diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..f52f8bf --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,2 @@ +# Default reviewers for deslicer/cli +* @deslicer/core diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ddfb48c..fa7a094 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,6 +20,8 @@ jobs: build: name: Build (${{ matrix.target }}) runs-on: ${{ matrix.os }} + env: + DESLICER_GIT_SHA: ${{ github.sha }} strategy: fail-fast: false matrix: @@ -90,7 +92,7 @@ jobs: install -d "dist/${TARGET}" cp "${BIN}" "dist/${TARGET}/${{ env.BINARY_NAME }}" tar -C "dist/${TARGET}" -czf "${ARTIFACT}" "${{ env.BINARY_NAME }}" - sha256sum "${ARTIFACT}" | awk '{print $1}' > "${ARTIFACT}.sha256" + sha256sum "${ARTIFACT}" > "${ARTIFACT}.sha256" echo "artifact=${ARTIFACT}" >> "$GITHUB_ENV" - name: Package archive (Windows) @@ -104,7 +106,7 @@ jobs: Copy-Item $bin "dist/$target/${{ env.BINARY_NAME }}.exe" Compress-Archive -Path "dist/$target/${{ env.BINARY_NAME }}.exe" -DestinationPath $artifact -Force $hash = (Get-FileHash $artifact -Algorithm SHA256).Hash.ToLower() - Set-Content -NoNewline -Path "$artifact.sha256" -Value $hash + Set-Content -NoNewline -Path "$artifact.sha256" -Value "$hash $artifact" "artifact=$artifact" | Out-File -FilePath $env:GITHUB_ENV -Append - name: Upload build artifact diff --git a/Cargo.lock b/Cargo.lock index 5840318..3436f62 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -263,7 +263,7 @@ dependencies = [ [[package]] name = "deslicer-cli" -version = "0.1.0" +version = "1.0.0" dependencies = [ "anyhow", "async-trait", diff --git a/Cargo.toml b/Cargo.toml index b7ec80e..4d45285 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "deslicer-cli" -version = "0.1.0" +version = "1.0.0" edition = "2021" rust-version = "1.88" authors = ["Deslicer "] diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..dac931d 
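Review bot: The two checksum files will not have the same shape after this change: the Linux step (second release.yml hunk) now stores the line `sha256sum` prints, newline-terminated, while the Windows step (third hunk) hand-builds `"$hash $artifact"` and keeps `-NoNewline`. Whitespace is collapsed on this page, so the separator cannot be confirmed here; it should be the two characters `sha256sum` emits between digest and name, and the line should end in an explicit LF rather than Set-Content's default line ending, so that one `sha256sum -c` invocation verifies archives from every target. Both files now also record whatever path `ARTIFACT` / `$artifact` holds, which is defined outside these hunks; if it carries a directory component, verification only works from that same layout, so writing the bare file name is safer.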
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| ------- | --------- |
+| latest `v1.x` release | yes |
+| older major/minor | no |
+
+## Reporting a Vulnerability
+
+Please report security issues **privately** — do not open a public GitHub issue.
+
+- **Email:** security@deslicer.ai (preferred)
+- **Engineering contact:** engineering@deslicer.ai
+
+Include steps to reproduce, affected versions, and impact if known. We aim to acknowledge reports within **2 business days** and will coordinate disclosure once a fix is available.
+
+Signed release artifacts (cosign keyless + SLSA L3 provenance) are published on each [GitHub Release](https://github.com/deslicer/cli/releases). Verify downloads with the attached `.sig`, `.cert`, and `multiple.intoto.jsonl` before use in production pipelines.
diff --git a/build.rs b/build.rs
new file mode 100644
index 0000000..1e96122
--- /dev/null
+++ b/build.rs
@@ -0,0 +1,27 @@
+fn main() {
+ let sha = std::env::var("DESLICER_GIT_SHA")
+ .ok()
+ .filter(|s| !s.trim().is_empty())
+ .or_else(git_short_sha)
+ .unwrap_or_else(|| "unknown".to_string());
+
+ println!("cargo:rustc-env=DESLICER_GIT_SHA={sha}");
+ println!("cargo:rerun-if-env-changed=DESLICER_GIT_SHA");
+ println!("cargo:rerun-if-changed=.git/HEAD");
+}
+
+fn git_short_sha() -> Option {
+ let output = std::process::Command::new("git")
+ .args(["rev-parse", "--short", "HEAD"])
+ .output()
+ .ok()?;
+ if !output.status.success() {
+ return None;
+ }
+ let sha = String::from_utf8_lossy(&output.stdout).trim().to_string();
+ if sha.is_empty() {
+ None
+ } else {
+ Some(sha)
+ }
+}
diff --git a/src/cli.rs b/src/cli.rs
index 68d9863..773dbab 100644
--- a/src/cli.rs
+++ b/src/cli.rs
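Review bot: In build.rs, `main` forwards `DESLICER_GIT_SHA` into the `cargo:rustc-env=` directive without trimming or validating it; the `filter` only rejects blank values and keeps the untrimmed string. Cargo reads build-script output line by line, so a value with an embedded newline would surface as extra output lines, and the same string is baked into the `--version` text. Normalising before use closes that: `.map(|s| s.trim().to_owned()).filter(|s| !s.is_empty() && s.chars().all(|c| c.is_ascii_hexdigit()))`. Separately, the workflow passes the full `github.sha` while the fallback uses `--short`, so release and local builds print ids of different length, and `.git/HEAD` usually holds a branch ref that does not change on commit, so the fallback value can go stale (the path is also absent when building from a packaged crate).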
@@ -3,7 +3,17 @@ use clap::{Parser, Subcommand, ValueEnum}; use crate::ci::CiPlatform; #[derive(Parser)] -#[command(name = "deslicer", version, about)] +#[command( + name = "deslicer", + version, + long_version = concat!( + env!("CARGO_PKG_VERSION"), + " (", + env!("DESLICER_GIT_SHA"), + ")" + ), + about +)] pub struct Cli { #[arg( long,