Carol v0.0.1-rc.4
Pre-release. Some checks failed:
- Commits / Conventional Commits (pull_request) Successful in 12s
- PR / Static analysis (pull_request) Successful in 45s
- PR / Lint (pull_request) Successful in 1m5s
- PR / OSV-Scanner (pull_request) Successful in 21s
- Secrets / gitleaks (pull_request) Successful in 20s
- PR / Typecheck (pull_request) Successful in 1m36s
- PR / npm audit (pull_request) Failing after 1m27s
- PR / Test (sqlite) (pull_request) Successful in 1m51s
- PR / Test (postgres) (pull_request) Successful in 1m56s
- PR / Trivy (image) (pull_request) Successful in 1m14s
- PR / Build (pull_request) Successful in 2m10s
- Release / Build, sign, and publish (push) Successful in 44s
Released 2026-06-18 02:33:23 +00:00 | 392 commits to main since this release
0.0.1-rc.4 — 2026-06-18
Build / tooling
- apply install-script allowlist to Dockerfile npm ci (#69) (15e3adf)
- add actionlint pre-commit hook for workflow files (#88) (cd08810)
CI
- post scanner findings as sticky PR comments (#68) (1d0d83b)
- enforce Conventional Commits via commit-msg hook and PR gate (#70) (bab9138)
- add actionlint check to PR static-analysis job (#89) (0155422)
- bump gitleaks to 8.30.1 (#86) (47acafc)
Other
- Merge pull request 'ci(commits): enforce Conventional Commits via commit-msg hook and PR gate (#70)' (#93) from 70-conventional-commits into main (d70a557)
- Merge pull request 'ci(security): add actionlint check to PR static-analysis job (#89)' (#92) from 89-actionlint-ci into main (1b82c7f)
- Merge pull request 'build(security): apply install-script allowlist to Dockerfile npm ci (#69)' (#90) from 69-dockerfile-allow-scripts into main (1dc3db3)
- Merge pull request 'build(security): add actionlint pre-commit hook for workflow files (#88)' (#91) from 88-actionlint-prehook into main (2b8fed4)
- Merge pull request 'ci(security): bump gitleaks to 8.30.1 (#86)' (#87) from 85-gitleaks-broaden-forgejo-mcp into main (c0c5ea6)
- Merge pull request 'docs(release): cosign.pub URL must be anonymously fetchable + clarify verify "offline" (#83)' (#84) from 83-cosign-pub-public-docs into main (e377f81)
Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:3a817504d2d400ddff884ba653f7236ec4f4b4f3d7033bfe58c54ae3f70b45a9

    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:3a817504d2d400ddff884ba653f7236ec4f4b4f3d7033bfe58c54ae3f70b45a9

Downloads
- Source code (ZIP): 0 downloads
- Source code (TAR.GZ): 0 downloads
Carol v0.0.1-rc.3
Pre-release. All checks were successful:
- Secrets / gitleaks (pull_request) Successful in 19s
- PR / OSV-Scanner (pull_request) Successful in 39s
- PR / npm audit (pull_request) Successful in 43s
- PR / Typecheck (pull_request) Successful in 43s
- PR / Static analysis (Semgrep) (pull_request) Successful in 45s
- PR / Lint (pull_request) Successful in 50s
- PR / Trivy (image) (pull_request) Successful in 51s
- PR / Test (sqlite) (pull_request) Successful in 1m1s
- PR / Test (postgres) (pull_request) Successful in 1m2s
- PR / Build (pull_request) Successful in 1m18s
- Release / Build, sign, and publish (push) Successful in 16s
Released 2026-06-17 21:50:11 +00:00 | 404 commits to main since this release
0.0.1-rc.3 — 2026-06-17
Documentation
Other
- Merge pull request 'fix(release): publish cosign sigs to Sigstore Rekor (#81)' (#82) from 81-cosign-no-rekor into main (c1097ae)
Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:0cc2f5f6e6bdcfe00e77d9f7411004d82766927f4603a0264b97a96487b2212c

    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:0cc2f5f6e6bdcfe00e77d9f7411004d82766927f4603a0264b97a96487b2212c

Downloads
- Source code (ZIP): 0 downloads
- Source code (TAR.GZ): 0 downloads
Carol v0.0.1-rc.2
Pre-release. All checks were successful:
- Secrets / gitleaks (pull_request) Successful in 26s
- PR / Trivy (image) (pull_request) Successful in 38s
- PR / OSV-Scanner (pull_request) Successful in 40s
- PR / npm audit (pull_request) Successful in 45s
- PR / Lint (pull_request) Successful in 49s
- PR / Static analysis (Semgrep) (pull_request) Successful in 53s
- PR / Typecheck (pull_request) Successful in 1m0s
- PR / Test (sqlite) (pull_request) Successful in 1m3s
- PR / Test (postgres) (pull_request) Successful in 1m7s
- PR / Build (pull_request) Successful in 1m13s
- Release / Build, sign, and publish (push) Successful in 21s
Released 2026-06-17 20:35:37 +00:00 | 406 commits to main since this release
0.0.1-rc.2 — 2026-06-17
Bug fixes
Other
- Merge pull request 'fix(release): pin to existing cosign binary version v2.5.3 (#79)' (#80) from 79-cosign-version-fix into main (57cde21)
Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:c75cd166504aa2f05e358feb49d32d486af3ce88eaf2c788d02626c68bdd2657

