diff --git a/.bumpversion.toml b/.bumpversion.toml index 218412b..550e519 100644 --- a/.bumpversion.toml +++ b/.bumpversion.toml @@ -2,7 +2,7 @@ # SPDX-License-Identifier: Apache-2.0 [tool.bumpversion] -current_version = "2.5.1" +current_version = "2.5.2" parse = "(?P\\d+)\\.(?P\\d+)\\.(?P\\d+)" serialize = ["{major}.{minor}.{patch}"] diff --git a/CHANGELOG.md b/CHANGELOG.md index 0d3b2bc..c61208c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,15 @@ All notable changes to zenzic-action are documented in this file. The project ad ## [Unreleased] +## [2.5.2] - 2026-07-04 + +### 🔒 Security Advisory +- **Core Update**: Bumped Zenzic core dependency to `>=0.19.6` to mitigate the DQS Evasion (leading space bypass), TOML Bomb crash, and duplicate suppression consumption vulnerabilities. + +### Changed +- **Dependencies**: Pinned Zenzic core to `0.19.6`. +- **Automation**: Fixed the `pin-core` recipe in the `justfile` to correctly align the core pin in `action.yml`. + ## [2.5.1] - 2026-07-03 ### 🔒 Security Advisory diff --git a/RELEASE.md b/RELEASE.md index f5d7496..4bc7c9d 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -6,8 +6,8 @@ | Field | Value | | :------ | :--------- | -| Version | v2.5.1 | -| Date | 2026-07-03 | +| Version | v2.5.2 | +| Date | 2026-07-04 | | Status | Stable | ## Release Checklist @@ -15,7 +15,7 @@ Before tagging, every item must be green: - [ ] `action.yml` — `default:` pin updated to the latest Zenzic core version (`0.19.6`) -- [ ] `package.json` version bumped to `2.5.1` +- [ ] `package.json` version bumped to `2.5.2` - [ ] `pyproject.toml` — synchronized with core pin (`zenzic>=0.19.6`) - [ ] `just versions` — returns `✅ Ecosystem alignment verified.` - [ ] `just verify` — exits 0 @@ -32,15 +32,15 @@ git pull origin main just release # 3. Create the release tag and push -git tag v2.5.1 +git tag v2.5.2 git push && git push --tags # 4. Move the floating v2 tag to the new release: -git tag -fa v2 v2.5.1^{} -m "release: v2.5.1" +git tag -fa v2 v2.5.2^{} -m "release: v2.5.2" git push origin v2 --force # Verification (Atomic Parity Check): -git rev-parse v2^{} v2.5.1^{} +git rev-parse v2^{} v2.5.2^{} # SUCCESS: Both hashes must be identical. ``` diff --git a/SECURITY.md b/SECURITY.md index fe8750b..824c4ec 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -75,8 +75,8 @@ by the wrapper script — it is consumed exclusively by `github/codeql-action/up | Version | Support status | |---------|----------------| -| `2.5.1` (current) | ✅ All security fixes | -| `< 2.5.1` | ❌ End of life — no support | +| `2.5.2` (current) | ✅ All security fixes | +| `< 2.5.2` | ❌ End of life — no support | --- diff --git a/package.json b/package.json index 1d37a19..bd0945b 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "zenzic-action", - "version": "2.5.1", + "version": "2.5.2", "private": true, "description": "Official GitHub Action for Zenzic — Documentation Quality Gate", "license": "Apache-2.0",