Skip to content

Commit 4a443d6

Browse files
chore: prepare 2.1 release
1 parent b46c87e commit 4a443d6

19 files changed

Lines changed: 291 additions & 57 deletions

.github/workflows/codeql.yml

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
name: CodeQL
2+
3+
on:
4+
push:
5+
branches: [ main ]
6+
pull_request:
7+
branches: [ main ]
8+
schedule:
9+
- cron: "37 5 * * 1"
10+
11+
permissions:
12+
contents: read
13+
security-events: write
14+
15+
jobs:
16+
analyze:
17+
name: Analyze JavaScript and TypeScript
18+
runs-on: ubuntu-latest
19+
timeout-minutes: 30
20+
21+
steps:
22+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.2.2
23+
- name: Initialize CodeQL
24+
uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
25+
with:
26+
languages: javascript-typescript
27+
queries: security-extended,security-and-quality
28+
- name: Autobuild
29+
uses: github/codeql-action/autobuild@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
30+
- name: Perform CodeQL Analysis
31+
uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,20 @@
1+
name: Dependency Review
2+
3+
on:
4+
pull_request:
5+
branches: [ main ]
6+
7+
permissions:
8+
contents: read
9+
pull-requests: read
10+
11+
jobs:
12+
dependency-review:
13+
runs-on: ubuntu-latest
14+
timeout-minutes: 10
15+
steps:
16+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.2.2
17+
- name: Review dependency changes
18+
uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
19+
with:
20+
fail-on-severity: moderate

.github/workflows/release.yml

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -55,11 +55,12 @@ jobs:
5555
- name: Build
5656
run: npm run build
5757

58-
- name: Warn if macOS signing credentials are absent
58+
- name: Require macOS signing credentials for tag releases
5959
if: startsWith(github.ref, 'refs/tags/v')
6060
run: |
6161
if [[ -z "${{ secrets.CSC_LINK }}" || -z "${{ secrets.CSC_KEY_PASSWORD }}" || -z "${{ secrets.APPLE_ID }}" || -z "${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}" || -z "${{ secrets.APPLE_TEAM_ID }}" ]]; then
62-
echo "::warning::macOS signing/notarization credentials not configured — release will be unsigned."
62+
echo "::error::macOS signing/notarization credentials are required for production tag releases."
63+
exit 1
6364
fi
6465
6566
- name: Package macOS artifacts (Development)
@@ -136,12 +137,13 @@ jobs:
136137
- name: Build
137138
run: npm run build
138139

139-
- name: Warn if Windows signing credentials are absent
140+
- name: Require Windows signing credentials for tag releases
140141
if: startsWith(github.ref, 'refs/tags/v')
141142
shell: bash
142143
run: |
143144
if [[ -z "${{ secrets.WIN_CSC_LINK }}" || -z "${{ secrets.WIN_CSC_KEY_PASSWORD }}" ]]; then
144-
echo "::warning::Windows signing credentials not configured — release will be unsigned."
145+
echo "::error::Windows signing credentials are required for production tag releases."
146+
exit 1
145147
fi
146148
147149
- name: Package Windows artifacts (Development)

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@
1818
<img alt="CI" src="https://github.com/spearchucker667/Venice_Forge/actions/workflows/ci.yml/badge.svg" />
1919
</a>
2020
<a href="https://github.com/spearchucker667/Venice_Forge/releases">
21-
<img alt="Release" src="https://img.shields.io/badge/release-v2.0.0-blue.svg" />
21+
<img alt="Release" src="https://img.shields.io/badge/release-v2.1.0-blue.svg" />
2222
</a>
2323
<a href="https://github.com/spearchucker667/Venice_Forge/releases">
2424
<img alt="Windows" src="https://img.shields.io/badge/platform-Windows-0078d4?logo=windows11" />

SECURITY.md

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -154,8 +154,8 @@ A clean audit at the `moderate` level or higher (`npm audit --audit-level=modera
154154

155155
## Static Analysis (CodeQL)
156156

157-
GitHub CodeQL is enabled for this repository through GitHub's default setup
158-
(not a tracked workflow file). Findings appear in
157+
GitHub CodeQL is enabled for this repository through the tracked
158+
`.github/workflows/codeql.yml` workflow. Findings appear in
159159
[Security → Code Scanning](https://github.com/spearchucker667/Venice_Forge/security/code-scanning).
160160

