From 65ffcebf6905427c1f34286005dff07596d2cd96 Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Tue, 9 Jun 2026 18:24:02 +0200 Subject: [PATCH 1/8] docs: add operational branch protection policy Signed-off-by: PythonWoods --- README.it.md | 22 ++++++++++++++++++++++ README.md | 22 ++++++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/README.it.md b/README.it.md index de8ec9f..0ae50d0 100644 --- a/README.it.md +++ b/README.it.md @@ -69,6 +69,28 @@ Per la configurazione avanzata (Configuration Discovery, Override Sovrano, scori --- +## Policy Branch Protection (Operativa) + +Per il repository `zenzic-action`, proteggi `main` e abilita **Require status checks to pass before merging**. + +Check obbligatori: + +- `Verify (ubuntu-latest, true)` +- `Lint PR Title` +- `Check DCO` + +Intento operativo: + +- `Verify (ubuntu-latest, true)` è il gate di integrità funzionale per runtime action e comportamento del wrapper. +- `Lint PR Title` e `Check DCO` applicano governance e tracciabilità legale su ogni PR. + +Regola fail-closed: + +- Ogni check obbligatorio deve girare su `pull_request`. +- Non configurare la branch protection con check obbligatori provenienti da workflow solo tag, solo release o solo schedule. + +--- + ## Inputs | Input | Default | Descrizione | diff --git a/README.md b/README.md index f7629db..6cc69f8 100644 --- a/README.md +++ b/README.md 
@@ -69,6 +69,28 @@ For advanced configuration (Configuration Discovery, Sovereign Override, Quality --- +## Branch Protection Policy (Operational) + +For the `zenzic-action` repository, protect `main` and enable **Require status checks to pass before merging**. + +Required checks: + +- `Verify (ubuntu-latest, true)` +- `Lint PR Title` +- `Check DCO` + +Operational intent: + +- `Verify (ubuntu-latest, true)` is the functional integrity gate for the action runtime and wrapper behavior. +- `Lint PR Title` and `Check DCO` enforce governance and legal traceability on every PR. + +Fail-closed rule: + +- Every required check must run on `pull_request`. +- Do not configure branch protection with required checks that are tag-only, release-only, or schedule-only workflows. + +--- + ## Inputs | Input | Default | Description | From d11d8cc28d200703b62ee2d647888d6409a0037d Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Tue, 9 Jun 2026 18:28:34 +0200 Subject: [PATCH 2/8] docs(changelog): record branch protection policy updates Signed-off-by: PythonWoods --- CHANGELOG.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0778041..424eeb0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,7 +11,9 @@ Versions follow [Semantic Versioning](https://semver.org/). ## [Unreleased] -No changes yet. +### Changed + +- **Operational governance docs:** Added explicit branch-protection policy to `README.md` and `README.it.md`, including required checks for `main` (`Verify (ubuntu-latest, true)`, `Lint PR Title`, `Check DCO`) and fail-closed workflow selection rules. --- @@ -26,6 +28,7 @@ No changes yet. ## [1.3.4] - 2026-06-07 ### Deprecated + - **Versions v1.3.0 and older are officially deprecated.** They contained a critical bug in the bash wrapper that injected an invalid `--config` flag, causing false-positive Exit 2 crashes. Users pinned to exact patch versions must upgrade to `v1.3.1` or use the major tag `@v1`. ### Added 
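Review bot: The required-check list in the new Branch Protection Policy section (same content in the README.it.md and README.md hunks of PATCH 1/8) keys on the matrix-expanded job name `Verify (ubuntu-latest, true)`; branch protection matches required checks by exact name, so any edit to that matrix (a second OS, a renamed job, a changed boolean) means no check reports under that name and every PR stays blocked until someone edits the protection rule by hand. Either add a sentence that these three names must be kept in step with the job names in `.github/workflows/`, or gate on one non-matrix aggregate job (for example a `verify` job that `needs:` the matrix) and list that instead. Separately, the CONTRIBUTING change in PATCH 8/8 states that commits signed with an unregistered key "will be rejected by the branch ruleset", but this policy section lists status checks only; if a signed-commit rule is part of the `main` ruleset it belongs in this section, otherwise the two documents disagree about what blocks a merge.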
From 911aab5b43082668d65121f5720b7a8f67bade9a Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Tue, 9 Jun 2026 19:09:53 +0200 Subject: [PATCH 3/8] =?UTF-8?q?docs(changelog):=20prepare=20release=201.3.?= =?UTF-8?q?5=20=E2=80=94=20move=20unreleased=20to=20[1.3.4]=20block?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: PythonWoods --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 424eeb0..344380b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,9 +11,16 @@ Versions follow [Semantic Versioning](https://semver.org/). ## [Unreleased] +No changes yet. + +--- + +## [1.3.4] - 2026-06-09 + ### Changed - **Operational governance docs:** Added explicit branch-protection policy to `README.md` and `README.it.md`, including required checks for `main` (`Verify (ubuntu-latest, true)`, `Lint PR Title`, `Check DCO`) and fail-closed workflow selection rules. +- **Core pin:** Zenzic Core pinned to `0.10.4`. --- From c1e6d48a120aeafdedc56f770572fb5dacf67042 Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Tue, 9 Jun 2026 19:09:59 +0200 Subject: [PATCH 4/8] chore(deps): pin zenzic core to 0.10.4 Signed-off-by: PythonWoods --- .bumpversion.toml | 2 +- README.it.md | 4 ++-- README.md | 4 ++-- action.yml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.bumpversion.toml b/.bumpversion.toml index 3b3161c..6f669f7 100644 --- a/.bumpversion.toml +++ b/.bumpversion.toml @@ -28,4 +28,4 @@ regex = true # bump-my-version does NOT manage these files; they are listed here for discoverability. # --------------------------------------------------------------------------- [tool.bumpversion.custom_variables.core_version] -current = "0.10.3" +current = "0.10.4" diff --git a/README.it.md b/README.it.md index 0ae50d0..a2ec1cd 100644 --- a/README.it.md +++ b/README.it.md 
@@ -55,7 +55,7 @@ La configurazione minimale — zero setup Python, SARIF su Code Scanning in un s - name: Run Zenzic Documentation Quality Gate uses: PythonWoods/zenzic-action@v1 with: - version: "0.10.3" + version: "0.10.4" format: sarif upload-sarif: "true" permissions: @@ -95,7 +95,7 @@ Regola fail-closed: | Input | Default | Descrizione | |---|---|---| -| `version` | `0.10.3` | Versione di Zenzic da installare. Pin a una release specifica per esecuzioni deterministiche. Imposta `latest` per valutazione continua. | +| `version` | `0.10.4` | Versione di Zenzic da installare. Pin a una release specifica per esecuzioni deterministiche. Imposta `latest` per valutazione continua. | | `format` | `sarif` | Formato di output: `text`, `json`, o `sarif`. | | `sarif-file` | `zenzic-results.sarif` | Path di output SARIF (quando `format: sarif`). Deve essere un path **relativo** dentro il workspace. | | `upload-sarif` | `true` | Carica SARIF su GitHub Code Scanning. | diff --git a/README.md b/README.md index 6cc69f8..7980829 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ The minimal configuration — zero Python setup, SARIF to Code Scanning in one s - name: Run Zenzic Documentation Quality Gate uses: PythonWoods/zenzic-action@v1 with: - version: "0.10.3" + version: "0.10.4" format: sarif upload-sarif: "true" permissions: @@ -95,7 +95,7 @@ Fail-closed rule: | Input | Default | Description | |---|---|---| -| `version` | `0.10.3` | Zenzic version to install. Pin to a specific release for reproducible CI. Set `latest` for continuous evaluation. | +| `version` | `0.10.4` | Zenzic version to install. Pin to a specific release for reproducible CI. Set `latest` for continuous evaluation. | | `format` | `sarif` | Output format: `text`, `json`, or `sarif`. | | `sarif-file` | `zenzic-results.sarif` | SARIF output path (when `format: sarif`). Must be a **relative** path inside the workspace. | | `upload-sarif` | `true` | Upload SARIF to GitHub Code Scanning. | 
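Review bot: The CHANGELOG hunk in PATCH 3/8 inserts a new `## [1.3.4] - 2026-06-09` heading while the file already carries `## [1.3.4] - 2026-06-07` (visible as context in PATCH 2/8), so two different releases now share one version number, and the subject line itself says the commit is preparing 1.3.5. The new block should be headed `## [1.3.5] - 2026-06-09` in this commit rather than left for the version bump to rename, because a blanket `1.3.4` to `1.3.5` substitution cannot tell the new block from the historical ones. While here, the two pre-existing `2026-06-07` headings with the same version look like an earlier duplicate worth merging.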
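Review bot: In the README.md `version` row of PATCH 4/8 (same wording in README.it.md), "Pin to a specific release for reproducible CI" claims more than `version: "0.10.4"` delivers: it fixes which release is requested, not which bytes get installed, since nothing in the documented inputs verifies a hash of the downloaded package. Either soften it to deterministic version selection, or document how a user verifies the installed artifact if the action offers a way to do so. Also, the two `version:` lines in the Quick Start examples are now a third copy of the core pin alongside `.bumpversion.toml` and `action.yml`, and unlike the action.yml default they carry no `# x-zenzic-core-pin` marker; `.bumpversion.toml` already warns that the core pin is not tool-managed, so a future bump can easily miss these lines. A marker comment or a self-check that greps the READMEs for the pinned version would close that gap.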
diff --git a/action.yml b/action.yml index 4e85c56..b2de682 100644 --- a/action.yml +++ b/action.yml @@ -16,7 +16,7 @@ inputs: version: description: "Zenzic version to use. Defaults to latest stable." required: false - default: "0.10.3" # x-zenzic-core-pin + default: "0.10.4" # x-zenzic-core-pin format: description: "Output format: 'text', 'json', or 'sarif'." required: false From a7e446a2127d0070e9c02e02141cc98260aa4835 Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Tue, 9 Jun 2026 19:10:08 +0200 Subject: [PATCH 5/8] release: bump version to 1.3.5 Signed-off-by: PythonWoods --- .bumpversion.toml | 2 +- CHANGELOG.md | 6 +++--- RELEASE.md | 2 +- package.json | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.bumpversion.toml b/.bumpversion.toml index 6f669f7..4dc7268 100644 --- a/.bumpversion.toml +++ b/.bumpversion.toml @@ -2,7 +2,7 @@ # SPDX-License-Identifier: Apache-2.0 [tool.bumpversion] -current_version = "1.3.4" +current_version = "1.3.5" parse = "(?P\\d+)\\.(?P\\d+)\\.(?P\\d+)" serialize = ["{major}.{minor}.{patch}"] diff --git a/CHANGELOG.md b/CHANGELOG.md index 344380b..f2a15b1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,7 +15,7 @@ No changes yet. --- -## [1.3.4] - 2026-06-09 +## [1.3.5] - 2026-06-09 ### Changed @@ -24,7 +24,7 @@ No changes yet. --- -## [1.3.4] - 2026-06-07 +## [1.3.5] - 2026-06-07 ### Changed @@ -32,7 +32,7 @@ No changes yet. --- -## [1.3.4] - 2026-06-07 +## [1.3.5] - 2026-06-07 ### Deprecated diff --git a/RELEASE.md b/RELEASE.md index d6eea4b..55a7d86 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -7,7 +7,7 @@ | Field | Value | | :------ | :--------- | | Version | v1.1.0 | -| Date | 2026-06-08 | +| Date | 2026-06-09 | | Status | Stable | ## Release Checklist diff --git a/package.json b/package.json index 2a567c0..4f1f260 100644 --- a/package.json +++ b/package.json 
@@ -1,6 +1,6 @@ { "name": "zenzic-action", - "version": "1.3.4", + "version": "1.3.5", "private": true, "description": "Official GitHub Action for Zenzic — Documentation Quality Gate", "license": "Apache-2.0", From 7959a26da664295b69d034247d190cfb4d70e3e6 Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Tue, 9 Jun 2026 19:34:13 +0200 Subject: [PATCH 6/8] =?UTF-8?q?style(readme):=20fix=20badge=20centering=20?= =?UTF-8?q?=E2=80=94=20remove=20blank=20line=20inside=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: PythonWoods --- README.it.md | 1 - README.md | 1 - 2 files changed, 2 deletions(-) diff --git a/README.it.md b/README.it.md index a2ec1cd..f5737b8 100644 --- a/README.it.md +++ b/README.it.md @@ -19,7 +19,6 @@ zenzic-audit zenzic-score - action version zenzic on PyPI license diff --git a/README.md b/README.md index 7980829..ae65911 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,6 @@ zenzic-audit zenzic-score - action version zenzic on PyPI license From 1f1841406e5109c9f2e111bac8b840e7526dee1e Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Tue, 9 Jun 2026 19:51:54 +0200 Subject: [PATCH 7/8] fix(ci): fetch tags in zenzic core clone for check-core-pin-local The check-core-pin-local recipe validates the pinned core version by looking for either pyproject.toml version or a git tag (v0.10.4). A shallow clone without fetch-tags:true makes the tag invisible, causing the check to fail even when the tag exists on the remote. Signed-off-by: PythonWoods --- .github/workflows/self-check.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/self-check.yml b/.github/workflows/self-check.yml index 9b42ce2..7d2ab2b 100644 --- a/.github/workflows/self-check.yml +++ b/.github/workflows/self-check.yml 
@@ -111,6 +111,7 @@ jobs: repository: PythonWoods/zenzic ref: ${{ steps.resolve-branch.outputs.core_ref }} path: _zenzic_core + fetch-tags: true - name: Install just uses: taiki-e/install-action@ea85faa6acd705ad6d40586db99f1a70b09c2929 # just From 8d1298d3f4bf6b328496197696e6f7bca66f6515 Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Tue, 9 Jun 2026 20:08:49 +0200 Subject: [PATCH 8/8] docs(contributing): add SSH signing setup instructions Signed-off-by: PythonWoods --- CONTRIBUTING.it.md | 13 +++++++++++++ CONTRIBUTING.md | 13 +++++++++++++ 2 files changed, 26 insertions(+) diff --git a/CONTRIBUTING.it.md b/CONTRIBUTING.it.md index f391f2d..f2f6a9e 100644 --- a/CONTRIBUTING.it.md +++ b/CONTRIBUTING.it.md @@ -53,6 +53,19 @@ uvx pre-commit install # commit-stage: hygiene + zenzic self-check uvx pre-commit install -t pre-push # pre-push: 🛡️ Final Guard runs `just verify` ``` +Configura la firma SSH dei commit (obbligatoria — tutti i commit devono apparire come **Verified** su GitHub): + +```bash +# Configurazione globale una-tantum (salta se già configurata) +git config --global gpg.format ssh +git config --global user.signingkey ~/.ssh/id_ed25519.pub # adatta il percorso se necessario +git config --global commit.gpgsign true +``` + +Registra poi la tua chiave pubblica come **Signing Key** (non Authentication Key) su +. I commit firmati con una chiave non registrata +verranno rifiutati dal ruleset del branch. + ## Verifica Locale Usa `just` per eseguire i self-test prima di aprire una PR: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index cac2e2d..819b3bf 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -52,6 +52,19 @@ uvx pre-commit install # commit-stage: hygiene + zenzic self-check uvx pre-commit install -t pre-push # pre-push: 🛡️ Final Guard runs `just verify` ``` +Configure SSH commit signing (required — all commits must appear **Verified** on GitHub): + +```bash +# One-time global setup (skip if already configured) +git config --global gpg.format ssh +git config --global user.signingkey ~/.ssh/id_ed25519.pub # adjust path if different +git config --global commit.gpgsign true +``` + +Then register your public key as a **Signing Key** (not Authentication Key) at +. Commits signed with an unregistered key will +be rejected by the branch ruleset. + ## Local Verification Use `just` to run the self-tests before opening a PR:
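Review bot: In the action.yml hunk of PATCH 4/8, the `version` input's description still reads "Zenzic version to use. Defaults to latest stable." while the default is the pinned `"0.10.4"` (and was already a pinned `0.10.3` before this change), so anyone reading the action metadata rather than the README gets the wrong default. Update the description to match the README wording, for example `description: "Zenzic version to install. Defaults to the pinned core release; set 'latest' for continuous evaluation."`, and keep the `# x-zenzic-core-pin` marker on the default line so the next bump finds it.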
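Review bot: The three CHANGELOG hunks in PATCH 5/8 rename every `## [1.3.4]` heading to `## [1.3.5]`, including the two dated `2026-06-07` that record the previous release, so the v1.3.0 deprecation notice now sits under a 1.3.5 heading and the file no longer has any `[1.3.4]` entry at all. Only the `2026-06-09` block should change; drop the `@@ -24,7` and `@@ -32,7` hunks, and scope whatever produced this rename (the same commit bumps `.bumpversion.toml`, so presumably bump-my-version) to the block directly under `[Unreleased]` so a release bump cannot rewrite past entries.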
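Review bot: The RELEASE.md hunk in PATCH 5/8 advances `Date` to `2026-06-09` but leaves `Version | v1.1.0` in the same table while the rest of the commit moves `package.json` and `.bumpversion.toml` to 1.3.5, so the release record now pairs a stale version with a fresh date. Bump the Version row in the same commit, or add it to the tool-managed files so it cannot drift again.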
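Review bot: `fetch-tags: true` in the PATCH 7/8 hunk makes the `v0.10.4` tag visible to `check-core-pin-local`, but as the commit message describes that check, finding the tag name only proves a tag exists on the remote; it does not show that the checked-out `core_ref` (a branch resolved by `steps.resolve-branch`) is the commit the tag points at, and a tag can be moved. If the recipe is meant to validate the pin, have it compare `git rev-parse HEAD` with `git rev-parse 'v0.10.4^{}'` inside `_zenzic_core`, or check out the tag ref itself when `core_ref` is a release. One caveat to confirm in a run log: with the default shallow `fetch-depth`, git's tag auto-following only brings in tags whose target commit was downloaded, which holds while `core_ref` sits on the tagged commit but may stop holding once the branch moves on; `fetch-depth: 0` for this clone would make the check independent of that.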
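Review bot: The CONTRIBUTING.md hunk in PATCH 8/8 (mirrored in CONTRIBUTING.it.md) sets `gpg.format ssh` and `commit.gpgsign true` with `--global`, which switches on SSH signing for every repository on the contributor's machine, including ones that expect GPG signatures or none; prefer the same three commands without `--global`, run inside the clone, or state that the global form is deliberate. The snippet also gives no way to confirm the setup before pushing: `git log --show-signature -1` reports an SSH signature as unverifiable until `gpg.ssh.allowedSignersFile` is configured, so a short "verify it worked" line pointing at that setting would save a rejected push. Finally, the claim that unregistered keys "will be rejected by the branch ruleset" is the only place in the series that mentions a signed-commit rule; the Branch Protection Policy added to README.md in PATCH 1/8 lists three status checks and nothing else, so the two documents should be brought into line.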