What's new in v0.1.1
This release builds out the software supply-chain security (SSC) build pipeline for the CSSC Dashboard app and reorganizes the documentation around the CSSC stages.
Features
- CSSC Dashboard microservices (Acquisition stage) — new `apps/python-app` microservices web dashboard (`packages-service`, `issues-service`, `dashboard-web`) with a shared `cssc_common` library, umbrella Helm chart, and kind-based local dev. (#100)
- OCI multi-arch builds with annotations — the dashboard images are now built with `buildx` as OCI, multi-arch (`linux/amd64` + `linux/arm64`) images carrying standard `org.opencontainers.image.*` and custom `com.toddysm.*` annotations at both the index and per-platform manifest scope. The base image is pinned by digest and `created` is reproducible via `SOURCE_DATE_EPOCH`. (#112)
- SPDX SBOM attestation — an SPDX SBOM is generated per platform and published as an OCI 1.1 Referrers-API artifact. (#113, #119)
- SLSA build provenance attestation — SLSA build provenance is generated per platform and published as an OCI 1.1 Referrers-API artifact. (#114, #120)
- Semantic-version image tagging — images are tagged with the full semver set (`major`, `minor`, `patch`, and an immutable `patch-<short-sha>` build tag) derived from the latest published GitHub Release, plus `com.toddysm.image.lineage` and `com.toddysm.image.tags` annotations. No `latest` tag is published. (#129)
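
The SBOM and provenance items above say each platform manifest gets its own attestation, published as an OCI 1.1 referrer. As an added example (not code from this project), the Python check below takes an image index plus the Referrers API responses for its platform manifests and reports which platforms lack an attestation. The `artifactType` values and all sample digests are assumptions constructed for illustration.

```python
# Added example: per-platform attestation coverage check (not project code).
# ASSUMPTION: these artifactType values; the release notes do not state them.
REQUIRED = {
    "sbom": "application/spdx+json",
    "provenance": "application/vnd.in-toto+json",
}

def missing_attestations(index, referrers_by_digest):
    """Return {"os/arch": [missing kinds]} for each platform manifest.

    index: parsed OCI image index (the multi-arch manifest list).
    referrers_by_digest: subject digest -> parsed Referrers API response,
        which is itself an image index whose entries carry artifactType.
    """
    gaps = {}
    for m in index.get("manifests", []):
        plat = m.get("platform")
        if not plat:
            continue  # not a platform image; nothing to attest per platform
        name = f"{plat['os']}/{plat['architecture']}"
        # A digest with no referrers response counts as having no attestations.
        resp = referrers_by_digest.get(m["digest"], {"manifests": []})
        seen = {r.get("artifactType") for r in resp.get("manifests", [])}
        missing = sorted(k for k, t in REQUIRED.items() if t not in seen)
        if missing:
            gaps[name] = missing
    return gaps

def _desc(digest, **extra):
    """Build a minimal OCI descriptor for the constructed sample data."""
    return {"mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": digest, "size": 1, **extra}

# Constructed sample: arm64 has an SBOM referrer but no provenance referrer.
AMD64, ARM64 = "sha256:" + "a" * 64, "sha256:" + "b" * 64
SAMPLE_INDEX = {"schemaVersion": 2, "manifests": [
    _desc(AMD64, platform={"os": "linux", "architecture": "amd64"}),
    _desc(ARM64, platform={"os": "linux", "architecture": "arm64"}),
]}
SAMPLE_REFERRERS = {
    AMD64: {"manifests": [
        _desc("sha256:" + "c" * 64, artifactType=REQUIRED["sbom"]),
        _desc("sha256:" + "d" * 64, artifactType=REQUIRED["provenance"])]},
    ARM64: {"manifests": [
        _desc("sha256:" + "e" * 64, artifactType=REQUIRED["sbom"])]},
}

if __name__ == "__main__":
    print(missing_attestations(SAMPLE_INDEX, SAMPLE_REFERRERS))
```

Checking only the index digest would miss this gap, because the referrers are attached to each per-platform manifest digest.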
Documentation
- Restructured `docs/architecture/` and `docs/guides/` around the five CSSC stages (Acquire / Build / Catalog / Deploy / Run). (#132)
- Added the CSSC Dashboard microservices design and build-workflows architecture docs.
- Added user guides for image tagging, reading image annotations, and verifying image attestations, and corrected the attestation/referrer terminology in the reference docs. (#130, #131)
Full changelog: v0.1.0...v0.1.1