From a23ea13e157d2c881bfcc0d911c52b5873f463aa Mon Sep 17 00:00:00 2001 From: Amit Kumar Date: Sun, 26 Apr 2026 05:00:02 +0000 Subject: [PATCH] =?UTF-8?q?release(RAN-66):=20cut=20snipIT=20v0.1.0=20?= =?UTF-8?q?=E2=80=94=20CHANGELOG=20bump=20+=20bestpractices=20versioning?= =?UTF-8?q?=20evidence?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CHANGELOG.md - [Unreleased] → [v0.1.0] - 2026-04-26 with full Added / Changed / Fixed / Security subsections covering PR #1 (RAN-54 baseline + Scorecard hardening), PR #3 (RAN-59 canonical-schema rewrite), PRs #4/#5 (RAN-64 CHANGELOG + docs/ index), PR #6 (5 SUGGESTED criteria flips), PR #7 (CONTRIBUTING.md + conventional-URL retargets). - Fresh empty [Unreleased] section opened at top per Keep-a-Changelog 1.1.0. - Link refs now point at compare/v0.1.0...HEAD and releases/tag/v0.1.0. .bestpractices.json - version_unique_url + release_notes_vulns_url added (both pointing at the v0.1.0 GitHub Release) so the bestpractices.dev autofill bot has a concrete URL to verify alongside _status: Met. - 5 versioning justifications refreshed to cite the concrete v0.1.0 tag instead of forward-looking commitments: version_unique, version_semver, version_tags, release_notes, release_notes_vulns. These are the criteria the autofill bot verifies by checking actual GitHub Releases / git tags exist. Once the v0.1.0 signed tag + GitHub Release land post-merge, autofill should flip release_notes to Met (currently Unmet pending evidence) and the 4 SUGGESTED versioning criteria stay Met with concrete tag-backed URLs. Co-Authored-By: Paperclip --- .bestpractices.json | 18 ++++++++++-------- CHANGELOG.md | 19 +++++++++++++++---- 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/.bestpractices.json b/.bestpractices.json index 4dd7fe5..b53d3bd 100644 --- a/.bestpractices.json +++ b/.bestpractices.json @@ -65,22 +65,24 @@ "repo_distributed_justification": "git is a fully distributed VCS (each clone contains the full history and every operation works offline). Repo at https://github.com/RandomCodeSpace/snipIT is git-native.", "version_unique_status": "Met", - "version_unique_justification": "snipIT is a single-script project distributed via `git clone` of the main branch — the unique version identifier is the commit SHA on main, which is globally unique by git's content-addressable design and is the version recorded in any install. No tagged releases yet (single .ps1 with no compile/build step); when a tag-release flow is added, semver tags will be the user-facing identifier.", + "version_unique_justification": "snipIT v0.1.0 is the first tagged release — annotated, SSH-signed git tag `v0.1.0` on main, paired with GitHub Release `v0.1.0` at https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0. The tag is globally unique by git's content-addressable design and is the user-facing version identifier. CHANGELOG.md `[v0.1.0] - 2026-04-26` captures the release contents.", + "version_unique_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0", "version_semver_status": "Met", - "version_semver_justification": "CHANGELOG.md header explicitly commits the project to Semantic Versioning 2.0.0: 'this project adheres to Semantic Versioning 2.0.0' (https://semver.org/spec/v2.0.0.html). All future tags will be `vMAJOR.MINOR.PATCH` per SemVer. snipIT has no tagged releases yet — the [Unreleased] section captures pre-tag work; on first tag cut, the heading becomes `[vX.Y.Z] - YYYY-MM-DD` and a fresh [Unreleased] opens.", - "version_semver_url": "https://github.com/RandomCodeSpace/snipIT/blob/main/CHANGELOG.md", + "version_semver_justification": "CHANGELOG.md header explicitly commits the project to Semantic Versioning 2.0.0: 'this project adheres to Semantic Versioning 2.0.0' (https://semver.org/spec/v2.0.0.html). The first tagged release is `v0.1.0` (https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0) — `vMAJOR.MINOR.PATCH` SemVer-shaped. Future tags continue the same format; CHANGELOG.md `[v0.1.0] - 2026-04-26` is the canonical entry.", + "version_semver_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0", "version_tags_status": "Met", - "version_tags_justification": "CHANGELOG.md states 'Version numbers below correspond to git tags on main.' Each release will be cut as an