Release 2026-07: aria (develop → main) #11

Merged
hiveiq merged 12 commits from develop into main 2026-07-15 21:20:13 -04:00
Owner

2026-07 production release — Phase A (safe batch: no migration).

Ships aria to main for tonight's cut. Includes hiveops-bom 1.0.8 (log4j-api CVE-2026-34479, fleet-wide fix).

SOC2 flow: Johannes approves in the Gitea UI → Claude merges via API → PAUSE → hand-build (registry.bcos.cloud, immutable :sha) + deploy, gated per RELEASE-RUNBOOK-TONIGHT.md. Merge does not trigger a prod deploy.

Changes (12 commits ahead of main):

  • chore(aria): bump hiveops-bom parent -> 1.0.8 (log4j CVE-2026-34479, fleet-wide)
  • ci: post a #hiveops-dev-deploy card when cd-develop finishes
  • fix(security): bump hiveops-bom 1.0.5 -> 1.0.7 — clears httpcore5 + postgresql CVEs
  • chore(aria): bump hiveops-bom 1.0.4 -> 1.0.5 (CVE remediation, bom#6)
  • ci(aria): pre-baked toolchain + trivy --skip-db-update (fix gpg /dev/tty + trivy cache)
  • ci: retrigger build-and-scan (post-IPv4-fix CVE verification; hiveops-bom#3)
  • ci(aria): build+push only, drop deploy + embedded sonar (manual deploy; #12)
  • chore(security): bump hiveops-bom parent to 1.0.4 — CVE remediation (#3)
  • docs(claude): slim CLAUDE.md to thin standard, defer architecture to the Guide
  • chore: back-merge main → develop (sync)
  • docs(claude): add hiveops-template usage pointer (copy canonical, header=text-only)
**2026-07 production release — Phase A (safe batch: no migration).** Ships `aria` to `main` for tonight's cut. Includes **hiveops-bom 1.0.8** (log4j-api CVE-2026-34479, fleet-wide fix). SOC2 flow: **Johannes approves in the Gitea UI → Claude merges via API → PAUSE → hand-build (`registry.bcos.cloud`, immutable `:sha`) + deploy**, gated per `RELEASE-RUNBOOK-TONIGHT.md`. Merge does not trigger a prod deploy. Changes (12 commits ahead of main): - chore(aria): bump hiveops-bom parent -> 1.0.8 (log4j CVE-2026-34479, fleet-wide) - ci: post a #hiveops-dev-deploy card when cd-develop finishes - fix(security): bump hiveops-bom 1.0.5 -> 1.0.7 — clears httpcore5 + postgresql CVEs - chore(aria): bump hiveops-bom 1.0.4 -> 1.0.5 (CVE remediation, bom#6) - ci(aria): pre-baked toolchain + trivy --skip-db-update (fix gpg /dev/tty + trivy cache) - ci: retrigger build-and-scan (post-IPv4-fix CVE verification; hiveops-bom#3) - ci(aria): build+push only, drop deploy + embedded sonar (manual deploy; #12) - chore(security): bump hiveops-bom parent to 1.0.4 — CVE remediation (#3) - docs(claude): slim CLAUDE.md to thin standard, defer architecture to the Guide - chore: back-merge main → develop (sync) - docs(claude): add hiveops-template usage pointer (copy canonical, header=text-only)
hiveiq added 12 commits 2026-07-15 21:13:38 -04:00
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Keeps operating essentials (template gate, ports, build/deploy, env, What's New,\nrepo-specific quirks); moves architecture/endpoints/tables/topics to the HiveIQ\nGuide (guide.bcos.dev) which is kept in sync with code. Part of the guide-KB rollout.\n\nCo-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Boot 3.5.14 + netty/tomcat/jackson/spring-kafka/spring-cloud/spring-ai/commons/
bcprov overrides. Validated via Phase-1 fan-out: builds clean, backend Trivy 0
HIGH/CRITICAL. (Frontend npm axios/form-data handled separately where present.)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
chore(aria): bump hiveops-bom 1.0.4 -> 1.0.5 (CVE remediation, bom#6)
CD - Develop / build-and-scan (push) Successful in 14m27s
4c6d7c6df7
Clears 2026-07 NVD batch (spring-framework 6.2.19 / spring-security 6.5.11 / tomcat 10.1.56).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
OWASP now fails builds on three HIGH CVEs in transitive deps. bom 1.0.7 takes the upstream
patches (no suppressions):

  postgresql 42.7.11 -> 42.7.13   CVE-2026-54291 (CVSS4 8.2) — channelBinding=require could be
                                  silently downgraded from SCRAM-SHA-256-PLUS, defeating MITM
                                  protection. Affects 42.7.4-42.7.11.
  httpcore5  5.3.6   -> 5.4.3     CVE-2026-54399 (7.5) HTTP/1.1 parser DoS
                                  CVE-2026-54428 (7.5) HTTP/2 HPACK unbounded allocation

httpcore5 arrives transitively via httpclient5, and Apache ships them as a matched pair, so bom 1.0.7
bumps httpclient5 5.5.2 -> 5.6.2 which pulls the fixed core 5.4.3.

Verified locally on this service: builds and tests pass on 1.0.7, and it resolves the patched
versions.

Refs bom#6

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
ci: post a #hiveops-dev-deploy card when cd-develop finishes
CD - Develop / build-and-scan (push) Failing after 10m10s
a7cff6898d
cd-develop built and pushed the image, then said nothing. With no Slack step and
no Gitea webhook, the only way to know a build ran was to poll the Actions API
(whose run status is unreliable) or list registry tags. 21 of 24 repos were silent
this way; only devices, guide and incident notified.

Ports the notify step from hiveops-devices verbatim, adapted for a build-only
pipeline: the card says built & pushed (not deployed) and names the tag to deploy.

if: always() so failures are announced too, and continue-on-error so a Slack hiccup
can never fail a build. Short SHA is derived inside the step from github.sha, as most
repos have no Short SHA step. No new secret: SLACK_WEBHOOK_URL is already an org secret.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
johannes approved these changes 2026-07-15 21:14:17 -04:00
hiveiq merged commit dfeb9a9510 into main 2026-07-15 21:20:13 -04:00
Sign in to join this conversation.
No Reviewers
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: hiveiq-src/hiveops-aria#11