| Version | Status |
|---|---|
| Current main + tagged semver releases | ✅ |
| Older tags / branches without a recent rebuild | ❌ |
A formal release / maintenance-branch split will be introduced once this repo is tagged for the first semver release.
Send reports to v@valdemar.ai. Encrypted email is preferred — the PGP public key is published at heyvaldemar.com/security.
You can expect an acknowledgment within 7 days. This project does not operate a bounty program; researchers who submit valid, responsibly disclosed reports receive public credit in the release notes and the changelog.
Please do not open public GitHub issues for security reports.
This repository publishes a deployment template, not a custom Docker image. It orchestrates well-known upstream images:
- traefik — reverse proxy, official image
- quay.io/keycloak/keycloak — Keycloak upstream
- postgres — PostgreSQL, official image
Upstream image tags are pinned to tag@sha256:<digest> in .env.example. Dependabot's docker ecosystem tracks digest bumps weekly. CI's Deployment Verification workflow stands up the full compose stack on every push and every Monday at 06:00 UTC, catching upstream drift before it reaches users.
GitHub Actions are pinned by commit SHA with # vX.Y.Z version comments.
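A local check for the image pinning described above, as an added example that is not part of this repository or its CI. It assumes image references are stored in variables whose names contain `IMAGE`; the variable names, versions and digests in the sample are constructed.

```python
import re
import sys

# Assumption: image references live in variables whose name contains "IMAGE".
IMAGE_VAR = re.compile(r"^\s*(?:export\s+)?([A-Z0-9_]*IMAGE[A-Z0-9_]*)\s*=\s*(.*)$")
# A pinned reference ends with @sha256: followed by exactly 64 lowercase hex chars.
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def unquote(value):
    """Strip one layer of matching quotes, or a trailing inline comment."""
    value = value.strip()
    if len(value) > 1 and value[:1] in ("'", '"') and value.endswith(value[0]):
        return value[1:-1]
    return value.split(" #", 1)[0].strip()


def audit_env(text):
    """Return [(line_no, variable, problem)] for image values not pinned by digest."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = IMAGE_VAR.match(line)
        if not m:
            continue
        name, value = m.group(1), unquote(m.group(2))
        if not value:
            findings.append((line_no, name, "empty image reference"))
        elif "@" not in value:
            findings.append((line_no, name, "tag only, no digest"))
        elif not DIGEST.search(value):
            findings.append((line_no, name, "malformed or non-sha256 digest"))
    return findings


PIN = "a" * 64  # constructed placeholder digest
SAMPLE = (
    "# constructed sample, not the repository's .env.example\n"
    f"TRAEFIK_IMAGE_TAG=traefik:3.1@sha256:{PIN}\n"
    "KEYCLOAK_IMAGE_TAG=quay.io/keycloak/keycloak:25.0\n"
    'POSTGRES_IMAGE_TAG="postgres:16@sha256:abc123"\n'
    "KEYCLOAK_DB_NAME=keycloakdb\n"
)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    problems = audit_env(text)
    for line_no, name, problem in problems:
        print(f"line {line_no}: {name}: {problem}")
    sys.exit(1 if problems else 0)
```

Run it against your own copy of the env file before deploying; a non-zero exit means at least one image can still move under a mutable tag.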
Prior to PR #12 (merged 2026-04-23), .env committed real values for three credentials:
- KEYCLOAK_DB_PASSWORD
- KEYCLOAK_ADMIN_PASSWORD
- TRAEFIK_BASIC_AUTH (BCrypt hash)
Those values remain in git history but are no longer referenced by any live file. Anyone who deployed with the pre-rotation configuration should rotate their live credentials and regenerate the Traefik dashboard BCrypt hash. See PR #12 for details and the .env.example for the rotation procedure.