annotated, GPG/SSH-signed git tag (`vX.Y.Z`). The signed-tag requirement is codified in shared/runbooks/engineering-standards.md §8 ('Commit identity and signed commits'): `tag.gpgsign=true` is set repo-locally by scripts/setup-git-signed.sh and enforced by branch protection on main. snipIT has no tagged releases yet — the [Unreleased] section captures pre-tag work.", - "version_tags_url": "https://github.com/RandomCodeSpace/snipIT/blob/main/CHANGELOG.md", + "version_tags_justification": "CHANGELOG.md states 'Version numbers below correspond to git tags on main.' First release is the annotated, SSH-signed git tag `v0.1.0` (https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0), cut from the `release(RAN-66): cut snipIT v0.1.0` PR squash commit. The signed-tag requirement is codified in shared/runbooks/engineering-standards.md §8 ('Commit identity and signed commits'): `tag.gpgsign=true` is set repo-locally by scripts/setup-git-signed.sh; branch protection on main enforces verified signatures.", + "version_tags_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0", "release_notes_status": "Met", - "release_notes_justification": "CHANGELOG.md at repo root, Keep-a-Changelog 1.1.0 format with `[Unreleased]` collecting pre-tag work and per-version sections opened on each tag. Captures Added / Changed / Fixed / Security entries for every merge to main. Until the first tag is cut (tracked under Scorecard `Packaging` in CLAUDE.md), the `[Unreleased]` section is the release-notes surface; on tag, the heading is replaced with the version + date and a fresh `[Unreleased]` opens. SECURITY.md §Changelog separately tracks disclosure-policy version history.", - "release_notes_url": "https://github.com/RandomCodeSpace/snipIT/blob/main/CHANGELOG.md", + "release_notes_justification": "CHANGELOG.md at repo root, Keep-a-Changelog 1.1.0 format. First tagged release `[v0.1.0] - 2026-04-26` captures the OpenSSF Best Practices `passing` baseline + supporting documentation surface under Added / Changed / Fixed / Security subsections. The corresponding GitHub Release at https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0 surfaces the same notes on the Releases page. A fresh `[Unreleased]` section sits at the top to collect post-v0.1.0 work; on each subsequent tag the `[Unreleased]` heading is replaced with the version + date and a new `[Unreleased]` opens.", + "release_notes_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0", "release_notes_vulns_status": "Met", - "release_notes_vulns_justification": "CHANGELOG.md reserves a dedicated `### Security` subsection inside every release entry (and the `[Unreleased]` working set) for non-trivial security fixes. The header text states explicitly: 'Each release MUST list any non-trivial security fixes under a dedicated Security subsection so downstream consumers can decide whether to upgrade.' Zero fixes to date — the current `[Unreleased]` Security subsection is honestly marked 'No security-relevant fixes shipped yet under this release line.' When a fix ships, the entry will reference the GHSA advisory + CVE per SECURITY.md §What you can expect.", + "release_notes_vulns_justification": "CHANGELOG.md reserves a dedicated `### Security` subsection inside every release entry (and the `[Unreleased]` working set) for non-trivial security fixes. The header text states explicitly: 'Each release MUST list any non-trivial security fixes under a dedicated Security subsection so downstream consumers can decide whether to upgrade.' v0.1.0 ships with zero security-relevant fixes — its Security subsection is honestly marked: 'No security-relevant fixes shipped under v0.1.0. The OSS-CLI security stack landed in `.github/workflows/security.yml` is the gating channel for all future fixes; advisories will appear in this section under each release where they apply, alongside a GHSA link.' The GitHub Release notes at https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0 mirror this content.", + "release_notes_vulns_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0", "report_process_status": "Met", "report_process_justification": "SECURITY.md §Reporting a vulnerability documents the private channel for security issues (GitHub private vulnerability report at /security/advisories/new, or `ak.nitrr13@gmail.com` with `[snipIT security]` subject; 72-hour ack SLA, 7-day triage, 90-day coordinated disclosure). CONTRIBUTING.md §Reporting documents the public channel for functional bugs and feature requests — GitHub Issues at https://github.com/RandomCodeSpace/snipIT/issues. Both channels are linked from README.md.", diff --git a/CHANGELOG.md b/CHANGELOG.md index 79ab65d..35eaadf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,14 @@ Each release MUST list any non-trivial security fixes under a dedicated **Securi ## [Unreleased] +_No changes yet._ + +--- + +## [v0.1.0] - 2026-04-26 + +First tagged release. Establishes the OpenSSF Best Practices `passing` baseline + supporting documentation surface for snipIT. + ### Added - OpenSSF Best Practices `passing` baseline ([RAN-54](https://github.com/RandomCodeSpace/snipIT/pull/1)): - `.github/workflows/scorecard.yml` — `ossf/scorecard-action` on push to `main` + Mondays 06:00 UTC, SARIF → Security tab. @@ -25,19 +33,22 @@ Each release MUST list any non-trivial security fixes under a dedicated **Securi - Branch protection on `main` — required signed commits, linear history, force-push and deletion blocked, eight required CI status checks. - Repo-level Dependabot security updates enabled. - Canonical-schema rewrite of `.bestpractices.json` so the bestpractices.dev autofill robot can pre-fill the criteria page on board flip ([RAN-59](https://github.com/RandomCodeSpace/snipIT/pull/3)). -- `CHANGELOG.md` (this file) and `docs/README.md` index — addresses the `release_notes` and `documentation_basics` gaps surfaced by the bestpractices.dev autofill audit. +- `CHANGELOG.md` (this file) and `docs/README.md` index — addresses the `release_notes` and `documentation_basics` gaps surfaced by the bestpractices.dev autofill audit ([RAN-64](https://github.com/RandomCodeSpace/snipIT/pull/4) / [#5](https://github.com/RandomCodeSpace/snipIT/pull/5)). +- `CONTRIBUTING.md` at repo root — conventional contribution-process entry point: §Reporting (Issues + SECURITY.md), §Development workflow, §What every PR must pass (8-row CI gate matrix with local commands), §Coding standards delegating to `shared/runbooks/engineering-standards.md` ([PR #7](https://github.com/RandomCodeSpace/snipIT/pull/7)). ### Changed - `.github/workflows/test.yml` — every action SHA-pinned (Scorecard `Pinned-Dependencies`); top-level `permissions: read-all`; PSScriptAnalyzer moved out into `security.yml` so the SAST/lint signals are co-located with the rest of the security stack. -- `README.md` — OpenSSF Best Practices, OpenSSF Scorecard, and Security workflow badges added at the top of the badge row. +- `README.md` — OpenSSF Best Practices, OpenSSF Scorecard, and Security workflow badges added at the top of the badge row; `Project files` table linked to `docs/`, `CHANGELOG.md`, `SECURITY.md`. +- `.bestpractices.json` — 5 SUGGESTED criteria flipped from `?` to `Met` with concrete in-repo evidence (`version_semver`, `version_tags`, `test_most`, `dynamic_analysis`, `dynamic_analysis_enable_assertions`) ([PR #6](https://github.com/RandomCodeSpace/snipIT/pull/6)); 4 `_url` fields retargeted to conventional paths (`README.md`, `CONTRIBUTING.md`, `SECURITY.md`) so the bestpractices.dev autofill bot detects them ([PR #7](https://github.com/RandomCodeSpace/snipIT/pull/7)). ### Fixed - Capture flow — exclude SnipIT's own widget / preview / tray windows from the capture target so they aren't baked into the frame ([RAN-15](https://github.com/RandomCodeSpace/snipIT/issues)). - Color-bar interaction — update the active swatch in-place instead of rebuilding the bar; close `$pickColor` over the swatch handler so the closure resolves correctly at click time. ### Security -- _No security-relevant fixes shipped yet under this release line._ +- _No security-relevant fixes shipped under v0.1.0._ The OSS-CLI security stack landed in `.github/workflows/security.yml` is the gating channel for all future fixes; advisories will appear in this section under each release where they apply, alongside a GHSA link. --- -[Unreleased]: https://github.com/RandomCodeSpace/snipIT/commits/main +[Unreleased]: https://github.com/RandomCodeSpace/snipIT/compare/v0.1.0...HEAD +[v0.1.0]: https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0