Skip to content

Commit 965e146

Browse files
chore(ga): repo + version hygiene for public GA cut (#705)
Addresses the public-repo hygiene findings from the GA readiness review. None are functional/security blockers; this is the public-cut polish pass. F1 — version surfaces now agree (all -> 0.2.0-rc.17): README, the workflows README, the root VERSION build-fallback (was 0.1.0-alpha.1), api/openapi.yaml (title "OpenWatch (Stage 0)" -> "OpenWatch", version, and the stale "three endpoints" description; it actually serves 123 paths), and the API_GUIDE / MONITORING_SETUP / PRODUCTION_DEPLOYMENT / QUICKSTART guides (were rc.14). F2 — untrack the runtime SQLite sidecars .kensa/remediation.db-{shm,wal} (already gitignored; they were the recurring dirty-tree noise). F3 — prettier --write the 8 unformatted frontend files (formatting only; tsc + eslint still clean). F5 — `make migrate` now runs `openwatch migrate` (was "not yet implemented"). F7 — RELEASING.md + workflows README now state the real signing behavior: GPG is REQUIRED on a tag-push (release.yml fails closed); only a workflow_dispatch trial can publish unsigned. Judgment calls: F4 — `make lint` now hard-fails on a golangci-lint version mismatch (was a warning then ran the wrong binary), so local lint matches the pinned CI v1. F6 — removed the zero-secret-value cruft ignore patterns that hid source/docs (*test*.ts/.tsx/.mjs are TS source; *_MIGRATION*.md hid migration docs); kept the *secret*/*password*/*credential* guards (they have negations + real value). Also: add docs/guides/README.md (a version-agnostic operator-guide index for hanalyx.com/docs).
1 parent f7d483b commit 965e146

22 files changed

Lines changed: 468 additions & 115 deletions

.github/workflows/README.md

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -74,7 +74,7 @@ The workflow then:
7474
Distribution is via GitHub Releases. Operators install with
7575
`sudo dnf install ./openwatch-*.rpm` or `sudo apt install ./openwatch_*.deb`. A tag
7676
with a pre-release suffix (for example `-rc.5`) is marked as a pre-release; a bare
77-
`vX.Y.Z` is GA. The current version (`0.2.0-rc.5`) is a pre-release. See
77+
`vX.Y.Z` is GA. The current version (`0.2.0-rc.17`) is a pre-release. See
7878
`specs/system/supply-chain.spec.yaml`, `specs/release/package-build.spec.yaml`, and
7979
`docs/runbooks/RELEASING.md`.
8080

@@ -117,8 +117,10 @@ remain a manual RC step (see `docs/runbooks/RELEASING.md`).
117117
| `GPG_PRIVATE_KEY`, `GPG_PASSPHRASE` | `release.yml` | Sign RPMs and the checksum manifest |
118118
| `COSIGN_PRIVATE_KEY`, `COSIGN_PASSWORD` | `release.yml` | Cosign signature over the checksum manifest |
119119

120-
Signing steps in `release.yml` are gated on key presence; without them, packages and
121-
checksums publish unsigned.
120+
On a tag-push release, GPG signing is required: `release.yml` fails closed and refuses
121+
to publish unsigned if `GPG_PRIVATE_KEY` is absent. The cosign layer is optional and
122+
skips if its key is absent. An unsigned build is only possible via a `workflow_dispatch`
123+
trial run (never a tag push).
122124

123125
## Reproducing CI locally
124126

.gitignore

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -341,9 +341,9 @@ frontend_test.log
341341
# Exception: committed test harness scripts under packaging/tests/ (e.g. the
342342
# container upgrade test) are real tracked files, not transient scratch.
343343
!packaging/tests/*test*.sh
344-
*test*.mjs
345-
*test*.ts
346-
*test*.tsx
344+
# NOTE: do NOT blanket-ignore *test*.ts / *test*.tsx / *test*.mjs — in the Go
345+
# rebuild those are first-class TypeScript source (frontend *.test.ts(x) suites),
346+
# not build artifacts. Ignoring them silently hides new tests from git.
347347

