• v0.0.1-rc.4 1d0d83bb7c

    Carol v0.0.1-rc.4
    Some checks failed
    Commits / Conventional Commits (pull_request) Successful in 12s
    PR / Static analysis (pull_request) Successful in 45s
    PR / Lint (pull_request) Successful in 1m5s
    PR / OSV-Scanner (pull_request) Successful in 21s
    Secrets / gitleaks (pull_request) Successful in 20s
    PR / Typecheck (pull_request) Successful in 1m36s
    PR / npm audit (pull_request) Failing after 1m27s
    PR / Test (sqlite) (pull_request) Successful in 1m51s
    PR / Test (postgres) (pull_request) Successful in 1m56s
    PR / Trivy (image) (pull_request) Successful in 1m14s
    PR / Build (pull_request) Successful in 2m10s
    Release / Build, sign, and publish (push) Successful in 44s
    Pre-release

    james released this 2026-06-18 02:33:23 +00:00 | 392 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.4 — 2026-06-18

    Build / tooling

    • apply install-script allowlist to Dockerfile npm ci (#69) (15e3adf)
    • add actionlint pre-commit hook for workflow files (#88) (cd08810)

    CI

    • post scanner findings as sticky PR comments (#68) (1d0d83b)
    • enforce Conventional Commits via commit-msg hook and PR gate (#70) (bab9138)
    • add actionlint check to PR static-analysis job (#89) (0155422)
    • bump gitleaks to 8.30.1 (#86) (47acafc)

    Other

    • Merge pull request 'ci(commits): enforce Conventional Commits via commit-msg hook and PR gate (#70)' (#93) from 70-conventional-commits into main (d70a557)
    • Merge pull request 'ci(security): add actionlint check to PR static-analysis job (#89)' (#92) from 89-actionlint-ci into main (1b82c7f)
    • Merge pull request 'build(security): apply install-script allowlist to Dockerfile npm ci (#69)' (#90) from 69-dockerfile-allow-scripts into main (1dc3db3)
    • Merge pull request 'build(security): add actionlint pre-commit hook for workflow files (#88)' (#91) from 88-actionlint-prehook into main (2b8fed4)
    • Merge pull request 'ci(security): bump gitleaks to 8.30.1 (#86)' (#87) from 85-gitleaks-broaden-forgejo-mcp into main (c0c5ea6)
    • Merge pull request 'docs(release): cosign.pub URL must be anonymously fetchable + clarify verify "offline" (#83)' (#84) from 83-cosign-pub-public-docs into main (e377f81)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:3a817504d2d400ddff884ba653f7236ec4f4b4f3d7033bfe58c54ae3f70b45a9
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:3a817504d2d400ddff884ba653f7236ec4f4b4f3d7033bfe58c54ae3f70b45a9
    