snipIT v0.1.0 — initial signed release
First tagged release. Establishes the OpenSSF Best Practices passing baseline + supporting documentation surface for snipIT.
Added
- OpenSSF Best Practices
passingbaseline (RAN-54):.github/workflows/scorecard.yml—ossf/scorecard-actionon push tomain+ Mondays 06:00 UTC, SARIF → Security tab..github/workflows/security.yml— OSS-CLI security stack: Trivy filesystem scan, Semgrep (p/security-audit+p/owasp-top-ten), PSScriptAnalyzer (PowerShell language gate), Gitleaks full-history secret scan, jscpd duplication check, and SPDX + CycloneDX SBOM generation..github/dependabot.yml— weekly grouped GitHub Actions updates.SECURITY.md— private vulnerability disclosure policy, supported versions, and scope..bestpractices.json— OpenSSF Best Practices self-assessment (project 12647).CLAUDE.md— agent / contributor brief: build, test, run, conventions, OpenSSF Scorecard baseline + target.shared/runbooks/engineering-standards.md— PowerShell variant of the company canonical engineering-standards runbook.scripts/setup-git-signed.sh— one-shot signed-commit setup (SSH / OpenPGP / x509).- Branch protection on
main— required signed commits, linear history, force-push and deletion blocked, eight required CI status checks. - Repo-level Dependabot security updates enabled.
- Canonical-schema rewrite of
.bestpractices.jsonso the bestpractices.dev autofill robot can pre-fill the criteria page on board flip (RAN-59). CHANGELOG.md(this file) anddocs/README.mdindex — addresses therelease_notesanddocumentation_basicsgaps surfaced by the bestpractices.dev autofill audit (RAN-64 / #5).CONTRIBUTING.mdat repo root — conventional contribution-process entry point: §Reporting (Issues + SECURITY.md), §Development workflow, §What every PR must pass (8-row CI gate matrix with local commands), §Coding standards delegating toshared/runbooks/engineering-standards.md(PR #7).
Changed
.github/workflows/test.yml— every action SHA-pinned (ScorecardPinned-Dependencies); top-levelpermissions: read-all; PSScriptAnalyzer moved out intosecurity.ymlso the SAST/lint signals are co-located with the rest of the security stack.README.md— OpenSSF Best Practices, OpenSSF Scorecard, and Security workflow badges added at the top of the badge row;Project filestable linked todocs/,CHANGELOG.md,SECURITY.md..bestpractices.json— 5 SUGGESTED criteria flipped from?toMetwith concrete in-repo evidence (version_semver,version_tags,test_most,dynamic_analysis,dynamic_analysis_enable_assertions) (PR #6); 4_urlfields retargeted to conventional paths (README.md,CONTRIBUTING.md,SECURITY.md) so the bestpractices.dev autofill bot detects them (PR #7).
Fixed
- Capture flow — exclude SnipIT's own widget / preview / tray windows from the capture target so they aren't baked into the frame (RAN-15).
- Color-bar interaction — update the active swatch in-place instead of rebuilding the bar; close
$pickColorover the swatch handler so the closure resolves correctly at click time.
Security
- No security-relevant fixes shipped under v0.1.0. The OSS-CLI security stack landed in
.github/workflows/security.ymlis the gating channel for all future fixes; advisories will appear in this section under each release where they apply, alongside a GHSA link.