Skip to content

snipIT v0.1.0 — initial signed release

Choose a tag to compare

@aksOps aksOps released this 26 Apr 05:03
v0.1.0
851bd3a

First tagged release. Establishes the OpenSSF Best Practices passing baseline + supporting documentation surface for snipIT.

Added

  • OpenSSF Best Practices passing baseline (RAN-54):
    • .github/workflows/scorecard.ymlossf/scorecard-action on push to main + Mondays 06:00 UTC, SARIF → Security tab.
    • .github/workflows/security.yml — OSS-CLI security stack: Trivy filesystem scan, Semgrep (p/security-audit + p/owasp-top-ten), PSScriptAnalyzer (PowerShell language gate), Gitleaks full-history secret scan, jscpd duplication check, and SPDX + CycloneDX SBOM generation.
    • .github/dependabot.yml — weekly grouped GitHub Actions updates.
    • SECURITY.md — private vulnerability disclosure policy, supported versions, and scope.
    • .bestpractices.json — OpenSSF Best Practices self-assessment (project 12647).
    • CLAUDE.md — agent / contributor brief: build, test, run, conventions, OpenSSF Scorecard baseline + target.
    • shared/runbooks/engineering-standards.md — PowerShell variant of the company canonical engineering-standards runbook.
    • scripts/setup-git-signed.sh — one-shot signed-commit setup (SSH / OpenPGP / x509).
    • Branch protection on main — required signed commits, linear history, force-push and deletion blocked, eight required CI status checks.
    • Repo-level Dependabot security updates enabled.
  • Canonical-schema rewrite of .bestpractices.json so the bestpractices.dev autofill robot can pre-fill the criteria page on board flip (RAN-59).
  • CHANGELOG.md (this file) and docs/README.md index — addresses the release_notes and documentation_basics gaps surfaced by the bestpractices.dev autofill audit (RAN-64 / #5).
  • CONTRIBUTING.md at repo root — conventional contribution-process entry point: §Reporting (Issues + SECURITY.md), §Development workflow, §What every PR must pass (8-row CI gate matrix with local commands), §Coding standards delegating to shared/runbooks/engineering-standards.md (PR #7).

Changed

  • .github/workflows/test.yml — every action SHA-pinned (Scorecard Pinned-Dependencies); top-level permissions: read-all; PSScriptAnalyzer moved out into security.yml so the SAST/lint signals are co-located with the rest of the security stack.
  • README.md — OpenSSF Best Practices, OpenSSF Scorecard, and Security workflow badges added at the top of the badge row; Project files table linked to docs/, CHANGELOG.md, SECURITY.md.
  • .bestpractices.json — 5 SUGGESTED criteria flipped from ? to Met with concrete in-repo evidence (version_semver, version_tags, test_most, dynamic_analysis, dynamic_analysis_enable_assertions) (PR #6); 4 _url fields retargeted to conventional paths (README.md, CONTRIBUTING.md, SECURITY.md) so the bestpractices.dev autofill bot detects them (PR #7).

Fixed

  • Capture flow — exclude SnipIT's own widget / preview / tray windows from the capture target so they aren't baked into the frame (RAN-15).
  • Color-bar interaction — update the active swatch in-place instead of rebuilding the bar; close $pickColor over the swatch handler so the closure resolves correctly at click time.

Security

  • No security-relevant fixes shipped under v0.1.0. The OSS-CLI security stack landed in .github/workflows/security.yml is the gating channel for all future fixes; advisories will appear in this section under each release where they apply, alongside a GHSA link.