release: v1.1.0 #123

Closed
VijitSingh97 wants to merge 6 commits into main from develop

@VijitSingh97

Contributor

Promote develop → main for the v1.1.0 release.

v1.1 is the tooling / code-quality + repo-hardening release — no change to the miner's runtime behavior.

What's in it

Commits promoted: #120, #121, #122, plus the release commit (CHANGELOG rollup + VERSION → 1.1.0).

Deferred (not in v1.1)

Stratum auth (#113) and stratum-over-TLS (#115) were moved to v1.6 — their security payoff is confined to untrusted-network/remote deployments, so they don't front this release.

Merge + tag

  • Merge with a regular merge commit (not squash) so main stays in sync with develop. main is protected by the "Main Branch" ruleset (review required); merge via OrganizationAdmin bypass.
  • After merge, tag from main: `git tag -a v1.1.0 -m "RigForge v1.1.0" && git push origin main --follow-tags` — that triggers release.yml (verifies the tag matches VERSION, builds the bundle, drafts the GitHub Release).

🤖 Generated with Claude Code

VijitSingh97 and others added 6 commits June 18, 2026 01:14
…ain branch model (#120)

* ci: supply-chain & secrets hardening — gitleaks, Dependabot, zizmor (#117)

Adds the three cross-cutting gates from #117 on top of RigForge's existing
SHA-pinned actions and commit-verified XMRig build. Scope is only the gaps,
not a redo of that work.

- gitleaks: new Security workflow scans the full git history for committed
  secrets (pool creds, tokens, the #113 stratum access-password) on every push
  and PR, with a matching pre-commit hook. Binary is version+checksum pinned,
  mirroring the shellcheck/shfmt installs.
- Dependabot: .github/dependabot.yml for the github-actions ecosystem only
  (RigForge has no pip/npm/docker deps) — keeps the action pins current and
  surfaces advisories.
- zizmor: audits the workflows for template injection, over-broad GITHUB_TOKEN,
  and credential persistence. Hardened ci.yml/release.yml to a read-only default
  token and persist-credentials: false on checkout so the audit is clean.

The broader pre-commit hook set (shellcheck/shfmt/yamllint/markdownlint +
freebies) is left to #118, which extends .pre-commit-config.yaml.

Validated locally: gitleaks clean over full history, zizmor reports no findings.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci(security): enable zizmor online audits + weekly schedule

Run zizmor with online audits on (its default) so the known-vulnerable-actions
audit cross-references the actions we pin against the GitHub Advisory Database —
a CVE disclosed against a pinned action now fails the gate, not just structural
issues. GH_TOKEN is the built-in read-only token (advisory data is public; it's
only for API access).

Add a weekly schedule so a freshly-published advisory trips against main even
with no open PRs (the online audit is time-varying by design). gitleaks is
skipped on the scheduled tick — history doesn't change between pushes.

Complements Dependabot: zizmor blocks the merge, Dependabot opens the bump.
Validated: zizmor online reports no findings against the current pins.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci: adopt the develop/main branch model (mirrors Pithead)

Pithead uses develop as the default integration branch and main as the release
branch; mirror that here (develop is now the repo default).

- ci.yml + security.yml: run on push to [main, develop] (PRs already run on any
  base via the unfiltered pull_request trigger).
- coverage: diff-cover now compares against the PR's actual base branch
  (github.base_ref, falling back to the pushed branch) instead of a hardcoded
  origin/main — so patch coverage stays correct once develop diverges from main.
- CONTRIBUTING: document the two-branch model; PRs target develop.
- RELEASING: build the release commit on develop, fast-forward into main, tag
  from main. develop is merged to main at each release (1.1 onward).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
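The three workflow properties named in the #117 commit message above (SHA-pinned actions, a read-only default token, `persist-credentials: false` on checkout) can be checked structurally. The script below is an added illustration, not zizmor and not code from the RigForge repository; the two workflow snippets, the placeholder SHA and the function name `audit_workflow` are constructed for it.

```sh
# Added example (not zizmor, not RigForge code): a line-based audit of three
# workflow properties. Both workflows and the 40-hex SHA are constructed samples.
WEAK_WORKFLOW='on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint'
HARDENED_WORKFLOW='on: [push, pull_request]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder
        with:
          persist-credentials: false
      - run: make lint'
# audit_workflow TEXT: prints one finding per line, returns 1 if there are any.
audit_workflow() {
    wf=$1 rc=0
    # 1. Every non-local "uses:" must be pinned to a full 40-hex commit SHA.
    if printf '%s\n' "$wf" | grep -E '^[ -]*uses: ' | grep -Ev 'uses: +\./' |
        grep -Evq '@[0-9a-f]{40}( |$)'; then
        echo "unpinned-action"; rc=1
    fi
    # 2. A top-level permissions block must exist and grant no write scope.
    perms=$(printf '%s\n' "$wf" | awk '
        /^permissions:/ { blk = 1; print; next }
        blk && /^[^ #]/ { blk = 0 }
        blk { print }')
    if [ -z "$perms" ] || printf '%s\n' "$perms" | grep -q 'write'; then
        echo "default-token-not-read-only"; rc=1
    fi
    # 3. Each checkout step must set persist-credentials: false (per-step scan).
    bad=$(printf '%s\n' "$wf" | awk '
        function endstep() { if (co && !pc) n++; co = 0; pc = 0 }
        /^ *- / { endstep() }
        /uses: *actions\/checkout@/ { co = 1 }
        /persist-credentials: *false/ { pc = 1 }
        END { endstep(); print n + 0 }')
    if [ "$bad" -gt 0 ]; then echo "checkout-persists-credentials"; rc=1; fi
    return "$rc"
}

audit_workflow "$WEAK_WORKFLOW" || echo "weak workflow: findings above"
audit_workflow "$HARDENED_WORKFLOW" && echo "hardened workflow: clean"
```

The scan is text-based and only looks at the top-level `permissions:` block, so it is a gate for obvious regressions rather than a substitute for a YAML-aware auditor.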
…markdownlint, lychee) (#118) (#122)

Rounds out the non-shell tooling around RigForge's existing shellcheck/shfmt +
kcov core, finishing the tooling epic (#116).

- .editorconfig: encodes the whitespace house style (shfmt -i 4, LF, final
  newline) so editors match CI.
- pre-commit: .pre-commit-config.yaml now orchestrates `make lint` (shellcheck +
  shfmt via the Makefile's SHELL_FILES — single source of truth, no duplicated
  list), the existing gitleaks hook, and freebie hygiene hooks (detect-private-key,
  check-added-large-files, end-of-file-fixer, trailing-whitespace).
- yamllint + markdownlint: new CI jobs in ci.yml (and `make lint-yaml` /
  `make lint-md`), each with a tuned config (.yamllint, .markdownlint-cli2.yaml)
  matching the repo's house style. Pinned via pipx / npx like diff-cover/zizmor.
- lychee: new scheduled workflow (links.yml) + `make lint-links`, kept off the PR
  path since external links are flaky-by-nature. Pinned + checksum-verified binary.
- docs: small fixes to satisfy the structural markdown rules (blank lines around
  headings/lists/fences via --fix; code-fence languages; fenced donation block;
  README hero subtitle as <h3> to keep the heading hierarchy clean).
- CONTRIBUTING: document the hooks + the config/docs lint targets.

Validated locally: yamllint --strict, markdownlint, zizmor (online), lychee
(198 links OK), and `pre-commit run --all-files` all green.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Roll up the Unreleased changelog under 1.1.0 and bump VERSION. v1.1 is the
tooling/code-quality + repo-hardening release: supply-chain & secrets gates
(#117), DX glue + config/docs lint (#118), the develop/main branch model, and
the MIT-licensing contributing note (#119). Stratum auth/TLS (#113/#115) were
deferred to v1.6.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Moderate style pass across the README, the docs/ guides, and the meta docs
(CONTRIBUTING, SECURITY, RELEASING, issue/PR templates): trim em-dash density,
drop gratuitous bold and italics-for-emphasis, soften marketing cadence and the
recurring "X, not Y" construction, and cut filler/virtue words.

Prose-only. Verified no code blocks, command tokens, flags, env vars, numbers,
link targets, or table rows changed; emoji section headers kept; markdownlint
clean across all 18 files. CHANGELOG left in the standard Keep-a-Changelog style.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

The v1.1 work is dev tooling (gitleaks/zizmor/Dependabot, pre-commit, the lint
configs, the develop/main branch model) plus a docs copy-edit. None of the
tooling is in the release bundle (release.yml ships rigforge.sh/util/systemd/
config templates/README/docs/images/LICENSE/VERSION — not tests/, .github/, or
the dotfiles), and rigforge.sh is unchanged, so there's nothing user-facing to
release. Bumping to 1.1.0 (MINOR) would signal new functionality that isn't there.

Revert the premature VERSION bump (back to 1.0.1) and the changelog rollup; the
entries stay under [Unreleased] and will ship with the next release that actually
changes something for users. main stays at the last release (1.0.1).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@VijitSingh97

Contributor Author

Holding this — not cutting a 1.1.0. The v1.1 work is all dev tooling (gitleaks/zizmor/Dependabot, pre-commit, lint configs, the develop/main branch model) plus a docs copy-edit. None of the tooling is in the release bundle (release.yml excludes tests/, .github/, and the dotfiles), and rigforge.sh is unchanged — so a 1.0.1→1.1.0 bundle would differ only by reworded docs. A MINOR bump would signal new functionality that isn't there.

Reverted the version bump + changelog rollup on develop (11ab16e); the entries stay under [Unreleased] and ship with the next release that actually changes something for users. main stays at 1.0.1; the develop→main promotion waits for that release.
