chore: rename config files (minimal + reference)#127
Merged
Conversation
config.json.template -> config.minimal.json (the copy-me starter: just the pool URL) config.advanced.example.json -> config.reference.json (the full reference: every key with its default, enforced complete by the #23 test) Matches the same rename in Pithead for cross-repo consistency. Content unchanged — the the starter is still just the pool URL. Updated all references (rigforge.sh, RELEASING, docs/configuration, .gitignore, the release workflow + macOS e2e bundle, and the config tests). CHANGELOG keeps the old names (historical). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
61c0659 to
9f6f19c
Compare
VijitSingh97
added a commit
that referenced
this pull request
Jul 2, 2026
* ci: supply-chain hardening (gitleaks, Dependabot, zizmor) + develop/main branch model (#120) * ci: supply-chain & secrets hardening — gitleaks, Dependabot, zizmor (#117) Adds the three cross-cutting gates from #117 on top of RigForge's existing SHA-pinned actions and commit-verified XMRig build. Scope is only the gaps, not a redo of that work. - gitleaks: new Security workflow scans the full git history for committed secrets (pool creds, tokens, the #113 stratum access-password) on every push and PR, with a matching pre-commit hook. Binary is version+checksum pinned, mirroring the shellcheck/shfmt installs. - Dependabot: .github/dependabot.yml for the github-actions ecosystem only (RigForge has no pip/npm/docker deps) — keeps the action pins current and surfaces advisories. - zizmor: audits the workflows for template injection, over-broad GITHUB_TOKEN, and credential persistence. Hardened ci.yml/release.yml to a read-only default token and persist-credentials: false on checkout so the audit is clean. The broader pre-commit hook set (shellcheck/shfmt/yamllint/markdownlint + freebies) is left to #118, which extends .pre-commit-config.yaml. Validated locally: gitleaks clean over full history, zizmor reports no findings. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * ci(security): enable zizmor online audits + weekly schedule Run zizmor with online audits on (its default) so the known-vulnerable-actions audit cross-references the actions we pin against the GitHub Advisory Database — a CVE disclosed against a pinned action now fails the gate, not just structural issues. GH_TOKEN is the built-in read-only token (advisory data is public; it's only for API access). Add a weekly schedule so a freshly-published advisory trips against main even with no open PRs (the online audit is time-varying by design). gitleaks is skipped on the scheduled tick — history doesn't change between pushes. Complements Dependabot: zizmor blocks the merge, Dependabot opens the bump. Validated: zizmor online reports no findings against the current pins. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * ci: adopt the develop/main branch model (mirrors Pithead) Pithead uses develop as the default integration branch and main as the release branch; mirror that here (develop is now the repo default). - ci.yml + security.yml: run on push to [main, develop] (PRs already run on any base via the unfiltered pull_request trigger). - coverage: diff-cover now compares against the PR's actual base branch (github.base_ref, falling back to the pushed branch) instead of a hardcoded origin/main — so patch coverage stays correct once develop diverges from main. - CONTRIBUTING: document the two-branch model; PRs target develop. - RELEASING: build the release commit on develop, fast-forward into main, tag from main. develop is merged to main at each release (1.1 onward). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * docs(contributing): state inbound contributions are MIT-licensed (closes #119) (#121) * ci: DX glue + config/docs lint (.editorconfig, pre-commit, yamllint, markdownlint, lychee) (#118) (#122) Rounds out the non-shell tooling around RigForge's existing shellcheck/shfmt + kcov core, finishing the tooling epic (#116). - .editorconfig: encodes the whitespace house style (shfmt -i 4, LF, final newline) so editors match CI. - pre-commit: .pre-commit-config.yaml now orchestrates `make lint` (shellcheck + shfmt via the Makefile's SHELL_FILES — single source of truth, no duplicated list), the existing gitleaks hook, and freebie hygiene hooks (detect-private-key, check-added-large-files, end-of-file-fixer, trailing-whitespace). - yamllint + markdownlint: new CI jobs in ci.yml (and `make lint-yaml` / `make lint-md`), each with a tuned config (.yamllint, .markdownlint-cli2.yaml) matching the repo's house style. Pinned via pipx / npx like diff-cover/zizmor. - lychee: new scheduled workflow (links.yml) + `make lint-links`, kept off the PR path since external links are flaky-by-nature. Pinned + checksum-verified binary. - docs: small fixes to satisfy the structural markdown rules (blank lines around headings/lists/fences via --fix; code-fence languages; fenced donation block; README hero subtitle as <h3> to keep the heading hierarchy clean). - CONTRIBUTING: document the hooks + the config/docs lint targets. Validated locally: yamllint --strict, markdownlint, zizmor (online), lychee (198 links OK), and `pre-commit run --all-files` all green. