Skip to content

feat: add changelog grouping and supply chain hooks to goreleaser config#72

Open
nsportsman wants to merge 1 commit into
mainfrom
feat/goreleaser-improvements-v2
Open

feat: add changelog grouping and supply chain hooks to goreleaser config#72
nsportsman wants to merge 1 commit into
mainfrom
feat/goreleaser-improvements-v2

Conversation

@nsportsman

Copy link
Copy Markdown
Contributor

Summary

Improves the GoReleaser config with supply chain hooks and structured changelogs.

  • Before hooks: go mod tidy -diff + go mod verify run before every release build. tidy -diff fails fast if modules are dirty (never modifies files mid-release). verify validates cached dependency checksums against go.sum.
  • Changelog grouping: Release notes organized by conventional commit type (Breaking Changes, Features, Bug Fixes, Other) using the GitHub API for PR links and author handles. Scope regex supports hyphens. Breaking regex handles GoReleaser's SHA-prefixed entry format.

Incorporates 3 rounds of multi-model review feedback (Claude, Gemini, Codex).

Supersedes #70.

Test plan

  • goreleaser check passes
  • Verify next release produces grouped changelog

🤖 Generated with Claude Code

- Before hooks: go mod tidy -diff (fails fast if modules dirty without
  modifying files — safe for release time) + go mod verify (validates
  cached dep checksums against go.sum for supply chain integrity)
- Changelog: grouped by conventional commit type using GitHub API for
  richer data (PR links, author handles). Groups: Breaking Changes →
  Features → Bug Fixes → Other Changes. Scope regex supports hyphens.
  Breaking regex handles GoReleaser's SHA-prefixed entry format.
  docs/test/chore commits excluded via filters.

Incorporates 3 rounds of multi-model review feedback (Claude, Gemini,
Codex) on regex correctness, SHA prefix handling, and tidy -diff safety.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented May 30, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: da3f4561-0f1f-4e4c-91c6-ab41d0ec72de

📥 Commits

Reviewing files that changed from the base of the PR and between 5b0c01d and 4f8da2c.

📒 Files selected for processing (1)
  • .goreleaser.yaml

Walkthrough

The .goreleaser.yaml file receives two enhancements. A pre-release before hook now validates Go module hygiene by running go mod tidy -diff and go mod verify. The changelog configuration extends to organize entries into categorized groups—Breaking Changes, Features, Bug Fixes, and Other Changes—using regex-based matching while maintaining ascending sort order.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/goreleaser-improvements-v2

Comment @coderabbitai help to get the list of available commands and usage tips.

nsportsman added a commit to praetorian-inc/public-workflows that referenced this pull request May 30, 2026
* fix(codex-code): don't pre-disable sudo on codex-review job

The codex-review job ran Harden-Runner with `disable-sudo-and-containers: true`
(added in #56 / v2.1.0, applied uniformly to all 22 instances). But
openai/codex-action manages sudo itself: it runs `sudo chmod 444` / `sudo chown
root` to lock its responses-api-proxy server-info file, then irreversibly drops
sudo via `safety-strategy: drop-sudo` before the untrusted Codex CLI runs.

With sudo pre-disabled by Harden-Runner, that chmod fails with "sudo: a password
is required" and the action exits 1 before any review runs. This broke every
caller pinned to v2.1.0+ whenever a real (non-docs) PR actually invoked Codex —
e.g. praetorian-inc/augustus#135, praetorian-inc/pius#72.

Fix: set `disable-sudo-and-containers: false` on the codex-review job only and
document why. `safety-strategy: drop-sudo` already provides the equivalent
secret-protection guarantee (removes sudo before untrusted code runs). The
post-feedback job (no codex-action) keeps `disable-sudo-and-containers: true`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(codex-code): preserve CVE-2025-32955 container lockdown on codex-review

Addresses review feedback on #80: re-enabling sudo via
`disable-sudo-and-containers: false` (needed because codex-action chmod/chown-
locks its proxy server-info file then drops sudo itself) ALSO re-enabled
container access, because Harden-Runner has no container-only control and
codex-action's drop-sudo strips the runner's sudo/admin group but not its
`docker` group. That reopened CVE-2025-32955: a prompt-injected Codex could
`docker run --privileged -v /:/host` to regain root before review output posts.

Fix: add a dedicated step that stops+masks docker/containerd and removes the
docker socket, running while sudo is still available and BEFORE Codex executes.
After codex-action drops sudo, Codex has neither sudo nor a container runtime —
restoring the container half of the lockdown without breaking the sudo the
action requires (all codex-action versions still need it). The step logs
evidence (socket removed, daemon unreachable) before the review runs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant