From f99f0e0fc5d86f8f7fe70e00819f28d50c15f5bc Mon Sep 17 00:00:00 2001
From: erangel1
Date: Tue, 12 May 2026 22:51:04 +0200
Subject: [PATCH] random edits
---
 .env | 13 +++++++++++++
 CHANGELOG.md | 31 ++++++++++++++++++++++++++++---
 docker-compose.prod.yml | 2 ++
 docker-compose.yml | 6 ++----
 signing-key.pem | 5 +++++
 5 files changed, 50 insertions(+), 7 deletions(-)
 create mode 100644 signing-key.pem
diff --git a/.env b/.env
index ed90913..cffc9be 100644
--- a/.env
+++ b/.env
@@ -32,3 +32,16 @@ INSTANCE_NAME=ForgeBucket
 # ─── Dev only ─────────────────────────────────────────────────────────────────
 # Set to true to disable Secure cookies and enable verbose logging
 DEBUG=true
+
+# PEM-encoded ECDSA P-256 private key. If empty, an ephemeral key is generated
+# at startup (signatures will not survive restart). Generate with:
+# openssl ecparam -genkey -name prime256v1 -noout -out signing-key.pem
+ARTIFACT_SIGNING_KEY="-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKGMjCu0NdczHQ7BRDeo0hTOLauF9vOenWl0HlyN4bzToAoGCCqGSM49
+AwEHoUQDQgAE+VL1HhQ1us0QfNH+5Var8lo5Oww83B+QDQ2obzHL4JZl0UM3kVAB
+SePwUlkfdW6u4a0KYMYf3Op6wsXTp0kA2g==
+-----END EC PRIVATE KEY-----"
+
+# ─── OCI Registry (Phase 4) ───────────────────────────────────────────────────
+# Root directory for the OCI Distribution Spec blob and upload storage.
+OCI_ROOT=/var/lib/forgebucket/oci
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e36f589..e503421 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,9 +9,9 @@ Versions follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
-### Planned — Phase 4 (Intelligence + Artifacts)
-- AI failure diagnosis (pipeline failure root-cause analysis via Claude API)
-- AI deployment risk scoring
+### Planned — Phase 4 ( Artifacts + Git HTTP(S)/SSH Support + Releases Page)
+
+### 4A. Artifacts
 - Signed artifacts (Sigstore/Cosign)
 - SBOM generation (CycloneDX/SPDX)
 - OCI container registry
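Review bot: The `ARTIFACT_SIGNING_KEY` value added to `.env` is a PEM-encoded EC private key committed in clear text, and the same key material is committed a second time as the new file `signing-key.pem` in the last hunk of this patch. Once pushed, the key stays readable in history to anyone who can read the repository, so signatures made with it can no longer be attributed to this instance alone; the key should be rotated and both copies dropped from the commit. The tracked `.env` can keep the explanatory comment and ship the variable empty, `ARTIFACT_SIGNING_KEY=`, with the real key injected from a secret store or an untracked file and `signing-key.pem` listed in `.gitignore`. The value also spans five lines inside double quotes, which dotenv loaders do not all parse the same way, so it is worth confirming against the loader this project uses.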
@@ -19,6 +19,31 @@ Versions follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 - Dependency vulnerability scanning
 - Cross-instance pull requests (ForgeFed ActivityPub extension)
+### 4B. Git HTTP(S)/SSH Support
+
+### 4C. Releases Page
+- Goal:
+ - Make releases operationally meaningful.
+- Build:
+ - releases
+ - release notes
+ - release assets
+ - changelog generation
+ - release timelines
+ - release channels
+- Add:
+ - signed artifacts
+ - rollback metadata
+ - deployment associations
+- UI:
+ - Release page should show:
+ - version
+ - artifacts
+ - deployments
+ - timeline
+ - health
+
+> NOT just markdown notes.
 ---
 ## [0.9.0] — 2026-05-12
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 81d7533..6f51c0d 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -27,7 +27,9 @@ services:
 - "8080:8080"
 volumes:
 - repo_data:/var/lib/forgebucket/repos
+ - oci_data:/var/lib/forgebucket/oci
 volumes:
 postgres_data:
 repo_data:
+ oci_data:
diff --git a/docker-compose.yml b/docker-compose.yml
index c5d6cf9..08221fc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,5 +1,3 @@
-version: "3.9"
-
 # Dev: only PostgreSQL runs here. Run the Go server locally with `make dev`.
 # Production: docker compose -f docker-compose.prod.yml up
@@ -9,8 +7,8 @@ services:
 restart: unless-stopped
 command: ["-js", "-m", "8222"]
 ports:
- - "4222:4222" # client connections
- - "8222:8222" # monitoring HTTP
+ - "4222:4222" # client connections
+ - "8222:8222" # monitoring HTTP
 healthcheck:
 test: ["CMD", "wget", "--spider", "-q", "http://localhost:8222/healthz"]
 interval: 5s
diff --git a/signing-key.pem b/signing-key.pem
new file mode 100644
index 0000000..e355ea7
--- /dev/null
+++ b/signing-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKGMjCu0NdczHQ7BRDeo0hTOLauF9vOenWl0HlyN4bzToAoGCCqGSM49
+AwEHoUQDQgAE+VL1HhQ1us0QfNH+5Var8lo5Oww83B+QDQ2obzHL4JZl0UM3kVAB
+SePwUlkfdW6u4a0KYMYf3Op6wsXTp0kA2g==
+-----END EC PRIVATE KEY-----