diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index afa2f63..a1341e9 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -5,7 +5,7 @@ name: Draft changelog # requests merged since that train's last tag, then opens a pull request so a human # can review it (and delete any benefit the model inferred rather than found) # before merging. The trains version independently and keep separate changelogs: -# lib -> CHANGELOG.md (FirstClassErrors + FirstClassErrors.Testing) +# lib -> CHANGELOG.md (FirstClassErrors + FirstClassErrors.Testing + FirstClassErrors.RequestBinder) # cli -> FirstClassErrors.Cli/CHANGELOG.md (the fce .NET tool) # dum -> Dummies/CHANGELOG.md (the standalone Dummies library) on: @@ -94,7 +94,7 @@ jobs: echo "Collected $(jq 'length' prs.json) ${COMPONENT}-facing pull request(s) for this changelog." # COMPONENT is a choice input (lib|cli|dum only), safe to pass straight through. # from_ref is free text, so it travels via the environment (never inlined - # into the script) and is only ever handed to `git log`. + # into the script) and is only ever passed to git (rev-parse, then log) as a ref argument. - name: Draft the changelog entry with Claude if: steps.collect.outputs.count != '0' diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index 8ad32e8..78d315e 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml @@ -1,6 +1,6 @@ name: dependabot-automerge -# Palier A of the Dependabot automation policy: for Dependabot PRs, enable +# The low-friction lane of the Dependabot automation policy: for Dependabot PRs, enable # GitHub auto-merge on patch and minor updates so they merge on their own once # the required checks pass. Major updates are deliberately left untouched for # human review. diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ab9de28..95444a9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,7 +3,7 @@ name: release on: push: # Publish on a train-prefixed semantic-version tag. The trains version independently: - # lib-v1.2.3 -> FirstClassErrors + FirstClassErrors.Testing + # lib-v1.2.3 -> FirstClassErrors + FirstClassErrors.Testing + FirstClassErrors.RequestBinder # cli-v1.2.3 -> FirstClassErrors.Cli (the fce .NET tool) # dum-v1.2.3 -> Dummies (the standalone arbitrary-test-value library) tags: @@ -27,12 +27,13 @@ on: # pack, SBOM generation, OIDC and the attestation permissions only ever execute in production # conditions. Three defects were found here that were invisible from the repository (the # +metadata regex, the nuget.org re-signing mismatch, the dispatch-tag target). Dry run makes - # all of it testable on demand: everything runs up to AND INCLUDING the attestation — which - # deliberately stays in, since OIDC/permission failures are exactly what it rehearses — while - # NuGet login, the push and the GitHub Release are skipped. Defaults to true so an accidental - # dispatch publishes nothing; publishing requires explicitly unticking it. + # all of it testable on demand: everything runs up to AND INCLUDING the attestation and the OIDC + # login — both deliberately stay in, since OIDC/permission failures are exactly what a dry run + # rehearses — while the steps that actually publish (the NuGet push, the GitHub Release, and, + # on the cli train, the error-catalog baseline refresh) are skipped. Defaults to true so an + # accidental dispatch publishes nothing; publishing requires explicitly unticking it. dry_run: - description: 'Dry run: stop after pack + attestation; skip NuGet push and the GitHub Release' + description: 'Dry run: stop after pack + attestation; skip the publish steps (NuGet push, GitHub Release, cli catalog-baseline refresh)' type: boolean default: true @@ -59,7 +60,9 @@ jobs: # build + test + pack + attest + push is ~4 min; cap a hung release rather than the 6-hour default. timeout-minutes: 20 permissions: - # Create the GitHub Release and upload the attested .nupkg/.snupkg as its assets (see the publish step). + # Two uses of the write scope: create the GitHub Release and upload the attested .nupkg/.snupkg as its + # assets (the publish step), and — on a cli release — push the refreshed error-catalog baseline straight + # to main (the baseline-refresh step, the one direct-to-main write in this pipeline). contents: write # Request a GitHub OIDC token, exchanged for a short-lived NuGet API key via trusted publishing # (no long-lived NUGET_API_KEY secret is stored). @@ -186,9 +189,10 @@ jobs: fi echo "ok: GenDoc's error catalog has a breaking change since $PREVIOUS_TAG, matched by the major version bump ($PREVIOUS_MAJOR -> $NEW_MAJOR)." - # Pack only the train this release targets (lib -> FirstClassErrors + .Testing; cli -> the fce - # tool; dum -> Dummies), so a lib release never republishes the CLI and vice versa. The analyzer is bundled inside the main - # package and the GenDoc worker inside the CLI tool; the samples are not published. + # Pack only the train this release targets (lib -> FirstClassErrors + .Testing + .RequestBinder; + # cli -> the fce tool; dum -> Dummies), so a lib release never republishes the CLI and vice versa. + # The analyzer is bundled inside the main package and the GenDoc worker inside the CLI tool; the + # samples are not published. # GenerateSBOM activates Microsoft.Sbom.Targets in each packable project: each package embeds its SPDX # inventory at _manifest/spdx_2.2/manifest.spdx.json. tools/packaging/pack.sh is the single source of # truth (packed projects per train, flags, embedded SBOM, and the SBOM-present check); the @@ -233,9 +237,10 @@ jobs: # trusted-publishing policy, so rehearsing it here makes a dry run fail red when the policy or # NUGET_USER is missing/misconfigured — instead of only ever finding out during a real release. It # mints a short-lived, single-use key that a dry run never spends (the push below is skipped). Only the - # steps that actually PUBLISH — the push and the GitHub Release — are gated off on a dry run: a tag - # push always publishes (inputs.* is empty on push, so the event check short-circuits first); a manual - # dispatch publishes only with dry_run explicitly unticked. + # steps that actually PUBLISH — the push, the GitHub Release, and (on the cli train) the error-catalog + # baseline refresh — are gated off on a dry run: a tag push always publishes (inputs.* is empty on + # push, so the event check short-circuits first); a manual dispatch publishes only with dry_run + # explicitly unticked. - name: NuGet login (OIDC) id: nuget-login uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1