Skip to content

Commit 851bd3a

Browse files
release(RAN-66): cut snipIT v0.1.0 — CHANGELOG bump + bestpractices versioning evidence (#8)
CHANGELOG.md - [Unreleased] → [v0.1.0] - 2026-04-26 with full Added / Changed / Fixed / Security subsections covering PR #1 (RAN-54 baseline + Scorecard hardening), PR #3 (RAN-59 canonical-schema rewrite), PRs #4/#5 (RAN-64 CHANGELOG + docs/ index), PR #6 (5 SUGGESTED criteria flips), PR #7 (CONTRIBUTING.md + conventional-URL retargets). - Fresh empty [Unreleased] section opened at top per Keep-a-Changelog 1.1.0. - Link refs now point at compare/v0.1.0...HEAD and releases/tag/v0.1.0. .bestpractices.json - version_unique_url + release_notes_vulns_url added (both pointing at the v0.1.0 GitHub Release) so the bestpractices.dev autofill bot has a concrete URL to verify alongside _status: Met. - 5 versioning justifications refreshed to cite the concrete v0.1.0 tag instead of forward-looking commitments: version_unique, version_semver, version_tags, release_notes, release_notes_vulns. These are the criteria the autofill bot verifies by checking actual GitHub Releases / git tags exist. Once the v0.1.0 signed tag + GitHub Release land post-merge, autofill should flip release_notes to Met (currently Unmet pending evidence) and the 4 SUGGESTED versioning criteria stay Met with concrete tag-backed URLs. Co-authored-by: Paperclip <noreply@paperclip.ing>
1 parent 7a30cf0 commit 851bd3a

2 files changed

Lines changed: 25 additions & 12 deletions

File tree

.bestpractices.json

Lines changed: 10 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -65,22 +65,24 @@
6565
"repo_distributed_justification": "git is a fully distributed VCS (each clone contains the full history and every operation works offline). Repo at https://github.com/RandomCodeSpace/snipIT is git-native.",
6666

6767
"version_unique_status": "Met",
68-
"version_unique_justification": "snipIT is a single-script project distributed via `git clone` of the main branch — the unique version identifier is the commit SHA on main, which is globally unique by git's content-addressable design and is the version recorded in any install. No tagged releases yet (single .ps1 with no compile/build step); when a tag-release flow is added, semver tags will be the user-facing identifier.",
68+
"version_unique_justification": "snipIT v0.1.0 is the first tagged release — annotated, SSH-signed git tag `v0.1.0` on main, paired with GitHub Release `v0.1.0` at https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0. The tag is globally unique by git's content-addressable design and is the user-facing version identifier. CHANGELOG.md `[v0.1.0] - 2026-04-26` captures the release contents.",
69+
"version_unique_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0",
6970

7071
"version_semver_status": "Met",
71-
"version_semver_justification": "CHANGELOG.md header explicitly commits the project to Semantic Versioning 2.0.0: 'this project adheres to Semantic Versioning 2.0.0' (https://semver.org/spec/v2.0.0.html). All future tags will be `vMAJOR.MINOR.PATCH` per SemVer. snipIT has no tagged releases yet — the [Unreleased] section captures pre-tag work; on first tag cut, the heading becomes `[vX.Y.Z] - YYYY-MM-DD` and a fresh [Unreleased] opens.",
72-
"version_semver_url": "https://github.com/RandomCodeSpace/snipIT/blob/main/CHANGELOG.md",
72+
"version_semver_justification": "CHANGELOG.md header explicitly commits the project to Semantic Versioning 2.0.0: 'this project adheres to Semantic Versioning 2.0.0' (https://semver.org/spec/v2.0.0.html). The first tagged release is `v0.1.0` (https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0) — `vMAJOR.MINOR.PATCH` SemVer-shaped. Future tags continue the same format; CHANGELOG.md `[v0.1.0] - 2026-04-26` is the canonical entry.",
73+
"version_semver_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0",
7374

7475
"version_tags_status": "Met",
75-
"version_tags_justification": "CHANGELOG.md states 'Version numbers below correspond to git tags on main.' Each release will be cut as an annotated, GPG/SSH-signed git tag (`vX.Y.Z`). The signed-tag requirement is codified in shared/runbooks/engineering-standards.md §8 ('Commit identity and signed commits'): `tag.gpgsign=true` is set repo-locally by scripts/setup-git-signed.sh and enforced by branch protection on main. snipIT has no tagged releases yet — the [Unreleased] section captures pre-tag work.",
76-
"version_tags_url": "https://github.com/RandomCodeSpace/snipIT/blob/main/CHANGELOG.md",
76+
"version_tags_justification": "CHANGELOG.md states 'Version numbers below correspond to git tags on main.' First release is the annotated, SSH-signed git tag `v0.1.0` (https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0), cut from the `release(RAN-66): cut snipIT v0.1.0` PR squash commit. The signed-tag requirement is codified in shared/runbooks/engineering-standards.md §8 ('Commit identity and signed commits'): `tag.gpgsign=true` is set repo-locally by scripts/setup-git-signed.sh; branch protection on main enforces verified signatures.",
77+
"version_tags_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0",
7778

7879
"release_notes_status": "Met",
79-
"release_notes_justification": "CHANGELOG.md at repo root, Keep-a-Changelog 1.1.0 format with `[Unreleased]` collecting pre-tag work and per-version sections opened on each tag. Captures Added / Changed / Fixed / Security entries for every merge to main. Until the first tag is cut (tracked under Scorecard `Packaging` in CLAUDE.md), the `[Unreleased]` section is the release-notes surface; on tag, the heading is replaced with the version + date and a fresh `[Unreleased]` opens. SECURITY.md §Changelog separately tracks disclosure-policy version history.",
80-
"release_notes_url": "https://github.com/RandomCodeSpace/snipIT/blob/main/CHANGELOG.md",
80+
"release_notes_justification": "CHANGELOG.md at repo root, Keep-a-Changelog 1.1.0 format. First tagged release `[v0.1.0] - 2026-04-26` captures the OpenSSF Best Practices `passing` baseline + supporting documentation surface under Added / Changed / Fixed / Security subsections. The corresponding GitHub Release at https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0 surfaces the same notes on the Releases page. A fresh `[Unreleased]` section sits at the top to collect post-v0.1.0 work; on each subsequent tag the `[Unreleased]` heading is replaced with the version + date and a new `[Unreleased]` opens.",
81+
"release_notes_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0",
8182

8283
"release_notes_vulns_status": "Met",
83-
"release_notes_vulns_justification": "CHANGELOG.md reserves a dedicated `### Security` subsection inside every release entry (and the `[Unreleased]` working set) for non-trivial security fixes. The header text states explicitly: 'Each release MUST list any non-trivial security fixes under a dedicated Security subsection so downstream consumers can decide whether to upgrade.' Zero fixes to date — the current `[Unreleased]` Security subsection is honestly marked 'No security-relevant fixes shipped yet under this release line.' When a fix ships, the entry will reference the GHSA advisory + CVE per SECURITY.md §What you can expect.",
84+
"release_notes_vulns_justification": "CHANGELOG.md reserves a dedicated `### Security` subsection inside every release entry (and the `[Unreleased]` working set) for non-trivial security fixes. The header text states explicitly: 'Each release MUST list any non-trivial security fixes under a dedicated Security subsection so downstream consumers can decide whether to upgrade.' v0.1.0 ships with zero security-relevant fixes — its Security subsection is honestly marked: 'No security-relevant fixes shipped under v0.1.0. The OSS-CLI security stack landed in `.github/workflows/security.yml` is the gating channel for all future fixes; advisories will appear in this section under each release where they apply, alongside a GHSA link.' The GitHub Release notes at https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0 mirror this content.",
85+
"release_notes_vulns_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0",
8486

8587
"report_process_status": "Met",
8688
"report_process_justification": "SECURITY.md §Reporting a vulnerability documents the private channel for security issues (GitHub private vulnerability report at /security/advisories/new, or `ak.nitrr13@gmail.com` with `[snipIT security]` subject; 72-hour ack SLA, 7-day triage, 90-day coordinated disclosure). CONTRIBUTING.md §Reporting documents the public channel for functional bugs and feature requests — GitHub Issues at https://github.com/RandomCodeSpace/snipIT/issues. Both channels are linked from README.md.",

CHANGELOG.md

Lines changed: 15 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,14 @@ Each release MUST list any non-trivial security fixes under a dedicated **Securi
1212

