Skip to content

Releases: Glyndor/.github

v1.10.0

Choose a tag to compare

@Jaro-c Jaro-c released this 17 Jul 17:04
Immutable release. Only release title and notes can be modified.
v1.10.0
b12b4c0

What's Changed

  • chore(deps): set an explicit Dependabot open-PR limit by @Jaro-c in #91
  • chore: relicense from Apache-2.0 to MIT by @Jaro-c in #93
  • docs: org profile says MIT, not Apache-2.0 by @Jaro-c in #94
  • ci: pin every tool the reusables install by @Jaro-c in #95
  • ci: harden the reusables against fork code and unverifiable merges by @Jaro-c in #96
  • ci: three new reusables, ps1 contract coverage, and collision-free namespacing by @Jaro-c in #97
  • ci(powershell): add an exclude-rules input for deliberate rule violations by @Jaro-c in #98

Full Changelog: v1.9.1...v1.10.0

v1.9.1

Choose a tag to compare

@Jaro-c Jaro-c released this 15 Jul 06:27
Immutable release. Only release title and notes can be modified.
v1.9.1
505d78d

Fixes v1.9.0's toolchain pin on Windows runners.

rust-ci (#90)

  • Pin test-extra's shell to bash.

Why

v1.9.0 replaced the literal stable with "$TOOLCHAIN" read from env:. On a Windows runner the default shell is PowerShell, where $TOOLCHAIN reads a PowerShell variable rather than the environment — so it expanded to the empty string and rustup failed:

error: invalid value '' for '[TOOLCHAIN]...': invalid toolchain name: ''

The literal never depended on the shell, so the bug arrived with the pin. test-extra is the only job that can land on a non-Linux runner (it's the one driven by extra-test-os); the other seven are ubuntu-latest, where bash is already the default. Same approach podup's release.yml already takes for its cross-OS matrix.

Upgrade note: if any consumer lists a Windows runner in extra-test-os, v1.9.0 is unusable for it — take v1.9.1 instead. Verified on podup, whose matrix covers macOS and Windows.

v1.9.0

Choose a tag to compare

@Jaro-c Jaro-c released this 15 Jul 06:11
Immutable release. Only release title and notes can be modified.
v1.9.0
e22b97f

Stop rust-ci from upgrading the Rust toolchain behind your back.

rust-ci (#89)

  • New toolchain input, default "1.97", used by the seven jobs that installed stable: lint, test, test-extra, coverage, package, semver and doc.
  • The msrv job is unchanged and keeps its own msrv input — the floor a user needs to compile is a separate question from which toolchain CI builds with.
  • The input goes through env:, not shell interpolation, matching rust-fuzz and the existing MSRV step.

Why

stable moves on its own the day upstream ships a release. Rust 1.97.0 landed on 2026-07-07 and widened clippy's question_mark lint to reach code that had been fine for months; with -D warnings that is fatal. Every open pull request in podup went red on Format & lint regardless of what it touched — blocking a security fix and a release — for a change nobody made.

This is the same pinning v1.8.0 gave python-ci's ruff/pytest, for the reason stated there: an unpinned tool changes lint and test behaviour for every consumer the day a new release ships, with no per-repo buffer. The Rust lane just missed it.

Upgrade note — adoption is a no-op today. 1.97 resolves to rustc 1.97.0 (2d8144b78 2026-07-07), which is exactly what CI already ran. Consumers get the compiler they already have and simply stop drifting. To adopt a newer toolchain, bump the pin here and cut a release: each repo then takes it deliberately, sees which lints it gained, and fixes them on its own schedule. Pass toolchain: to override per repo.

v1.8.0

Choose a tag to compare

@Jaro-c Jaro-c released this 15 Jul 04:08
Immutable release. Only release title and notes can be modified.
v1.8.0
6afe4d8

Give shell-ci a test lane, close a main-guard bypass, and stop python-ci from tracking latest.

shell-ci (#87)

  • New test-command input runs the repository's own shell test suite after the lint job; apt-packages installs whatever that suite needs.
  • The lane is skipped entirely when test-command is empty, so existing callers are unaffected.

main-guard (#87)

  • Require the pull request head to live in this repository, not just to be named develop. The branch name alone is forgeable — a fork can name any branch develop and satisfy the old check.

python-ci (#87)

  • ruff-version and pytest-version now default to pins (0.12.0 / 8.4.0) instead of the empty "use latest" value. An unpinned tool changes lint and test behaviour for every Python consumer the day a new release ships, with no per-repo buffer.
  • Only enable pip caching when a dependency file actually exists — cache: pip failed outright on repos without one.