348348
# Go-rebuild layout: the active frontend (promoted from app/frontend) keeps its
349349
# tests under frontend/tests/ and co-located *.test.ts(x). Re-include them — the
@@ -702,12 +702,15 @@ scripts/cleanup-documentation.sh
702702
*-migration-output
703703

704704
# Working Documents and Analysis Reports (DO NOT COMMIT)
705+
# These guard against committing AI/working scratch notes. They match an
706+
# UPPER_SUFFIX.md convention legit docs mostly avoid. NOTE: *_MIGRATION*.md was
707+
# removed — it wrongly hid legitimate DB-migration documentation; name scratch
708+
# migration notes differently if needed.
705709
*_ASSESSMENT.md
706710
*_ANALYSIS.md
707711
*_COMPLETE.md
708712
*_FIX*.md
709713
*_IMPLEMENTATION*.md
710-
*_MIGRATION*.md
711714
*_PHASE*.md
712715
*_REPORT.md
713716
*_STATUS.md

.kensa/remediation.db-shm

-32 KB
Binary file not shown.

.kensa/remediation.db-wal

-350 KB
Binary file not shown.

Makefile

Lines changed: 8 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -140,14 +140,17 @@ lint: internal/server/openapi_embed.yaml $(SPA_DIR)/index.html
140140
@if command -v golangci-lint >/dev/null 2>&1; then \
141141
have=$$(golangci-lint version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1); \
142142
if [ "$$have" != "$(GOLANGCI_VERSION)" ]; then \
143-
echo "WARNING: golangci-lint $$have installed, but CI pins $(GOLANGCI_VERSION)."; \
144-
echo " Results may differ from CI. Install the pinned version:"; \
143+
echo "ERROR: golangci-lint $$have installed, but this repo pins $(GOLANGCI_VERSION)."; \
144+
echo " Local lint must match CI (the config is v1 format; a v2 binary cannot"; \
145+
echo " load it). Install the pinned version, then re-run:"; \
145146
echo " go install github.com/golangci/golangci-lint/cmd/golangci-lint@v$(GOLANGCI_VERSION)"; \
147+
exit 1; \
146148
fi; \
147149
golangci-lint run; \
148150
else \
149-
echo "golangci-lint not installed; skipping (CI pins v$(GOLANGCI_VERSION)):"; \
151+
echo "ERROR: golangci-lint not installed (this repo pins v$(GOLANGCI_VERSION)):"; \
150152
echo " go install github.com/golangci/golangci-lint/cmd/golangci-lint@v$(GOLANGCI_VERSION)"; \
153+
exit 1; \
151154
fi
152155

153156
# vuln: known-CVE scan against deps + stdlib (call-graph aware).
@@ -267,7 +270,7 @@ spa:
267270

268271
.PHONY: migrate
269272
migrate:
270-
@echo "migrate: not yet implemented (lands in Day 3: goose)"
273+
go run ./cmd/openwatch migrate
271274

272275
# -----------------------------------------------------------------------------
273276
# Packaging (Day 11: RPM + DEB)
@@ -335,7 +338,7 @@ help:
335338
@echo ""
336339
@echo "Codegen + DB:"
337340
@echo " generate Run codegen (oapi-codegen, sqlc, registries) [Day 5]"
338-
@echo " migrate Run goose database migrations [Day 3]"
341+
@echo " migrate Run goose database migrations (openwatch migrate)"
339342
@echo ""
340343
@echo "Packaging:"
341344
@echo " rpm Build RPM package [Day 11]"