1313
## [Unreleased]
1414

15+
_No changes yet._
16+
17+
---
18+
19+
## [v0.1.0] - 2026-04-26
20+
21+
First tagged release. Establishes the OpenSSF Best Practices `passing` baseline + supporting documentation surface for snipIT.
22+
1523
### Added
1624
- OpenSSF Best Practices `passing` baseline ([RAN-54](https://github.com/RandomCodeSpace/snipIT/pull/1)):
1725
- `.github/workflows/scorecard.yml``ossf/scorecard-action` on push to `main` + Mondays 06:00 UTC, SARIF → Security tab.
@@ -25,19 +33,22 @@ Each release MUST list any non-trivial security fixes under a dedicated **Securi
2533
- Branch protection on `main` — required signed commits, linear history, force-push and deletion blocked, eight required CI status checks.
2634
- Repo-level Dependabot security updates enabled.
2735
- Canonical-schema rewrite of `.bestpractices.json` so the bestpractices.dev autofill robot can pre-fill the criteria page on board flip ([RAN-59](https://github.com/RandomCodeSpace/snipIT/pull/3)).
28-
- `CHANGELOG.md` (this file) and `docs/README.md` index — addresses the `release_notes` and `documentation_basics` gaps surfaced by the bestpractices.dev autofill audit.
36+
- `CHANGELOG.md` (this file) and `docs/README.md` index — addresses the `release_notes` and `documentation_basics` gaps surfaced by the bestpractices.dev autofill audit ([RAN-64](https://github.com/RandomCodeSpace/snipIT/pull/4) / [#5](https://github.com/RandomCodeSpace/snipIT/pull/5)).
37+
- `CONTRIBUTING.md` at repo root — conventional contribution-process entry point: §Reporting (Issues + SECURITY.md), §Development workflow, §What every PR must pass (8-row CI gate matrix with local commands), §Coding standards delegating to `shared/runbooks/engineering-standards.md` ([PR #7](https://github.com/RandomCodeSpace/snipIT/pull/7)).
2938

3039
### Changed
3140
- `.github/workflows/test.yml` — every action SHA-pinned (Scorecard `Pinned-Dependencies`); top-level `permissions: read-all`; PSScriptAnalyzer moved out into `security.yml` so the SAST/lint signals are co-located with the rest of the security stack.
32-
- `README.md` — OpenSSF Best Practices, OpenSSF Scorecard, and Security workflow badges added at the top of the badge row.
41+
- `README.md` — OpenSSF Best Practices, OpenSSF Scorecard, and Security workflow badges added at the top of the badge row; `Project files` table linked to `docs/`, `CHANGELOG.md`, `SECURITY.md`.
42+
- `.bestpractices.json` — 5 SUGGESTED criteria flipped from `?` to `Met` with concrete in-repo evidence (`version_semver`, `version_tags`, `test_most`, `dynamic_analysis`, `dynamic_analysis_enable_assertions`) ([PR #6](https://github.com/RandomCodeSpace/snipIT/pull/6)); 4 `_url` fields retargeted to conventional paths (`README.md`, `CONTRIBUTING.md`, `SECURITY.md`) so the bestpractices.dev autofill bot detects them ([PR #7](https://github.com/RandomCodeSpace/snipIT/pull/7)).
3343

3444
### Fixed
3545
- Capture flow — exclude SnipIT's own widget / preview / tray windows from the capture target so they aren't baked into the frame ([RAN-15](https://github.com/RandomCodeSpace/snipIT/issues)).
3646
- Color-bar interaction — update the active swatch in-place instead of rebuilding the bar; close `$pickColor` over the swatch handler so the closure resolves correctly at click time.
3747

3848
### Security
39-
- _No security-relevant fixes shipped yet under this release line._
49+
- _No security-relevant fixes shipped under v0.1.0._ The OSS-CLI security stack landed in `.github/workflows/security.yml` is the gating channel for all future fixes; advisories will appear in this section under each release where they apply, alongside a GHSA link.
4050

4151
---
4252

43-
[Unreleased]: https://github.com/RandomCodeSpace/snipIT/commits/main
53+
[Unreleased]: https://github.com/RandomCodeSpace/snipIT/compare/v0.1.0...HEAD
54+
[v0.1.0]: https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0

0 commit comments

Comments
 (0)