diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b93e4a..78c0d12 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,28 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). +## [v1.15.2] - 2026-03-30 + +### Features + +- Build custom Kingfisher container from sporked deploy branch, replacing upstream image with locally-built version including --clone-url-base patch. +- Add Kingfisher secret scanner as a weekly CronJob scanning all Forgejo repos, with HTML and JSON reports written to sifaka NFS. +- Add MongoDB Kingfisher secret scanner as a prek hook alongside TruffleHog for comparative coverage evaluation. +- Add spork strategy: floating-branch soft-fork tooling (`mise run spork-create`) and documentation for maintaining local patches against upstream projects. + +### Infrastructure + +- Add compensating controls framework: tracking file, review mise task, and how-to doc. Map all Prowler mutelist entries to named controls with CC: prefixes. +- Add Prowler mutelist to suppress expected findings from system components, operator-managed pods, and accepted operational needs. Fix missing seccomp profile on kube-state-metrics. +- Borgmatic photos backup: restrict to library/ and upload/ (skip regenerable dirs), add SSH keepalives and checkpoint interval to prevent broken pipe failures on large initial syncs. +- Upgrade forgejo-runner from 12.7.0 to 12.7.3 (bug fixes, security dep update). Add service reference card. + +### Documentation + +- Add service reference documentation for Kingfisher secret scanner. +- Review and update Ansible reference doc: add missing roles, sibling playbooks, and clarify Ansible's role in the IaC stack. + + ## [v1.15.1] - 2026-03-28 ### Features diff --git a/argocd/manifests/docs/deployment.yaml b/argocd/manifests/docs/deployment.yaml index 9b61fb0..3224a23 100644 --- a/argocd/manifests/docs/deployment.yaml +++ b/argocd/manifests/docs/deployment.yaml 
@@ -30,7 +30,7 @@ spec: name: http env: - name: DOCS_RELEASE_URL - value: "https://forge.eblu.me/eblume/blumeops/releases/download/v1.15.1/docs-v1.15.1.tar.gz" + value: "https://forge.eblu.me/eblume/blumeops/releases/download/v1.15.2/docs-v1.15.2.tar.gz" resources: requests: memory: "64Mi" diff --git a/docs/changelog.d/+ansible-doc-review.doc.md b/docs/changelog.d/+ansible-doc-review.doc.md deleted file mode 100644 index 976517a..0000000 --- a/docs/changelog.d/+ansible-doc-review.doc.md +++ /dev/null @@ -1 +0,0 @@ -Review and update Ansible reference doc: add missing roles, sibling playbooks, and clarify Ansible's role in the IaC stack. diff --git a/docs/changelog.d/+borgmatic-photos-hardening.infra.md b/docs/changelog.d/+borgmatic-photos-hardening.infra.md deleted file mode 100644 index c68580a..0000000 --- a/docs/changelog.d/+borgmatic-photos-hardening.infra.md +++ /dev/null @@ -1 +0,0 @@ -Borgmatic photos backup: restrict to library/ and upload/ (skip regenerable dirs), add SSH keepalives and checkpoint interval to prevent broken pipe failures on large initial syncs. diff --git a/docs/changelog.d/+forgejo-runner-12.7.3.infra.md b/docs/changelog.d/+forgejo-runner-12.7.3.infra.md deleted file mode 100644 index 379ca3e..0000000 --- a/docs/changelog.d/+forgejo-runner-12.7.3.infra.md +++ /dev/null @@ -1 +0,0 @@ -Upgrade forgejo-runner from 12.7.0 to 12.7.3 (bug fixes, security dep update). Add service reference card. diff --git a/docs/changelog.d/+kingfisher-docs.doc.md b/docs/changelog.d/+kingfisher-docs.doc.md deleted file mode 100644 index 42fe085..0000000 --- a/docs/changelog.d/+kingfisher-docs.doc.md +++ /dev/null @@ -1 +0,0 @@ -Add service reference documentation for Kingfisher secret scanner. diff --git a/docs/changelog.d/+kingfisher-prek.feature.md b/docs/changelog.d/+kingfisher-prek.feature.md deleted file mode 100644 index dadedc1..0000000 --- a/docs/changelog.d/+kingfisher-prek.feature.md +++ /dev/null 
@@ -1 +0,0 @@ -Add MongoDB Kingfisher secret scanner as a prek hook alongside TruffleHog for comparative coverage evaluation. diff --git a/docs/changelog.d/+spork-strategy.feature.md b/docs/changelog.d/+spork-strategy.feature.md deleted file mode 100644 index 1f47bc1..0000000 --- a/docs/changelog.d/+spork-strategy.feature.md +++ /dev/null @@ -1 +0,0 @@ -Add spork strategy: floating-branch soft-fork tooling (`mise run spork-create`) and documentation for maintaining local patches against upstream projects. diff --git a/docs/changelog.d/compensating-controls.infra.md b/docs/changelog.d/compensating-controls.infra.md deleted file mode 100644 index c865a90..0000000 --- a/docs/changelog.d/compensating-controls.infra.md +++ /dev/null @@ -1 +0,0 @@ -Add compensating controls framework: tracking file, review mise task, and how-to doc. Map all Prowler mutelist entries to named controls with CC: prefixes. diff --git a/docs/changelog.d/feature-kingfisher-container.feature.md b/docs/changelog.d/feature-kingfisher-container.feature.md deleted file mode 100644 index 9054e81..0000000 --- a/docs/changelog.d/feature-kingfisher-container.feature.md +++ /dev/null @@ -1 +0,0 @@ -Build custom Kingfisher container from sporked deploy branch, replacing upstream image with locally-built version including --clone-url-base patch. diff --git a/docs/changelog.d/feature-kingfisher-cronjob.feature.md b/docs/changelog.d/feature-kingfisher-cronjob.feature.md deleted file mode 100644 index 871c9d8..0000000 --- a/docs/changelog.d/feature-kingfisher-cronjob.feature.md +++ /dev/null @@ -1 +0,0 @@ -Add Kingfisher secret scanner as a weekly CronJob scanning all Forgejo repos, with HTML and JSON reports written to sifaka NFS. diff --git a/docs/changelog.d/prowler-mutelist.infra.md b/docs/changelog.d/prowler-mutelist.infra.md deleted file mode 100644 index a8bf246..0000000 --- a/docs/changelog.d/prowler-mutelist.infra.md +++ /dev/null 
@@ -1 +0,0 @@ -Add Prowler mutelist to suppress expected findings from system components, operator-managed pods, and accepted operational needs. Fix missing seccomp profile on kube-state-metrics.
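Review bot: In the CHANGELOG.md hunk, under `### Infrastructure`, the seccomp fix is folded into the tail of the Prowler mutelist bullet (`Fix missing seccomp profile on kube-state-metrics.`), so a hardening change shares a line with an entry about suppressing findings. Split it into its own bullet so a reader auditing v1.15.2 can tell what was fixed from what was muted. The forgejo-runner bullet has a smaller version of the same problem: `security dep update` does not name the dependency or the advisory behind the 12.7.0 to 12.7.3 bump.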
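Review bot: In argocd/manifests/docs/deployment.yaml, `DOCS_RELEASE_URL` is the only entry visible under `env:` in this hunk, so the docs tarball appears to be fetched by URL alone with no expected digest next to it. Consider adding a checksum variable (for example a SHA-256 of docs-v1.15.2.tar.gz) that is bumped in the same commit and verified before the archive is unpacked, so a replaced release asset fails closed. The version also appears twice in the value (`v1.15.2/docs-v1.15.2.tar.gz`); deriving both from a single templated value would rule out a half-bumped URL.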
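Review bot: Across the docs/changelog.d deletions, the fragment names follow three different patterns: `+spork-strategy.feature.md` with a leading `+`, `compensating-controls.infra.md` with a bare slug, and `feature-kingfisher-container.feature.md` with the type repeated as a prefix. Pick one convention and note it in the contributor docs so new fragments are named consistently. The ten deleted fragments do line up one-to-one with the ten bullets added to CHANGELOG.md, so no entry is lost in this release.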