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * release: v1.1.0 Roll up the Unreleased changelog under 1.1.0 and bump VERSION. v1.1 is the tooling/code-quality + repo-hardening release: supply-chain & secrets gates (#117), DX glue + config/docs lint (#118), the develop/main branch model, and the MIT-licensing contributing note (#119). Stratum auth/TLS (#113/#115) were deferred to v1.6. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * docs: copy-edit for a more natural, less templated voice Moderate style pass across the README, the docs/ guides, and the meta docs (CONTRIBUTING, SECURITY, RELEASING, issue/PR templates): trim em-dash density, drop gratuitous bold and italics-for-emphasis, soften marketing cadence and the recurring "X, not Y" construction, and cut filler/virtue words. Prose-only. Verified no code blocks, command tokens, flags, env vars, numbers, link targets, or table rows changed; emoji section headers kept; markdownlint clean across all 18 files. CHANGELOG left in the standard Keep-a-Changelog style. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * chore: defer release — keep v1.1 tooling/docs under [Unreleased] The v1.1 work is dev tooling (gitleaks/zizmor/Dependabot, pre-commit, the lint configs, the develop/main branch model) plus a docs copy-edit. None of the tooling is in the release bundle (release.yml ships rigforge.sh/util/systemd/ config templates/README/docs/images/LICENSE/VERSION — not tests/, .github/, or the dotfiles), and rigforge.sh is unchanged, so there's nothing user-facing to release. Bumping to 1.1.0 (MINOR) would signal new functionality that isn't there. Revert the premature VERSION bump (back to 1.0.1) and the changelog rollup; the entries stay under [Unreleased] and will ship with the next release that actually changes something for users. main stays at the last release (1.0.1). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * feat: worker HTTP API open (read-only) by default (#125) ACCESS_TOKEN no longer defaults to the rig name. Left unset, the rig's :8080 xmrig API is served `restricted` (read-only) with NO token — which matches Pithead's new default no-auth stats probe, so a stock rig needs zero token coordination. Setting ACCESS_TOKEN re-enables Bearer auth (now validated only when non-empty); match it dashboard-side with workers.api_auth token|name. Pairs with pithead#171/#172 (the dashboard's single config-driven worker API probe). Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> * ci(deps): bump actions/checkout in the github-actions group (#124) Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout). Updates `actions/checkout` from 6.0.3 to 7.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@df4cb1c...9c091bb) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Vijit Singh <vijit.n.singh@gmail.com> * docs: rewrite for voice consistency (#126) * docs: rewrite CONTRIBUTING.md for voice consistency Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs. No technical facts, commands, flags, addresses, ports, or numbers changed (code fences and inline code verified byte-identical). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * docs: rewrite README.md for voice consistency Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs. No technical facts, commands, flags, addresses, ports, or numbers changed (code fences and inline code verified byte-identical). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * docs: rewrite RELEASING.md for voice consistency Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs. No technical facts, commands, flags, addresses, ports, or numbers changed (code fences and inline code verified byte-identical). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * docs: rewrite SECURITY.md for voice consistency Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs. No technical facts, commands, flags, addresses, ports, or numbers changed (code fences and inline code verified byte-identical). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * docs: rewrite docs/README.md for voice consistency Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs. No technical facts, commands, flags, addresses, ports, or numbers changed (code fences and inline code verified byte-identical). