74 changes: 39 additions & 35 deletions .github/workflows/ci.yml
Expand Up @@ -10,11 +10,11 @@ on:

env:
REGISTRY: ghcr.io
IMAGE_NAME_MANAGER: ${{ github.repository }}/manager
IMAGE_NAME_HEADEND: ${{ github.repository }}/headend
IMAGE_NAME_HUB_API: ${{ github.repository }}/hub-api
IMAGE_NAME_HUB_ROUTER: ${{ github.repository }}/hub-router
IMAGE_NAME_CLIENT: ${{ github.repository }}/client
GO_VERSION: '1.23'
PYTHON_VERSION: '3.12'
GO_VERSION: '1.24'
PYTHON_VERSION: '3.13'
NODE_VERSION: '18'

jobs:
Expand All @@ -23,7 +23,7 @@ jobs:
runs-on: ubuntu-24.04
strategy:
matrix:
python-version: [3.12]
python-version: [3.13]

steps:
- uses: actions/checkout@v4
Expand All @@ -37,36 +37,36 @@ jobs:
uses: actions/cache@v3
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('manager/requirements.txt') }}
key: ${{ runner.os }}-pip-${{ hashFiles('services/hub-api/requirements.txt') }}
restore-keys: |
${{ runner.os }}-pip-

- name: Install dependencies
run: |
cd manager
cd services/hub-api
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install pytest pytest-cov pytest-asyncio

- name: Lint with pylint
run: |
cd manager
cd services/hub-api
python -m pylint --rcfile=.pylintrc . || exit 0

- name: Type check with mypy
run: |
cd manager
cd services/hub-api
python -m mypy . || exit 0

- name: Test with pytest
run: |
cd manager
cd services/hub-api
python -m pytest tests/ -v --cov=. --cov-report=xml || exit 0

- name: Upload coverage reports
uses: codecov/codecov-action@v3
with:
file: ./manager/coverage.xml
file: ./services/hub-api/coverage.xml
flags: manager
name: manager-coverage

Expand All @@ -75,7 +75,7 @@ jobs:
runs-on: ubuntu-24.04
strategy:
matrix:
go-version: [1.23]
go-version: [1.24]

steps:
- uses: actions/checkout@v4
Expand All @@ -89,31 +89,31 @@ jobs:
uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('headend/go.sum') }}
key: ${{ runner.os }}-go-${{ hashFiles('services/hub-router/go.sum') }}
restore-keys: |
${{ runner.os }}-go-

- name: Install dependencies
run: |
cd headend
cd services/hub-router
go mod download

- name: Lint with golangci-lint
uses: golangci/golangci-lint-action@v6
uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6
with:
version: latest
working-directory: headend
working-directory: services/hub-router
args: --timeout=5m --out-format=colored-line-number

- name: Test with go test
run: |
cd headend
cd services/hub-router
go test -v -race -coverprofile=coverage.out ./...

- name: Upload coverage reports
uses: codecov/codecov-action@v3
with:
file: ./headend/coverage.out
file: ./services/hub-router/coverage.out
flags: headend
name: headend-coverage

Expand All @@ -122,7 +122,7 @@ jobs:
runs-on: ubuntu-24.04
strategy:
matrix:
go-version: [1.23]
go-version: [1.24]

steps:
- uses: actions/checkout@v4
Expand Down Expand Up @@ -161,7 +161,7 @@ jobs:
go mod download

- name: Lint with golangci-lint
uses: golangci/golangci-lint-action@v6
uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6
with:
version: latest
working-directory: clients/native
Expand Down Expand Up @@ -190,37 +190,39 @@ jobs:
- uses: actions/checkout@v4

- name: Set up Python for bandit
uses: actions/setup-python@v5
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: ${{ env.PYTHON_VERSION }}

- name: Set up Go for gosec
uses: actions/setup-go@v5
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version: ${{ env.GO_VERSION }}

- name: Run bandit (Python security scanner)
run: |
pip install bandit[toml]
bandit -r manager --format json --output bandit-results.json || true
bandit -r services/hub-api --format json --output bandit-results.json || true
continue-on-error: true

- name: Run gosec (Go security scanner)
uses: securego/gosec@master
with:
args: '-no-fail -fmt json -out gosec-results.json ./headend ./clients/native ./k8s-cni'
args: '-no-fail -fmt json -out gosec-results.json ./services/hub-router ./clients/native ./k8s-cni'
continue-on-error: true

- name: Run Trivy filesystem scanning
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
trivy-version: 'v0.69.3'
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'

- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
Expand All @@ -240,7 +242,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Read version from .version file
id: version
Expand All @@ -257,11 +259,11 @@ jobs:
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

- name: Log in to Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
Expand All @@ -285,7 +287,7 @@ jobs:
if: matrix.component == 'manager'
uses: docker/build-push-action@v5
with:
context: ./manager
context: ./services/hub-api
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand All @@ -296,11 +298,11 @@ jobs:
BUILD_TIME=${{ github.run_id }}
GIT_COMMIT=${{ github.sha }}

- name: Build and push Docker image - Headend
- name: Build and push Docker image - Headend
if: matrix.component == 'headend'
uses: docker/build-push-action@v5
with:
context: ./headend
context: ./services/hub-router
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand Down Expand Up @@ -367,7 +369,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: 1.23
go-version: 1.24

- name: Cache Go modules
uses: actions/cache@v3
Expand Down Expand Up @@ -465,7 +467,9 @@ jobs:
- uses: actions/checkout@v4

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
trivy-version: 'v0.69.3'
with:
scan-type: 'fs'
scan-ref: '.'
Expand Down Expand Up @@ -508,7 +512,7 @@ jobs:
version: '3.8'
services:
manager:
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_MANAGER }}:latest
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_HUB_API }}:latest
environment:
- REDIS_URL=redis://redis:6379
- LOG_LEVEL=debug
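Review bot: Both Trivy steps ("Run Trivy filesystem scanning" in the hunk at line 190 and "Run Trivy vulnerability scanner" in the hunk at line 465) appear to end up with two `with:` keys on the new side: the added `with:` / `trivy-version: 'v0.69.3'` pair sits directly above the existing `with:` that holds `scan-type` and `scan-ref`. Indentation is lost in this view, so confirm against the file, but a duplicated mapping key in a step either fails workflow validation or lets one mapping replace the other, and either way the scan or the version pin quietly stops doing its job. Drop the added `with:` line and move `trivy-version: 'v0.69.3'` under the existing `with:` next to `scan-type: 'fs'`. It is also worth checking the input name against the pinned action's `action.yml`: as far as I recall the input is `version`, and an unrecognised input only produces a warning, leaving the action's default Trivy release in use.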
44 changes: 22 additions & 22 deletions .github/workflows/docker-build.yml
Expand Up @@ -27,27 +27,27 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

- name: Log in to GitHub Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-manager
images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-hub-api
tags: |
type=ref,event=branch
type=ref,event=pr
Expand All @@ -58,7 +58,7 @@ jobs:
- name: Build and push Manager Docker image
uses: docker/build-push-action@v5
with:
context: ./manager
context: ./services/hub-api
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand All @@ -72,41 +72,41 @@ jobs:
permissions:
contents: read
packages: write

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

- name: Log in to GitHub Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-headend
images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-hub-router
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=latest,enable={{is_default_branch}}

- name: Build and push Headend Docker image
uses: docker/build-push-action@v5
with:
context: ./headend
context: ./services/hub-router
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
Expand All @@ -123,25 +123,25 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

- name: Log in to GitHub Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-client
tags: |
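Review bot: The SHA pinning is incomplete in the jobs that hold `packages: write`: `docker/setup-qemu-action@v3` and `docker/build-push-action@v5` stay on mutable tags in the build jobs shown here, while the checkout, buildx, login and metadata steps beside them are now pinned. build-push-action runs after the registry login, so a re-pointed tag for it would execute with push rights to the registry, which is the risk the rest of this change is removing. The same gap remains in `.github/workflows/ci.yml` (`securego/gosec@master`, `codecov/codecov-action@v3`, `actions/cache@v3`, `actions/setup-go@v4`, and several `actions/checkout@v4` lines). Pin them like the others, e.g. `uses: docker/build-push-action@<full-commit-sha> # v5`, taking each SHA from the action's own release tag.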