diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7b04c4a..5f6b2bd 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,24 +1,19 @@ -# To get started with Dependabot version updates, you'll need to specify which -# package ecosystems to update and where the package manifests are located. -# Please see the documentation for more information: -# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates -# https://containers.dev/guide/dependabot - version: 2 updates: - - package-ecosystem: "cargo" - directory: "/" - schedule: - interval: "weekly" - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "weekly" - - package-ecosystem: "rust-toolchain" - directory: "/" - schedule: - interval: "weekly" - - package-ecosystem: "devcontainers" - directory: "/" - schedule: - interval: "weekly" + - package-ecosystem: "cargo" + directory: "/" + schedule: + interval: "weekly" + rebase-strategy: "disabled" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + rebase-strategy: "disabled" + + - package-ecosystem: "devcontainers" + directory: "/" + schedule: + interval: "weekly" + rebase-strategy: "disabled" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d4b7675..89282f8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
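Review bot: `rebase-strategy: "disabled"` on all three entries stops Dependabot from rebasing its own PRs, yet the `Keep PRs up to date with main` rule in this commit's .mergify.yml excludes `-author = dependabot[bot]` from branch updates and the new `Do not merge outdated PRs` protection fails any PR with `#commits-behind > 10`. Read together, a Dependabot PR that goes stale has no automatic path back to mergeable short of a manual `@dependabot rebase`; either drop the Dependabot exclusion from the update rule or leave `rebase-strategy` at its default. This is inferred from the two files, so confirm how the Mergify queue refreshes branches before merging. The removal of the `rust-toolchain` ecosystem is also undocumented; a one-line comment such as `# rust-toolchain.toml bumps are done by hand together with the MSRV pin in ci.yml` would explain it to the next reader.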
@@ -21,33 +21,6 @@ env: GITHUB_ACTIONS: true jobs: - # Detect if Rust code has changed - changes: - runs-on: ubuntu-latest - outputs: - rust: ${{ steps.filter.outputs.rust }} - docs: ${{ steps.filter.outputs.docs }} - steps: - - uses: actions/checkout@v6 - - uses: dorny/paths-filter@v3 - id: filter - with: - filters: | - rust: - - '**/*.rs' - - '**/Cargo.toml' - - '**/Cargo.lock' - - '**/build.rs' - - 'justfile' - - 'rust-toolchain.toml' - - 'deny.toml' - docs: - - 'docs/**' - - '*.md' - - '.kiro/**' - - 'spec/**' - - # Code quality checks - always run quality: runs-on: ubuntu-latest steps: @@ -68,11 +41,8 @@ jobs: - name: Run clippy (all features) run: cargo clippy --all-targets --all-features -- -D warnings - # MSRV (Minimum Supported Rust Version) check msrv: runs-on: ubuntu-latest - needs: changes - if: needs.changes.outputs.rust == 'true' steps: - uses: actions/checkout@v6 - uses: dtolnay/rust-toolchain@1.91.0 @@ -85,8 +55,6 @@ jobs: test: runs-on: ubuntu-latest - needs: changes - if: needs.changes.outputs.rust == 'true' steps: - uses: actions/checkout@v6 @@ -106,27 +74,18 @@ jobs: - name: Build release run: cargo build --release --all-features - # Test cross-platform - only run when Rust code changes test-cross-platform: strategy: matrix: include: - # Primary Support - Linux - os: ubuntu-latest platform: "Linux" - # Disabled due to lack of ARM runners on GitHub Actions, will re-enable when available - # - os: arm - # platform: "Linux" - # Primary Support - macOS (using available runners) - os: macos-latest platform: "macOS" - # Primary Support - Windows - os: windows-latest platform: "Windows" runs-on: ${{ matrix.os }} - needs: changes - if: needs.changes.outputs.rust == 'true' steps: - uses: actions/checkout@v6 
@@ -138,15 +97,12 @@ jobs: with: tool: cargo-nextest - # Run tests and build the release binary - run: cargo nextest run --all-features - run: cargo build --release --all-features - # Generate coverage for TLS-enabled builds - only run when Rust code changes coverage: runs-on: ubuntu-latest - needs: [changes, test, test-cross-platform] - if: needs.changes.outputs.rust == 'true' + needs: [test, test-cross-platform] steps: - uses: actions/checkout@v6 
@@ -177,48 +133,3 @@ jobs: with: token: ${{ secrets.QLTY_COVERAGE_TOKEN }} files: target/lcov.info - - # Gate job for branch protection - always runs and reports aggregate status - # Use this as the required status check instead of individual jobs - ci-gate: - name: CI Gate - runs-on: ubuntu-latest - needs: [quality, msrv, test, test-cross-platform, coverage] - if: always() - steps: - - name: Check job results - run: | - echo "Quality: ${{ needs.quality.result }}" - echo "MSRV: ${{ needs.msrv.result }}" - echo "Test: ${{ needs.test.result }}" - echo "Test Cross-Platform: ${{ needs.test-cross-platform.result }}" - echo "Coverage: ${{ needs.coverage.result }}" - - # Fail if any required job failed - # Jobs that were skipped (due to path filters) are OK - if [[ "${{ needs.quality.result }}" == "failure" || "${{ needs.quality.result }}" == "cancelled" ]]; then - echo "::error::Quality checks failed" - exit 1 - fi - - if [[ "${{ needs.msrv.result }}" == "failure" || "${{ needs.msrv.result }}" == "cancelled" ]]; then - echo "::error::MSRV check failed" - exit 1 - fi - - if [[ "${{ needs.test.result }}" == "failure" || "${{ needs.test.result }}" == "cancelled" ]]; then - echo "::error::Tests failed" - exit 1 - fi - - if [[ "${{ needs.test-cross-platform.result }}" == "failure" || "${{ needs.test-cross-platform.result }}" == "cancelled" ]]; then - echo "::error::Cross-platform tests failed" - exit 1 - fi - - if [[ "${{ needs.coverage.result }}" == "failure" || "${{ needs.coverage.result }}" == "cancelled" ]]; then - echo "::error::Coverage generation failed" - exit 1 - fi - - echo "All CI checks passed (or were skipped due to no relevant changes)" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..9290e73 --- /dev/null +++ b/.github/workflows/scorecard.yml 
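Review bot: Removing the `ci-gate` job drops the one aggregate status check that branch protection was meant to require, so the required-check list on `main` now has to name each job individually (`quality`, `msrv`, `test`, the three `test-cross-platform (...)` matrix names, `coverage`) or it will reference a check that never reports again. The removed gate also treated skipped jobs as passing, whereas the per-job Mergify conditions added in this commit require plain success; with `token: ${{ secrets.QLTY_COVERAGE_TOKEN }}` still used by the coverage upload, a fork PR that cannot read repository secrets would fail `coverage` and become unmergeable under the external-contributor rule, if this workflow runs on `pull_request` from forks (the trigger is outside this hunk). A comment above the upload step, such as `# coverage is a hard merge requirement in .mergify.yml; fork PRs cannot read this secret`, would record the constraint. The `coverage` job begins before this hunk.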
@@ -0,0 +1,50 @@ +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: "36 23 * * 3" + push: + branches: ["main"] + +# Declare default permissions as read-only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + if: github.event.repository.default_branch == github.ref_name + permissions: + # Needed to upload the results to the code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@v6 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@v2.4.3 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: "Upload artifact" + uses: actions/upload-artifact@v6 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: results.sarif diff --git a/.gitignore b/.gitignore index 6657408..61f75f4 100644 --- a/.gitignore +++ b/.gitignore @@ -131,3 +131,4 @@ megalinter-reports/* target/* stringy-output/* tests/fixtures/* +.claude.local.md diff --git a/.mergify.yml b/.mergify.yml new file mode 100644 index 0000000..19b8c72 --- /dev/null +++ b/.mergify.yml 
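Review bot: Every `uses:` in the new workflow references a mutable tag (`actions/checkout@v6`, `ossf/scorecard-action@v2.4.3`, `actions/upload-artifact@v6`, `github/codeql-action/upload-sarif@v4`), which Scorecard's own Pinned-Dependencies check will report against this repository. Pin each to a full commit SHA with the version kept in a trailing comment, e.g. `uses: ossf/scorecard-action@<commit-sha> # v2.4.3`; the `github-actions` Dependabot entry in this commit still keeps SHA-pinned references current. The same tag-style references appear as context in the ci.yml hunks. The permissions layout otherwise matches the upstream template, with `permissions: read-all` at the top and `security-events: write` / `id-token: write` scoped to the single job.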
@@ -0,0 +1,89 @@ +queue_rules: + - name: default + merge_method: squash + merge_conditions: + - check-success = quality + - check-success = msrv + - check-success = test + - "check-success = test-cross-platform (ubuntu-latest, Linux)" + - "check-success = test-cross-platform (macos-latest, macOS)" + - "check-success = test-cross-platform (windows-latest, Windows)" + - check-success = coverage + +pull_request_rules: + # Tier 1: Maintainer PRs -- queue when maintainer adds 'lgtm' label + - name: Queue maintainer PRs with lgtm label + conditions: + - base = main + - "author=@maintainers" + - label = lgtm + - label != do-not-merge + actions: + queue: + name: default + + # Tier 2: Trusted bot PRs -- auto-queue when checks pass + - name: Auto-approve and queue dependabot PRs + conditions: + - base = main + - author = dependabot[bot] + - label != do-not-merge + - -files~=\.github/workflows/release\.yml + actions: + review: + type: APPROVE + message: Automatically approved by Mergify + queue: + name: default + + # Tier 3: All other PRs (external contributors, copilot) -- require maintainer approval + - name: Queue external PRs when approved by maintainer + conditions: + - base = main + - "-author=@maintainers" + - author != dependabot[bot] + - "approved-reviews-by=@maintainers" + - label != do-not-merge + actions: + queue: + name: default + + - name: Keep PRs up to date with main + conditions: + - base = main + - -conflict + - -draft + - -author = dependabot[bot] + - label != do-not-merge + actions: + update: {} + +merge_protections: + - name: Enforce conventional commit + description: Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/ + if: + - base = main + success_conditions: + - "title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert)(?:\\(.+\\))?:" + + - name: CI must pass + description: >- + All CI checks must pass. This protection prevents manual merges + that bypass the merge queue. 
+ if: + - base = main + success_conditions: + - check-success = quality + - check-success = msrv + - check-success = test + - "check-success = test-cross-platform (ubuntu-latest, Linux)" + - "check-success = test-cross-platform (macos-latest, macOS)" + - "check-success = test-cross-platform (windows-latest, Windows)" + - check-success = coverage + + - name: Do not merge outdated PRs + description: Make sure PRs are within 10 commits of the base branch before merging + if: + - base = main + success_conditions: + - "#commits-behind <= 10" diff --git a/.serena/project.yml b/.serena/project.yml index f3f3374..7ad4314 100644 --- a/.serena/project.yml +++ b/.serena/project.yml 
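Review bot: The Dependabot auto-approve rule's only file guard is `-files~=\.github/workflows/release\.yml`, so a Dependabot bump touching `ci.yml`, `scorecard.yml` or any other workflow is approved and queued with no human in the loop; widening it to `-files~=^\.github/workflows/` (or `^\.github/`) keeps all workflow edits on the Tier 3 review path. Separately, the Tier 1 rule lets a maintainer's own PR enter the queue on a self-applied `lgtm` label, which is weaker than the "all pull requests require review" and "architecture changes require both maintainers" wording added to CONTRIBUTING.md in this commit. Either a comment on that rule acknowledging the exception, or an `approved-reviews-by` condition alongside the label, would reconcile the two. The `queue_rules` conditions and the `CI must pass` protection duplicate the same seven check names; a comment noting they must be kept in sync with the ci.yml job and matrix names would help, since a renamed job silently makes every PR unmergeable.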
@@ -84,6 +84,27 @@ excluded_tools: [] # initial prompt for the project. It will always be given to the LLM upon activating the project # (contrary to the memories, which are loaded on demand). initial_prompt: "" - +# the name by which the project can be referenced within Serena project_name: "Stringy" + +# list of tools to include that would otherwise be disabled (particularly optional tools that are disabled by default) included_optional_tools: [] + +# list of mode names to that are always to be included in the set of active modes +# The full set of modes to be activated is base_modes + default_modes. +# If the setting is undefined, the base_modes from the global configuration (serena_config.yml) apply. +# Otherwise, this setting overrides the global configuration. +# Set this to [] to disable base modes for this project. +# Set this to a list of mode names to always include the respective modes for this project. +base_modes: + +# list of mode names that are to be activated by default. +# The full set of modes to be activated is base_modes + default_modes. +# If the setting is undefined, the default_modes from the global configuration (serena_config.yml) apply. +# Otherwise, this overrides the setting from the global configuration (serena_config.yml). +# This setting can, in turn, be overridden by CLI parameters (--mode). +default_modes: + +# fixed set of tools to use as the base tool set (if non-empty), replacing Serena's default set of tools. +# This cannot be combined with non-empty excluded_tools or included_optional_tools. +fixed_tools: [] diff --git a/AGENTS.md b/AGENTS.md index 8f177d5..aa2f1be 100644 --- a/AGENTS.md +++ b/AGENTS.md 
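Review bot: `base_modes:` and `default_modes:` are added as bare keys, which YAML parses as null, while the sibling keys in the same hunk (`included_optional_tools: []`, `fixed_tools: []`) use explicit empty lists; the accompanying comments say `[]` and "undefined" mean different things, so a reader cannot tell whether null was meant as "inherit the global configuration". Writing `base_modes: null` (or omitting the keys) with a comment saying that is the inheritance form would remove the ambiguity, assuming Serena treats null as undefined, which this hunk does not show. The comment `list of mode names to that are always to be included` also has a stray `to`: `# list of mode names that are always to be included in the set of active modes`.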
@@ -94,3 +94,34 @@ Import from `stringy::extraction` or `stringy::types`, not deeply nested paths. **New string extractor**: Follow patterns in `extraction/` module **Splitting large files**: When a file exceeds 500 lines, convert to a module directory: `foo.rs` -> `foo/mod.rs` + `foo/submodule.rs`. Move related code to submodules while keeping public re-exports in `mod.rs`. + +## Open-Source Quality Standards (OSSF Best Practices) + +Maintain these standards for OSSF Scorecard compliance: + +### Every PR Must + +- Sign off commits with `git commit -s` (DCO enforced by GitHub App) +- Pass CI (clippy, rustfmt, tests, CodeQL, cargo-deny) before merge +- Include tests for new functionality -- this is policy, not optional +- Be reviewed (human or CodeRabbit) for correctness, safety, and style +- Not introduce `unwrap()` in library code, unchecked errors, or unvalidated input + +### Every Release Must + +- Have human-readable release notes via git-cliff (not raw git log) +- Use unique SemVer identifiers (`vX.Y.Z` tags) +- Be built reproducibly (pinned toolchain, committed `Cargo.lock`, cargo-dist) + +### Security + +- Vulnerabilities go through private reporting (GitHub advisories or ), never public issues +- `cargo-deny` and `cargo-audit` run in CI -- fix findings promptly +- Medium+ severity vulnerabilities: we aim to release a fix within 90 days of confirmation (see SECURITY.md for canonical policy) + +### Documentation + +- Exported APIs require rustdoc comments with examples where appropriate +- CONTRIBUTING.md documents code review criteria, test policy, DCO, and governance +- SECURITY.md documents vulnerability reporting with scope, safe harbor, and PGP key +- AGENTS.md must accurately reflect implemented features (not aspirational) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 64a7366..37eb6a4 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -10,7 +10,7 @@ Thanks for your interest in Stringy. This guide explains how to propose changes ## Development setup -Stringy uses Rust 2024 (MSRV 1.85+, see `rust-toolchain.toml`). We also use just for common tasks. +Stringy uses Rust 2024 (MSRV 1.91+, see `rust-toolchain.toml`). We also use just for common tasks. Recommended workflow: @@ -28,7 +28,7 @@ If you do not use just, the critical requirement is that: These rules are enforced by CI: -- No unsafe code +- No unsafe code (`#![forbid(unsafe_code)]`) - Zero warnings (`clippy -D warnings`) - ASCII only in code and documentation, unless explicitly working with Unicode handling - Keep files under 500-600 lines; split when needed 
@@ -45,22 +45,21 @@ Module layout: - `extraction/` handles string extraction, filtering, and deduplication - `classification/` handles semantic tagging and ranking - `output/` handles output formatters -- `types.rs` contains core data structures and error types +- `types/` contains core data structures and error types Key patterns: - Section weights: add new section weights in `container/*.rs` using existing match patterns. Higher weight means more likely to contain useful strings. -- Semantic tags: add new Tag variants in `types.rs`, implement detection in `classification/semantic.rs`, and update any tag merging logic if needed. +- Semantic tags: add new Tag variants in `types/mod.rs`, implement detection in `classification/`, and update any tag merging logic if needed. - Deduplication: preserve all occurrences and merge tags across occurrences in `extraction/dedup.rs`. - Public structs: keep public API structs non_exhaustive and provide explicit constructors. -- Imports: prefer `stringy::extraction` or `stringy::types`. Do not import locally-defined types inside `extraction/mod.rs`. +- Imports: prefer `stringy::extraction` or `stringy::types`. Do not import deeply nested paths. ## Tests - Add or update tests for behavior changes. - Use insta snapshots for output verification when appropriate. - Integration tests live in tests/ and fixtures in tests/fixtures/. -- Use insta snapshots for output verification when changing output formatters. Run: 
@@ -73,13 +72,67 @@ Run: - Link related issues in the PR description. - Update documentation when behavior changes. +### Code review requirements + +All pull requests require review before merging. Reviewers check for: + +- **Correctness**: Does the code do what it claims? Are edge cases handled? +- **Safety**: No unsafe code, proper bounds checking, no panics/unwraps in library code +- **Tests**: New functionality has tests, existing tests still pass +- **Style**: Follows project conventions, passes `cargo fmt` and `cargo clippy -- -D warnings` +- **Documentation**: Public APIs have rustdoc, AGENTS.md updated if architecture changes + +CI must pass before merge. This includes formatting, linting, tests, security audit, and CodeQL analysis. Branch protection enforces these checks on the `main` branch. + +## Developer Certificate of Origin (DCO) + +This project requires all contributors to sign off on their commits, certifying that they have the right to submit the code under the project's license. This is enforced by the [DCO GitHub App](https://github.com/apps/dco). + +To sign off, add `-s` to your commit command: + +```bash +git commit -s -m "feat: add new feature" +``` + +This adds a `Signed-off-by` line to your commit message: + +```text +Signed-off-by: Your Name +``` + +By signing off, you agree to the [Developer Certificate of Origin](https://developercertificate.org/). + ## Documentation Docs live under docs/ and project planning artifacts are in project_plan/. Update them when you change user-facing behavior. ## Security -If you believe you found a security issue, please do not open a public issue. Use GitHub Security Advisories if available, or contact the maintainers privately. +If you believe you found a security issue, please do not open a public issue. See [SECURITY.md](SECURITY.md) for reporting instructions, scope, and our PGP key. + +## Project governance + +### Decision-making + +Stringy uses a **maintainer-driven** governance model. 
Decisions are made by the project maintainers through consensus on GitHub issues and pull requests. + +### Roles + +| Role | Responsibilities | Current | +| --------------- | -------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | +| **Maintainer** | Merge PRs, manage releases, set project direction, review security reports | [@unclesp1d3r](https://github.com/unclesp1d3r), [@KryptoKat08](https://github.com/KryptoKat08) | +| **Contributor** | Submit issues, PRs, and participate in discussions | Anyone following this guide | + +### How decisions are made + +- **Bug fixes and minor changes**: Any maintainer can review and merge +- **New features**: Discussed in a GitHub issue before implementation; maintainer approval required +- **Architecture changes**: Require agreement from both maintainers +- **Breaking API changes**: Discussed in a GitHub issue with community input; require agreement from both maintainers + +### Becoming a maintainer + +As the project grows, active contributors who demonstrate sustained, high-quality contributions and alignment with project goals may be invited to become maintainers. ## AI-assisted development diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..480bda7 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,114 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | --------- | +| 0.1.x | Yes | +| < 0.1 | No | + +Users on unsupported versions should upgrade to the latest release. Please review the [release notes](https://github.com/EvilBit-Labs/Stringy/releases) when upgrading. + +## Reporting a Vulnerability + +We take the security of Stringy seriously. If you believe you have found a security vulnerability, please report it to us as described below. + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, use one of the following channels: + +1. [GitHub Private Vulnerability Reporting](https://github.com/EvilBit-Labs/Stringy/security/advisories/new) (preferred) +2. Email [support@evilbitlabs.io](mailto:support@evilbitlabs.io) encrypted with our [PGP key](#pgp-key) (verify the full fingerprint below before use) + +Please include: + +- Description of the vulnerability +- Steps to reproduce +- Potential impact +- Suggested fix (if any) + +### Scope + +**In scope:** + +- Crashes or out-of-bounds reads when parsing crafted ELF, PE, or Mach-O binaries +- Denial of service via pathological input (excessive memory or CPU) +- Path traversal in file input handling +- Command injection via CLI arguments +- Unsafe code in dependencies that affects Stringy + +**Out of scope:** + +- Vulnerabilities in the underlying OS binary loaders +- Issues requiring physical access to the machine running Stringy +- Social engineering attacks + +### What to Expect + +**Note**: This is a passion project with volunteer maintainers. Response times are best-effort and may vary based on maintainer availability. 
+ +- We will acknowledge receipt of your report within **1 week** +- We will provide an initial assessment within **2 weeks** +- We aim to release a fix within **90 days** of confirmed vulnerabilities +- We will coordinate disclosure through a [GitHub Security Advisory](https://github.com/EvilBit-Labs/Stringy/security/advisories) +- We will credit you in the advisory (unless you prefer to remain anonymous) + +### Responsible Disclosure + +We ask that you: + +- Give us reasonable time to respond to issues before any disclosure +- Avoid accessing or modifying other users' data +- Avoid actions that could negatively impact other users + +## Security Features + +Stringy includes several security-focused features: + +- **No unsafe code**: `#![forbid(unsafe_code)]` is enforced project-wide +- **Memory-safe parsing**: All binary format parsing uses bounds-checked Rust libraries (goblin, pelite) +- **Graceful error handling**: Malformed inputs produce errors, not crashes +- **Dependency auditing**: `cargo-audit` and `cargo-deny` run in CI +- **Automated dependency updates**: Via Dependabot +- **Supply chain transparency**: CycloneDX SBOMs and Sigstore attestations per release + +## Safe Harbor + +We support safe harbor for security researchers who: + +- Make a good faith effort to avoid privacy violations, data destruction, and service disruption +- Only interact with accounts you own or with explicit permission of the account holder +- Report vulnerabilities through the channels described above + +We will not pursue legal action against researchers who follow this policy. 
+ +## PGP Key + +**Fingerprint:** `F839 4B2C F0FE C451 1B11 E721 8F71 D62B F438 2BC0` + +```text +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mDMEaLJmxhYJKwYBBAHaRw8BAQdAaS3KAoo+AgZGR6G6+m0wT2yulC5d6zV9lf2m +TugBT+O0L3N1cHBvcnRAZXZpbGJpdGxhYnMuaW8gPHN1cHBvcnRAZXZpbGJpdGxh +YnMuaW8+iNcEExYKAH8DCwkHRRQAAAAAABwAIHNhbHRAbm90YXRpb25zLm9wZW5w +Z3Bqcy5vcmexd21FpCDfIrO7bf+T6hH/8drbGLWiuEueWvSTyw4T/QMVCggEFgAC +AQIZAQKbAwIeARYhBPg5Syzw/sRRGxHnIY9x1iv0OCvABQJpiUiCBQkIXQE5AAoJ +EI9x1iv0OCvAm2sA/AqFT6XEULJCimXX9Ve6e63RX7y2B+VoBVHt+PDaPBwkAP4j +39xBoLFI6KZJ/A7SOQBkret+VONwPqyW83xfn+E7Arg4BGiyZsYSCisGAQQBl1UB +BQEBB0ArjU33Uj/x1Kc7ldjVIM9UUCWMTwDWgw8lB/mNESb+GgMBCAeIvgQYFgoA +cAWCaLJmxgkQj3HWK/Q4K8BFFAAAAAAAHAAgc2FsdEBub3RhdGlvbnMub3BlbnBn +cGpzLm9yZ4msIB6mugSL+LkdT93+rSeNePtBY4Aj+O6TRFU9aKiQApsMFiEE+DlL +LPD+xFEbEechj3HWK/Q4K8AAALEXAQDqlsBwMP2XXzXDSnNNLg8yh1/zQcxT1zZ1 +Z26lyM7L6QD+Lya5aFe74WE3wTys5ykGuWkHYEgba+AyZNmuPhwMGAc= +=9zSi +-----END PGP PUBLIC KEY BLOCK----- +``` + +## Contact + +For general security questions, open a GitHub Issue. For vulnerability reports, use [Private Vulnerability Reporting](https://github.com/EvilBit-Labs/Stringy/security/advisories/new) or email [support@evilbitlabs.io](mailto:support@evilbitlabs.io). + +--- + +Thank you for helping keep Stringy and its users secure! diff --git a/cliff.toml b/cliff.toml new file mode 100644 index 0000000..7324db5 --- /dev/null +++ b/cliff.toml 
@@ -0,0 +1,86 @@ +# git-cliff ~ configuration file +# https://git-cliff.org/docs/configuration +# +# Lines starting with "#" are comments. +# Configuration options are organized into tables and keys. +# See documentation for more information on available options. + +[changelog] +# template for the changelog header +header = """ +# Changelog\n +All notable changes to this project will be documented in this file.\n +""" +# template for the changelog body +# https://keats.github.io/tera/docs/#introduction +body = """ +{%- if version %} +## [{{ version | trim_start_matches(pat="v") }}] - {{ timestamp | date(format="%Y-%m-%d") }} +{%- else %} +## [unreleased] +{%- endif %} +{% for group, commits in commits | group_by(attribute="group") %} +### {{ group | striptags | trim | upper_first }} +{% for commit in commits %} +- {% if commit.scope %}**{{ commit.scope }}**: {% endif -%} +{% if commit.breaking %}[**breaking**] {% endif -%} +{{ commit.message | upper_first }} +{%- endfor %} +{% endfor %} +""" +# template for the changelog footer +footer = """ + +""" +# remove the leading and trailing whitespace +trim = true +# postprocessors +postprocessors = [] +# render body even when there are no releases to process +# render_always = true +# output file path +# output = "CHANGELOG.md" + +[git] +# parse the commits based on https://www.conventionalcommits.org +conventional_commits = true +# filter out the commits that are not conventional +filter_unconventional = true +# process each line of a commit as an individual commit +split_commits = false +# regex for preprocessing the commit messages +commit_preprocessors = [ + # Replace issue/PR numbers with links + { pattern = '\(#([0-9]+)\)', replace = "([#${1}](https://github.com/EvilBit-Labs/Stringy/pull/${1}))" }, + # Check spelling of the commit with https://github.com/crate-ci/typos + # If the spelling is incorrect, it will be automatically fixed. 
+ # { pattern = '.*', replace_command = 'typos --write-changes -' }, +] +# regex for parsing and grouping commits +commit_parsers = [ + { message = "^feat", group = "Features" }, + { message = "^fix\\(security\\)", group = "Security", scope = "security" }, + { message = "^fix", group = "Bug Fixes" }, + { message = "^[Dd]oc", group = "Documentation" }, + { message = "^perf", group = "Performance" }, + { message = "^refactor", group = "Refactor" }, + { message = "^style", group = "Styling" }, + { message = "^test", group = "Testing" }, + { message = "^chore\\(release\\): prepare for", skip = true }, + { message = "^chore\\(deps.*\\)", skip = true }, + { message = "^chore\\(pr\\)", skip = true }, + { message = "^chore\\(pull\\)", skip = true }, + { message = "^Merge pull request", skip = true }, + { message = "^Merge branch", skip = true }, + { message = "^chore\\(ci\\): update", skip = true }, + { message = "^chore|^ci", group = "Miscellaneous Tasks" }, + { body = ".*security", group = "Security" }, + { body = "BREAKING CHANGE:", group = "Breaking Changes" }, + { message = "^revert", group = "Revert" }, +] +# filter out the commits that are not matched by commit parsers +filter_commits = false +# sort the tags topologically +topo_order = false +# sort the commits inside sections by oldest/newest order +sort_commits = "oldest" diff --git a/mise.lock b/mise.lock new file mode 100644 index 0000000..d379be0 --- /dev/null +++ b/mise.lock 
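Review bot: In `commit_parsers` the `{ body = ".*security", group = "Security" }` entry sits after `{ message = "^chore\\(deps.*\\)", skip = true }`, and git-cliff uses the first matching parser, so a dependency bump whose body mentions a security advisory is dropped from the changelog before the Security rule is reached. Moving the body-based `Security` and `BREAKING CHANGE:` parsers above the skip entries, or not skipping `chore(deps)` commits at all, keeps security-relevant dependency updates visible in release notes, which matters more here because this commit's .mergify.yml merges Dependabot PRs without human review. A comment above the parser list stating that order is first-match would prevent the same regression later.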
@@ -0,0 +1,138 @@ +[[tools.actionlint]] +version = "1.7.10" +backend = "aqua:rhysd/actionlint" + +[[tools.cargo-binstall]] +version = "1.16.7" +backend = "aqua:cargo-bins/cargo-binstall" + +[[tools.cargo-insta]] +version = "1.46.1" +backend = "aqua:mitsuhiko/insta" + +[[tools."cargo:cargo-audit"]] +version = "0.22.0" +backend = "cargo:cargo-audit" + +[[tools."cargo:cargo-auditable"]] +version = "0.7.2" +backend = "cargo:cargo-auditable" + +[[tools."cargo:cargo-cyclonedx"]] +version = "0.5.7" +backend = "cargo:cargo-cyclonedx" + +[[tools."cargo:cargo-deny"]] +version = "0.19.0" +backend = "cargo:cargo-deny" + +[[tools."cargo:cargo-dist"]] +version = "0.30.3" +backend = "cargo:cargo-dist" + +[[tools."cargo:cargo-llvm-cov"]] +version = "0.6.24" +backend = "cargo:cargo-llvm-cov" + +[[tools."cargo:cargo-nextest"]] +version = "0.9.123-b.4" +backend = "cargo:cargo-nextest" + +[[tools."cargo:cargo-release"]] +version = "0.25.22" +backend = "cargo:cargo-release" + +[[tools."cargo:cargo-zigbuild"]] +version = "0.21.2" +backend = "cargo:cargo-zigbuild" + +[[tools."cargo:mdbook"]] +version = "0.5.2" +backend = "cargo:mdbook" + +[[tools."cargo:mdbook-admonish"]] +version = "1.20.0" +backend = "cargo:mdbook-admonish" + +[[tools."cargo:mdbook-i18n-helpers"]] +version = "0.4.0" +backend = "cargo:mdbook-i18n-helpers" + +[[tools."cargo:mdbook-linkcheck"]] +version = "0.7.7" +backend = "cargo:mdbook-linkcheck" + +[[tools."cargo:mdbook-mermaid"]] +version = "0.17.0" +backend = "cargo:mdbook-mermaid" + +[[tools."cargo:mdbook-open-on-gh"]] +version = "3.0.0" +backend = "cargo:mdbook-open-on-gh" + +[[tools."cargo:mdbook-tabs"]] +version = "0.3.4" +backend = "cargo:mdbook-tabs" + +[[tools."cargo:mdbook-toc"]] +version = "0.15.3" +backend = "cargo:mdbook-toc" + +[[tools.claude]] +version = "2.1.42" +backend = "aqua:anthropics/claude-code" + +[[tools.cyclonedx]] +version = "0.29.2" +backend = "aqua:CycloneDX/cyclonedx-cli" + +[[tools.git-cliff]] +version = "2.11.0" +backend = 
"aqua:orhun/git-cliff" + +[[tools.goreleaser]] +version = "2.13.3" +backend = "aqua:goreleaser/goreleaser" + +[[tools.just]] +version = "1.46.0" +backend = "aqua:casey/just" + +[[tools.lychee]] +version = "0.22.0" +backend = "aqua:lycheeverse/lychee" + +[[tools.markdownlint-cli2]] +version = "0.20.0" +backend = "npm:markdownlint-cli2" + +[[tools.node]] +version = "25.4.0" +backend = "core:node" + +[[tools."pipx:mdformat"]] +version = "0.7.21" +backend = "pipx:mdformat" + +[tools."pipx:mdformat".options] +uvx_args = "--with mdformat-gfm --with mdformat-frontmatter --with mdformat-footnote --with mdformat-simple-breaks --with mdformat-gfm-alerts --with mdformat-toc --with mdformat-wikilink --with mdformat-tables" + +[[tools.pre-commit]] +version = "4.5.1" +backend = "aqua:pre-commit/pre-commit" + +[[tools.prettier]] +version = "3.8.1" +backend = "npm:prettier" + +[[tools.python]] +version = "3.14.2" +backend = "core:python" + +[[tools.rust]] +version = "1.92.0" +backend = "core:rust" + +[[tools.zig]] +version = "0.15.2" +backend = "core:zig"