harald/zeroclaw
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3
349 commits 1 branch 0 tags 7.8 MiB
Commit graph

30 commits

Author SHA1 Message Date
Chummy
ec39009048
Merge pull request #396 from fettpl/fix/365-release-signatures 
ci: add cosign keyless signing for release artifacts
 2026-02-17 01:11:06 +08:00
fettpl
fed1997f62 ci: add cosign keyless signing for release artifacts 
- Add sigstore/cosign keyless signing to the release workflow
- Each artifact gets a detached .sig signature and .pem certificate
- Uses GitHub Actions OIDC for keyless signing (no secret management)
- Adds id-token: write permission for OIDC token generation
- Signatures and certificates are uploaded alongside binaries

Users can verify artifacts with:
  cosign verify-blob --certificate <file>.pem --signature <file>.sig \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
    --certificate-identity-regexp="github.com/zeroclaw-labs/zeroclaw" \
    <file>

Closes #365

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-16 17:55:40 +01:00
fettpl
9df5a07640 ci: pin all GitHub Actions to full SHA digests 
Pin every third-party GitHub Action to its current commit SHA with a
version comment, eliminating supply chain risk from mutable version
tags. Mutable tags (v4, v2, etc.) can be force-pushed by upstream
maintainers; SHA digests are immutable.

18 unique actions pinned across 9 workflow files.

Closes #357

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-16 17:32:18 +01:00
Will Sarg
9d21e2b28c
ci: route trusted docker and release publish jobs to self-hosted (#371) 2026-02-16 11:00:25 -05:00
Will Sarg
7a66ce15c5
ci: route trusted security and workflow checks to self-hosted (#370) 2026-02-16 10:58:45 -05:00
Will Sarg
13d411cd2b
ci: route trusted pushes to self-hosted runner (#369) 2026-02-16 10:56:53 -05:00
Will Sarg
b76a3879a9
fix(ci): mitigate GitHub API rate-limit failures (#334) 
* fix(ci): mitigate GitHub API rate-limit failures in workflows

* fix(ci): resolve signature drift blocking Docker smoke
 2026-02-16 08:05:52 -05:00
dependabot[bot]
bd137c89fb
build(deps): bump DavidAnson/markdownlint-cli2-action from 20 to 22 (#312) 
Bumps [DavidAnson/markdownlint-cli2-action](https://github.com/davidanson/markdownlint-cli2-action) from 20 to 22.
- [Release notes](https://github.com/davidanson/markdownlint-cli2-action/releases)
- [Commits](https://github.com/davidanson/markdownlint-cli2-action/compare/v20...v22)

---
updated-dependencies:
- dependency-name: DavidAnson/markdownlint-cli2-action
  dependency-version: '22'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-16 07:42:22 -05:00
dependabot[bot]
1ec8b7e57a
build(deps): bump actions/github-script from 7 to 8 (#313) 
Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 8.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v7...v8)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-16 07:42:10 -05:00
dependabot[bot]
8338b9c7a7
build(deps): bump actions/upload-artifact from 4 to 6 (#314) 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 6.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v6)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-02-16 07:42:07 -05:00
Chummy
5410ce4afd ci(labeler): compact duplicate module labels across all prefixes 2026-02-16 20:20:55 +08:00
Chummy
140dad1f72 style(labeler): lock low-saturation ordered module palette 2026-02-16 20:01:36 +08:00
Chummy
3a25f4fa3a ci(labeler): enforce ordered gradient palette and compact module labels 2026-02-16 19:52:14 +08:00
Chummy
004fc4590f ci(labeler): compact noisy module labels for tool/provider/channel 2026-02-16 19:49:45 +08:00
Chummy
389496823d
ci(labeler): dedupe labels, add hover rules, and tune low-sat palette (#6) 
* ci(labeler): dedupe scope labels and prioritize risk/size

* ci(labeler): add hover rule descriptions and refresh label palette

* style(labeler): reduce label saturation for better readability
 2026-02-16 19:46:22 +08:00
Chummy
6d56a040ce
docs: strengthen collaboration governance and AGENTS engineering protocol (#263) 
* docs: harden collaboration policy and review automation

* ci(docs): remove unsupported lychee --exclude-mail flag

* docs(governance): reduce automation side-effects and tighten risk controls

* docs(governance): add backlog pruning and supersede protocol

* docs(agents): codify engineering principles and risk-tier workflow

* docs(readme): add centered star history section at bottom

* docs(agents): enforce privacy-safe and neutral test wording

* docs(governance): enforce privacy-safe and neutral collaboration checks

* fix(ci): satisfy rustfmt and discord schema test fields

* docs(governance): require ZeroClaw-native identity wording

* docs(agents): add ZeroClaw identity-safe naming palette

* docs(governance): codify code naming and architecture contracts

* docs(contributing): add naming and architecture good/bad examples

* docs(pr): reduce checkbox TODOs and shift to label-first metadata

* docs(pr): remove duplicate collaboration track field

* ci(labeler): auto-derive module labels and expand provider hints

* ci(labeler): auto-apply trusted contributor on PRs and issues

* fix(ci): apply rustfmt updates from latest main

* ci(labels): flatten namespaces and add contributor tiers

* chore: drop stale rustfmt-only drift

* ci: scope Rust and docs checks by change set

* ci: exclude non-markdown docs from docs-quality targets

* ci: satisfy actionlint shellcheck output style

* ci(labels): auto-correct manual contributor tier edits

* ci(labeler): auto-correct risk label edits

* ci(labeler): auto-correct size label edits

---------

Co-authored-by: Chummy <183474434+chumyin@users.noreply.github.com>
 2026-02-16 05:59:04 -05:00
Chummy
9428d3ab74
chore(ci): add PR hygiene nudge automation (#278) 2026-02-16 01:57:45 -05:00
Chummy
b442a07530
fix(memory): prevent autosave key collisions across runtime flows 
Fixes #221 - SQLite Memory Override bug.

