From 6b647721fa61570bbb323d6f4f89a58c7e7ea381 Mon Sep 17 00:00:00 2001 From: Daniel Young <9008637+YoungDan@users.noreply.github.com> Date: Fri, 29 May 2026 14:29:05 +0200 Subject: [PATCH 1/2] release: prepare v1.0.0 (version bump, provenance polish, repo hygiene) Bump crate to 1.0.0, embed git SHA in --version via build.rs, emit shasum-compatible .sha256 sidecars, and add CODEOWNERS + SECURITY.md for Task 14 repo configuration. --- .github/CODEOWNERS | 2 ++ .github/workflows/release.yml | 6 ++++-- Cargo.lock | 2 +- Cargo.toml | 2 +- SECURITY.md | 19 +++++++++++++++++++ build.rs | 23 +++++++++++++++++++++++ src/cli.rs | 12 +++++++++++- 7 files changed, 61 insertions(+), 5 deletions(-) create mode 100644 .github/CODEOWNERS create mode 100644 SECURITY.md create mode 100644 build.rs diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..f52f8bf --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,2 @@ +# Default reviewers for deslicer/cli +* @deslicer/core diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ddfb48c..fa7a094 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,6 +20,8 @@ jobs: build: name: Build (${{ matrix.target }}) runs-on: ${{ matrix.os }} + env: + DESLICER_GIT_SHA: ${{ github.sha }} strategy: fail-fast: false matrix: @@ -90,7 +92,7 @@ jobs: install -d "dist/${TARGET}" cp "${BIN}" "dist/${TARGET}/${{ env.BINARY_NAME }}" tar -C "dist/${TARGET}" -czf "${ARTIFACT}" "${{ env.BINARY_NAME }}" - sha256sum "${ARTIFACT}" | awk '{print $1}' > "${ARTIFACT}.sha256" + sha256sum "${ARTIFACT}" > "${ARTIFACT}.sha256" echo "artifact=${ARTIFACT}" >> "$GITHUB_ENV" - name: Package archive (Windows) 
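Review bot: The sidecar written by `sha256sum "${ARTIFACT}" > "${ARTIFACT}.sha256"` now records the file name exactly as it was passed on the command line, so any directory prefix in `${ARTIFACT}` ends up inside the published checksum file. `${ARTIFACT}` is defined outside this hunk; if it is not a bare file name, `sha256sum -c` will only succeed for users who recreate the same relative path. In that case, run the command from the artifact's directory or pass the basename. A comment above the line, such as `# coreutils format "<hex>  <name>": an integrity check only, authenticity comes from the cosign signature`, would also stop consumers treating the sidecar as a trust anchor.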
@@ -104,7 +106,7 @@ jobs: Copy-Item $bin "dist/$target/${{ env.BINARY_NAME }}.exe" Compress-Archive -Path "dist/$target/${{ env.BINARY_NAME }}.exe" -DestinationPath $artifact -Force $hash = (Get-FileHash $artifact -Algorithm SHA256).Hash.ToLower() - Set-Content -NoNewline -Path "$artifact.sha256" -Value $hash + Set-Content -NoNewline -Path "$artifact.sha256" -Value "$hash $artifact" "artifact=$artifact" | Out-File -FilePath $env:GITHUB_ENV -Append - name: Upload build artifact diff --git a/Cargo.lock b/Cargo.lock index 5840318..3436f62 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -263,7 +263,7 @@ dependencies = [ [[package]] name = "deslicer-cli" -version = "0.1.0" +version = "1.0.0" dependencies = [ "anyhow", "async-trait", diff --git a/Cargo.toml b/Cargo.toml index b7ec80e..4d45285 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "deslicer-cli" -version = "0.1.0" +version = "1.0.0" edition = "2021" rust-version = "1.88" authors = ["Deslicer "] diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..dac931d --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,19 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | --------- | +| latest `v1.x` release | yes | +| older major/minor | no | + +## Reporting a Vulnerability + +Please report security issues **privately** — do not open a public GitHub issue. + +- **Email:** security@deslicer.ai (preferred) +- **Engineering contact:** engineering@deslicer.ai + +Include steps to reproduce, affected versions, and impact if known. We aim to acknowledge reports within **2 business days** and will coordinate disclosure once a fix is available. + +Signed release artifacts (cosign keyless + SLSA L3 provenance) are published on each [GitHub Release](https://github.com/deslicer/cli/releases). Verify downloads with the attached `.sig`, `.cert`, and `multiple.intoto.jsonl` before use in production pipelines. 
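Review bot: The Windows sidecar is written with `-NoNewline`, so unlike the output of `sha256sum` in the Unix step it has no line terminator, and concatenating the per-target `.sha256` files into one checksum list would fuse two entries onto one line. Keeping `-NoNewline` is reasonable because it avoids a CRLF that would end up in the parsed file name, but the value should then end with an explicit LF. The separator in `"$hash $artifact"` should also be confirmed as the two-space form that `sha256sum` emits; whitespace on this page appears collapsed, so this cannot be checked here. If `$artifact` can carry a directory component (it is assigned outside the hunk), write `Split-Path -Leaf $artifact` into the sidecar instead.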
diff --git a/build.rs b/build.rs new file mode 100644 index 0000000..cf4223d --- /dev/null +++ b/build.rs @@ -0,0 +1,23 @@ +fn main() { + let sha = std::env::var("DESLICER_GIT_SHA") + .ok() + .filter(|s| !s.trim().is_empty()) + .or_else(git_short_sha) + .unwrap_or_else(|| "unknown".to_string()); + + println!("cargo:rustc-env=DESLICER_GIT_SHA={sha}"); + println!("cargo:rerun-if-env-changed=DESLICER_GIT_SHA"); + println!("cargo:rerun-if-changed=.git/HEAD"); +} + +fn git_short_sha() -> Option { + let output = std::process::Command::new("git") + .args(["rev-parse", "--short", "HEAD"]) + .output() + .ok()?; + if !output.status.success() { + return None; + } + let sha = String::from_utf8_lossy(&output.stdout).trim().to_string(); + if sha.is_empty() { None } else { Some(sha) } +} diff --git a/src/cli.rs b/src/cli.rs index 68d9863..773dbab 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -3,7 +3,17 @@ use clap::{Parser, Subcommand, ValueEnum}; use crate::ci::CiPlatform; #[derive(Parser)] -#[command(name = "deslicer", version, about)] +#[command( + name = "deslicer", + version, + long_version = concat!( + env!("CARGO_PKG_VERSION"), + " (", + env!("DESLICER_GIT_SHA"), + ")" + ), + about +)] pub struct Cli { #[arg( long, From 9ac79d84985a8e43ec16d039323e0407fa10386e Mon Sep 17 00:00:00 2001 From: Daniel Young <9008637+YoungDan@users.noreply.github.com> Date: Fri, 29 May 2026 14:32:24 +0200 Subject: [PATCH 2/2] style: rustfmt build.rs --- build.rs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/build.rs b/build.rs index cf4223d..1e96122 100644 --- a/build.rs +++ b/build.rs @@ -19,5 +19,9 @@ fn git_short_sha() -> Option { return None; } let sha = String::from_utf8_lossy(&output.stdout).trim().to_string(); - if sha.is_empty() { None } else { Some(sha) } + if sha.is_empty() { + None + } else { + Some(sha) + } }
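Review bot: In `main`, `DESLICER_GIT_SHA` from the environment is tested with `s.trim().is_empty()` but then printed untrimmed and unvalidated into the `cargo:rustc-env=` line. A value containing a line break would therefore add extra lines to the build script's directive output, and any arbitrary string would appear in the `--version` text that users read as provenance. Normalise and restrict it first, e.g. `.map(|s| s.trim().to_owned())` followed by `.filter(|s| !s.is_empty() && s.bytes().all(|b| b.is_ascii_hexdigit()))`, so that anything else falls through to `git_short_sha` or "unknown". Separately, `cargo:rerun-if-changed=.git/HEAD` will usually not fire on a new commit to the same branch, because HEAD typically holds only a ref name, so the fallback SHA can go stale in local builds. CI also passes the full `github.sha` while the fallback is the short form, which is worth a comment.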
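Review bot: Nothing next to the new `long_version` attribute says where `DESLICER_GIT_SHA` comes from. `env!` is resolved at compile time and fails the build if the variable is missing, so this code silently depends on build.rs always emitting it. A comment above `#[command(` would cover it, e.g. `// DESLICER_GIT_SHA is emitted by build.rs (CI commit, local git, or "unknown"); it appears in --version, while -V prints only the crate version.` The short/long split described there is clap's usual behaviour and should be confirmed against the clap version in use. The `Cli` struct continues outside the hunk.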