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * docs: rewrite docs/benchmarks.md for voice consistency Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs. No technical facts, commands, flags, addresses, ports, or numbers changed (code fences and inline code verified byte-identical). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * docs: rewrite docs/configuration.md for voice consistency Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs. No technical facts, commands, flags, addresses, ports, or numbers changed (code fences and inline code verified byte-identical). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * docs: rewrite docs/faq.md for voice consistency Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs. No technical facts, commands, flags, addresses, ports, or numbers changed (code fences and inline code verified byte-identical). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * docs: rewrite docs/getting-started.md for voice consistency Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs. No technical facts, commands, flags, addresses, ports, or numbers changed (code fences and inline code verified byte-identical). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * docs: rewrite docs/hardware.md for voice consistency Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs. No technical facts, commands, flags, addresses, ports, or numbers changed (code fences and inline code verified byte-identical). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * docs: rewrite docs/how-it-works.md for voice consistency Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs. No technical facts, commands, flags, addresses, ports, or numbers changed (code fences and inline code verified byte-identical). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * docs: rewrite docs/operations.md for voice consistency Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs. No technical facts, commands, flags, addresses, ports, or numbers changed (code fences and inline code verified byte-identical). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * docs: rewrite docs/pithead-integration.md for voice consistency Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs. No technical facts, commands, flags, addresses, ports, or numbers changed (code fences and inline code verified byte-identical). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * docs: rewrite tests/README.md for voice consistency Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs. No technical facts, commands, flags, addresses, ports, or numbers changed (code fences and inline code verified byte-identical). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> * refactor: ponytail cleanup — drop dead duplicates + stdlib trims (#128) Behaviour-preserving cleanups from a ponytail (over-engineering) audit. The audit's headline finding is that rigforge is already lean; these are the few real cuts. rigforge.sh: - macOS tuning block re-set YIELD/PRIORITY/NUMA/HTTP_RESTRICTED to the exact values the shared defaults block already sets — dead no-ops (plus an orphaned priority comment duplicating the default's). Keep only the values that actually differ. - link_cli: fold the `ok` flag into the `if` it guards. util/proposed-grub.sh: - L3-cache + socket parsing: `lscpu | grep ... | awk` -> single `awk`; strip via bash builtin (`${L3_RAW//[!0-9]/}`) instead of `echo | sed`. - 1GB-pages read: `$(<file)` instead of `cat ... || echo 0` (the file is guarded by -f already, and the default is set to 0 above). No behaviour change; 614-test suite green. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> * chore: rename config files for clarity (minimal + reference) (#127) config.json.template -> config.minimal.json (the copy-me starter: just the pool URL) config.advanced.example.json -> config.reference.json (the full reference: every key with its default, enforced complete by the #23 test) Matches the same rename in Pithead for cross-repo consistency. Content unchanged — the the starter is still just the pool URL. Updated all references (rigforge.sh, RELEASING, docs/configuration, .gitignore, the release workflow + macOS e2e bundle, and the config tests). CHANGELOG keeps the old names (historical). Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> * test: cover the edge cases the suite was missing (#129) Adds ~58 assertions for previously-untested branches and degenerate inputs, all at the run.sh layer (stub-driven, hardware-independent, bash 3.2-safe) per tests/README.md — no new files, SHELL_FILES unchanged. Behaviours now covered: - check_prerequisites: the whole jq-bootstrap (apt/dnf/pacman/none/brew/ no-brew/already-present) — was entirely untested - install_dependencies: the dnf and pacman branches + the no-manager warn-not-abort path + the apt-cache-present linux-tools branch - install_service reboot-gate (#audit A2): enable-but-NOT-start when a reboot is pending, restart on rebuild, start on steady state, plus CPUPOWER_PATH substitution in ExecStartPre - compile_xmrig drops the clone (rm -rf) on a commit mismatch (#18) - config-gen round-trips: bracketed IPv6 url, single-pool tls, empty ACCESS_TOKEN -> JSON null - restore of a corrupt / config-less archive: fails AND leaves the existing config.json untouched (no silent clobber) - uninstall without --yes aborts cleanly on 'n' and reverts nothing - mac_start guard (no built worker -> "run setup first"); mac_stop launchd-owned delegation - numeric degenerate inputs: _median/_stddev/_mean on empty/single sample; _watts_from_energy backwards counter w/ no wrap-max; the no-power efficiency fallbacks in _accept_better and _autotune_score - compute_build_jobs sub-2GB floor; the 1G fstab line on a fresh write; the rest of the xmrig.service hardening block Verified: make lint clean; make test 664/664; make coverage 91.34% (floor 80); suite passes 687/687 on a real Ubuntu 24.04 / bash 5.2 rig. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> * fix(e2e-real): don't send an API Bearer when ACCESS_TOKEN is unset The worker HTTP API now defaults to open (read-only) with no token, so XMRig 401s the stale "Bearer $(hostname)" the verify warmup still sent. Under set -e + pipefail that surfaced as curl -f exit 22 aborting verify silently before any output. Send the header only when ACCESS_TOKEN is set. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(tune): don't send an API Bearer when ACCESS_TOKEN is unset _read_api_hashrate always sent "Bearer ${ACCESS_TOKEN:-}", so with the new open (no-token) API default it sent an empty Bearer, XMRig 401'd it, and curl -f (exit 22) aborted the caller under set -e — breaking every live-hashrate read: autotune (incl. the monthly timer), tune --live, tune --confirm, and the upgrade re-tune. Send the header only when ACCESS_TOKEN is set. The suites stub this via API_CMD, so only the real-hardware e2e gate exercised the curl path that regressed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * release: v1.1.0 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * docs(release): promote develop to main via a reviewable PR, not a direct push The develop->main promotion goes through a PR (release gate + audit trail); main is protected. Fast-forward/rebase-merge so the tag lands on develop's release commit. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * test(tune): cover _read_api_hashrate's auth-header logic; harden for bash 3.2 Adds a unit test driving the real _read_api_hashrate with a stubbed curl — asserting no Authorization header when ACCESS_TOKEN is unset and a Bearer when set. This is the branch the rest of the suite stubs via API_CMD, so it was uncovered (diff-cover patch-coverage gate flagged the new lines) and is exactly where the open-API regression hid. Also swaps the empty-array curl arg for an if/else, since "${arr[@]}" on an empty array trips set -u on bash 3.2 (the macOS CI job). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Rename the two config files so the names say what they are — the same rename as Pithead #326, for cross-repo consistency.
config.json.templateconfig.minimal.jsonconfig.advanced.example.jsonconfig.reference.jsonContent
No content change needed:
config.reference.jsonis already complete — the#23unit test enforces that it documents every keyparse_configreads (and excludes the internalPOOL_HOST/WORKER_NAME/WORKER_CONFIG_FILEkeys). Still passes after the rename.config.minimal.jsonis still minimal — onepools[0].urlwith the<YOUR_POOL_HOST>placeholder, andparse_configstill rejects it unedited (no accidental deploy to a bogus host).References updated
rigforge.sh,docs/configuration.md,RELEASING.md,.gitignore, the release workflow (.github/workflows/release.yml), the macOS e2e bundle (tests/e2e/macos.sh), and the config unit tests (tests/run.sh).CHANGELOG.mdkeeps the old names (historical).Verification
jq— both files valid JSONtests/run.sh— 614 pass (incl. the renamedconfig.reference.json/config.minimal.jsonunit tests)shellcheck+shfmt,markdownlint, YAML parse of the release workflow — cleanNOTE: touches
docs/configuration.md, which the open voice-consistency PR (#126) also edits — a small filename-line conflict on whichever merges second.🤖 Generated with Claude Code