diff --git a/.github/workflows/README.md b/.github/workflows/README.md index 19a6820..1f257e5 100644 --- a/.github/workflows/README.md +++ b/.github/workflows/README.md @@ -7,8 +7,8 @@ against a pinned submodule revision. Reusable workflows are sourced from [`NDDev-it-com/nddev-ci-workflows`](https://github.com/NDDev-it-com/nddev-ci-workflows) -release `0.5.1`, pinned to commit -`ac4d1f469f5974741c7449305ffcbd5f05a5a47f`. +release `0.8.1`, pinned to commit +`8b8e3ea6321c912b68eec831c2072a0173203433`. ## Workflows @@ -29,10 +29,11 @@ release `0.5.1`, pinned to commit - **`release.yml`** requires strict SemVer equality across the tag, every build contract, and both core-plugin version sources. The tagged commit must be an ancestor of freshly fetched `origin/main`. It then calls the shared - supply-chain workflow to publish one immutable release with a deterministic - source archive (including the root secret-boundary `.gitignore`), canonical - checksum-bound release notes, SPDX SBOM, build provenance, and SBOM - attestation. + supply-chain workflow to publish one immutable release with two attested + artifacts -- a deterministic source archive (including the root + secret-boundary `.gitignore`) and the minimal runtime bundle -- plus + canonical checksum-bound release notes, an SPDX SBOM, build provenance, and + SBOM attestations. - **`labeler.yml`** labels pull requests from `.github/labeler.yml` without checking out contributor code. Its hardened runner uses minimal egress and per-pull-request concurrency. diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6502581..331bf27 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,6 +3,9 @@ name: release on: push: tags: + # Stable numeric releases only. Prerelease tags (X.Y.Z-*) stay ruleset- + # protected but are cut manually: the shared supply-chain workflow + # publishes as the "latest" release without prerelease marking. - "[0-9]+.[0-9]+.[0-9]+" permissions: {} diff --git a/SECURITY.md b/SECURITY.md index 5467015..a2fe8e8 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -15,8 +15,8 @@ Only the current exact numeric release tag receives security fixes. | Version | Supported | | --- | --- | -| Current exact tag `2.0.2` | yes | -| Older tags | no; upgrade to the current exact tag | +| Latest numeric release tag | yes | +| Older tags | no; upgrade to the latest release | ## Reporting a vulnerability diff --git a/build/release-evidence.json b/build/release-evidence.json index 061f2c4..8e762e9 100644 --- a/build/release-evidence.json +++ b/build/release-evidence.json @@ -2,11 +2,11 @@ "schema_version": 1, "module": { "repository": "NDDev-it-com/nddev-zcode-app", - "setup_digest": "sha256:1868c8955f0656cf02522ee177d04c53f08aa2a8d6cdb62d7b1610bcfe9ce54c" + "setup_digest": "sha256:cce7d277383831cbf002ab9ac3a75e0e03c31740b9e0c549f39d3fe13fec7a69" }, "harness": { "repository": "NDDev-it-com/nddev-harnesses", - "commit": "e17e5f403914a248a3b7d53a251ee5136d94f449" + "commit": "04ad9fedff4d9dbc8c3cd2991dc4c944fb7fd7c6" }, "adapter": { "id": "zcode", @@ -37,8 +37,8 @@ "benchmark:macos", "benchmark:ubuntu" ], - "generated_at_utc": "2026-07-11T22:04:47Z", - "expires_at_utc": "2027-01-07T22:04:47Z", + "generated_at_utc": "2026-07-12T00:14:03Z", + "expires_at_utc": "2027-01-08T00:14:03Z", "promotion": { "decision": "approved" }