Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 7 additions & 6 deletions .github/workflows/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,8 @@ against a pinned submodule revision.

Reusable workflows are sourced from
[`NDDev-it-com/nddev-ci-workflows`](https://github.com/NDDev-it-com/nddev-ci-workflows)
release `0.5.1`, pinned to commit
`ac4d1f469f5974741c7449305ffcbd5f05a5a47f`.
release `0.8.1`, pinned to commit
`8b8e3ea6321c912b68eec831c2072a0173203433`.

## Workflows

Expand All @@ -29,10 +29,11 @@ release `0.5.1`, pinned to commit
- **`release.yml`** requires strict SemVer equality across the tag, every build
contract, and both core-plugin version sources. The tagged commit must be an
ancestor of freshly fetched `origin/main`. It then calls the shared
supply-chain workflow to publish one immutable release with a deterministic
source archive (including the root secret-boundary `.gitignore`), canonical
checksum-bound release notes, SPDX SBOM, build provenance, and SBOM
attestation.
supply-chain workflow to publish one immutable release with two attested
artifacts -- a deterministic source archive (including the root
secret-boundary `.gitignore`) and the minimal runtime bundle -- plus
canonical checksum-bound release notes, an SPDX SBOM, build provenance, and
SBOM attestations.
- **`labeler.yml`** labels pull requests from `.github/labeler.yml` without
checking out contributor code. Its hardened runner uses minimal egress and
per-pull-request concurrency.
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ name: release
on:
push:
tags:
# Stable numeric releases only. Prerelease tags (X.Y.Z-*) stay ruleset-
# protected but are cut manually: the shared supply-chain workflow
# publishes as the "latest" release without prerelease marking.
- "[0-9]+.[0-9]+.[0-9]+"

permissions: {}
Expand Down
4 changes: 2 additions & 2 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,8 @@ Only the current exact numeric release tag receives security fixes.

| Version | Supported |
| --- | --- |
| Current exact tag `2.0.2` | yes |
| Older tags | no; upgrade to the current exact tag |
| Latest numeric release tag | yes |
| Older tags | no; upgrade to the latest release |

## Reporting a vulnerability

Expand Down
8 changes: 4 additions & 4 deletions build/release-evidence.json
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,11 @@
"schema_version": 1,
"module": {
"repository": "NDDev-it-com/nddev-zcode-app",
"setup_digest": "sha256:1868c8955f0656cf02522ee177d04c53f08aa2a8d6cdb62d7b1610bcfe9ce54c"
"setup_digest": "sha256:cce7d277383831cbf002ab9ac3a75e0e03c31740b9e0c549f39d3fe13fec7a69"
},
"harness": {
"repository": "NDDev-it-com/nddev-harnesses",
"commit": "e17e5f403914a248a3b7d53a251ee5136d94f449"
"commit": "04ad9fedff4d9dbc8c3cd2991dc4c944fb7fd7c6"
},
"adapter": {
"id": "zcode",
Expand Down Expand Up @@ -37,8 +37,8 @@
"benchmark:macos",
"benchmark:ubuntu"
],
"generated_at_utc": "2026-07-11T22:04:47Z",
"expires_at_utc": "2027-01-07T22:04:47Z",
"generated_at_utc": "2026-07-12T00:14:03Z",
"expires_at_utc": "2027-01-08T00:14:03Z",
"promotion": {
"decision": "approved"
}
Expand Down
Loading