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@ OpenWatch is the compliance operating system for teams managing Linux infrastruc
2020
> Python/FastAPI implementation was archived out of the repo on 2026-06-05). The
2121
> Go tree lives at the **repo root**: Go 1.26 backend (`cmd/`, `internal/`),
2222
> React 19 + TanStack frontend (`frontend/`), PostgreSQL-only. The current
23-
> version is `0.2.0-rc.13`, a pre-release, not a GA build.
23+
> version is `0.2.0-rc.17`, a pre-release, not a GA build.
2424
2525
![OpenWatch Host Management: a fleet of RHEL and Ubuntu hosts with per-host compliance scores against 538 Kensa rules](docs/images/host-management.png)
2626

VERSION

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
0.1.0-alpha.1
1+
0.2.0-rc.17

api/openapi.yaml

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -17,11 +17,13 @@
1717
openapi: 3.0.3
1818

1919
info:
20-
title: OpenWatch (Stage 0)
21-
version: 0.1.0-alpha.1
20+
title: OpenWatch
21+
version: 0.2.0-rc.17
2222
description: |
23-
Stage 0 walking-skeleton surface — three endpoints that exercise the
24-
foundation stack (correlation, idempotency, audit, error envelope).
23+
The OpenWatch REST API: authentication, hosts, scans, compliance posture,
24+
remediation, reports, notifications, and administration. All responses carry
25+
a correlation ID and a structured error envelope; mutating calls are
26+
idempotency-keyed and audited.
2527
2628
servers:
2729
- url: https://localhost:8443

docs/guides/API_GUIDE.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ React UI over HTTPS on port `8443`. All API paths live under `/api/v1`. The
1212
running binary serves its own OpenAPI document as the contract source of truth,
1313
and `GET /api/v1/version` reports the build it came from.
1414

15-
This guide reflects OpenWatch `v0.2.0-rc.14`, a pre-release. The compliance
15+
This guide reflects OpenWatch `v0.2.0-rc.17`, a pre-release. The compliance
1616
surface (scan execution + results, remediation, exceptions, posture/drift, audit
1717
export, the rule browser) IS exposed over `/api/v1`. See [the compliance API surface
1818
(now live)](#compliance-api-surface-now-live). The genuinely-absent pieces (a
@@ -279,7 +279,7 @@ curl -s --cacert /etc/openwatch/tls/ca.crt https://localhost:8443/api/v1/health
279279
```
280280

281281
```json
282-
{"status": "healthy", "db_connected": true, "version": "0.2.0-rc.14"}
282+
{"status": "healthy", "db_connected": true, "version": "0.2.0-rc.17"}
283283
```
284284

285285
`status` is `healthy` or `degraded`; the endpoint returns `503` when the service
@@ -356,7 +356,7 @@ configuration steps, see
356356

357357
## Compliance API surface (now live)
358358

359-
As of `v0.2.0-rc.14`, the compliance workflow IS exposed over `api/v1` (it is no
359+
As of `v0.2.0-rc.17`, the compliance workflow IS exposed over `api/v1` (it is no
360360
longer worker-internal only):
361361

362362
- **Scans**: trigger with `POST /api/v1/hosts/{id}/scans`; browse durable

docs/guides/MONITORING_SETUP.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -52,7 +52,7 @@ curl -k https://localhost:8443/api/v1/health
5252
A healthy response returns `200 OK`:
5353

5454
```json
55-
{"status": "healthy", "db_connected": true, "version": "0.2.0-rc.14"}
55+
{"status": "healthy", "db_connected": true, "version": "0.2.0-rc.17"}
5656
```
5757

5858
When the database ping fails, the endpoint returns `503 Service Unavailable`
@@ -74,7 +74,7 @@ curl -k https://localhost:8443/api/v1/version
7474

7575
```json
7676
{
77-
"openwatch": "0.2.0-rc.14",
77+
"openwatch": "0.2.0-rc.17",
7878
"kensa": "<embedded engine version>",
7979
"go": "<go toolchain>",
8080
"commit": "<abbrev commit>",

0 commit comments

Comments
 (0)