
Releases: nataliagranato/containers-and-kubernetes

v2.1.0

16 May 13:28
52f2353

v2.1.0 — Security Hardening and Best Practices


  • Added permissions: read-all at the top of the workflows to follow the principle of least privilege.
  • Write permissions are now granted only in the jobs that actually need them.
  • GitHub Actions are now pinned by SHA.
  • Python dependency installation now uses requirements.txt files with hashes, guaranteeing integrity and security.
  • General adjustments to meet Scorecard and StepSecurity recommendations.

These changes increase the security of the CI/CD pipeline, reduce the risk of GITHUB_TOKEN misuse, and improve dependency traceability.
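As an added example (not code from this repository or from the release itself), the small linter below checks a workflow file for the two Scorecard-style points these notes describe: every uses: reference must be a full 40-hex commit SHA rather than a tag or branch, and the workflow should declare permissions: read-all at the top with write scopes only inside the jobs that need them. The two workflow snippets are constructed for this example; the checkout SHA in the hardened form is a placeholder, not a real commit, while the upload-artifact SHA is the one quoted in the changelog below. The hardened form also installs Python dependencies with pip's --require-hashes flag, which refuses any requirement that lacks a --hash= entry.

```python
"""Added example, not from nataliagranato/containers-and-kubernetes: a
line-based linter for SHA-pinned actions and least-privilege GITHUB_TOKEN
permissions. Both workflow texts below are constructed for this example."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full commit SHA = immutable pin
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERMISSIONS_RE = re.compile(r"^(\s*)permissions:\s*(.*?)\s*$")

# Weak form: tags and branches can be moved, and with no 'permissions:' the
# GITHUB_TOKEN gets the repository default, which may be read-write.
WEAK_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/build-push-action@master
      - run: pip install -r requirements.txt
"""

# Hardened form as described in the v2.1.0 notes. The checkout SHA is a
# placeholder; the upload-artifact SHA is the one quoted in the changelog.
HARDENED_WORKFLOW = """\
name: build
on: [push]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write   # only this job pushes the image
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: actions/upload-artifact@c24449f33cd45d4826c6702db7e49f7cdb9b551d
      - run: pip install --require-hashes -r requirements.txt
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def find_unpinned_actions(workflow_text):
    """Return every 'owner/repo@ref' whose ref is not a full commit SHA."""
    findings = []
    for raw in workflow_text.splitlines():
        m = USES_RE.match(raw.split("#", 1)[0])   # drop trailing version comments
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local and container actions are not resolved by Git ref
        if not SHA_RE.match(ref.partition("@")[2]):
            findings.append(ref)
    return findings


def analyse_permissions(workflow_text):
    """Return (top_level, job_writes): the workflow-wide 'permissions:' value
    ('read-all', '{}', 'write-all', a {scope: level} dict, or None when not
    declared) and the (job_name, scope) pairs granted write at job level."""
    lines = workflow_text.splitlines()
    top_level, job_writes = None, []
    in_jobs, job_indent, current_job = False, None, None
    i = 0
    while i < len(lines):
        line = lines[i].split("#", 1)[0].rstrip()
        i += 1
        if not line.strip():
            continue
        ind = _indent(line)
        if ind == 0:                       # a new top-level key
            in_jobs, job_indent, current_job = line.strip() == "jobs:", None, None
        elif in_jobs:
            job_indent = ind if job_indent is None else job_indent
            if ind == job_indent and line.endswith(":"):
                current_job = line.strip()[:-1]
        m = PERMISSIONS_RE.match(line)
        if not m:
            continue
        value = m.group(2)
        if value == "":                    # block form: read the nested scope lines
            scopes = {}
            while i < len(lines):
                nxt = lines[i].split("#", 1)[0].rstrip()
                if nxt.strip() and _indent(nxt) <= ind:
                    break
                i += 1
                if ":" in nxt:
                    scope, _, level = nxt.strip().partition(":")
                    scopes[scope] = level.strip()
            value = scopes
        if ind == 0:
            top_level = value
        elif current_job is not None:
            if value == "write-all":
                job_writes.append((current_job, "write-all"))
            elif isinstance(value, dict):
                job_writes += [(current_job, s) for s, lvl in value.items() if lvl == "write"]
    return top_level, job_writes


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, "unpinned:", find_unpinned_actions(text),
              "permissions:", analyse_permissions(text))
```

Run on the weak snippet the linter reports both unpinned actions and no top-level permissions block; on the hardened snippet it reports nothing unpinned, read-all at the top, and a single packages: write grant scoped to the build job, which is exactly the shape the release notes call for.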

What's Changed

  • chore(deps): bump actions/checkout from 3 to 4 by @dependabot in #63
  • [ImgBot] Optimize images by @imgbot in #73
  • chore(deps): bump docker/setup-buildx-action from 1 to 3 by @dependabot in #72
  • chore(deps): bump docker/login-action from 2 to 3 by @dependabot in #69
  • chore(deps): bump werkzeug from 3.0.3 to 3.0.4 by @dependabot in #68
  • chore(deps): bump slsa-framework/slsa-github-generator from 1.4.0 to 2.0.0 by @dependabot in #71
  • Implementation of Improvements and New Features by @nataliagranato in #74
  • chore(deps): bump actions/upload-artifact from 97a0fba1372883ab732affbe8f94b823f91727db to c24449f33cd45d4826c6702db7e49f7cdb9b551d by @dependabot in #75
  • chore(deps): bump ossf/scorecard-action from 2.3.1 to 2.4.0 by @dependabot in #76
  • chore(deps): bump actions/upload-artifact from 3.2.1.pre.node20 to 4.4.0 by @dependabot in #77
  • chore(deps): bump azure/setup-helm from 1 to 4 by @dependabot in #78
  • chore(deps): bump prometheus-client from 0.16.0 to 0.21.0 by @dependabot in #79
  • chore(deps): bump sigstore/cosign-installer from 3.6.0 to 3.7.0 by @dependabot in #81
  • chore(deps): bump actions/upload-artifact from 4.4.0 to 4.4.3 by @dependabot in #87
  • chore(deps): bump aquasecurity/trivy-action from 0.24.0 to 0.28.0 by @dependabot in #89
  • chore(deps): bump chainguard-dev/digestabot from 1.2.0 to 1.2.1 by @dependabot in #92
  • chore(deps): bump redis from 5.1.0b7 to 5.2.0 by @dependabot in #91
  • chore(deps): bump werkzeug from 3.0.4 to 3.1.3 by @dependabot in #98
  • chore(deps): bump the pip group across 3 directories with 1 update by @dependabot in #93
  • chore(deps): bump flask from 3.0.3 to 3.1.0 by @dependabot in #99
  • [StepSecurity] Apply security best practices by @step-security-bot in #100
  • chore(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 by @dependabot in #101
  • chore(deps): bump prometheus-client from 0.16.0 to 0.21.0 in /chainguard/environments/dev by @dependabot in #102
  • chore(deps): bump flask from 3.0.3 to 3.1.0 in /chainguard/environments/prd by @dependabot in #103
  • chore(deps): bump github/codeql-action from 3.27.4 to 3.27.5 by @dependabot in #115
  • chore(deps): bump prometheus-client from 0.16.0 to 0.21.1 in /chainguard/environments/prd by @dependabot in #133
  • chore(deps): bump redis from 5.1.0b7 to 5.2.0 in /chainguard/environments/staging by @dependabot in #104
  • chore(deps): bump redis from 5.1.0b7 to 5.2.0 in /chainguard/environments/dev by @dependabot in #105
  • chore(deps): bump redis from 5.1.0b7 to 5.2.0 in /chainguard/environments/prd by @dependabot in #107
  • chore(deps): bump werkzeug from 3.0.6 to 3.1.3 in /chainguard/environments/dev by @dependabot in #108
  • chore(deps): bump flask from 3.0.3 to 3.1.0 in /chainguard/environments/dev by @dependabot in #109
  • chore(deps): bump werkzeug from 3.0.6 to 3.1.3 in /chainguard/environments/staging by @dependabot in #111
  • chore(deps): bump flask from 3.0.3 to 3.1.0 in /chainguard/environments/staging by @dependabot in #113
  • chore(deps): bump werkzeug from 3.0.6 to 3.1.3 in /chainguard/environments/prd by @dependabot in #112
  • chore(deps): bump actions/dependency-review-action from 4.4.0 to 4.5.0 by @dependabot in #114
  • chore(deps): bump docker/build-push-action from 6.9.0 to 6.10.0 by @dependabot in #116
  • chore(deps): bump prometheus-client from 0.21.0 to 0.21.1 in /chainguard by @dependabot in #134
  • chore(deps): bump prometheus-client from 0.21.0 to 0.21.1 by @dependabot in #135
  • chore(deps): bump github/codeql-action from 3.27.5 to 3.27.6 by @dependabot in #136
  • chore(deps): bump prometheus-client from 0.16.0 to 0.21.1 in /chainguard/environments/staging by @dependabot in #137
  • chore(deps): bump prometheus-client from 0.21.0 to 0.21.1 in /chainguard/environments/dev by @dependabot in #139
  • chore(deps): bump redis from 5.2.0 to 5.2.1 in /chainguard/environments/dev by @dependabot in #140
  • chore(deps): bump redis from 5.2.0 to 5.2.1 in /src by @dependabot in #141
  • chore(deps): bump redis from 5.2.0 to 5.2.1 by @dependabot in #142
  • chore(deps): bump redis from 5.2.0 to 5.2.1 in /chainguard/environments/prd by @dependabot in #143
  • chore(deps): bump redis from 5.2.0 to 5.2.1 in /chainguard/environments/staging by @dependabot in #145
  • chore(deps): bump github/codeql-action from 3.27.6 to 3.27.9 by @dependabot in #147
  • chore(deps): bump docker/setup-buildx-action from 3.7.1 to 3.8.0 by @dependabot in #148
  • chore(deps): bump actions/upload-artifact from 4.4.3 to 4.5.0 by @dependabot in #149
  • chore(deps): bump github/codeql-action from 3.27.9 to 3.28.0 by @dependabot in #150
  • chore(deps): bump actions/upload-artifact from 4.5.0 to 4.6.0 by @dependabot in #154
  • chore(deps): bump step-security/harden-runner from 2.10.2 to 2.10.4 by @dependabot in #157
  • chore(deps): bump docker/build-push-action from 6.10.0 to 6.13.0 by @dependabot in #161
  • chore(deps): bump docker/setup-qemu-action from 3.2.0 to 3.4.0 by @dependabot in #165
  • chore(deps): bump docker/setup-buildx-action from 3.8.0 to 3.9.0 by @dependabot in #167
  • 🔒 Security Improvements and Optimization by @nataliagranato in #168
  • Create SECURITY.md by @nataliagranato in #182
  • Update and rename OWNERS to CODEOWNERS by @nataliagranato in #183
  • chore(deps): bump sigstore/cosign-installer from 3.7.0 to 3.8.0 by @dependabot in #184
  • chore(deps): bump step-security/harden-runner from 2.10.4 to 2.11.0 by @dependabot in #185
  • chore(deps): bump docker/build-push-action from 6.13.0 to 6.14.0 by @dependabot in #186
  • chore(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 by @dependabot in #188
  • chore(deps): bump sigstore/cosign-installer from 3.8.0 to 3.8.1 by @dependabot in #187
  • chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot in #189
  • chore(deps): bump github/codeql-action ...

v2.0.0

10 Sep 02:49
2bd3513

Release Notes


Application Dockerization

  • Implemented a multi-stage build to optimize the Docker image.

Publishing Pipeline

  • Configured a pipeline to publish the Docker image to a private repository.

Kubernetes Manifests

  • Created manifests for:
    • Deployment
    • Service
    • PersistentVolume (PV)
    • PersistentVolumeClaim (PVC)
    • Ingress
    • Secret

Helm Package

  • Developed Helm packages for the development, staging and production environments.

Security and Compliance

  • Security scanning and vulnerability remediation using:
    • Trivy
    • Docker Scout
    • Snyk
  • Created security and compliance policies with Kyverno.
  • Image signing with Cosign.

Monitoring and Alerts

  • Installed Prometheus and Grafana.
  • Application monitoring with ServiceMonitor and PodMonitor.
  • Created alerts with Alertmanager integrated with Grafana.
  • Developed Grafana dashboards for application monitoring.

Image Build

  • Built a single-layer image using APKO and Melange.

Pipelines

  • Docker image build.
  • Generation of a unique tag for the image.
  • Security scanning with Trivy and integration with GitHub Security.
  • Image signing with Cosign.
  • Dockerfile quality scanning with Hadolint and integration with Git.
  • Use of Digestabot.
  • Use of Dependabot.
  • Implementation of Scorecard supply-chain security.
  • Application deployment using private Helm and Docker repositories.

v1.5.0

26 Aug 19:54

What's Changed

Full Changelog: v.1.4.0...v1.5.0

v.1.4.0

20 Aug 00:58

What's Changed

  • chore(deps): bump azure/setup-kubectl from 3 to 4 by @dependabot in #64

Full Changelog: v.1.3.0...v.1.4.0

v.1.3.0

17 Aug 15:03

Full Changelog: v1.2.0...v.1.3.0

v1.2.0

13 Aug 14:03

Full Changelog: v1.1.0...v1.2.0

v1.1.0

11 Aug 22:50

What's Changed

  • build(deps): Bump docker/metadata-action from 4 to 5 by @dependabot in #57
  • build(deps): Bump github/codeql-action from 2 to 3 by @dependabot in #58
  • build(deps): Bump docker/build-push-action from 4 to 6 by @dependabot in #59
  • chore(deps): bump redis from 5.0.0b1 to 5.1.0b7 by @dependabot in #60
  • chore(deps): bump chainguard-dev/digestabot from 1.1.0 to 1.2.0 by @dependabot in #61
  • [ImgBot] Optimize images by @imgbot in #62

Full Changelog: v1.0.0...v1.1.0

v1.0.0

08 Aug 23:36