From bf27805b9661a64e012862cc017cabd5b32b7b12 Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Tue, 9 Jun 2026 18:23:46 +0200 Subject: [PATCH 1/5] ci: run required Audit checks on every pull request Signed-off-by: PythonWoods --- .github/workflows/ci.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index af1f1fa..7b2be6c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,12 +13,6 @@ on: - 'uv.lock' - '.github/workflows/ci.yml' pull_request: - paths: - - 'src/**' - - 'tests/**' - - 'pyproject.toml' - - 'uv.lock' - - '.github/workflows/ci.yml' permissions: contents: read From e9581054b024d55a06a1d6334f36750cf4c53655 Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Tue, 9 Jun 2026 18:27:12 +0200 Subject: [PATCH 2/5] docs(changelog): record CI gate hardening for 0.10.4 Signed-off-by: PythonWoods --- CHANGELOG.it.md | 4 ++++ CHANGELOG.md | 4 +++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.it.md b/CHANGELOG.it.md index 56d8782..f5c6b69 100644 --- a/CHANGELOG.it.md +++ b/CHANGELOG.it.md @@ -11,6 +11,10 @@ Le versioni seguono il [Versionamento Semantico](https://semver.org/). ## [Unreleased] +### Changed + +- **Hardening del gate CI core:** Rimossi i filtri `pull_request.paths` da `.github/workflows/ci.yml` in modo che i check `Audit` obbligatori vengano sempre creati su ogni PR, senza stati expected/pending dovuti a workflow saltati. + ### Fixed - **Gli URL di loopback non vengono più segnalati come link esterni:** Gli URL `http://localhost`, `http://127.0.0.1`, `http://0.0.0.0` e `http://::1` (su qualsiasi porta) vengono ora ignorati silenziosamente dal validatore. In precedenza venivano raccolti come link esterni e provocavano un ping di rete o un errore `EXTERNAL_LINK` spurio, rendendo inutilizzabile la validazione in ambienti Docker che referenziano URL di servizi locali negli esempi di configurazione. 
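Review bot: Nothing in the workflow now records why `pull_request:` is left without a `paths` filter while the `push` trigger directly above keeps one (`- 'uv.lock'` and `- '.github/workflows/ci.yml'` are visible context), so the asymmetry reads as an oversight and is likely to be "tidied" back, which would reintroduce required checks stuck in expected/pending. I would document it at the trigger itself: `pull_request:  # no paths filter on purpose: a path-filtered workflow is not created for non-matching PRs, so branch-protection-required Audit checks would never report`. As far as this hunk shows, the wider trigger changes nothing about token scope — `permissions: contents: read` is still the workflow default — but if any job overrides permissions outside the hunk, confirm none grant write access on fork PRs. The enclosing `on:` block starts outside the hunk.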
diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e7e06b..4f68e74 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,7 +11,9 @@ Versions follow [Semantic Versioning](https://semver.org/). ## [Unreleased] -No changes yet. +### Changed + +- **Core CI gate hardening:** Removed `pull_request.paths` filters from `.github/workflows/ci.yml` so required `Audit` checks are always created for every PR and cannot remain in expected/pending due to skipped workflow runs. --- From abf1a18a28a7ba186dc7ad083865da48aac64d45 Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Tue, 9 Jun 2026 18:50:17 +0200 Subject: [PATCH 3/5] release: bump version to 0.10.4 Signed-off-by: PythonWoods --- .bumpversion.toml | 2 +- .github/ISSUE_TEMPLATE/security_vulnerability.yml | 2 +- .pre-commit-hooks.yaml | 2 +- CITATION.cff | 4 ++-- RELEASE.md | 10 +++++----- pyproject.toml | 2 +- src/zenzic/__init__.py | 2 +- src/zenzic/cli/_standalone.py | 2 +- uv.lock | 2 +- 9 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.bumpversion.toml b/.bumpversion.toml index b109fb0..1682287 100644 --- a/.bumpversion.toml +++ b/.bumpversion.toml @@ -2,7 +2,7 @@ # SPDX-License-Identifier: Apache-2.0 [tool.bumpversion] -current_version = "0.10.3" +current_version = "0.10.4" parse = "(?P\\d+)\\.(?P\\d+)\\.(?P\\d+)((?Pa|b|rc)(?P\\d+))?" serialize = [ "{major}.{minor}.{patch}{pre_l}{pre_n}", diff --git a/.github/ISSUE_TEMPLATE/security_vulnerability.yml b/.github/ISSUE_TEMPLATE/security_vulnerability.yml index f347f72..c35180f 100644 --- a/.github/ISSUE_TEMPLATE/security_vulnerability.yml +++ b/.github/ISSUE_TEMPLATE/security_vulnerability.yml @@ -29,7 +29,7 @@ body: attributes: label: Zenzic version description: Output of `zenzic --version` - placeholder: "0.10.3" + placeholder: "0.10.4" validations: required: true diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index 5609923..eb7feb6 100644 --- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml 
@@ -7,7 +7,7 @@ # # repos: # - repo: https://github.com/PythonWoods/zenzic -# rev: v0.10.3 +# rev: v0.10.4 # hooks: # - id: zenzic-verify # quality gate — corrisponde a `just verify` lato zenzic # - id: zenzic-guard # fast staged-file credential scan diff --git a/CITATION.cff b/CITATION.cff index ac19dc1..1edb24d 100644 --- a/CITATION.cff +++ b/CITATION.cff @@ -15,8 +15,8 @@ abstract: >- performs deterministic static analysis using a two-pass reference pipeline and a RE2-backed credential scanner, with zero subprocess calls and full SARIF 2.1.0 support for CI/CD integration. -version: 0.10.3 -date-released: 2026-06-08 +version: 0.10.4 +date-released: 2026-06-09 url: "https://zenzic.dev" repository-code: "https://github.com/PythonWoods/zenzic" repository-artifact: "https://pypi.org/project/zenzic/" diff --git a/RELEASE.md b/RELEASE.md index d5fde92..8e24ad9 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -8,9 +8,9 @@ | Field | Value | | :------- | :--------- | -| Version | v0.10.3 | +| Version | v0.10.4 | | Codename | Magnetite | -| Date | 2026-06-08 | +| Date | 2026-06-09 | | Status | Stable | ## Release Checklist @@ -21,7 +21,7 @@ Before tagging, every item must be green: - [ ] `zenzic lab all` — all 20 scenarios exit with expected code - [ ] `zenzic score --stamp` committed — badge in README.md and README.it.md reflects current score - [ ] `zenzic check all .` — zero findings in the repo root -- [ ] `pyproject.toml` version matches the tag (`0.10.3`) +- [ ] `pyproject.toml` version matches the tag (`0.10.4`) - [ ] `CITATION.cff` version and date updated - [ ] `CHANGELOG.md` — `[Unreleased]` section moved to the new version heading - [ ] Update SECURITY.md support table (Add new release, demote previous to Critical/EOL). 
@@ -54,11 +54,11 @@ git checkout main git pull origin main # 3. Tag the main branch and push -git tag v0.10.3 +git tag v0.10.4 git push origin main --tags ``` -- [ ] Create GitHub Release from the tag, using the `## v0.10.3` CHANGELOG section as the release body. +- [ ] Create GitHub Release from the tag, using the `## v0.10.4` CHANGELOG section as the release body. ## Changelog Reference diff --git a/pyproject.toml b/pyproject.toml index 8bba29b..68b1471 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -13,7 +13,7 @@ build-backend = "hatchling.build" [project] name = "zenzic" -version = "0.10.3" +version = "0.10.4" description = "Engineering-grade, engine-agnostic static analyzer and credential scanner for Markdown documentation" readme = "README.md" requires-python = ">=3.10" diff --git a/src/zenzic/__init__.py b/src/zenzic/__init__.py index 23e70d4..ca0a11e 100644 --- a/src/zenzic/__init__.py +++ b/src/zenzic/__init__.py @@ -2,5 +2,5 @@ # SPDX-License-Identifier: Apache-2.0 """Zenzic — engine-agnostic static analyzer and credential scanner for Markdown documentation.""" -__version__ = "0.10.3" +__version__ = "0.10.4" __version_name__ = "Basalt" # Release codename stored separately from the package version. diff --git a/src/zenzic/cli/_standalone.py b/src/zenzic/cli/_standalone.py index 94d2a9e..33ff61f 100644 --- a/src/zenzic/cli/_standalone.py +++ b/src/zenzic/cli/_standalone.py @@ -1270,7 +1270,7 @@ def _scaffold_plugin(repo_root: Path, plugin_name: str, force: bool) -> None: description = "Custom Zenzic plugin rule package" readme = "README.md" requires-python = ">=3.11" -dependencies = ["zenzic>=0.10.3"] +dependencies = ["zenzic>=0.10.4"] [project.entry-points."zenzic.rules"] {project_slug} = "{module_name}.rules:{class_name}" diff --git a/uv.lock b/uv.lock index 58d8304..be5c22d 100644 --- a/uv.lock +++ b/uv.lock 
@@ -2163,7 +2163,7 @@ wheels = [ [[package]] name = "zenzic" -version = "0.10.3" +version = "0.10.4" source = { editable = "." } dependencies = [ { name = "google-re2" }, From 982f81c279f2f139f463d9be2047a0c2a1b9fb6b Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Tue, 9 Jun 2026 19:21:28 +0200 Subject: [PATCH 4/5] fix(deps): patch urllib3, idna, pip and bump GHA actions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - urllib3 2.6.3 → 2.7.0 (CVE-2026-44431, CVE-2026-44432) - idna 3.11 → 3.18 (CVE-2026-45409) - pip 26.0.1 → 26.1.2 (CVE-2026-6357, CVE-2026-3219) - actions/checkout SHA → v6.0.3 (closes dependabot #98) - amannn/action-semantic-pull-request SHA → v6.1.1 (closes dependabot #99) Signed-off-by: PythonWoods --- .github/workflows/compliance.yml | 4 ++-- uv.lock | 18 +++++++++--------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml index 8bbc586..af3ada9 100644 --- a/.github/workflows/compliance.yml +++ b/.github/workflows/compliance.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Validate PR Title - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 + uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 diff --git a/uv.lock b/uv.lock index be5c22d..6388a06 100644 --- a/uv.lock +++ b/uv.lock 
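Review bot: The `# v6.1.1` comment is the only thing tying the new hash `48f25628…` to a release, and this is a major-version jump (`# v5.5.3` → `# v6.1.1`) of a third-party action whose inputs are otherwise untouched, so both the pin and the behavior deserve a check the hunk cannot give. Because the SHA was transcribed by hand (the commit message closes the dependabot PR rather than merging it), resolve the tag once and compare, e.g. `git ls-remote https://github.com/amannn/action-semantic-pull-request refs/tags/v6.1.1`, dereferencing with `^{}` if the tag is annotated. Then confirm on a throwaway PR that the same title rules are enforced as before, since a major release is where default inputs and the required Node runtime typically change. The `jobs:` block and the `on:` trigger begin outside the hunk, so I cannot tell what permissions `GITHUB_TOKEN` carries for this step.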
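Review bot: The same pin/tag verification is needed for `actions/checkout@df4cb1c0…`: the hunk shows only the `# v6.0.3` comment and nothing that proves the hash is that tag's commit, so run `git ls-remote https://github.com/actions/checkout refs/tags/v6.0.3` before merging and keep comment and hash changing together in one commit so the pair stays auditable. `fetch-depth: 0` is unchanged context and checks out full history, which a history-aware compliance check may genuinely need; it is worth a one-line comment such as `fetch-depth: 0  # full history required by the compliance check below — TODO confirm` so a future reader does not drop it to speed up the job. I cannot see the job-level `permissions` or the step that consumes the checkout, so I cannot confirm the token here is read-only. The enclosing job begins outside the hunk.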
@@ -596,11 +596,11 @@ wheels = [ [[package]] name = "idna" -version = "3.11" +version = "3.18" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/6f/6d/0703ccc57f3a7233505399edb88de3cbd678da106337b9fcde432b65ed60/idna-3.11.tar.gz", hash = "sha256:795dafcc9c04ed0c1fb032c2aa73654d8e8c5023a7df64a53f39190ada629902", size = 194582, upload-time = "2025-10-12T14:55:20.501Z" } +sdist = { url = "https://files.pythonhosted.org/packages/cd/63/9496c57188a2ee585e0f1db071d75089a11e98aa86eb99d9d7618fc1edce/idna-3.18.tar.gz", hash = "sha256:ffb385a7e039654cef1ab9ef32c6fafe283c0c0467bba1d9029738ce4a14a848", size = 196711, upload-time = "2026-06-02T14:34:07.794Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/0e/61/66938bbb5fc52dbdf84594873d5b51fb1f7c7794e9c0f5bd885f30bc507b/idna-3.11-py3-none-any.whl", hash = "sha256:771a87f49d9defaf64091e6e6fe9c18d4833f140bd19464795bc32d966ca37ea", size = 71008, upload-time = "2025-10-12T14:55:18.883Z" }, + { url = "https://files.pythonhosted.org/packages/1e/5e/d4e9f1a599fb8e573b7b87160658329fbf28d19eac2718f51fc3def3aa5a/idna-3.18-py3-none-any.whl", hash = "sha256:7f952cbe720b688055e3f87de14f5c3e5fdaa8bc3928985c4077ca689de849a2", size = 65455, upload-time = "2026-06-02T14:34:06.319Z" }, ] [[package]] 
@@ -1154,11 +1154,11 @@ wheels = [ [[package]] name = "pip" -version = "26.0.1" +version = "26.1.2" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/48/83/0d7d4e9efe3344b8e2fe25d93be44f64b65364d3c8d7bc6dc90198d5422e/pip-26.0.1.tar.gz", hash = "sha256:c4037d8a277c89b320abe636d59f91e6d0922d08a05b60e85e53b296613346d8", size = 1812747, upload-time = "2026-02-05T02:20:18.702Z" } +sdist = { url = "https://files.pythonhosted.org/packages/01/91/47e7d486260f618783899587af63ccf7980fb60245c3e63dd4571c6b57ad/pip-26.1.2.tar.gz", hash = "sha256:f49cd134c61cf2fd75e0ce2676db03e4054504a5a4986d00f8299ae632dc4605", size = 1840799, upload-time = "2026-05-31T17:33:58.56Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/de/f0/c81e05b613866b76d2d1066490adf1a3dbc4ee9d9c839961c3fc8a6997af/pip-26.0.1-py3-none-any.whl", hash = "sha256:bdb1b08f4274833d62c1aa29e20907365a2ceb950410df15fc9521bad440122b", size = 1787723, upload-time = "2026-02-05T02:20:16.416Z" }, + { url = "https://files.pythonhosted.org/packages/5d/95/6b5cb3461ea5673ba0995989746db58eb18b91b54dbf331e72f569540946/pip-26.1.2-py3-none-any.whl", hash = "sha256:382ff9f685ee3bc25864f820aa50505825f10f5458ffff07e30a6d96e5715cab", size = 1813144, upload-time = "2026-05-31T17:33:56.772Z" }, ] [[package]] 
@@ -2117,11 +2117,11 @@ wheels = [ [[package]] name = "urllib3" -version = "2.6.3" +version = "2.7.0" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" } +sdist = { url = "https://files.pythonhosted.org/packages/53/0c/06f8b233b8fd13b9e5ee11424ef85419ba0d8ba0b3138bf360be2ff56953/urllib3-2.7.0.tar.gz", hash = "sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c", size = 433602, upload-time = "2026-05-07T16:13:18.596Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" }, + { url = "https://files.pythonhosted.org/packages/7f/3e/5db95bcf282c52709639744ca2a8b149baccf648e39c8cc87553df9eae0c/urllib3-2.7.0-py3-none-any.whl", hash = "sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897", size = 131087, upload-time = "2026-05-07T16:13:17.151Z" }, ] [[package]] From e4af75aa8a3f9ead537ccc501221596a54ce3a39 Mon Sep 17 00:00:00 2001 From: PythonWoods Date: Tue, 9 Jun 2026 19:34:11 +0200 Subject: [PATCH 5/5] =?UTF-8?q?style(readme):=20fix=20badge=20centering=20?= =?UTF-8?q?=E2=80=94=20remove=20blank=20line=20inside=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: PythonWoods --- README.it.md | 1 - README.md | 1 - 2 files changed, 2 deletions(-) diff --git a/README.it.md b/README.it.md index 14442ab..d71e294 100644 --- a/README.it.md +++ b/README.it.md @@ -21,7 +21,6 @@ SPDX-License-Identifier: Apache-2.0 zenzic-audit zenzic-score - REUSE 3.x compliant 
diff --git a/README.md b/README.md index 7cd0d8a..60ce99f 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,6 @@ SPDX-License-Identifier: Apache-2.0 zenzic-audit zenzic-score - REUSE 3.x compliant