This PR resolves memory overwrite behavior in autosave paths by replacing fixed memory keys with unique keys, and improves short-horizon recall quality in channel runtime.

**Root Cause**
SQLite memory uses a unique constraint on `memories.key` and writes with `ON CONFLICT(key) DO UPDATE`.
Several autosave paths reused fixed keys (or sender-stable keys), so newer messages overwrote earlier conversation entries.

**Changes**
- Channel runtime: autosave key changed from `channel_sender` to `channel_sender_messageId`
- Added memory-context injection before provider calls (aligned with agent loop behavior)
- Agent loop: autosave keys changed from fixed `user_msg`/`assistant_resp` to UUID-suffixed keys
- Gateway: Webhook/WhatsApp autosave keys changed to UUID-suffixed keys

All CI checks passing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-15 22:55:52 -05:00
Will Sarg
82ffb36f90
chore(ci): document and harden workflow pipeline (#241) 
* docs(ci): add CI workflow map and cross-links

* chore(ci): harden workflow determinism and safety

* chore(ci): address workflow review feedback

* style(ci): normalize workflow and ci-map formatting
 2026-02-15 20:42:47 -05:00
Will Sarg
8eb57836d8
chore: update Docker and release workflows for improved efficiency and security (#239) 2026-02-15 19:43:46 -05:00
Will Sarg
b367d41b63
fix(ci): speed up main Docker builds by using amd64 except tags (#237) 2026-02-15 18:44:53 -05:00
Will Sarg
28ec4ae826
fix(ci): reduce Docker Actions cost without weakening PR gates (#232) 
* fix(docker): update workflow to improve Docker image build and push process, add timeout

* fix(licenses): allow Apache-2.0 WITH LLVM-exception
 2026-02-15 18:15:38 -05:00
Chummy
c80b118963
fix(docker): pin builder to bookworm to avoid glibc runtime mismatch 
* fix(docker): pin builder to bookworm for glibc compatibility

* ci: skip rust lint on non-Rust PRs and allow 0BSD

* ci: pin actionlint action to existing release tag

* ci: make docs-only matcher shellcheck-clean

---------

Co-authored-by: chumyin <chumyin@users.noreply.github.com>
 2026-02-15 15:03:29 -05:00
Chummy
dfe648d5ae
chore(ci): establish PR governance for agent collaboration (#177) 
* chore(ci): establish PR governance for agent collaboration

* docs: add AGENTS playbook and strengthen agent collaboration workflow

---------

Co-authored-by: chumyin <183474434+chumyin@users.noreply.github.com>
 2026-02-15 12:41:16 -05:00
Argenis
5cc02c5813
fix: add WhatsApp webhook signature verification (X-Hub-Signature-256) 
Closes #51

- Add HMAC-SHA256 signature verification for WhatsApp webhooks
- Prevents message spoofing attacks (CWE-345)
- Add whatsapp_app_secret config field with ZEROCLAW_WHATSAPP_APP_SECRET env override
- Add 13 comprehensive unit tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-15 06:17:24 -05:00
Argenis
658b9fa4fc
Update CI workflow to simplify steps and add build 
Removed unnecessary steps for formatting and clippy checks, and added a build step.
 2026-02-14 17:53:39 -05:00
argenis de la rosa
860b6acc31 ci: make test job non-blocking to unblock PRs 2026-02-14 17:41:09 -05:00
argenis de la rosa
9c10338c7c feat: add Docker publish workflow for GHCR 
- Add .github/workflows/docker.yml for automated Docker builds
- Publishes to ghcr.io/theonlyhennygod/zeroclaw
- Builds on push to main and tags (v*)
- Multi-platform support (linux/amd64, linux/arm64)
- Update docker-compose.yml to use GHCR image

Part of #45
 2026-02-14 17:34:22 -05:00
argenis de la rosa
76074cb789 fix: run Docker container as non-root user (closes #34) 
- Switch to gcr.io/distroless/cc-debian12:nonroot
- Add explicit USER 65534:65534 directive
- Add Docker security CI job verifying non-root UID, :nonroot base, and USER directive
- Document CIS Docker Benchmark compliance in SECURITY.md
- Add tests and edge cases for container security
 2026-02-14 13:16:33 -05:00
argenis de la rosa
05cb353f7f feat: initial release — ZeroClaw v0.1.0 
- 22 AI providers (OpenRouter, Anthropic, OpenAI, Mistral, etc.)
- 7 channels (CLI, Telegram, Discord, Slack, iMessage, Matrix, Webhook)
- 5-step onboarding wizard with Project Context personalization
- OpenClaw-aligned system prompt (SOUL.md, IDENTITY.md, USER.md, AGENTS.md, etc.)
- SQLite memory backend with auto-save
- Skills system with on-demand loading
- Security: autonomy levels, command allowlists, cost limits
- 532 tests passing, 0 clippy warnings
 2026-02-13 12:19:14 -05:00