Skip to content

chore(ci): align workflow tags with custom docker action standards#29

Merged
OscarLlamas6 merged 1 commit into
mainfrom
add-workflow-refactor
Dec 8, 2025
Merged

chore(ci): align workflow tags with custom docker action standards#29
OscarLlamas6 merged 1 commit into
mainfrom
add-workflow-refactor

Conversation

@OscarLlamas6

Copy link
Copy Markdown
  • Update metadata-action tags to use v0.0.0- prefix for branches/PRs
  • Add semver pattern with v prefix for releases
  • Update kustomize bundle workflow to v1.8.1 with image overlay support
  • Add explicit dependency between build and kustomize jobs
  • Add paths-ignore to skip builds for documentation changes

- Update metadata-action tags to use v0.0.0- prefix for branches/PRs
- Add semver pattern with v prefix for releases
- Update kustomize bundle workflow to v1.8.1 with image overlay support
- Add explicit dependency between build and kustomize jobs
- Add paths-ignore to skip builds for documentation changes
@OscarLlamas6 OscarLlamas6 self-assigned this Dec 8, 2025
@OscarLlamas6 OscarLlamas6 marked this pull request as ready for review December 8, 2025 05:54
@OscarLlamas6 OscarLlamas6 merged commit c9157ea into main Dec 8, 2025
2 of 3 checks passed
@OscarLlamas6

Copy link
Copy Markdown
Author

Work needed for https://github.com/datum-cloud/infra/issues/1219

@ecv ecv deleted the add-workflow-refactor branch May 13, 2026 02:40
yahyafakhroji added a commit that referenced this pull request Jul 5, 2026
Fixes 31 of 32 confirmed findings from the adversarially-verified ultracode audit
of the auth-ui rebuild; #16 is partially fixed with a documented residual. All
changes typecheck clean and pass the mirrored cypress component specs. See
docs/AUDIT-FINDINGS.md for the full per-finding detail and status.

Highlights by subsystem:
- session/device: device-authorization grants no longer auto-complete from the
  forgeable GET /signed-in; they route to the CSRF-protected /device/authorize
  consent screen (explicit Approve showing app + scope). (#10)
- rate-limit: limiters mount on '*' and self-guard on a normalized (lowercased,
  .data-stripped) path, closing the case-variant and single-fetch bypasses. (#1, #11)
- verify: email-code resend is gated on server-verified session ownership and never
  500s / enumerates; requestId validated + encoded into the /authorize hand-back.
  (#9, #25, #30)
- signup: registration policy (allowRegister/allowPassword/passkeysType) enforced in
  the actions; duplicate-email responses emit a Set-Cookie (presence oracle closed,
  content/size residual documented — #16); fingerprintId used instead of the MaxMind
  token; requestId resumed on email-link complete. (#3, #4, #14, #16, #17)
- sso: guarded getSession/startIdpIntent (graceful branded errors, not 500s); LDAP
  reauth cookie cleared; ProviderError on sign-in mapped to the branded page;
  deviceTrackingToken threaded on auto-link. (#2, #5, #6, #13, #19, #20, #21)
- providers/mappers: U2F factor derived from the webAuthN proto factor (fixes the
  U2F login loop); failedAttempts extracted with the proper schema; forceMfaLocalOnly
  kept distinct from forceMfa. (#0, #7, #22)
- session cookie: dual-format (ISO/epoch) timestamp parsing in the eviction pre-pass
  so the 2KB budget is respected. (#8)
- webauthn: real browsers without WebAuthn see the unsupported message instead of
  submitting the Cypress fake credential. (#27)
- fraud: MaxMind token falls back to the cookie when it lands after the poll budget;
  default-org cache keyed per service URL. (#28, #29)
- audit logging: raw loginName replaced with hashActor across OTP/webauthn/password
  reset events. (#23, #24, #26)
- setup: safeParse on tampered skip params; TOTP register guarded. (#12, #31)

Verification (2026-07-04): the 12 findings applied in the prior batch were
independently re-verified (verifier + adversary per finding). 9 closed cleanly;
#10 (device-auth) was incomplete and #30 (resend test) was a regression — both
re-fixed here; #16 (signup enumeration) is partial, with the residual documented
and full closure (sessions-cookie encryption) deferred by owner decision.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017UhyUkaSmoNFax5wu2aHfi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants