chore(release): bump version to 1.3.5

.bumpversion.toml

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 [tool.bumpversion]
-current_version = "1.3.4"
+current_version = "1.3.5"
 parse = "(?P<major>\\d+)\\.(?P<minor>\\d+)\\.(?P<patch>\\d+)"
 serialize = ["{major}.{minor}.{patch}"]
 
@@ -28,4 +28,4 @@ regex = true
 # bump-my-version does NOT manage these files; they are listed here for discoverability.
 # ---------------------------------------------------------------------------
 [tool.bumpversion.custom_variables.core_version]
-current = "0.10.3"
+current = "0.10.4"

.github/workflows/self-check.yml

@@ -111,6 +111,7 @@ jobs:
           repository: PythonWoods/zenzic
           ref: ${{ steps.resolve-branch.outputs.core_ref }}
           path: _zenzic_core
+          fetch-tags: true
 
       - name: Install just
         uses: taiki-e/install-action@ea85faa6acd705ad6d40586db99f1a70b09c2929 # just

CHANGELOG.md

@@ -15,17 +15,27 @@ No changes yet.
 
 ---
 
-## [1.3.4] - 2026-06-07
+## [1.3.5] - 2026-06-09
+
+### Changed
+
+- **Operational governance docs:** Added explicit branch-protection policy to `README.md` and `README.it.md`, including required checks for `main` (`Verify (ubuntu-latest, true)`, `Lint PR Title`, `Check DCO`) and fail-closed workflow selection rules.
+- **Core pin:** Zenzic Core pinned to `0.10.4`.
+
+---
+
+## [1.3.5] - 2026-06-07
 
 ### Changed
 
 - Disabled dependency caching in `setup-uv` to prevent noisy warnings on non-Python repositories.
 
 ---
 
-## [1.3.4] - 2026-06-07
+## [1.3.5] - 2026-06-07
 
 ### Deprecated
+
 - **Versions v1.3.0 and older are officially deprecated.** They contained a critical bug in the bash wrapper that injected an invalid `--config` flag, causing false-positive Exit 2 crashes. Users pinned to exact patch versions must upgrade to `v1.3.1` or use the major tag `@v1`.
 
 ### Added

CONTRIBUTING.it.md

@@ -53,6 +53,19 @@ uvx pre-commit install               # commit-stage: hygiene + zenzic self-check
 uvx pre-commit install -t pre-push   # pre-push: 🛡️ Final Guard runs `just verify`
 ```
 
+Configura la firma SSH dei commit (obbligatoria — tutti i commit devono apparire come **Verified** su GitHub):
+
+```bash
+# Configurazione globale una-tantum (salta se già configurata)
+git config --global gpg.format ssh
+git config --global user.signingkey ~/.ssh/id_ed25519.pub   # adatta il percorso se necessario
+git config --global commit.gpgsign true
+```
+
+Registra poi la tua chiave pubblica come **Signing Key** (non Authentication Key) su
+<https://github.com/settings/ssh>. I commit firmati con una chiave non registrata
+verranno rifiutati dal ruleset del branch.
+
 ## Verifica Locale
 
 Usa `just` per eseguire i self-test prima di aprire una PR:

CONTRIBUTING.md

@@ -52,6 +52,19 @@ uvx pre-commit install               # commit-stage: hygiene + zenzic self-check
 uvx pre-commit install -t pre-push   # pre-push: 🛡️ Final Guard runs `just verify`
 ```
 
+Configure SSH commit signing (required — all commits must appear **Verified** on GitHub):
+
+```bash
+# One-time global setup (skip if already configured)
+git config --global gpg.format ssh
+git config --global user.signingkey ~/.ssh/id_ed25519.pub   # adjust path if different
+git config --global commit.gpgsign true
+```
+
+Then register your public key as a **Signing Key** (not Authentication Key) at
+<https://github.com/settings/ssh>. Commits signed with an unregistered key will
+be rejected by the branch ruleset.
+
 ## Local Verification
 
 Use `just` to run the self-tests before opening a PR:

README.it.md

@@ -19,7 +19,6 @@
   <img src="https://img.shields.io/badge/%F0%9F%9B%A1%EF%B8%8F_zenzic--audit-passing-22c55e?style=flat-square" alt="zenzic-audit">
   <!-- zenzic:score-badge -->
   <img src="https://img.shields.io/badge/%F0%9F%9B%A1%EF%B8%8F_zenzic--score-100_%2F_100-4f46e5?style=flat-square" alt="zenzic-score">
-
   <a href="https://github.com/PythonWoods/zenzic-action/releases"><img alt="action version" src="https://img.shields.io/github/v/release/PythonWoods/zenzic-action?label=action&color=4f46e5&style=flat-square"></a>
   <a href="https://pypi.org/project/zenzic"><img alt="zenzic on PyPI" src="https://img.shields.io/pypi/v/zenzic?label=zenzic&color=0284c7&style=flat-square"></a>
   <a href="LICENSE"><img alt="license" src="https://img.shields.io/badge/license-Apache--2.0-0d9488?style=flat-square"></a>
@@ -55,7 +54,7 @@ La configurazione minimale — zero setup Python, SARIF su Code Scanning in un s
 - name: Run Zenzic Documentation Quality Gate
   uses: PythonWoods/zenzic-action@v1
   with:
-    version: "0.10.3"
+    version: "0.10.4"
     format: sarif
     upload-sarif: "true"
   permissions:
@@ -69,11 +68,33 @@ Per la configurazione avanzata (Configuration Discovery, Override Sovrano, scori
 
 ---
 
+## Policy Branch Protection (Operativa)
+
+Per il repository `zenzic-action`, proteggi `main` e abilita **Require status checks to pass before merging**.
+
+Check obbligatori:
+
+- `Verify (ubuntu-latest, true)`
+- `Lint PR Title`
+- `Check DCO`
+
+Intento operativo:
+
+- `Verify (ubuntu-latest, true)` è il gate di integrità funzionale per runtime action e comportamento del wrapper.
+- `Lint PR Title` e `Check DCO` applicano governance e tracciabilità legale su ogni PR.
+
+Regola fail-closed:
+
+- Ogni check obbligatorio deve girare su `pull_request`.
+- Non configurare la branch protection con check obbligatori provenienti da workflow solo tag, solo release o solo schedule.
+
+---
+
 ## Inputs
 
 | Input | Default | Descrizione |
 |---|---|---|
-| `version` | `0.10.3` | Versione di Zenzic da installare. Pin a una release specifica per esecuzioni deterministiche. Imposta `latest` per valutazione continua. |
+| `version` | `0.10.4` | Versione di Zenzic da installare. Pin a una release specifica per esecuzioni deterministiche. Imposta `latest` per valutazione continua. |
 | `format` | `sarif` | Formato di output: `text`, `json`, o `sarif`. |
 | `sarif-file` | `zenzic-results.sarif` | Path di output SARIF (quando `format: sarif`). Deve essere un path **relativo** dentro il workspace. |
 | `upload-sarif` | `true` | Carica SARIF su GitHub Code Scanning. |

README.md

@@ -19,7 +19,6 @@
   <img src="https://img.shields.io/badge/%F0%9F%9B%A1%EF%B8%8F_zenzic--audit-passing-22c55e?style=flat-square" alt="zenzic-audit">
   <!-- zenzic:score-badge -->
   <img src="https://img.shields.io/badge/%F0%9F%9B%A1%EF%B8%8F_zenzic--score-100_%2F_100-4f46e5?style=flat-square" alt="zenzic-score">
-
   <a href="https://github.com/PythonWoods/zenzic-action/releases"><img alt="action version" src="https://img.shields.io/github/v/tag/PythonWoods/zenzic-action?sort=semver&label=action&color=4f46e5&style=flat-square"></a>
   <a href="https://pypi.org/project/zenzic"><img alt="zenzic on PyPI" src="https://img.shields.io/pypi/v/zenzic?label=zenzic&color=0284c7&style=flat-square"></a>
   <a href="LICENSE"><img alt="license" src="https://img.shields.io/badge/license-Apache--2.0-0d9488?style=flat-square"></a>
@@ -55,7 +54,7 @@ The minimal configuration — zero Python setup, SARIF to Code Scanning in one s
 - name: Run Zenzic Documentation Quality Gate
   uses: PythonWoods/zenzic-action@v1
   with:
-    version: "0.10.3"
+    version: "0.10.4"
     format: sarif
     upload-sarif: "true"
   permissions:
@@ -69,11 +68,33 @@ For advanced configuration (Configuration Discovery, Sovereign Override, Quality
 
 ---
 
+## Branch Protection Policy (Operational)
+
+For the `zenzic-action` repository, protect `main` and enable **Require status checks to pass before merging**.
+
+Required checks:
+
+- `Verify (ubuntu-latest, true)`
+- `Lint PR Title`
+- `Check DCO`
+
+Operational intent:
+
+- `Verify (ubuntu-latest, true)` is the functional integrity gate for the action runtime and wrapper behavior.
+- `Lint PR Title` and `Check DCO` enforce governance and legal traceability on every PR.
+
+Fail-closed rule:
+
+- Every required check must run on `pull_request`.
+- Do not configure branch protection with required checks that are tag-only, release-only, or schedule-only workflows.
+
+---
+
 ## Inputs
 
 | Input | Default | Description |
 |---|---|---|
-| `version` | `0.10.3` | Zenzic version to install. Pin to a specific release for reproducible CI. Set `latest` for continuous evaluation. |
+| `version` | `0.10.4` | Zenzic version to install. Pin to a specific release for reproducible CI. Set `latest` for continuous evaluation. |
 | `format` | `sarif` | Output format: `text`, `json`, or `sarif`. |
 | `sarif-file` | `zenzic-results.sarif` | SARIF output path (when `format: sarif`). Must be a **relative** path inside the workspace. |
 | `upload-sarif` | `true` | Upload SARIF to GitHub Code Scanning. |

RELEASE.md

@@ -7,7 +7,7 @@
 | Field   | Value      |
 | :------ | :--------- |
 | Version | v1.1.0     |
-| Date    | 2026-06-08 |
+| Date    | 2026-06-09 |
 | Status  | Stable     |
 
 ## Release Checklist

action.yml

@@ -16,7 +16,7 @@ inputs:
   version:
     description: "Zenzic version to use. Defaults to latest stable."
     required: false
-    default: "0.10.3" # x-zenzic-core-pin
+    default: "0.10.4" # x-zenzic-core-pin
   format:
     description: "Output format: 'text', 'json', or 'sarif'."
     required: false

package.json

@@ -1,6 +1,6 @@
 {
   "name": "zenzic-action",
-  "version": "1.3.4",
+  "version": "1.3.5",
   "private": true,
   "description": "Official GitHub Action for Zenzic — Documentation Quality Gate",
   "license": "Apache-2.0",