From 6e78c5054327c0b64a626e09ef06e3606736d865 Mon Sep 17 00:00:00 2001 From: Danil Silantyev Date: Sun, 12 Jul 2026 02:33:39 +0700 Subject: [PATCH] feat(release): publish the minimal runtime bundle as a second asset Pass build/manifest.json:runtime_bundle.paths as runtime_paths to the shared release workflow so a tag publishes the attested minimal runtime bundle alongside the full source archive, and re-pin every shared nddev-ci-workflows workflow to 0.7.0 (which adds the runtime_paths capability). Regenerate build/release-evidence.json for the new content digest and record the change under CHANGELOG [Unreleased]. --- .github/workflows/actionlint.yml | 2 +- .github/workflows/codeql.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/release.yml | 5 ++++- .github/workflows/scorecard.yml | 2 +- .github/workflows/secret-scan.yml | 2 +- .github/workflows/zizmor.yml | 2 +- CHANGELOG.md | 6 ++++++ build/release-evidence.json | 8 ++++---- 9 files changed, 20 insertions(+), 11 deletions(-) diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index f4ff425..25c06cd 100644 --- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml @@ -19,4 +19,4 @@ jobs: name: actionlint permissions: contents: read - uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/actionlint.yml@ac4d1f469f5974741c7449305ffcbd5f05a5a47f # 0.5.1 + uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/actionlint.yml@eda8ff7eb970c05a219238b6e5fb7faad8f67c40 # 0.7.0 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 42242d5..7399240 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -21,7 +21,7 @@ jobs: contents: read security-events: write # Publish CodeQL analysis to code scanning. actions: read # Read workflow metadata for the actions language. - uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/public-codeql.yml@ac4d1f469f5974741c7449305ffcbd5f05a5a47f # 0.5.1 + uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/public-codeql.yml@eda8ff7eb970c05a219238b6e5fb7faad8f67c40 # 0.7.0 with: languages: '["actions"]' queries: security-and-quality diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 65a8bbb..d4cc0ce 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -16,4 +16,4 @@ jobs: permissions: contents: read pull-requests: write # Comment when dependency policy rejects a change. - uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/public-dependency-review.yml@ac4d1f469f5974741c7449305ffcbd5f05a5a47f # 0.5.1 + uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/public-dependency-review.yml@eda8ff7eb970c05a219238b6e5fb7faad8f67c40 # 0.7.0 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index da13222..a3457ec 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -179,7 +179,7 @@ jobs: contents: write # Create the immutable release and its exact assets. id-token: write # Exchange workflow identity for attestations. attestations: write # Publish provenance and SBOM attestations. - uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/release-supply-chain.yml@ac4d1f469f5974741c7449305ffcbd5f05a5a47f # 0.5.1 + uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/release-supply-chain.yml@eda8ff7eb970c05a219238b6e5fb7faad8f67c40 # 0.7.0 with: version: ${{ github.ref_name }} package_name: nddev-zcode-app @@ -187,3 +187,6 @@ jobs: README.md LICENSE NOTICE VERSION CHANGELOG.md SECURITY.md SUPPORT.md CODE_OF_CONDUCT.md CONTRIBUTING.md .gitignore .github build cli-tools config docs references zcode_tools + runtime_paths: >- + VERSION LICENSE NOTICE README.md build cli-tools config references + zcode_tools diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 4eee00f..3b44406 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -19,4 +19,4 @@ jobs: contents: read actions: read # Inspect workflow metadata for Scorecard checks. id-token: write # Obtain OIDC identity for the Scorecard artifact. - uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/public-scorecard-json.yml@ac4d1f469f5974741c7449305ffcbd5f05a5a47f # 0.5.1 + uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/public-scorecard-json.yml@eda8ff7eb970c05a219238b6e5fb7faad8f67c40 # 0.7.0 diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index 69540ff..6ca2cc1 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -16,4 +16,4 @@ concurrency: jobs: secret-scan: name: Secret scan - uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/secret-scan.yml@ac4d1f469f5974741c7449305ffcbd5f05a5a47f # 0.5.1 + uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/secret-scan.yml@eda8ff7eb970c05a219238b6e5fb7faad8f67c40 # 0.7.0 diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index ad5b042..86e7636 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -21,7 +21,7 @@ jobs: permissions: contents: read security-events: write # Publish workflow-analysis results to code scanning. - uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/zizmor-sarif.yml@ac4d1f469f5974741c7449305ffcbd5f05a5a47f # 0.5.1 + uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/zizmor-sarif.yml@eda8ff7eb970c05a219238b6e5fb7faad8f67c40 # 0.7.0 with: persona: pedantic min_severity: low diff --git a/CHANGELOG.md b/CHANGELOG.md index 6aceac2..72d7179 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,12 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). install-required tracked paths (installer, catalogs, build and runtime metadata, license) excluding governance, CI, and source-level documentation. +### Changed + +- The release workflow now publishes the minimal `runtime_bundle` as a second, + attested release asset (`runtime_paths`) alongside the full source archive, + and pins the shared supply-chain workflow to `0.7.0`. + ## [2.1.2] - 2026-07-10 ### Fixed diff --git a/build/release-evidence.json b/build/release-evidence.json index 2511624..e5d8d65 100644 --- a/build/release-evidence.json +++ b/build/release-evidence.json @@ -2,11 +2,11 @@ "schema_version": 1, "module": { "repository": "NDDev-it-com/nddev-zcode-app", - "setup_digest": "sha256:a4338b65f702404e0e2e9b91314063a980f0c803d0d84961839f12c656a2778b" + "setup_digest": "sha256:024e07675c09c94849000f18275727a6e4a1624be663264021aa7025ba64f08b" }, "harness": { "repository": "NDDev-it-com/nddev-harnesses", - "commit": "26f540414bbe6d4e7d0f9776057cac9e4c9d699f" + "commit": "d432aae15a3a3fe48dab5cb447ccc03abe5c78f8" }, "adapter": { "id": "zcode", @@ -37,8 +37,8 @@ "benchmark:macos", "benchmark:ubuntu" ], - "generated_at_utc": "2026-07-11T18:32:54Z", - "expires_at_utc": "2027-01-07T18:32:54Z", + "generated_at_utc": "2026-07-11T19:33:20Z", + "expires_at_utc": "2027-01-07T19:33:20Z", "promotion": { "decision": "approved" }