Concurrency (#87)

  • bun-ci, go-audit, go-ci, go-fuzz, python-ci, rust-audit, rust-ci, rust-fuzz, rust-supply-chain and shell-ci now key their concurrency group on working-directory. Two directories in the same repo no longer cancel each other's runs.

Repo-local (no consumer impact)

  • Run the DCO gate on this repository's own pull requests (#78).
  • Retire the profile-versions bot (#84); refresh and restructure the org profile (#83, #85, #88); trim the README (#77).

Upgrade note: python-ci consumers that relied on the previous "empty = latest" default now get the pins above. Pass ruff-version / pytest-version explicitly to override, and bump the pins through a new .github release so the change is reviewable per repo.

v1.7.0

Choose a tag to compare

@Jaro-c Jaro-c released this 29 Jun 23:32
Immutable release. Only release title and notes can be modified.
v1.7.0
367c665

Harden the reusable CI gates and bootstrap the repo's own license/ownership.

Reusable CI gates (#76)

  • rust-ci: build/test and clippy now run with --locked, so a drifted Cargo.lock fails the PR.
  • rust-audit: cargo audit --deny warnings — unmaintained, unsound and yanked advisories now fail, not just vulnerabilities.
  • rust-supply-chain: collect workspace-member SBOMs with a recursive glob.
  • line-limit: stop counting Rust attributes (#[...]) as comments.
  • shell-ci: also lint extensionless scripts with a shell shebang.
  • profile-versions: drop the unused pull-requests grant, add a concurrency group.
  • rust-fuzz/go-fuzz: pass caller inputs through env: instead of shell interpolation.

Repo bootstrap (#75)

  • Add the Apache-2.0 LICENSE and a CODEOWNERS.

rust-debian (#74)

  • Split the offline cargo args without tripping shellcheck SC2086.

Upgrade note: the stricter Rust gates (--locked, --deny warnings) can newly fail a consumer whose Cargo.lock has drifted or that carries warning-class advisories. Bump deliberately and fix what surfaces.

v1.6.0

Choose a tag to compare

@Jaro-c Jaro-c released this 28 Jun 20:09
Immutable release. Only release title and notes can be modified.
61be27a

Add actionlint self-CI for the reusables. Fix shellcheck findings in python-ci and rust-debian (quoting/glob robustness; no behaviour change). Consumers' Dependabot will bump the SHA pin to this release.

v1.5.0

Choose a tag to compare

@Jaro-c Jaro-c released this 28 Jun 19:35
Immutable release. Only release title and notes can be modified.
88d4062

Bump pinned actions in the reusables (setup-go v6.5.0, setup-python v6.3.0, actions/cache v6.0.0). Additive editorconfig + .gitignore hygiene. Consumers' Dependabot will bump the SHA pin to this release.

v1.4.0

Choose a tag to compare

@Jaro-c Jaro-c released this 28 Jun 18:53
Immutable release. Only release title and notes can be modified.
c628c93

Add go-fuzz and rust-fuzz reusable workflows (additive). Consumers replace inline fuzz workflows with thin callers pinned to this release.

v1.3.0

Choose a tag to compare

@Jaro-c Jaro-c released this 28 Jun 03:30
Immutable release. Only release title and notes can be modified.
aba530b

Added

  • go-audit.yml reusable — Go security audit (govulncheck + gosec), the counterpart to rust-audit.yml. Tools run via go install (no third-party actions); Go version read from the caller's go.mod.

v1.2.0

Choose a tag to compare

@Jaro-c Jaro-c released this 19 Jun 11:37
Immutable release. Only release title and notes can be modified.
8052342

feat(line-limit): the file-size check counts code lines only — blank lines and comment-only lines (including the required public-item doc comments) no longer count toward the 300/500 limit. Backward-compatible relaxation (code lines ≤ total). Consumers: bump the pinned line-limit.yml SHA via Dependabot.