diff --git a/.bumpversion.toml b/.bumpversion.toml index 3b3161c..4dc7268 100644 --- a/.bumpversion.toml +++ b/.bumpversion.toml @@ -2,7 +2,7 @@ # SPDX-License-Identifier: Apache-2.0 [tool.bumpversion] -current_version = "1.3.4" +current_version = "1.3.5" parse = "(?P\\d+)\\.(?P\\d+)\\.(?P\\d+)" serialize = ["{major}.{minor}.{patch}"] @@ -28,4 +28,4 @@ regex = true # bump-my-version does NOT manage these files; they are listed here for discoverability. # --------------------------------------------------------------------------- [tool.bumpversion.custom_variables.core_version] -current = "0.10.3" +current = "0.10.4" diff --git a/.github/workflows/self-check.yml b/.github/workflows/self-check.yml index 9b42ce2..7d2ab2b 100644 --- a/.github/workflows/self-check.yml +++ b/.github/workflows/self-check.yml @@ -111,6 +111,7 @@ jobs: repository: PythonWoods/zenzic ref: ${{ steps.resolve-branch.outputs.core_ref }} path: _zenzic_core + fetch-tags: true - name: Install just uses: taiki-e/install-action@ea85faa6acd705ad6d40586db99f1a70b09c2929 # just diff --git a/CHANGELOG.md b/CHANGELOG.md index 0778041..f2a15b1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,7 +15,16 @@ No changes yet. --- -## [1.3.4] - 2026-06-07 +## [1.3.5] - 2026-06-09 + +### Changed + +- **Operational governance docs:** Added explicit branch-protection policy to `README.md` and `README.it.md`, including required checks for `main` (`Verify (ubuntu-latest, true)`, `Lint PR Title`, `Check DCO`) and fail-closed workflow selection rules. +- **Core pin:** Zenzic Core pinned to `0.10.4`. + +--- + +## [1.3.5] - 2026-06-07 ### Changed 
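Review bot: The new `fetch-tags: true` on the `_zenzic_core` checkout has no comment saying which part of the self-check consumes the tags, and the step's `fetch-depth` is not in this hunk; if it is left at the checkout default shallow depth, the tags are fetched but the commits they reference may not be reachable in the local history, so anything that derives the core version from tag history can still fail. I would add a trailing comment such as `fetch-tags: true  # <what in the core self-check reads the tags>` and, if that consumer walks history, pair it with `fetch-depth: 0`. Note also that, with actions/checkout, tags are fetched for the whole `PythonWoods/zenzic` repository regardless of which `core_ref` the `resolve-branch` step produced, so a later step should not treat the presence of a tag as proof it is reachable from `core_ref`. The checkout step's `uses:` line and the enclosing job begin outside the hunk.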
@@ -23,9 +32,10 @@ No changes yet. --- -## [1.3.4] - 2026-06-07 +## [1.3.5] - 2026-06-07 ### Deprecated + - **Versions v1.3.0 and older are officially deprecated.** They contained a critical bug in the bash wrapper that injected an invalid `--config` flag, causing false-positive Exit 2 crashes. Users pinned to exact patch versions must upgrade to `v1.3.1` or use the major tag `@v1`. ### Added diff --git a/CONTRIBUTING.it.md b/CONTRIBUTING.it.md index f391f2d..f2f6a9e 100644 --- a/CONTRIBUTING.it.md +++ b/CONTRIBUTING.it.md @@ -53,6 +53,19 @@ uvx pre-commit install # commit-stage: hygiene + zenzic self-check uvx pre-commit install -t pre-push # pre-push: 🛡️ Final Guard runs `just verify` ``` +Configura la firma SSH dei commit (obbligatoria — tutti i commit devono apparire come **Verified** su GitHub): + +```bash +# Configurazione globale una-tantum (salta se già configurata) +git config --global gpg.format ssh +git config --global user.signingkey ~/.ssh/id_ed25519.pub # adatta il percorso se necessario +git config --global commit.gpgsign true +``` + +Registra poi la tua chiave pubblica come **Signing Key** (non Authentication Key) su +. I commit firmati con una chiave non registrata +verranno rifiutati dal ruleset del branch. + ## Verifica Locale Usa `just` per eseguire i self-test prima di aprire una PR: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index cac2e2d..819b3bf 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -52,6 +52,19 @@ uvx pre-commit install # commit-stage: hygiene + zenzic self-check uvx pre-commit install -t pre-push # pre-push: 🛡️ Final Guard runs `just verify` ``` +Configure SSH commit signing (required — all commits must appear **Verified** on GitHub): + +```bash +# One-time global setup (skip if already configured) +git config --global gpg.format ssh +git config --global user.signingkey ~/.ssh/id_ed25519.pub # adjust path if different +git config --global commit.gpgsign true +``` + +Then register your public key as a **Signing Key** (not Authentication Key) at +. Commits signed with an unregistered key will +be rejected by the branch ruleset. + ## Local Verification Use `just` to run the self-tests before opening a PR: diff --git a/README.it.md b/README.it.md index de8ec9f..f5737b8 100644 --- a/README.it.md +++ b/README.it.md @@ -19,7 +19,6 @@ zenzic-audit zenzic-score - action version zenzic on PyPI license @@ -55,7 +54,7 @@ La configurazione minimale — zero setup Python, SARIF su Code Scanning in un s - name: Run Zenzic Documentation Quality Gate uses: PythonWoods/zenzic-action@v1 with: - version: "0.10.3" + version: "0.10.4" format: sarif upload-sarif: "true" permissions: 
@@ -69,11 +68,33 @@ Per la configurazione avanzata (Configuration Discovery, Override Sovrano, scori --- +## Policy Branch Protection (Operativa) + +Per il repository `zenzic-action`, proteggi `main` e abilita **Require status checks to pass before merging**. + +Check obbligatori: + +- `Verify (ubuntu-latest, true)` +- `Lint PR Title` +- `Check DCO` + +Intento operativo: + +- `Verify (ubuntu-latest, true)` è il gate di integrità funzionale per runtime action e comportamento del wrapper. +- `Lint PR Title` e `Check DCO` applicano governance e tracciabilità legale su ogni PR. + +Regola fail-closed: + +- Ogni check obbligatorio deve girare su `pull_request`. +- Non configurare la branch protection con check obbligatori provenienti da workflow solo tag, solo release o solo schedule. + +--- + ## Inputs | Input | Default | Descrizione | |---|---|---| -| `version` | `0.10.3` | Versione di Zenzic da installare. Pin a una release specifica per esecuzioni deterministiche. Imposta `latest` per valutazione continua. | +| `version` | `0.10.4` | Versione di Zenzic da installare. Pin a una release specifica per esecuzioni deterministiche. Imposta `latest` per valutazione continua. | | `format` | `sarif` | Formato di output: `text`, `json`, o `sarif`. | | `sarif-file` | `zenzic-results.sarif` | Path di output SARIF (quando `format: sarif`). Deve essere un path **relativo** dentro il workspace. | | `upload-sarif` | `true` | Carica SARIF su GitHub Code Scanning. | diff --git a/README.md b/README.md index f7629db..ae65911 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,6 @@ zenzic-audit zenzic-score - action version zenzic on PyPI license @@ -55,7 +54,7 @@ The minimal configuration — zero Python setup, SARIF to Code Scanning in one s - name: Run Zenzic Documentation Quality Gate uses: PythonWoods/zenzic-action@v1 with: - version: "0.10.3" + version: "0.10.4" format: sarif upload-sarif: "true" permissions: 
@@ -69,11 +68,33 @@ For advanced configuration (Configuration Discovery, Sovereign Override, Quality --- +## Branch Protection Policy (Operational) + +For the `zenzic-action` repository, protect `main` and enable **Require status checks to pass before merging**. + +Required checks: + +- `Verify (ubuntu-latest, true)` +- `Lint PR Title` +- `Check DCO` + +Operational intent: + +- `Verify (ubuntu-latest, true)` is the functional integrity gate for the action runtime and wrapper behavior. +- `Lint PR Title` and `Check DCO` enforce governance and legal traceability on every PR. + +Fail-closed rule: + +- Every required check must run on `pull_request`. +- Do not configure branch protection with required checks that are tag-only, release-only, or schedule-only workflows. + +--- + ## Inputs | Input | Default | Description | |---|---|---| -| `version` | `0.10.3` | Zenzic version to install. Pin to a specific release for reproducible CI. Set `latest` for continuous evaluation. | +| `version` | `0.10.4` | Zenzic version to install. Pin to a specific release for reproducible CI. Set `latest` for continuous evaluation. | | `format` | `sarif` | Output format: `text`, `json`, or `sarif`. | | `sarif-file` | `zenzic-results.sarif` | SARIF output path (when `format: sarif`). Must be a **relative** path inside the workspace. | | `upload-sarif` | `true` | Upload SARIF to GitHub Code Scanning. | diff --git a/RELEASE.md b/RELEASE.md index d6eea4b..55a7d86 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -7,7 +7,7 @@ | Field | Value | | :------ | :--------- | | Version | v1.1.0 | -| Date | 2026-06-08 | +| Date | 2026-06-09 | | Status | Stable | ## Release Checklist diff --git a/action.yml b/action.yml index 4e85c56..b2de682 100644 --- a/action.yml +++ b/action.yml 
@@ -16,7 +16,7 @@ inputs:
 version:
 description: "Zenzic version to use. Defaults to latest stable."
 required: false
- default: "0.10.3" # x-zenzic-core-pin
+ default: "0.10.4" # x-zenzic-core-pin
 format:
 description: "Output format: 'text', 'json', or 'sarif'."
 required: false
diff --git a/package.json b/package.json
index 2a567c0..4f1f260 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "zenzic-action",
- "version": "1.3.4",
+ "version": "1.3.5",
 "private": true,
 "description": "Official GitHub Action for Zenzic — Documentation Quality Gate",
 "license": "Apache-2.0",