From f558c46aa702d6cabdcafea753d90d3c2953612d Mon Sep 17 00:00:00 2001 From: Amit Kumar Date: Thu, 23 Apr 2026 07:21:08 +0000 Subject: [PATCH] docs: curated human-readable CHANGELOG (BestPractices release_notes) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenSSF BestPractices criterion release_notes requires a human-readable summary of major changes per release — explicitly "MUST NOT be the raw output of a version control log". Prior CHANGELOG was a stub pointing at GitHub's auto-generated PR list, which is the disqualified form. This revision: - Writes v0.0.1 as a "first stable release" overview covering what the product does (GraphRAG pipeline, loaders, LLM layer, query engine, surfaces, storage) and known limitations. - Writes v0.0.2 as a targeted CI-cadence note with explicit "upgrade impact: drop-in replacement" guidance. - Tracks the Unreleased branch-state for governance files, release pipeline rewrite, and CI simplifications. The on-GitHub v0.0.1 and v0.0.2 release bodies have been updated with the same curated content via gh release edit. Co-Authored-By: Claude Opus 4.7 (1M context) --- CHANGELOG.md | 88 ++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 69 insertions(+), 19 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7d46f76..8b7d49e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,34 +1,84 @@ # Changelog -All notable changes to docsiq are published on -[GitHub Releases](https://github.com/RandomCodeSpace/docsiq/releases) -with auto-generated summaries grouped by label (security fixes, breaking -changes, new features, bug fixes, dependencies). Each release is tagged -with its signed SHA256SUMS and SLSA build provenance. +All notable changes to docsiq are documented here in a human-readable +form. The full per-commit history is available on +[GitHub Releases](https://github.com/RandomCodeSpace/docsiq/releases), +but this file is the curated summary. -This file summarises notable releases. The canonical source is the -Releases page linked above. - -The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +Each release ships signed binaries (cosign keyless + Rekor), a signed +`SHA256SUMS`, and SLSA build provenance. ## [Unreleased] ### Added -- Governance and community files: `CODE_OF_CONDUCT.md`, `GOVERNANCE.md`, - `.github/CODEOWNERS`, `.github/release.yml`, `docs/ACCESSIBILITY.md` -- `.bestpractices.json` to track OpenSSF BestPractices criteria +- `CODE_OF_CONDUCT.md`, `GOVERNANCE.md`, `.github/CODEOWNERS`, + `.github/release.yml`, `docs/ACCESSIBILITY.md` — project governance + and community files (OpenSSF BestPractices passing tier). +- `.bestpractices.json` tracking the full OpenSSF BestPractices matrix + at repo root (78 Met / 10 N/A / 0 Unknown). + +### Changed +- `SECURITY.md`: added a "Report archive" section clarifying that + GitHub Issues archives non-sensitive reports and Security Advisories + archives coordinated-disclosure reports. +- Release pipeline: dropped GoReleaser (its `prebuilt` builder is a + Pro-only feature and wasn't parsing in OSS goreleaser). The release + job now computes SHA256SUMS, signs with cosign keyless, and creates + the GitHub release directly — signing, provenance, and categorised + release notes are all preserved. +- CI: dropped macOS from the test matrix; Linux-only is sufficient to + gate PRs. The release workflow still builds darwin-arm64 binaries + natively on macOS runners. +- CI: removed `push: main` trigger from `ci.yml` and `fuzz.yml`; + `pull/N/merge` already validates the merged tree. Saves ~2 min of + runner time per merged PR. `codeql.yml` still runs on push to main + (the Security tab's default-branch data requires it). + +## [0.0.2] — 2026-04-23 ### Changed -- `SECURITY.md`: added "Report archive" section documenting GitHub Issues - and Security Advisories as the public archive -## [0.0.2] — 2026-04-20 +- **Scorecard workflow cadence.** `scorecard.yml` now runs on release + completion and weekly on schedule instead of firing on every push to + `main`. The policy being scored is unchanged; this simply stops + re-scoring commits that don't move any Scorecard-visible state. + +### Upgrade impact + +Safe drop-in upgrade from v0.0.1. No API, CLI, or on-disk schema +changes — replace the binary in place. + +GitHub Release: + +## [0.0.1] — 2026-04-23 + +First non-beta release. Establishes the feature set and API surface +that subsequent 0.0.x patches will maintain back-compat against. + +### Added -See +- **GraphRAG indexing pipeline** — five-phase ingestion: chunk, extract + entities/relationships/claims, community-detect (Louvain), embed, + persist. +- **Document loaders** — PDF (langchaingo), DOCX, TXT, Markdown, and a + polite web crawler with robots.txt + allow-list + MIME checks. +- **Multi-provider LLM layer** — Azure OpenAI, OpenAI, and Ollama + behind a single `internal/llm` abstraction. +- **Query engine** — hybrid local (vector + FTS5) and global + (community-summary) search. +- **Surfaces** — CLI (`docsiq index|search|serve`), REST API, MCP + server, and an embedded React SPA served by `docsiq serve`. +- **Storage** — single SQLite file with `sqlite_fts5` and `sqlite-vec` + for vector search. No external DB to deploy. +- **Signed releases** — cosign keyless via Sigstore (Rekor-anchored), + signed `SHA256SUMS`, and SLSA build provenance. -## [0.0.1] — 2026-04-15 +### Known limitations -Initial release. +- Darwin support is limited to `arm64`; `amd64` is not built (cgo + + sqlite-vec cross-compile complexity). +- Pre-1.0: APIs and on-disk schema are not yet frozen. -See +GitHub Release: