• v0.0.1-rc.0 f1179ef21d

    Carol v0.0.1-rc.0
    All checks were successful
    Secrets / gitleaks (pull_request) Successful in 14s
    PR / OSV-Scanner (pull_request) Successful in 40s
    PR / Trivy (image) (pull_request) Successful in 43s
    PR / Static analysis (Semgrep) (pull_request) Successful in 49s
    PR / Typecheck (pull_request) Successful in 51s
    PR / Lint (pull_request) Successful in 52s
    PR / npm audit (pull_request) Successful in 56s
    PR / Test (sqlite) (pull_request) Successful in 1m7s
    PR / Test (postgres) (pull_request) Successful in 1m9s
    PR / Build (pull_request) Successful in 1m14s
    Release / Build, sign, and publish (push) Successful in 15s
    Pre-release

    james released this 2026-06-17 17:55:35 +00:00 | 408 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.0 — 2026-06-17

    Bug fixes

    • pin to existing cosign binary version v2.5.3 (#79) (f1179ef)
    • push via forge.int.wynning.tech, sign + reference as forge.wynning.tech (#75) (31da8d1)
    • route workflow context through step env to avoid shell injection (#16) (0c16811)
    • fix workflow (eab610b)

    Build / tooling

    • allowlist documented hashes in forgejo-mcp.md (#77) (399b3e3)
    • add cosign public key (86f77d3)

