Release v1.3.2

Author: Hackerchen716

.github/ISSUE_TEMPLATE/release-checklist.md

@@ -9,24 +9,31 @@ assignees: ""
 ## Version
 
 - [ ] `bla/__version__.py` contains the target version
+- [ ] Git tag is exactly `vX.Y.Z` and matches `bla.__version__`
 - [ ] `bla --version` shows the target version
 - [ ] JSON/SARIF report metadata uses the target version
 - [ ] README examples use the target version
 
 ## Validation
 
 - [ ] `python3 -m compileall -q bla bla_cli.py setup.py tests`
+- [ ] `python3 -m pytest -q`
 - [ ] `python3 -m unittest discover -s tests -v`
 - [ ] `python3 bla_cli.py validate-rules --strict-metadata`
 - [ ] sample log smoke tests pass with `--exit-on none`
+- [ ] P0 fixture smoke test passes with `--profile cn-hvv --out /tmp/bla-p0-smoke --exit-on none --no-color`
 - [ ] `bla ssh --help` confirms Remote Workspace CLI wiring
+- [ ] `python3 bla_cli.py benchmark --size-mb 1`
+- [ ] `python3 bla_cli.py benchmark --size-mb 1 --memory`
 - [ ] `python3 -m build`
-- [ ] wheel/sdist include `bla/rules/web_attacks.yaml` and `bla/remote/ssh_workspace.py`
+- [ ] `python3 -m twine check dist/*` when `twine` is available
+- [ ] wheel includes package code/rules; sdist includes release notes, sample logs, and P0 fixtures
+- [ ] fresh wheel install smoke test passes
 
 ## Publishing
 
 - [ ] Git tag created as `vX.Y.Z`
-- [ ] GitHub Release created with notes and artifacts
+- [ ] GitHub Release created with notes and artifacts, marked Latest
 - [ ] PyPI Trusted Publishing is configured for `.github/workflows/publish.yml` and the `pypi` GitHub environment
 - [ ] Only one PyPI publish path is used for this version: GitHub Release workflow preferred, no prior manual `twine` upload
 - [ ] PyPI publish workflow completed

.github/workflows/publish.yml

@@ -22,17 +22,35 @@ jobs:
         with:
           python-version: "3.12"
 
-      - name: Build package
+      - name: Verify tag version
+        run: |
+          python - <<'PY'
+          import os
+          from bla.__version__ import __version__
+          ref = os.environ.get("GITHUB_REF_NAME", "")
+          if ref.startswith("v") and ref[1:] != __version__:
+              raise SystemExit(f"Tag {ref} does not match package version {__version__}")
+          PY
+
+      - name: Run validation
         run: |
-          python -m pip install --upgrade build
-          python -m build
+          python -m pip install --upgrade build twine pytest
+          python -m pytest -q
+          python -m compileall -q bla bla_cli.py setup.py tests
+          python bla_cli.py validate-rules --strict-metadata
+          python bla_cli.py ssh --help
+
+      - name: Build package
+        run: python -m build
 
       - name: Check distribution metadata
         run: |
+          python -m twine check dist/*
           python - <<'PY'
           from pathlib import Path
           import tarfile
           import zipfile
+          from bla.__version__ import __version__
 
           dist = Path("dist")
           wheels = sorted(dist.glob("*.whl"))
@@ -53,8 +71,26 @@ jobs:
                   raise SystemExit("Source distribution is missing bla/rules/web_attacks.yaml")
               if not any(name.endswith("/bla/remote/ssh_workspace.py") for name in names):
                   raise SystemExit("Source distribution is missing bla/remote/ssh_workspace.py")
+              required = [
+                  f"/docs/releases/v{__version__}.md",
+                  "/sample_logs/auth.log",
+                  "/sample_logs/windows_rdp_sample.xml",
+                  "/tests/fixtures/p0/hvv_chain.jsonl",
+              ]
+              for suffix in required:
+                  if not any(name.endswith(suffix) for name in names):
+                      raise SystemExit(f"Source distribution is missing {suffix}")
           PY
 
+      - name: Smoke test built wheel
+        run: |
+          python -m venv /tmp/bla-wheel-smoke
+          /tmp/bla-wheel-smoke/bin/python -m pip install --upgrade pip
+          /tmp/bla-wheel-smoke/bin/python -m pip install dist/*.whl
+          /tmp/bla-wheel-smoke/bin/bla --version
+          /tmp/bla-wheel-smoke/bin/bla validate-rules --strict-metadata
+          /tmp/bla-wheel-smoke/bin/bla ssh --help
+
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:

.github/workflows/test.yml

@@ -30,24 +30,25 @@ jobs:
       - name: Validate bundled rules
         run: python bla_cli.py validate-rules --strict-metadata
 
+      - name: Install test dependencies
+        run: python -m pip install --upgrade pytest
+
+      - name: Run pytest regressions
+        run: python -m pytest -q
+
       - name: Run regression tests
         run: python -m unittest discover -s tests -v
 
       - name: Smoke test Remote Workspace CLI
         run: python bla_cli.py ssh --help
 
       - name: Smoke test on sample logs
-        # 样本日志包含故意构造的暴力破解 / Web 攻击，bla 命中严重告警时退出码为 1，
-        # 这是期望行为而不是 CI 失败。允许 0 或 1，其它退出码才视为故障。
         shell: bash
         run: |
-          set +e
-          python bla_cli.py sample_logs/auth.log --no-color --max-alerts 5
-          rc=$?; [ $rc -eq 0 ] || [ $rc -eq 1 ] || exit $rc
-          python bla_cli.py sample_logs/access.log --no-color --max-alerts 5
-          rc=$?; [ $rc -eq 0 ] || [ $rc -eq 1 ] || exit $rc
-          python bla_cli.py sample_logs/remote_ssh_auth.log --no-color --max-alerts 5
-          rc=$?; [ $rc -eq 0 ] || [ $rc -eq 1 ] || exit $rc
+          python bla_cli.py sample_logs/auth.log --no-color --max-alerts 5 --exit-on none
+          python bla_cli.py sample_logs/access.log --no-color --max-alerts 5 --exit-on none
+          python bla_cli.py sample_logs/remote_ssh_auth.log --no-color --max-alerts 5 --exit-on none
+          python bla_cli.py sample_logs/windows_rdp_sample.xml --rdp --no-color --max-alerts 5 --exit-on none
 
       - name: Build package
         if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.12'

.gitignore

@@ -42,8 +42,15 @@ Thumbs.db
 !docs/allowlist-example.json
 !tests/fixtures/**/*.json
 *.csv
+*.sarif
+iocs.txt
+report/
 case-*/
 !sample_logs/
+.coverage
+htmlcov/
+.pytest_cache/
+.ruff_cache/
 
 # Logs
 *.log

MANIFEST.in

@@ -0,0 +1,5 @@
+include README.md LICENSE pyproject.toml setup.py
+recursive-include bla/rules *.yaml
+recursive-include docs *.md *.png *.json
+recursive-include sample_logs *.log *.xml
+recursive-include tests *.py *.json *.jsonl