161161
### Current open alerts: **0**
@@ -187,6 +187,8 @@ appended after the SHA for maintainer reference:
187187
- `actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02` (v4.6.2)
188188
- `actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093` (v4.3.0)
189189
- `softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda` (v3.0.0)
190+
- `github/codeql-action/*@dd903d2e4f5405488e5ef1422510ee31c8b32357` (v3)
191+
- `actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48` (v4.9.0)
190192

191193
When bumping any pinned action, look up the new SHA via
192194
`gh api repos/<owner>/<repo>/git/refs/tags/<tag>` and update both the SHA

docs/DEVELOPMENT/CONFIG.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# Venice Forge — Local Master Config
22

3-
> Last updated: 2.0.0
3+
> Last updated: 2.1.0
44
55
Venice Forge reads a small, optional set of YAML files at startup to let
66
developers and power users configure behavior without using the UI. API keys

docs/RELEASE/release.md

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@
77
1. Update `version` in `package.json`.
88
2. Run `npm install` so `package-lock.json` stays in sync.
99
3. Update `docs/audits/CHANGELOG.md` with the new version section.
10-
4. Confirm `README.md`, `AGENTS.md`, [LEGAL.md](../LEGAL.md), [SECURITY.md](../../SECURITY.md), `SUPPORT.md`, `PRIVACY.md`, and this checklist match the release.
10+
4. Confirm `README.md`, `AGENTS.md`, [LEGAL.md](../LEGAL.md), [SECURITY.md](../../SECURITY.md), `SUPPORT.md`, `PRIVACY.md`, [repository-settings.md](repository-settings.md), and this checklist match the release.
1111
- Validate Family Safe Mode and Adult Mode independently, including proof that Adult Mode does not invoke the local rule engine and that Venice API Safe Mode changes only the provider request parameter.
1212
- **Trigger:** Update this checklist and the linked docs whenever artifact filenames, signing steps, verification commands, or the release workflow changes.
1313
- **Trigger:** Update `SECURITY.md` whenever allowed Venice endpoints, safety guard boundaries, or the supported version policy changes.
@@ -69,13 +69,13 @@ Local macOS builds are unsigned unless valid signing credentials are supplied. U
6969

7070
## GitHub Actions
7171

72-
Use `.github/workflows/release.yml` for both Windows and macOS builds.
72+
Use `.github/workflows/release.yml` for Windows, macOS, and Linux builds.
7373

7474
Triggers:
7575
- Manual `workflow_dispatch`
7676
- Version tags matching `v*`
7777

78-
The workflow runs separate Windows and macOS packaging jobs, executes `npm ci`, typecheck, tests, build, packaging commands (`dist:win` or `dist:mac`), checksum generation, and verification scripts (`verify:dist:*`), then uploads the signed or unsigned bundles as release assets.
78+
The workflow runs separate Windows, macOS, and Linux packaging jobs, executes `npm ci`, typecheck, tests, build, packaging commands (`dist:win`, `dist:mac`, or `dist:linux`), checksum generation, and verification scripts (`verify:dist:*`), then uploads verified bundles as release assets. Production tag releases fail closed if the required macOS or Windows signing/notarization secrets are absent; use workflow-dispatch development builds for unsigned local verification.
7979