    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:c75cd166504aa2f05e358feb49d32d486af3ce88eaf2c788d02626c68bdd2657

Downloads
- Source code (ZIP): 0 downloads
- Source code (TAR.GZ): 0 downloads
Carol v0.0.1-rc.1
Pre-release. All checks were successful:
- Secrets / gitleaks (pull_request) Successful in 26s
- PR / Trivy (image) (pull_request) Successful in 38s
- PR / OSV-Scanner (pull_request) Successful in 40s
- PR / npm audit (pull_request) Successful in 45s
- PR / Lint (pull_request) Successful in 49s
- PR / Static analysis (Semgrep) (pull_request) Successful in 53s
- PR / Typecheck (pull_request) Successful in 1m0s
- PR / Test (sqlite) (pull_request) Successful in 1m3s
- PR / Test (postgres) (pull_request) Successful in 1m7s
- PR / Build (pull_request) Successful in 1m13s
- Release / Build, sign, and publish (push) Successful in 21s
Released 2026-06-17 19:46:39 +00:00 | 406 commits to main since this release
0.0.1-rc.1 — 2026-06-17
Bug fixes
Other
- Merge pull request 'fix(release): pin to existing cosign binary version v2.5.3 (#79)' (#80) from 79-cosign-version-fix into main (57cde21)
Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:7cf4937ed1434e79f9bbfc8f0a731d60724940414a42c5893985840ce51061e8

    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:7cf4937ed1434e79f9bbfc8f0a731d60724940414a42c5893985840ce51061e8

