parity-lib/CHANGELOG.md
Oleks 9107923c5a fix(devtag-guard): snapshot explicit VERSION at source time (#194 finding)
The guard read $VERSION, but app bodies set VERSION to the derived default
before calling it, so accidental local --publish without an explicit version
or v* tag still pushed. Capture PARITY_VERSION_EXPLICIT at source time and
gate on that instead.
2026-06-02 05:08:05 +03:00

Changelog

All notable changes to parity-lib are documented here. This project follows semantic versioning; the version is a conceptual tag (no git tag is created).

Unreleased

  • Fix (safety): the dev-tag guard was ineffective. Every publish app body runs VERSION="$(parity_derive_version <default>)" before parity_devtag_guard, so by the time the guard checked $VERSION it was always non-empty (the derived default), and an accidental local --publish with no explicit version and no v* tag still pushed (cluster #194 finding). The guard now reads PARITY_VERSION_EXPLICIT, a snapshot of $VERSION taken when ci/parity-lib.sh is sourced, before any app body can clobber it; it blocks unless the caller set $VERSION or $CI_COMMIT_TAG matches ^v[0-9].
  • pipeline-doctor (cluster #191 security sweep): added a scoped per-file check asserting no set -x in token-bearing ci/*.sh scripts going forward — a script that references a registry token (REGISTRY_TOKEN / CI_REGISTRY_TOKEN / an Authorization: token header) must not enable xtrace, which would echo the token to the build log. Token-free helpers (e.g. version parsers) are not flagged.
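
Worked example for the dev-tag guard fix (added here; not parity-lib's own ci/parity-lib.sh): a minimal model of the guard before and after the fix, with a driver that reproduces the finding. The function bodies, the stand-in parity_derive_version and the scenario driver are assumptions; the snapshot variable name PARITY_VERSION_EXPLICIT and the gating rule are the ones described above.

```shell
#!/bin/sh
# Added example, not ci/parity-lib.sh itself: the guard before and after the
# fix, and a driver that reproduces the #194 finding. Function bodies and the
# derived default are assumptions; the variable name PARITY_VERSION_EXPLICIT
# and the gating rule come from the changelog entry.

# Source-time snapshot: taken when this file is sourced, before any publish
# app body has had a chance to overwrite VERSION.
PARITY_VERSION_EXPLICIT="${VERSION:-}"

# Stand-in for parity_derive_version: every app body assigns its result to
# VERSION, so VERSION is never empty by the time a guard runs.
parity_derive_version() {
    printf '%s\n' "${1:-0.0.0-dev}"
}

# Shared tag test: CI_COMMIT_TAG must match ^v[0-9].
has_release_tag() {
    case "${CI_COMMIT_TAG:-}" in v[0-9]*) return 0 ;; *) return 1 ;; esac
}

# Guard as it was: gates on $VERSION, which the app body has already filled in.
devtag_guard_old() {
    [ -n "${VERSION:-}" ] || has_release_tag
}

# Guard as fixed: gates on the snapshot, which only the caller could have set.
devtag_guard_new() {
    [ -n "${PARITY_VERSION_EXPLICIT:-}" ] || has_release_tag
}

# One scenario in a subshell: the caller's environment ($2 = explicit VERSION
# or empty, $3 = CI_COMMIT_TAG or empty), then library sourcing (snapshot),
# then the app body (derive VERSION, run guard $1). Prints pushed or blocked.
scenario() {
    (
        VERSION="$2"
        CI_COMMIT_TAG="$3"
        PARITY_VERSION_EXPLICIT="${VERSION:-}"    # what sourcing the library captures
        VERSION="$(parity_derive_version 0.1.0)"  # app body clobbers VERSION
        if "$1"; then echo pushed; else echo blocked; fi
    )
}

# Local --publish with nothing explicit: the old guard lets it through.
echo "old guard, no VERSION, no tag:   $(scenario devtag_guard_old '' '')"      # pushed
echo "new guard, no VERSION, no tag:   $(scenario devtag_guard_new '' '')"      # blocked
echo "new guard, VERSION=1.2.3:        $(scenario devtag_guard_new 1.2.3 '')"   # pushed
echo "new guard, CI_COMMIT_TAG=v0.2.0: $(scenario devtag_guard_new '' v0.2.0)" # pushed
echo "new guard, CI_COMMIT_TAG=rc-1:   $(scenario devtag_guard_new '' rc-1)"   # blocked
```

The point the driver makes is that the fix is not in the guard's condition but in what it reads: any value assigned to VERSION after sourcing is invisible to the snapshot, so only the caller's environment or a v* tag can open the gate.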

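Worked example for the pipeline-doctor xtrace check (added here; not the project's pipeline-doctor, which is a Nix package not shown on this page): a shell rendering of the scoped per-file rule, run over a constructed set of scripts. The regexes, function names and fixture scripts are assumptions; the token markers (REGISTRY_TOKEN, CI_REGISTRY_TOKEN, an Authorization: token header) and the scoping rule are the ones described above.

```shell
#!/bin/sh
# Added example, not the project's pipeline-doctor: a shell rendering of the
# check "a token-bearing ci/*.sh script must not enable xtrace". Patterns,
# function names and the fixture scripts are assumptions; the token markers
# come from the changelog entry.

# Markers that make a script "token-bearing".
TOKEN_RE='REGISTRY_TOKEN|CI_REGISTRY_TOKEN|Authorization:[[:space:]]*token'
# Ways of turning on xtrace: set -x, combined flags such as set -eux, set -o xtrace.
XTRACE_RE='(^|[;&|[:space:]])set[[:space:]]+(-[A-Za-z]*x|-o[[:space:]]+xtrace)'

# Strip full-line comments so a commented-out `set -x` or a comment that
# mentions the token does not count.
code_lines() { grep -v '^[[:space:]]*#' "$1"; }

references_token() { code_lines "$1" | grep -qE "$TOKEN_RE"; }
enables_xtrace()   { code_lines "$1" | grep -qE "$XTRACE_RE"; }

# The check itself: every *.sh under $1 that references a token AND enables
# xtrace is a finding. Prints one "<file>: <reason>" line per finding and
# returns 1 if there was any, 0 when the directory is clean. Token-free
# scripts may use set -x freely.
check_token_scripts_no_xtrace() {
    rc=0
    for f in "$1"/*.sh; do
        [ -f "$f" ] || continue
        if references_token "$f" && enables_xtrace "$f"; then
            echo "${f##*/}: token-bearing script enables xtrace; the expanded curl line would echo the token to the build log"
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture (sample input, not the project's real ci/ scripts):
# four scripts in a temp dir. Prints the directory path.
make_fixture() {
    d="$(mktemp -d)"
    # token + set -eux: finding
    cat >"$d/publish.sh" <<'EOF'
#!/bin/sh
set -eux
curl -fsS -H "Authorization: token ${REGISTRY_TOKEN}" -T dist/pkg.whl "$REGISTRY_URL/"
EOF
    # header-only token reference + set -o xtrace: finding
    cat >"$d/generic.sh" <<'EOF'
#!/bin/sh
set -o xtrace
curl -fsS -H "Authorization: token $(pass show gitea/registry)" -T out/bin "$REGISTRY_URL/"
EOF
    # token, no xtrace: clean (the comment mentioning set -x is ignored)
    cat >"$d/push.sh" <<'EOF'
#!/bin/sh
set -eu
# set -x is deliberately absent here; the token must never reach the log.
curl -fsS -H "Authorization: token ${CI_REGISTRY_TOKEN}" -T out/chart.tgz "$REGISTRY_URL/"
EOF
    # token-free helper with set -x: not flagged
    cat >"$d/version.sh" <<'EOF'
#!/bin/sh
set -x
git describe --tags --always
EOF
    echo "$d"
}

fixture="$(make_fixture)"
if check_token_scripts_no_xtrace "$fixture"; then
    echo "pipeline-doctor: ok"
else
    echo "pipeline-doctor: FAIL"   # generic.sh and publish.sh are reported
fi
rm -rf "$fixture"
```

The scoping is the part worth copying: the rule fires only on the conjunction of a token reference and xtrace in the same file, so a version parser that traces for debugging is left alone, while a script that interpolates a token into a header is caught however the trace was enabled.
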
v0.1.0

Initial release (cluster #192/#193/#194, emmett#44).

  • lib.mkParityBuilders pkgs plus per-builder wrappers exposing the six archetype publish-app builders:
    • mkPyPiWheelPublish — single-arch Gitea PyPI wheel.
    • mkS390xNpmPublish — single-arch Gitea npm native addon.
    • mkGenericBinaryPublish — single-arch Gitea generic-registry binary.
    • mkGoBinaryPublish — alias of mkGenericBinaryPublish (explicit archetype).
    • mkNix2ContainerPublish — multi-arch OCI image with publish-index and :latest digest copy.
    • mkHelmPublish — Helm chart to an OCI registry.
  • Each builder returns flake apps following the corrected parity standard: stage-<arch> (build-parity, no registry), publish-<arch> (dry-run by default), publish-index (build-free, fail-closed multi-arch assembly via regctl), publish (all local arches + index + :latest last), and push-staged (replay ./.parity-stage).
  • Shared shell library ci/parity-lib.sh: token resolution from $REGISTRY_TOKEN with a pass fallback (the token is never printed), the dev-tag guard, version derivation, the dry-run gate, registry preflight, and stage-dir helpers.
  • packages.pipeline-doctor / apps.pipeline-doctor (cluster #193): static parity-contract checker that prints local-equivalent commands.
  • flake.lock fully pinned; nixpkgs follows the shared fleet-pins nixpkgs-ci.