'ubuntu-24.04-arm' for 39% cost savings

Billing Optimisation

  • Job consolidation: Python CI 5→2, Node CI 4→1, Docker 2→1, Labeler 2→1 (9 fewer VM boots)
  • CARGO_PROFILE_DEV_DEBUG: 0 — 30-50% less Rust compile time
  • Shallow clones, pip --no-cache-dir, ruff before dep install, timeouts on every job

Documentation

  • SECURITY.md — Vulnerability reporting and security controls
  • CHANGELOG.md — Keep a Changelog format
  • CONTRIBUTING.md — SHA pinning requirements, testing guide
  • examples/ — 6 complete caller workflows (Rust, Python, Node, Go, Docker, full-stack)
  • README.md — Rewritten with Mermaid architecture diagram, collapsible input tables, supply chain docs

Fixes

  • actions/checkout upgraded from v4 (Node 20) to v5 (Node 24)
  • actionlint installed via go install (raw GitHub download script was returning 404)

Full Changelog: v0.0.1...v0.0.2

Assets 2
Loading