Downloads
- Source code (ZIP): 0 downloads
- Source code (TAR.GZ): 0 downloads
Carol v0.0.1-rc.0
Pre-release. All checks were successful:
- Secrets / gitleaks (pull_request) Successful in 14s
- PR / OSV-Scanner (pull_request) Successful in 40s
- PR / Trivy (image) (pull_request) Successful in 43s
- PR / Static analysis (Semgrep) (pull_request) Successful in 49s
- PR / Typecheck (pull_request) Successful in 51s
- PR / Lint (pull_request) Successful in 52s
- PR / npm audit (pull_request) Successful in 56s
- PR / Test (sqlite) (pull_request) Successful in 1m7s
- PR / Test (postgres) (pull_request) Successful in 1m9s
- PR / Build (pull_request) Successful in 1m14s
- Release / Build, sign, and publish (push) Successful in 15s
Released 2026-06-17 17:55:35 +00:00 | 408 commits to main since this release
0.0.1-rc.0 — 2026-06-17
Bug fixes
- pin to existing cosign binary version v2.5.3 (#79) (f1179ef)
- push via forge.int.wynning.tech, sign + reference as forge.wynning.tech (#75) (31da8d1)
- route workflow context through step env to avoid shell injection (#16) (0c16811)
- fix workflow (eab610b)
Build / tooling
CI
Other
- Merge pull request 'build(security): allowlist documented hashes in forgejo-mcp.md (#77)' (#78) from 77-gitleaks-allowlist-forgejo-mcp into main (a175126)
- Merge pull request 'OAuth2 authentication + account linking (#12)' (#73) from 12-oauth into main (4715359)
- Harden OAuth redirect helper against open-redirect (#12) (7fe3bd9)
- OAuth2 authentication + account linking (#12) (90d6dfd)
- Merge pull request 'fix(release): push via forge.int.wynning.tech, sign + reference as forge.wynning.tech (#75)' (#76) from 75-internal-registry-url into main (907c674)
- Merge pull request 'ci(release): tag-driven release pipeline with cosign + SLSA (#16)' (#74) from 16-release-pipeline into main (3da4f78)
- Merge pull request 'Auth UI: register, login, logout pages (#67)' (#71) from 67-auth-ui into main (7e0fc74)
- Auth UI: register, login, logout pages (#67) (09f8ca2)
- Merge pull request 'Main navigation shell (#20)' (#66) from 20-navigation into main (5ea58d3)
- Main navigation shell (#20) (3358721)
- Merge pull request 'Adopt TanStack Query/Form/Table + zod as the data layer (#43)' (#64) from 43-tanstack into main (c3ac575)
- Adopt TanStack Query/Form/Table + zod as the data layer (#43) (2fccdfe)
- Merge pull request 'Add gitleaks secret scanning to CI (#62)' (#65) from 62-gitleaks-ci into main (b8b7bed)
- Add gitleaks secret scanning to CI (#62) (aed40f6)
- Merge pull request 'CI: ignore install scripts, run only the allowlisted ones (#46)' (#63) from 46-ignore-scripts-allowlist into main (dd09fd0)
- ignore install scripts by default, run only the allowlisted ones (#46) (9b8cbdc)
- Merge pull request 'Add lefthook with gitleaks pre-commit hook (#39)' (#61) from 39-lefthook into main (a633aa9)
- Add lefthook with gitleaks pre-commit hook (#39) (851db45)
- Merge pull request 'Renovate config: grouped PRs, 7-day quarantine, lockfile-only (#44)' (#60) from 44-renovate into main (1342d48)
- Renovate config: grouped PRs, 7-day quarantine, lockfile-only (#44) (6f3663c)
- Merge pull request 'Theme system with light and dark themes (#19)' (#59) from 19-theme-system into main (cca75e4)
- Split server-only theme helpers out of lib/themes/cookie.ts (#19) (71e22f5)
- Theme system with light and dark themes (#19) (fb9344b)
- Merge pull request 'Pin Forgejo Actions by commit SHA (#45)' (#58) from 45-pin-actions-sha into main (e8e2df1)
- Pin Forgejo Actions by commit SHA (#45) (428215f)
- Merge pull request 'Upgrade to Next.js 16.x (#42)' (#57) from 42-nextjs-16-upgrade into main (e182d75)
- Re-add bundled-picomatch ignore: Next 16.2.9 still ships picomatch 4.0.3 (#42) (caed303)
- Upgrade to Next.js 16.x (#42) (310fa1a)
- Merge pull request 'CI static analysis: typescript-eslint strict + Semgrep (#15)' (#41) from 15-static-analysis into main (31289b7)
- Run Semgrep in the standard runner image, pip-install the CLI (8c95cf4)
- CI static analysis: typescript-eslint strict + Semgrep (#15) (ff2eefb)
- Merge pull request 'PWA configuration (manifest, service worker, offline shell) (#18)' (#40) from 18-pwa-configuration into main (35fc772)
- PWA configuration (manifest, service worker, offline shell) (#18) (cf9337f)
- Merge pull request 'Add CI security scanning (#14)' (#37) from 14-ci-security-scanning into main (aa309e1)
- Add .trivyignore for unfixable Debian base + bundled Next.js CVEs (f6a8101)
- Roll back to default action resolution (9a6e7df)
- Pull actions over the CF-bypassing internal hostname (3d3811a)
- Revert "Stop using uses: actions, inline checkout instead" (095f431)
- Stop using uses: actions, inline checkout instead (6eef008)
- Fix scanner install URLs and bump to current stable tags (1647964)
- Bump pinned action tags to current releases (5324605)
- Use full https:// URL for the mirrored action sources (bfa7ea1)
- Pull CI actions from the local forgejo mirror (80facfd)
- Add CI security scanning (#14) (c9e9a5a)
- Merge pull request 'Local user authentication: register, login, logout, sessions (#11)' (#38) from 11-local-user-auth into main (4fd536e)
- Local user authentication: register, login, logout, sessions (#11) (09db4d9)
- Merge pull request 'Authorization middleware with explicit public allowlist (#10)' (#36) from 10-authorization-middleware into main (a01ce50)
- Authorization middleware with explicit public allowlist (#10) (9bfee3e)
- Merge pull request 'Containerize service + unauthenticated /api/health (#9)' (#35) from 9-containerize-service into main (27daa98)
- Containerize service + unauthenticated /api/health (#9) (ee925c9)
- Merge pull request 'Forgejo Actions PR pipeline (#13)' (#34) from 13-ci-pipeline into main (7964ab7)
- Wait for Postgres explicitly in CI instead of via service health check (f25e558)
- Add Forgejo Actions PR pipeline (#13) (5843034)
- Merge pull request 'Kysely-based DB abstraction over SQLite + Postgres (#8)' (#33) from 8-db-abstraction into main (d39c64d)
- Add at-rest encryption guidance doc (2a24897)
- Adopt Architecture Decision Records (4ace80e)
- Add Kysely-based DB abstraction over SQLite + Postgres (#8) (b402709)
- Merge pull request 'Scaffold Next.js + TypeScript service (#7)' (#32) from 7-scaffold-nextjs-service into main (bdecba0)
- Scaffold Next.js + TypeScript service (#7) (ae961c0)
- Document multi-user scope in CLAUDE.md (3f214ac)
- added forgejo-mcp documentation (8d6677d)
- Add CLAUDE.md with project conventions and stack guidance (86f5350)
- initial idea (c9bf767)
Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:31980a03242069736d6686498d00c8638872ed32565cc51b8a34c9c6d6875e3d

    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:31980a03242069736d6686498d00c8638872ed32565cc51b8a34c9c6d6875e3d

Downloads
- Source code (ZIP): 0 downloads
- Source code (TAR.GZ): 0 downloads