Tags

  • v0.2.0 (protected tag)

    Release: postern v0.2.0
    postern v0.2.0 -- production readiness
    
    Six capabilities for production deployment in regulated environments:
    
    1. Async dispatch: channel-based worker pool decouples event
       acceptance from trigger execution. Push sources return 503 when
       queue full (cloud providers retry). Lifecycle context for workers
       (not request context). Graceful drain on shutdown.
    
    2. Prometheus metrics: 9 app metrics (counters, histograms, gauges)
       plus Go runtime. /metrics endpoint. PipelinesTriggered,
       TriggerFailures, TriggerDuration, EventsInFlight, DispatchQueueDepth
       all wired in dispatch workers.
    
    3. Rate limiting: per-source token bucket via x/time/rate. HTTP
       middleware returns 429. Global default with per-source override.
       SASL without TLS rejected at config validation.
    
    4. AWS SQS poll adapter: SDK v2, long polling (20s), SNS envelope
       unwrap, S3 Records iteration. Only deletes message when dispatch
       accepts. MessageId for dedup (not ETag).
    
    5. Kafka/OCI Streaming poll adapter: segmentio/kafka-go (pure Go),
       SASL_SSL (PLAIN for OCI, SCRAM for MSK), manual commit only
       after dispatch accepts. CloudEvents v0.1 normalization.
    
    6. Helm chart: 10 templates. Deployment with securityContext
       (runAsNonRoot, readOnlyRootFilesystem, drop ALL), checksum/config
       annotation for rolling restart. Dual ConfigMap/Secret pattern.
    
    CI: pipeline catalog v1.1.1 (buildah v1.43.0, cosign v2.6.3,
    checksum-verified installs, log collapsing). SAST, Secret Detection,
    Dependency Scanning, Container Scanning.
    
    46 tests with race detector. 3 adversarial review rounds on v0.2
    (28 issues found and fixed including dead-context bug, shutdown
    ordering, double metrics, silent event loss paths).
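The async dispatch of item 1, together with the counters and gauge of item 2, as an added Go example that is not the postern project's code: a bounded channel queue with a fixed worker pool, a non-blocking enqueue that the push-source handler turns into a 503 with Retry-After when the queue is full, workers bound to a lifecycle context rather than the request context, and a drain for shutdown that finishes everything already queued. The type and function names (Dispatcher, TryEnqueue, Drain, Processed, Failures, QueueDepth), the X-Event-Id header and the Retry-After value are assumptions; only the standard library is used, not the Prometheus client.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"sync"
	"sync/atomic"
)

// Event is what a push-source handler hands to the dispatch workers.
type Event struct {
	Source string
	ID     string
}

// TriggerFunc fires one pipeline trigger. It receives the lifecycle context,
// never the HTTP request context, so a finished request cannot cancel a
// trigger that is still in flight.
type TriggerFunc func(ctx context.Context, ev Event) error

// Dispatcher decouples event acceptance from trigger execution.
// (Added example; the names here are assumptions, not postern's API.)
type Dispatcher struct {
	queue     chan Event
	trigger   TriggerFunc
	wg        sync.WaitGroup
	mu        sync.RWMutex // guards closed, so TryEnqueue never sends on a closed channel
	closed    bool
	processed int64 // finished triggers, success or failure
	failures  int64 // triggers that returned an error
}

// NewDispatcher starts the workers bound to lifecycleCtx (the process lifetime).
func NewDispatcher(lifecycleCtx context.Context, workers, depth int, trigger TriggerFunc) *Dispatcher {
	d := &Dispatcher{queue: make(chan Event, depth), trigger: trigger}
	for i := 0; i < workers; i++ {
		d.wg.Add(1)
		go d.worker(lifecycleCtx)
	}
	return d
}

func (d *Dispatcher) worker(ctx context.Context) {
	defer d.wg.Done()
	for ev := range d.queue { // the loop ends when Drain closes the queue
		if err := d.trigger(ctx, ev); err != nil {
			// Every failure is counted and logged; there is no silent drop path.
			atomic.AddInt64(&d.failures, 1)
			fmt.Printf("trigger failed source=%s id=%s: %v\n", ev.Source, ev.ID, err)
		}
		atomic.AddInt64(&d.processed, 1)
	}
}

// TryEnqueue accepts the event only if the queue has room and never blocks,
// so a burst from a cloud provider cannot tie up the request handlers.
func (d *Dispatcher) TryEnqueue(ev Event) bool {
	d.mu.RLock()
	defer d.mu.RUnlock()
	if d.closed {
		return false
	}
	select {
	case d.queue <- ev:
		return true
	default:
		return false // queue full: the caller answers 503 and the provider retries
	}
}

// Drain stops accepting new events, lets the workers finish everything already
// queued, and returns. Call it on shutdown before cancelling the lifecycle context.
func (d *Dispatcher) Drain() {
	d.mu.Lock()
	if !d.closed {
		d.closed = true
		close(d.queue)
	}
	d.mu.Unlock()
	d.wg.Wait()
}

// The values a metrics layer would export: two counters and the queue-depth gauge.
func (d *Dispatcher) Processed() int64 { return atomic.LoadInt64(&d.processed) }
func (d *Dispatcher) Failures() int64  { return atomic.LoadInt64(&d.failures) }
func (d *Dispatcher) QueueDepth() int  { return len(d.queue) }

// Handler is a minimal push-source endpoint: 202 when queued, 503 with
// Retry-After when the queue is full.
func (d *Dispatcher) Handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ev := Event{Source: r.URL.Path, ID: r.Header.Get("X-Event-Id")}
		if !d.TryEnqueue(ev) {
			w.Header().Set("Retry-After", "5")
			http.Error(w, "dispatch queue full, retry later", http.StatusServiceUnavailable)
			return
		}
		w.WriteHeader(http.StatusAccepted)
	})
}
```

The read lock in TryEnqueue is what makes Drain safe: a send on a closed channel panics, so the flag and the close happen under the write lock and no enqueue can interleave with them. Because the workers range over the channel, Drain needs no separate stop signal; closing the queue ends the loops once the backlog is gone.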
  • v0.1.0 (protected tag)

    Release: postern v0.1.0
    postern v0.1.0
    
    Cross-platform event-to-pipeline multiplexer for GitLab.
    
    Translates cloud storage events (Azure Event Grid, GCP Pub/Sub,
    CloudEvents v1.0) into GitLab pipeline triggers. Config-driven
    YAML routing with gjson dot-path variable extraction.
    
    Adapters:
    - Azure Event Grid: shared-secret auth, native + CloudEvents schema
      detection, SubscriptionValidation/Deletion handling, batch cap
    - GCP Pub/Sub: OIDC JWT verification (idtoken.Validator), email_verified
    - CloudEvents v1.0: bearer token auth, structured + binary mode via SDK
    
    Security:
    - Auth on all endpoints (constant-time comparison)
    - gjson @-modifier injection blocked at config validation
    - Body size limits on all adapters (1MB)
    - GITLAB_URL required (no default, prevents token exfiltration)
    - Bounded trigger concurrency (semaphore, default 10)
    - Prescriptive errors (every failure names what to fix)
    
    Container:
    - UBI10-micro base (FedRAMP, Iron Bank compatible)
    - Built with buildah (no Docker daemon)
    - Cosign keyless signed via GitLab OIDC
    - CycloneDX SBOM via container scanning
    - Non-root (UID 1001)
    - CI via public-sector-tools/pipeline catalog v1.0.0
    
    37 tests with race detector. 6 rounds of adversarial review.
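The Security list above, as an added Go example that is not postern's own code: constant-time comparison of the shared secret, config validation that rejects gjson modifiers and requires GITLAB_URL, a 1MB body cap on the request path, and errors that each name what to fix. The names (AuthOK, ValidateExtractPath, Config.Validate, ReadBody), the exact error texts, and the rule that a path containing `@` or `|` is refused are assumptions; gjson itself is not imported, since the check is applied to the configured path string before it is ever evaluated.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// MaxBody caps request bodies on every adapter (1MB, as in the release notes).
const MaxBody = 1 << 20

// AuthOK compares a presented shared secret with the configured one in constant
// time. Both sides are hashed first so the comparison runs over equal-length
// inputs: neither the secret's length nor the position of the first mismatch
// is observable through response timing.
func AuthOK(presented, expected string) bool {
	p := sha256.Sum256([]byte(presented))
	e := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(p[:], e[:]) == 1
}

// ValidateExtractPath accepts only plain gjson dot-paths. Modifiers (@name) and
// pipes (|) change how gjson evaluates a path, so a config carrying them is
// refused at load time instead of being interpreted at runtime.
// (Added example; the exact rule is an assumption, not postern's validator.)
func ValidateExtractPath(name, path string) error {
	switch {
	case path == "":
		return fmt.Errorf("variable %s: extraction path is empty; set a dot-path such as data.url", name)
	case strings.Contains(path, "@"):
		return fmt.Errorf("variable %s: path %q contains a gjson modifier (@); remove it and use a plain dot-path", name, path)
	case strings.Contains(path, "|"):
		return fmt.Errorf("variable %s: path %q contains a gjson pipe (|); use a single plain dot-path", name, path)
	}
	return nil
}

// Config is the subset of routing configuration these checks cover.
type Config struct {
	GitLabURL    string            // must be set explicitly; there is no default
	SharedSecret string            // presented by the event source on every request
	Variables    map[string]string // CI variable name -> gjson dot-path into the event
}

// Validate applies the fail-closed checks. Every error says what to change.
func (c Config) Validate() error {
	if c.GitLabURL == "" {
		return errors.New("GITLAB_URL is required and has no default; set it to your GitLab base URL so trigger tokens are only ever sent there")
	}
	if c.SharedSecret == "" {
		return errors.New("shared secret is empty; every endpoint requires auth, set the adapter secret")
	}
	for name, path := range c.Variables {
		if err := ValidateExtractPath(name, path); err != nil {
			return err
		}
	}
	return nil
}

// ReadBody reads at most MaxBody bytes. MaxBytesReader stops the read at the
// limit and marks the connection to be closed, so an oversized event is never
// buffered in full.
func ReadBody(w http.ResponseWriter, r *http.Request) ([]byte, error) {
	r.Body = http.MaxBytesReader(w, r.Body, MaxBody)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		return nil, fmt.Errorf("request body exceeds %d bytes; send fewer events per request", MaxBody)
	}
	return body, nil
}
```

Hashing before subtle.ConstantTimeCompare matters because that function returns early when the two slices differ in length; over fixed-size digests there is no length to leak. The modifier check runs on the configured path, not on event data, because the path is the part an operator controls and the part gjson would interpret.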