cd-develop built and pushed the image, then said nothing. With no Slack step and
no Gitea webhook, the only way to know a build ran was to poll the Actions API
(whose run status is unreliable) or list registry tags. 21 of 24 repos were silent
this way; only devices, guide and incident notified.
Ports the notify step from hiveops-devices verbatim, adapted for a build-only
pipeline: the card says built & pushed (not deployed) and names the tag to deploy.
if: always() so failures are announced too, and continue-on-error so a Slack hiccup
can never fail a build. Short SHA is derived inside the step from github.sha, as most
repos have no Short SHA step. No new secret: SLACK_WEBHOOK_URL is already an org secret.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
OWASP now fails builds on three HIGH CVEs in transitive deps. bom 1.0.7 takes the upstream
patches (no suppressions):
postgresql 42.7.11 -> 42.7.13 CVE-2026-54291 (CVSS4 8.2) — channelBinding=require could be
silently downgraded from SCRAM-SHA-256-PLUS, defeating MITM
protection. Affects 42.7.4-42.7.11.
httpcore5 5.3.6 -> 5.4.3 CVE-2026-54399 (7.5) HTTP/1.1 parser DoS
CVE-2026-54428 (7.5) HTTP/2 HPACK unbounded allocation
httpcore5 arrives transitively via httpclient5, and Apache ships them as a matched pair, so bom 1.0.7
bumps httpclient5 5.5.2 -> 5.6.2 which pulls the fixed core 5.4.3.
Verified locally on this service: builds and tests pass on 1.0.7, and it resolves the patched
versions.
Refs bom#6
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Keeps operating essentials (template gate, ports, build/deploy, env, What's New,\nrepo-specific quirks); moves architecture/endpoints/tables/topics to the HiveIQ\nGuide (guide.bcos.dev) which is kept in sync with code. Part of the guide-KB rollout.\n\nCo-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>