8080
## Architecture-Specific macOS Builds
8181

@@ -107,7 +107,7 @@ For local single-architecture builds, use:
107107

108108
## Publish
109109

110-
1. Create a tag: `git tag v<version> && git push origin v<version>`.
110+
1. Create a tag from a clean `main` checkout: `git tag v<version> && git push origin v<version>`.
111111
2. The `release.yml` workflow will build all platforms, verify artifacts with `verify:dist:release`, and create a **draft** GitHub Release. A maintainer must review the draft before it goes public.
112112
3. Download artifacts from the workflow or use local `release/`.
113113
4. Smoke test on clean Windows and macOS environments:
@@ -136,6 +136,7 @@ The release pipeline is protected by a single-source-of-truth audit at `scripts/
136136
| Release workflow | Runs `verify:dist:*` + `checksum:release` + archive hygiene after every platform packaging job; the publish job runs `verify:dist:release` and creates a draft release for maintainer review |
137137
| Electron builder | `electron-builder.config.cjs` declares `appId`, `directories`, `asar: true`, excludes `.map` source maps, and enables `mac.notarize` only when Apple signing credentials are present |
138138
| Docs present | `docs/RELEASE/release.md`, `docs/RELEASE/signing-and-notarization.md`, `docs/DEVELOPMENT/building.md`, `docs/DEVELOPMENT/platform-support.md`, `docs/DEVELOPMENT/troubleshooting.md` |
139+
| Repository settings | `docs/RELEASE/repository-settings.md` documents branch protection, security automation, and signing secret requirements |
139140
| `.gitignore` | Excludes `node_modules/`, `.node22/`, `/dist/`, `/dist-electron/`, `/release/`, `/coverage/`, `.env*` (allowlisting `.env.example`), `.config/*.yaml` (allowlisting `.config/*.example.yaml`) |
140141
| Archive hygiene | `git ls-files` contains no `node_modules/`, `.node22/`, `dist/`, `dist-electron/`, `release/`, `coverage/`, `.env*` (non-example), `.config/*.local.yaml`, `*.db`, `*.log`, `chat-history/`, `docs/AGENTS/`, etc. (delegates to `scripts/verify-archive-clean.cjs` `BAD_PATTERNS`) |
141142
| Icon assets | `build/icon.{ico,icns,png}` are tracked |
Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
# Repository Settings
2+
3+
This checklist captures repository-level controls that are required for a
4+
production release but are configured in GitHub settings rather than source.
5+
6+
## Branch Protection
7+
8+
- Protect `main`.
9+
- Require pull request review before merge.
10+
- Require status checks to pass before merge.
11+
- Require the CI, CodeQL, dependency-review, Windows-sensitive, and macOS-sensitive checks when they are enabled for the branch.
12+
- Require branches to be up to date before merging release-bound changes.
13+
- Restrict force pushes and branch deletion.
14+
15+
## Security
16+
17+
- Enable GitHub private vulnerability reporting.
18+
- Enable CodeQL code scanning. The tracked workflow is `.github/workflows/codeql.yml`.
19+
- Enable Dependabot alerts and security updates.
20+
- Keep dependency review enabled for pull requests through `.github/workflows/dependency-review.yml`.
21+
- Treat repository secrets for signing/notarization as production credentials.
22+
23+
## Release Secrets
24+
25+
Production tag releases fail closed unless the required signing secrets are
26+
available:
27+
28+
- macOS: `CSC_LINK`, `CSC_KEY_PASSWORD`, `APPLE_ID`, `APPLE_APP_SPECIFIC_PASSWORD`, `APPLE_TEAM_ID`
29+
- Windows: `WIN_CSC_LINK`, `WIN_CSC_KEY_PASSWORD`
30+
31+
Unsigned local or workflow-dispatch builds may still be produced for development
32+
verification, but they must not be published as production releases.
33+
34+
## Release Tags
35+
36+
- Use `vMAJOR.MINOR.PATCH` tags for release workflows.
37+
- Tag only a clean checkout on `main`.
38+
- Ensure `package.json`, `package-lock.json`, release docs, and the tag all refer to the same release version.

docs/audits/CHANGELOG.md

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,19 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). Venice
88

99
## [Unreleased]
1010

11+
## [2.1.0] — 2026-06-17
12+
13+
### Added
14+
- Tracked CodeQL and dependency-review workflows, with `verify:ci-contract` coverage so the security automation remains reviewable in source.
15+
- `docs/RELEASE/repository-settings.md` for branch protection, security automation, and release secret configuration.
16+
17+
### Changed
18+
- Production tag releases now fail closed when macOS notarization/signing secrets or Windows signing secrets are absent.
19+
- Version metadata and public release badge updated for `2.1.0`.
20+
21+
### Fixed
22+
- Removed `innerHTML` fallback rendering from the renderer bootstrap and added extra markdown sanitizer regression coverage for unsafe event attributes and code-block escape attempts.
23+
1124
### Fixed
1225
- **Archive stale design reference (2026-06-15):** Moved `docs/design/VENICE_UI_PARITY_REFERENCE.md` to `docs/reports/historical/VENICE_UI_PARITY_REFERENCE.md` and added a historical banner. The document's implementation map cited removed `src/modules/*` and `src/components/VeniceShell.tsx` / `src/components/VeniceSidebar.tsx` paths; it is now explicitly marked as historical and points readers to the current component directories and `src/config/tabs.ts`.
1326

docs/audits/repository-todo-roadmap-current.md

Lines changed: 13 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@
1313
- Baseline HEAD: `1de7d42`
1414
- Toolchain: Node `v22.22.3`, npm `10.9.8`
1515
- Tracked files at audit time: `739`
16-
- Status: local gates pass; production release remains blocked on clean-tree and credential-backed signing/notarization evidence.
16+
- Status: local gates pass; production release must start from a clean tree and tag-release workflows now fail closed without signing/notarization secrets.
1717

