Skip to content

Commit b7a6490

Browse files
committed
Harden hashavatar-api 1.1.2 security controls
1 parent cd87d88 commit b7a6490

22 files changed

Lines changed: 1205 additions & 175 deletions

.github/dependabot.yml

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,3 +37,18 @@ updates:
3737
commit-message:
3838
prefix: "chore"
3939
include: scope
40+
41+
- package-ecosystem: docker
42+
directory: /
43+
schedule:
44+
interval: weekly
45+
day: monday
46+
time: "06:30"
47+
timezone: Europe/Stockholm
48+
open-pull-requests-limit: 5
49+
labels:
50+
- dependencies
51+
- containers
52+
commit-message:
53+
prefix: "chore"
54+
include: scope

.github/workflows/ci.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -19,20 +19,20 @@ jobs:
1919
timeout-minutes: 45
2020
steps:
2121
- name: Checkout
22-
uses: actions/checkout@v7.0.0
22+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2323

2424
- name: Install Rust
25-
uses: dtolnay/rust-toolchain@1.97.0
25+
uses: dtolnay/rust-toolchain@1a3a6d54512beeaffd394f8d516ca16f2c506a20 # 1.97.0
2626
with:
2727
components: clippy, rustfmt
2828

2929
- name: Cache cargo
30-
uses: Swatinem/rust-cache@v2.9.1
30+
uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
3131
with:
3232
cache-on-failure: true
3333

3434
- name: Install security tools
35-
uses: taiki-e/install-action@v2.83.0
35+
uses: taiki-e/install-action@c7eb1735f09259a5035e8e5d44b1406b1cddc0fb # v2.83.0
3636
with:
3737
tool: cargo-deny,cargo-audit,cargo-sbom
3838

.github/workflows/images.yml

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -28,16 +28,16 @@ jobs:
2828

2929
steps:
3030
- name: Checkout repository
31-
uses: actions/checkout@v7.0.0
31+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3232

3333
- name: Set up QEMU
34-
uses: docker/setup-qemu-action@v4.2.0
34+
uses: docker/setup-qemu-action@96fe6ef7f33517b61c61be40b68a1882f3264fb8 # v4.2.0
3535

3636
- name: Set up Buildx
37-
uses: docker/setup-buildx-action@v4.2.0
37+
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
3838

3939
- name: Log in to GitHub Container Registry
40-
uses: docker/login-action@v4.4.0
40+
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
4141
with:
4242
registry: ghcr.io
4343
username: ${{ github.actor }}
@@ -75,12 +75,14 @@ jobs:
7575
} >> "${GITHUB_OUTPUT}"
7676
7777
- name: Build and publish Wolfi image
78-
uses: docker/build-push-action@v7.3.0
78+
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
7979
with:
8080
context: .
8181
file: Dockerfile
8282
platforms: ${{ inputs.platforms || 'linux/amd64' }}
8383
push: true
84+
sbom: true
85+
provenance: mode=max
8486
cache-from: type=gha,scope=wolfi
8587
cache-to: type=gha,mode=max,scope=wolfi
8688
labels: |

CONTRIBUTING.md

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,10 @@
11
# Contributing
22

3-
Thanks for helping improve `hashavatar`.
3+
Thanks for helping improve `hashavatar-api`.
44

55
## Development
66

7-
Use Rust 1.95 or newer.
7+
Use Rust 1.97 or newer.
88

99
```bash
1010
scripts/checks.sh
@@ -19,4 +19,7 @@ scripts/checks.sh
1919

2020
## Visual Stability
2121

22-
`hashavatar` is deterministic. Changes to shape generation, colors, hashing, randomization, or encoder behavior can affect downstream users. When a change intentionally affects output, document it in the changelog.
22+
The API delegates deterministic rendering to `hashavatar`. Changes to request
23+
normalization, namespace handling, cache keys, style options, or encoder
24+
selection can still affect downstream users. Document intentional output or URL
25+
contract changes in the release notes.

0 commit comments

Comments
 (0)