v0.1.1

@toddysm toddysm released this 02 Jul 04:26
9eeee6c

What's new in v0.1.1

This release builds out the software supply-chain security (SSC) build pipeline for the CSSC Dashboard app and reorganizes the documentation around the CSSC stages.

Features

  • CSSC Dashboard microservices (Acquisition stage) — new apps/python-app microservices web dashboard (packages-service, issues-service, dashboard-web) with a shared cssc_common library, umbrella Helm chart, and kind-based local dev. (#100)
  • OCI multi-arch builds with annotations — the dashboard images are now built with buildx as OCI, multi-arch (linux/amd64 + linux/arm64) images carrying standard org.opencontainers.image.* and custom com.toddysm.* annotations at both the index and per-platform manifest scope. The base image is pinned by digest, and the created annotation is derived from SOURCE_DATE_EPOCH so that rebuilds are reproducible. (#112)
  • SPDX SBOM attestation — an SPDX SBOM is generated per platform and published as an OCI 1.1 Referrers-API artifact. (#113, #119)
  • SLSA build provenance attestation — SLSA build provenance is generated per platform and published as an OCI 1.1 Referrers-API artifact. (#114, #120)
  • Semantic-version image tagging — images are tagged with the full semver set (major, minor, patch, and an immutable patch-<short-sha> build tag) derived from the latest published GitHub Release, plus com.toddysm.image.lineage and com.toddysm.image.tags annotations. No latest tag is published. (#129)
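As an added example (not code from this release or the CSSC Dashboard project), a policy check a consumer can run over a pulled OCI image index: required annotations present at both the index and per-platform scope, both platforms present, created matching SOURCE_DATE_EPOCH, an immutable build tag present and no latest tag. The three standard keys chosen, the comma-separated encoding of com.toddysm.image.tags and the <patch>-<short-sha> tag form are assumptions; the index itself is constructed.

```python
import re
from datetime import datetime, timezone
# Assumed (the release notes name the annotation families, not the exact keys): these
# three standard keys, a comma-separated tags value, and a build tag <patch>-<short sha>.
STANDARD_KEYS = ("org.opencontainers.image.source", "org.opencontainers.image.revision",
                 "org.opencontainers.image.created")
CUSTOM_KEYS = ("com.toddysm.image.lineage", "com.toddysm.image.tags")
EXPECTED_PLATFORMS = {("linux", "amd64"), ("linux", "arm64")}
BUILD_TAG_RE = re.compile(r"^\d+\.\d+\.\d+-[0-9a-f]{7,12}$")
SOURCE_DATE_EPOCH = 1719894360  # constructed value

def _created(epoch):
    # Reproducible 'created' value: derived from SOURCE_DATE_EPOCH, not wall-clock time.
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def _annotations(epoch):
    return {"org.opencontainers.image.source": "https://github.com/example/placeholder",
            "org.opencontainers.image.revision": "abc1234" * 5 + "abcde",
            "org.opencontainers.image.created": _created(epoch),
            "com.toddysm.image.lineage": "ghcr.io/example/base@sha256:" + "0" * 64,
            "com.toddysm.image.tags": "0,0.1,0.1.1,0.1.1-abc1234"}

def _manifest(arch, epoch):
    return {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 1234,
            "digest": "sha256:" + ("1" if arch == "amd64" else "2") * 64,
            "platform": {"os": "linux", "architecture": arch}, "annotations": _annotations(epoch)}

# Constructed OCI image index: annotations at both the index and the per-platform scope.
SAMPLE_INDEX = {"schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json",
                "manifests": [_manifest("amd64", SOURCE_DATE_EPOCH), _manifest("arm64", SOURCE_DATE_EPOCH)],
                "annotations": _annotations(SOURCE_DATE_EPOCH)}

def check_index(index, source_date_epoch):
    """Return policy findings for an OCI index; an empty list means it passes."""
    findings, seen, expected = [], set(), _created(source_date_epoch)
    scopes = [("index", index.get("annotations") or {})]
    for m in index.get("manifests", []):
        p = m.get("platform") or {}
        seen.add((p.get("os"), p.get("architecture")))
        scopes.append((f"{p.get('os')}/{p.get('architecture')}", m.get("annotations") or {}))
    for scope, ann in scopes:
        findings += [f"{scope}: missing {k}" for k in STANDARD_KEYS + CUSTOM_KEYS if k not in ann]
        if ann.get("org.opencontainers.image.created", expected) != expected:
            findings.append(f"{scope}: created does not match SOURCE_DATE_EPOCH")
        tags = [t for t in ann.get("com.toddysm.image.tags", "").split(",") if t]
        if "latest" in tags:
            findings.append(f"{scope}: mutable 'latest' tag must not be published")
        if tags and not any(BUILD_TAG_RE.match(t) for t in tags):
            findings.append(f"{scope}: no immutable patch-<short-sha> build tag")
    findings += [f"index: missing platform {o}/{a}" for o, a in sorted(EXPECTED_PLATFORMS - seen)]
    return findings
```

Against a real image, feed check_index the index JSON returned by the registry (for example the output of `docker buildx imagetools inspect --raw`) together with the SOURCE_DATE_EPOCH recorded by the build.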

Documentation

  • Restructured docs/architecture/ and docs/guides/ around the five CSSC stages (Acquire / Build / Catalog / Deploy / Run). (#132)
  • Added the CSSC Dashboard microservices design and build-workflows architecture docs.
  • Added user guides for image tagging, reading image annotations, and verifying image attestations, and corrected the attestation/referrer terminology in the reference docs. (#130, #131)

Full changelog: v0.1.0...v0.1.1