    CI

    Other

    • Merge pull request 'build(security): allowlist documented hashes in forgejo-mcp.md (#77)' (#78) from 77-gitleaks-allowlist-forgejo-mcp into main (a175126)
    • Merge pull request 'OAuth2 authentication + account linking (#12)' (#73) from 12-oauth into main (4715359)
    • Harden OAuth redirect helper against open-redirect (#12) (7fe3bd9)
    • OAuth2 authentication + account linking (#12) (90d6dfd)
    • Merge pull request 'fix(release): push via forge.int.wynning.tech, sign + reference as forge.wynning.tech (#75)' (#76) from 75-internal-registry-url into main (907c674)
    • Merge pull request 'ci(release): tag-driven release pipeline with cosign + SLSA (#16)' (#74) from 16-release-pipeline into main (3da4f78)
    • Merge pull request 'Auth UI: register, login, logout pages (#67)' (#71) from 67-auth-ui into main (7e0fc74)
    • Auth UI: register, login, logout pages (#67) (09f8ca2)
    • Merge pull request 'Main navigation shell (#20)' (#66) from 20-navigation into main (5ea58d3)
    • Main navigation shell (#20) (3358721)
    • Merge pull request 'Adopt TanStack Query/Form/Table + zod as the data layer (#43)' (#64) from 43-tanstack into main (c3ac575)
    • Adopt TanStack Query/Form/Table + zod as the data layer (#43) (2fccdfe)
    • Merge pull request 'Add gitleaks secret scanning to CI (#62)' (#65) from 62-gitleaks-ci into main (b8b7bed)
    • Add gitleaks secret scanning to CI (#62) (aed40f6)
    • Merge pull request 'CI: ignore install scripts, run only the allowlisted ones (#46)' (#63) from 46-ignore-scripts-allowlist into main (dd09fd0)
    • ignore install scripts by default, run only the allowlisted ones (#46) (9b8cbdc)
    • Merge pull request 'Add lefthook with gitleaks pre-commit hook (#39)' (#61) from 39-lefthook into main (a633aa9)
    • Add lefthook with gitleaks pre-commit hook (#39) (851db45)
    • Merge pull request 'Renovate config: grouped PRs, 7-day quarantine, lockfile-only (#44)' (#60) from 44-renovate into main (1342d48)
    • Renovate config: grouped PRs, 7-day quarantine, lockfile-only (#44) (6f3663c)
    • Merge pull request 'Theme system with light and dark themes (#19)' (#59) from 19-theme-system into main (cca75e4)
    • Split server-only theme helpers out of lib/themes/cookie.ts (#19) (71e22f5)
    • Theme system with light and dark themes (#19) (fb9344b)
    • Merge pull request 'Pin Forgejo Actions by commit SHA (#45)' (#58) from 45-pin-actions-sha into main (e8e2df1)
    • Pin Forgejo Actions by commit SHA (#45) (428215f)
    • Merge pull request 'Upgrade to Next.js 16.x (#42)' (#57) from 42-nextjs-16-upgrade into main (e182d75)
    • Re-add bundled-picomatch ignore: Next 16.2.9 still ships picomatch 4.0.3 (#42) (caed303)
    • Upgrade to Next.js 16.x (#42) (310fa1a)
    • Merge pull request 'CI static analysis: typescript-eslint strict + Semgrep (#15)' (#41) from 15-static-analysis into main (31289b7)
    • Run Semgrep in the standard runner image, pip-install the CLI (8c95cf4)
    • CI static analysis: typescript-eslint strict + Semgrep (#15) (ff2eefb)
    • Merge pull request 'PWA configuration (manifest, service worker, offline shell) (#18)' (#40) from 18-pwa-configuration into main (35fc772)
    • PWA configuration (manifest, service worker, offline shell) (#18) (cf9337f)
    • Merge pull request 'Add CI security scanning (#14)' (#37) from 14-ci-security-scanning into main (aa309e1)
    • Add .trivyignore for unfixable Debian base + bundled Next.js CVEs (f6a8101)
    • Roll back to default action resolution (9a6e7df)
    • Pull actions over the CF-bypassing internal hostname (3d3811a)
    • Revert "Stop using uses: actions, inline checkout instead" (095f431)
    • Stop using uses: actions, inline checkout instead (6eef008)
    • Fix scanner install URLs and bump to current stable tags (1647964)
    • Bump pinned action tags to current releases (5324605)
    • Use full https:// URL for the mirrored action sources (bfa7ea1)
    • Pull CI actions from the local forgejo mirror (80facfd)
    • Add CI security scanning (#14) (c9e9a5a)
    • Merge pull request 'Local user authentication: register, login, logout, sessions (#11)' (#38) from 11-local-user-auth into main (4fd536e)
    • Local user authentication: register, login, logout, sessions (#11) (09db4d9)
    • Merge pull request 'Authorization middleware with explicit public allowlist (#10)' (#36) from 10-authorization-middleware into main (a01ce50)
    • Authorization middleware with explicit public allowlist (#10) (9bfee3e)
    • Merge pull request 'Containerize service + unauthenticated /api/health (#9)' (#35) from 9-containerize-service into main (27daa98)
    • Containerize service + unauthenticated /api/health (#9) (ee925c9)
    • Merge pull request 'Forgejo Actions PR pipeline (#13)' (#34) from 13-ci-pipeline into main (7964ab7)
    • Wait for Postgres explicitly in CI instead of via service health check (f25e558)
    • Add Forgejo Actions PR pipeline (#13) (5843034)
    • Merge pull request 'Kysely-based DB abstraction over SQLite + Postgres (#8)' (#33) from 8-db-abstraction into main (d39c64d)
    • Add at-rest encryption guidance doc (2a24897)
    • Adopt Architecture Decision Records (4ace80e)
    • Add Kysely-based DB abstraction over SQLite + Postgres (#8) (b402709)
    • Merge pull request 'Scaffold Next.js + TypeScript service (#7)' (#32) from 7-scaffold-nextjs-service into main (bdecba0)
    • Scaffold Next.js + TypeScript service (#7) (ae961c0)
    • Document multi-user scope in CLAUDE.md (3f214ac)
    • added forgejo-mcp documentation (8d6677d)
    • Add CLAUDE.md with project conventions and stack guidance (86f5350)
    • initial idea (c9bf767)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:31980a03242069736d6686498d00c8638872ed32565cc51b8a34c9c6d6875e3d
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:31980a03242069736d6686498d00c8638872ed32565cc51b8a34c9c6d6875e3d
    