Release 2026-07: aria (develop → main) #11

Merged
hiveiq merged 12 commits from develop into main 2026-07-15 21:20:13 -04:00

12 Commits

Author SHA1 Message Date
johannes c7278d4364 chore(aria): bump hiveops-bom parent -> 1.0.8 (log4j CVE-2026-34479, fleet-wide)
CD - Develop / build-and-scan (push) Has started running
2026-07-15 15:59:19 -04:00
johannes a7cff6898d ci: post a #hiveops-dev-deploy card when cd-develop finishes
CD - Develop / build-and-scan (push) Failing after 10m10s
cd-develop built and pushed the image, then said nothing. With no Slack step and
no Gitea webhook, the only way to know a build ran was to poll the Actions API
(whose run status is unreliable) or list registry tags. 21 of 24 repos were silent
this way; only devices, guide and incident notified.

Ports the notify step from hiveops-devices verbatim, adapted for a build-only
pipeline: the card says built & pushed (not deployed) and names the tag to deploy.

if: always() so failures are announced too, and continue-on-error so a Slack hiccup
can never fail a build. Short SHA is derived inside the step from github.sha, as most
repos have no Short SHA step. No new secret: SLACK_WEBHOOK_URL is already an org secret.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-14 14:58:12 -04:00
hiveiq 9873d37d36 Merge pull request 'fix(security): bump hiveops-bom 1.0.5 -> 1.0.7 — clears httpcore5 + postgresql CVEs' (#10) from fix/aria-bom-1.0.7-cves into develop
CD - Develop / build-and-scan (push) Failing after 44m9s
2026-07-12 09:57:00 -04:00
johannes 8c7874e37a fix(security): bump hiveops-bom 1.0.5 -> 1.0.7 — clears httpcore5 + postgresql CVEs
OWASP now fails builds on three HIGH CVEs in transitive deps. bom 1.0.7 takes the upstream
patches (no suppressions):

  postgresql 42.7.11 -> 42.7.13   CVE-2026-54291 (CVSS4 8.2) — channelBinding=require could be
                                  silently downgraded from SCRAM-SHA-256-PLUS, defeating MITM
                                  protection. Affects 42.7.4-42.7.11.
  httpcore5  5.3.6   -> 5.4.3     CVE-2026-54399 (7.5) HTTP/1.1 parser DoS
                                  CVE-2026-54428 (7.5) HTTP/2 HPACK unbounded allocation

httpcore5 arrives transitively via httpclient5, and Apache ships them as a matched pair, so bom 1.0.7
bumps httpclient5 5.5.2 -> 5.6.2 which pulls the fixed core 5.4.3.

Verified locally on this service: builds and tests pass on 1.0.7, and it resolves the patched
versions.

Refs bom#6

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-12 09:54:32 -04:00
johannes 4c6d7c6df7 chore(aria): bump hiveops-bom 1.0.4 -> 1.0.5 (CVE remediation, bom#6)
CD - Develop / build-and-scan (push) Successful in 14m27s
Clears 2026-07 NVD batch (spring-framework 6.2.19 / spring-security 6.5.11 / tomcat 10.1.56).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-05 07:52:40 -04:00
johannes ceda5ff546 ci(aria): pre-baked toolchain + trivy --skip-db-update (fix gpg /dev/tty + trivy cache)
CD - Develop / build-and-scan (push) Successful in 3m34s
2026-07-02 17:48:53 -04:00
johannes e83869c180 ci: retrigger build-and-scan (post-IPv4-fix CVE verification; hiveops-bom#3)
CD - Develop / build-and-scan (push) Failing after 19s
2026-07-02 17:00:57 -04:00
johannes 15c76ba2bf ci(aria): build+push only, drop deploy + embedded sonar (manual deploy; #12) 2026-07-02 14:03:51 -04:00
johannes 54a7328599 chore(security): bump hiveops-bom parent to 1.0.4 — CVE remediation (#3)
Boot 3.5.14 + netty/tomcat/jackson/spring-kafka/spring-cloud/spring-ai/commons/
bcprov overrides. Validated via Phase-1 fan-out: builds clean, backend Trivy 0
HIGH/CRITICAL. (Frontend npm axios/form-data handled separately where present.)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 13:40:15 -04:00
johannes 1b8ac53dd8 docs(claude): slim CLAUDE.md to thin standard, defer architecture to the Guide
Keeps operating essentials (template gate, ports, build/deploy, env, What's New,\nrepo-specific quirks); moves architecture/endpoints/tables/topics to the HiveIQ\nGuide (guide.bcos.dev) which is kept in sync with code. Part of the guide-KB rollout.\n\nCo-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-01 21:31:29 -04:00
johannes c7e6165117 chore: back-merge main → develop (sync) 2026-07-01 09:59:30 -04:00
johannes b21e029711 docs(claude): add hiveops-template usage pointer (copy canonical, header=text-only)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 18:09:39 -04:00