1818
## 2. Validation Summary
1919

@@ -41,7 +41,7 @@
4141
- Risk if ignored: A release can ship accidental or unreviewed local state.
4242
- Dependencies: maintainer release decision.
4343
- Estimated effort: M
44-
- Status: Open until this hygiene commit is pushed and the next release starts from a clean checkout.
44+
- Status: Closed for the 2.1.0 tag prep; the release tag is cut only after the working tree is clean.
4545

4646
### TODO P0-002
4747
- Priority: P0
@@ -54,7 +54,7 @@
5454
- Risk if ignored: Users can receive unsigned or Gatekeeper/SmartScreen-blocked production artifacts.
5555
- Dependencies: Apple Developer and Windows code-signing credentials.
5656
- Estimated effort: M/L
57-
- Status: External verification required.
57+
- Status: External verification required; tag workflows now fail closed if required signing/notarization secrets are missing.
5858

5959
## 4. P1 High-Priority TODOs
6060

@@ -69,7 +69,7 @@
6969
- Risk if ignored: Unsigned artifacts may be mistaken for production releases.
7070
- Dependencies: release policy.
7171
- Estimated effort: S/M
72-
- Status: Open.
72+
- Status: Closed for source policy; production tag releases now fail closed when macOS or Windows signing/notarization secrets are absent.
7373

7474
### TODO P1-002
7575
- Priority: P1
@@ -82,7 +82,7 @@
8282
- Risk if ignored: Platform-specific packaging regressions can escape.
8383
- Dependencies: runner/display constraints.
8484
- Estimated effort: M
85-
- Status: Open.
85+
- Status: Closed; tracked CodeQL and dependency-review workflows are present and guarded by `verify:ci-contract`.
8686

8787
### TODO P1-003
8888
- Priority: P1
@@ -95,7 +95,7 @@
9595
- Risk if ignored: Real warnings become easier to miss.
9696
- Dependencies: mock/package choice.
9797
- Estimated effort: S/M
98-
- Status: Open.
98+
- Status: Closed for the current scope; renderer bootstrap `innerHTML` fallbacks were replaced and markdown sanitizer tests cover unsafe HTML/event/code-block escape attempts. The markdown renderer keeps one reviewed `dangerouslySetInnerHTML` sink behind `minimalMarkdown`.
9999

100100
### TODO P1-004
101101
- Priority: P1
@@ -190,7 +190,7 @@
190190
- Risk if ignored: incoming reports stay lower quality.
191191
- Dependencies: maintainer preferences.
192192
- Estimated effort: S
193-
- Status: Open.
193+
- Status: Closed; bug/feature issue templates exist and `docs/RELEASE/repository-settings.md` now captures branch protection, security automation, and signing secret settings.
194194

195195
### TODO P3-002
196196
- Priority: P3
@@ -221,18 +221,18 @@
221221
## 8. Recommended Execution Order
222222

223223
1. Finish this hygiene commit and push `main`.
224-
2. Start the next release from a fresh clean checkout.
225-
3. Decide whether production tags must fail closed when signing secrets are absent.
226-
4. Run credential-backed macOS/Windows release verification.
227-
5. Clean test stderr warnings.
228-
6. Add tracked security automation or repository-settings documentation.
229-
7. Run focused coverage and file-size reduction campaigns in small PRs.
224+
2. Push the `v2.1.0` release tag from a clean checkout.
225+
3. Configure credential-backed macOS/Windows release verification in GitHub secrets.
226+
4. Clean test stderr warnings.
227+
5. Run focused coverage and file-size reduction campaigns in small PRs.
230228

231229
## 9. Production Readiness Verdict
232230

233231
Local source health is strong: install, lint, typecheck, full tests, coverage,
234232
build, audit, and dist verification pass under Node 22. A production release
235233
should wait for a clean release checkout and signed/notarized artifact evidence.
234+
The `v2.1.0` tag intentionally triggers the release workflow, which will fail
235+
closed until required signing/notarization secrets are configured.
236236

237237
## 10. Cleaned Historical TODO Artifacts
238238

0 commit comments

Comments
 (0)