v0.3.6

@github-actions github-actions released this 18 Apr 05:32
· 237 commits to main since this release
Tag v0.3.6 · commit 4facca8
Fixed

  • Dockerfile FROM lines now pin the multi-arch OCI image index
    (manifest list) digest instead of the per-arch amd64 manifest
    digest. The 0.3.5 per-arch pins resolved correctly during the
    single-arch docker-smoke but failed in docker-publish's arm64
    leg because the pinned digest referenced an amd64-only manifest.

Changed

  • docker-smoke in publish.yml now runs as a native-runner matrix
    across linux/amd64 (ubuntu-latest) and linux/arm64
    (ubuntu-24.04-arm). Each leg builds the image without QEMU
    emulation and runs the full fixture battery (version check, clean,
    insecure, SARIF). Multi-arch regressions — per-arch digest pins,
    native-wheel mismatches, future base-image surprises — now fail
    the release-gate instead of surfacing mid-release during the
    production Docker Hub push.
  • New ci.yml job dockerfile-digests runs
    scripts/verify-dockerfile-digests.sh on every PR. The script
    HEADs each FROM ...@sha256: in the Dockerfile and fails if the
    Content-Type is not an OCI image index or Docker manifest list
    — catching the per-arch-pin mistake at review time rather than
    release time. No image pulls; ~1s total.
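The distinction the Fixed entry draws (an OCI image index / manifest list digest versus a per-arch manifest digest) and the HEAD-only check the new dockerfile-digests job performs, reconstructed as an added example. This is not the project's scripts/verify-dockerfile-digests.sh; it is a stand-alone script written for this note. It assumes the standard registry v2 manifest endpoint (`/v2/<repo>/manifests/<digest>`), the standard OCI and Docker media types, and Docker Hub's anonymous pull-token flow; the sample Dockerfile, its image names and both digests are constructed placeholders, not real pins.

```sh
#!/bin/sh
# Added example (not the project's scripts/verify-dockerfile-digests.sh): find every
# "FROM ...@sha256:" pin in a Dockerfile, HEAD the pinned manifest at its registry,
# and fail if the digest names a single-arch manifest instead of an OCI image index /
# Docker manifest list. Only manifest headers are fetched; no layers are pulled.

# Media types that identify a multi-arch index.
INDEX_TYPES='application/vnd.oci.image.index.v1+json
application/vnd.docker.distribution.manifest.list.v2+json'

# is_index_media_type CONTENT_TYPE: 0 if it names a multi-arch index, else 1.
# Parameters ("; charset=utf-8") and letter case are ignored.
is_index_media_type() {
  mt=$(printf '%s' "$1" | cut -d';' -f1 | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
  for t in $INDEX_TYPES; do
    [ "$mt" = "$t" ] && return 0
  done
  return 1
}

# list_pinned_froms DOCKERFILE: one "<image[:tag]> <sha256:...>" line per FROM that
# carries a full 64-hex digest. "--platform=..." flags and "AS name" are skipped.
list_pinned_froms() {
  awk 'toupper($1) == "FROM" {
         for (i = 2; i <= NF; i++)
           if ($i ~ /@sha256:[0-9a-f]*$/) {
             n = split($i, p, "@")
             if (n == 2 && length(p[2]) == 71) print p[1], p[2]   # "sha256:" + 64 hex
           }
       }' "$1"
}

# registry_media_type IMAGE DIGEST: print the Content-Type returned by a HEAD of the
# manifest. Docker Hub needs an anonymous pull token; other registries are tried
# unauthenticated (extend here for private registries).
registry_media_type() {
  image=$1 digest=$2 auth=
  case ${image##*/} in *:*) image=${image%:*} ;; esac   # drop the tag, keep host:port
  host=registry-1.docker.io repo=$image
  case $image in
    */*) first=${image%%/*}
         case $first in *.*|*:*|localhost) host=$first repo=${image#*/} ;; esac ;;
  esac
  if [ "$host" = docker.io ] || [ "$host" = registry-1.docker.io ]; then
    host=registry-1.docker.io
    case $repo in */*) ;; *) repo=library/$repo ;; esac   # "python" -> "library/python"
    token=$(curl -fsS "https://auth.docker.io/token?service=registry.docker.io&scope=repository:$repo:pull" \
            | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')
    auth="Authorization: Bearer $token"
  fi
  set -- -fsSI "https://$host/v2/$repo/manifests/$digest" \
    -H 'Accept: application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v2+json'
  [ -n "$auth" ] && set -- "$@" -H "$auth"
  # curl emits CRLF headers; strip the CR before matching the header name.
  curl "$@" | tr -d '\r' | awk -F': ' 'tolower($1) == "content-type" { print $2; exit }'
}

# verify_dockerfile DOCKERFILE: 0 when every pinned FROM resolves to a multi-arch
# index; 1 when any pin is a per-arch manifest or cannot be resolved.
verify_dockerfile() {
  pins=$(list_pinned_froms "$1")
  [ -n "$pins" ] || { echo "no @sha256 pins in $1"; return 0; }
  bad=0
  while read -r image digest; do
    ct=$(registry_media_type "$image" "$digest") || ct=''
    if is_index_media_type "$ct"; then
      echo "ok    $image@$digest -> $ct"
    else
      echo "FAIL  $image@$digest -> ${ct:-unresolved} (pin the image-index digest, not a per-arch manifest)" >&2
      bad=$((bad + 1))
    fi
  done <<EOF
$pins
EOF
  [ "$bad" -eq 0 ]
}

# write_sample_dockerfile: write a constructed Dockerfile to a temp file and print
# its path. Image names and both digests are placeholders, not real pins.
write_sample_dockerfile() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
# syntax=docker/dockerfile:1
FROM --platform=$BUILDPLATFORM python:3.12-slim@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa AS builder
RUN pip install --no-cache-dir .
FROM busybox:1.36 AS tools
FROM ghcr.io/example-org/runtime:1.2@sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
COPY --from=builder /app /app
EOF
  echo "$f"
}

# With a Dockerfile path as argument, check it against the live registries (needs
# network); without one, only show the pins parsed from the constructed sample.
if [ $# -gt 0 ]; then
  verify_dockerfile "$1"
else
  sample=$(write_sample_dockerfile)
  list_pinned_froms "$sample"
  rm -f "$sample"
fi
```

Run it as `sh check-pins.sh Dockerfile` in a PR job: a digest that was copied from a per-arch `docker inspect` output answers the HEAD with `application/vnd.oci.image.manifest.v1+json` or `...manifest.v2+json` and is reported as FAIL, while an image-index digest (what `docker buildx imagetools inspect` shows at the top level) answers with an index or manifest-list type and passes. Because only headers are fetched, the whole check stays in the same ~1s range the release note describes.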

No CLI, config, or finding-shape changes. Exit codes (0/1/2) are
preserved. A Compose file that passed on 0.3.5 passes identically on
0.3.6.