certctl

mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 21:41:39 +00:00

Files

T

shankar0123 360eaa75bc fix(compose): DEPL-002 — pin alpine/openssl + postgres:16-alpine by digest + H-002 CI guard

Sprint 3 unified-master-audit closure. The production-shaped compose
(deploy/docker-compose.yml) — explicitly self-described as
'PRODUCTION-SHAPED (Bundle 2)' in its header — pulled two images by
floating tag:

    image: alpine/openssl:latest
    image: postgres:16-alpine

The certctl Dockerfiles have been digest-pinned for two bundles
(see Bundle A / H-001 + the digest-validity.sh CI guard). Compose
shipped on the lower bar — a registry-side tag swap could change
what an operator deploys without their seeing the diff in their
infra repo.

Fix:
  - Pin both images by @sha256: (alpine/openssl looked up via Docker
    Hub tag API on 2026-05-16; postgres:16-alpine the same).
  - New scripts/ci-guards/H-002-bare-compose-image.sh — analogous
    to H-001 — fails the build if any 'image:' line in
    deploy/docker-compose.yml lacks a @sha256 digest. Test compose
    files (deploy/docker-compose.test.yml + the loadtest stack)
    and examples/ stay scoped out by design: those are throwaway
    development-loop tooling where floating tags are intentional.
  - The existing digest-validity.sh CI guard auto-discovers
    digests via grep across deploy/ so the new pins get verified
    on the same run that pulls them, without a separate change.

Closes DEPL-002.

2026-05-16 04:31:14 +00:00

helm

fix(helm): DEPL-003 + DEPL-006 — render viaHook env, sessionAffinity, HA backend default

2026-05-16 04:30:37 +00:00

test

fix(deploy): Hotfix #18 — apt-get retry loop in libest Dockerfile (transient mirror flake)

2026-05-14 20:57:24 +00:00

.env.example

fix(security): close BUNDLE 2 — safe first run, demo mode, agent bootstrap

2026-05-13 00:14:59 +00:00

demo-up.sh

fix(deploy): wire CERTCTL_DEMO_MODE_ACK_TS into the demo overlay path