Tags: bokuweb/sakimori
Tags
v0.34.4
Patch release.
New subpath action `bokuweb/sakimori/job/stop@v0` — a 1-line
replacement for the verbose mid-job flush snippet that
`actions/upload-artifact` inside the same job needed:
before:
- if: always() && runner.os == 'Linux'
name: Flush sakimori daemon
run: |
sudo -n -E "$SAKIMORI_BIN" daemon stop \
--pid-file "$SAKIMORI_JOB_PIDFILE"
- uses: actions/upload-artifact@v4
...
after:
- uses: bokuweb/sakimori/job/stop@v0
- uses: actions/upload-artifact@v4
...
Idempotent + Linux-only-no-op so it drops cleanly into cross-OS
matrices. Reads SAKIMORI_BIN / SAKIMORI_JOB_PIDFILE that the
main `bokuweb/sakimori/job@v0` action already exports via
$GITHUB_ENV, so no inputs needed.
See PR #64 and README.
v0.34.3
Patch release.
`bokuweb/sakimori/proxy@v0` now works on Linux, macOS, AND Windows.
Three independent issues were stacked on top of each other:
- The action lived at `.github/actions/proxy/` but the README
pointed at `bokuweb/sakimori/proxy@v0` (= `<repo>/proxy/`),
so the documented incantation 404'd.
- The install bash assumed a flat tarball layout when the actual
layout is `sakimori-<triple>/<bin>`.
- On Windows, the action spawned `sakimori-win.exe proxy start`,
but sakimori-win is the ETW supervisor and has no proxy
subcommand. The release tarball didn't ship the main sakimori
binary on Windows at all.
The fix (PR #63):
- Action rewritten as a node20 subpath action at repo-root
`proxy/`, mirroring the layout of `bokuweb/sakimori/job@v0`
and `bokuweb/sakimori/comment@v0`.
- release.yml now also cross-builds the main sakimori crate on
Windows; the tarball ships both `sakimori-win.exe` (ETW) and
`sakimori.exe` (proxy + deps + actions + ...).
- CI proxy-action-smoke matrix exercises the action on all
three OSes against a locally-built binary.
See README for the updated usage example.
v0.34.2 Patch release. `bokuweb/sakimori/job@v0`'s pre.js was hard-failing on macOS / Windows matrix entries even when the consumer gated the action step with `if: runner.os == 'Linux'`. JS-action pre/post hooks fire on every matrix entry regardless of step-level `if:` (the only way to gate them is the action's own `pre-if`/`post-if`, which the consumer can't override). Exit cleanly on non-Linux instead, matching the composite `bokuweb/sakimori@v0` behaviour. See #61. Combined with v0.34.1's moving-tag install fix, consumer workflows with mixed-OS matrices that pin to `@v0` now work as expected.
v0.34.1 Patch release. Fixes the install path in both action surfaces (`bokuweb/sakimori@v0` composite and `bokuweb/sakimori/job@v0` JS wrapper) when invoked via the `@v0` moving tag from a consumer repo. The previous logic ran `gh release download v0`, but there is no Release object literally named "v0" — release.yml's moving-tag job only force-pushes the git ref. Resolves to the newest `v0.*` release instead. No behaviour change for users who pin to a concrete `@vX.Y.Z` tag or who pass `with: version: latest`. See #60.
v0.34.0 Highlights: - Job-scoped supervised mode: + new subpath JS action that supervises every step of a GitHub Actions job with a single eBPF daemon attached to the runner-worker's cgroup. Linux only. - daemon-mode tamper detection: / re-snapshot the workspace at SIGTERM and surface drift in the JSON log + step summary. Wrapper exposes `snapshot-workspace:` input. - `sakimori doctor --daemon-pidfile <FILE>` reports daemon liveness. See README and PRs #58 / #59 for the full story.
v0.32.0 Major: - rebrand: coronarium → sakimori (#45) - per-PID source attribution via /proc PPid chain (#49) - workspace tamper detection (#48) - `actions audit` SHA-pin static check (#47) - `policy suggest` from audit log + enriched step summary (#46) Plus the usual incremental fixes that landed on main since v0.31.0.
action: `bokuweb/sakimori/job/stop@v0` — 1-line mid-job flush (#64) The "flush the daemon before upload-artifact inside the same job" pattern was a 4-line snippet leaking implementation detail: - if: always() && runner.os == 'Linux' name: Flush sakimori daemon run: | sudo -n -E "$SAKIMORI_BIN" daemon stop \ --pid-file "$SAKIMORI_JOB_PIDFILE" Replace with a composite sub-action so the consumer never sees sudo, the binary path, or the pid-file env-var name: - uses: bokuweb/sakimori/job/stop@v0 - uses: actions/upload-artifact@v4 Properties: - Idempotent. Missing pid-file → no-op (the daemon already stopped, or never started). main `job@v0` post-hook also becomes a no-op against the same missing pid-file, so order of operations is safe either way. - Linux-only-no-op. Drops into cross-OS matrices unchanged; on macOS / Windows runners it just logs and exits 0, matching the main `job@v0` action's non-Linux behaviour. - Reads env (`SAKIMORI_BIN`, `SAKIMORI_JOB_PIDFILE`) that the main action already stashes via $GITHUB_ENV. No inputs needed. README updated with the new pattern. CLAUDE.md roadmap entry points at the sub-action for future-Claude context. Signed-off-by: bokuweb <[email protected]> Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
matcher: don't deny empty filenames under default: deny (#42) The eBPF ringbuf occasionally emits open events with an empty `filename` — typically anonymous mmaps, deleted files, or memfd-style opens where the kernel can't recover an absolute path. With `file.default: deny`, those would fall through every allow prefix check and get tagged as denied, inflating `stats.denied` and tripping block-mode exits on runs where nothing real was blocked. reg-viz/reg-cli#650 hit this immediately after switching to `default: deny`: 3 of 7925 denied opens had `filename: ""`, emitted by `bash` and `corepack` during normal startup. Once the network-side denies were resolved, the empty-path opens would have been the lone remaining cause of CI failure. Empty isn't actually a path we can meaningfully police — there is nothing to protect on it. Treat as not-denied at the matcher boundary. Signed-off-by: bokuweb <[email protected]> Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
PreviousNext