Skip to content

docs: release-readiness sweep — spec + populate changelog, refresh guides, future-proof upgrade test#585

Merged
remyluslosius merged 3 commits into
mainfrom
docs/release-readiness-sweep
Jun 17, 2026
Merged

docs: release-readiness sweep — spec + populate changelog, refresh guides, future-proof upgrade test#585
remyluslosius merged 3 commits into
mainfrom
docs/release-readiness-sweep

Conversation

@remyluslosius

@remyluslosius remyluslosius commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Release-readiness docs + changelog sweep

Brings docs, the changelog, and the upgrade postscripts up to date for the
release, and specs the changelog format so entries stay human-readable.

Changelog is now specced and populated

  • New specs/release/changelog.spec.yaml (release-changelog): every entry is
    a user-facing sentence (>=5 words, no commit-subject prefix), Keep a Changelog
    categories, dated version sections, no emoji. Enforced by
    packaging/tests/changelog_test.go (source-inspection, AC-01..05), scoped to
    the actively-edited [Unreleased] section so history is grandfathered.
  • Registered in specter.yaml (108 specs total now).
  • Populated [Unreleased] with the post-rc.7 work in that style: Settings
    activation (users, notifications, security/SSO), per-host SSH auth/sudo
    learning, one-command safe upgrade, airgap + fresh-install fixes, and the
    pre-release security-hardening batch (fix(security): pre-release hardening batch — 8 SDD-specced fixes #584).

Docs refreshed to match main

  • docs/guides/SECURITY_HARDENING.md: removed the "not yet implemented"
    rate-limit/headers callout (those shipped in fix(security): pre-release hardening batch — 8 SDD-specced fixes #584). Documents auth rate
    limiting, CSRF double-submit, and security headers as live; notes always-on
    breach-password screening; adds an outbound-SSH persistent known-hosts
    subsection (migration 0036). Version line to the 0.2.0 rc series.
  • docs/engineering/install_guide.md: fixed the stale DEB version example
    (rc.5 -> rc.7) and added an Upgrading section documenting the
    one-command auto-migrate + pre-upgrade pg_dump + fail-safe flow and
    /etc/openwatch/upgrade.conf.

Upgrade postscripts: verified and made future-proof

  • The RPM/DEB upgrade scriptlets, openwatch-upgrade.sh, and dbbackup already
    match the release-upgrade spec; the Go gates (upgrade_test.go AC-01..07,
    dbbackup tests, the full packaging/tests build suite) pass.
  • Rewrote the container integration test (upgrade-container-test.sh +
    run-upgrade-container-test.sh) to stop hardcoding migration 34->35 and the
    host_connection_profile table — it broke the moment migration 0036 landed
    and would re-break on every new migration. The host driver now derives the
    head migration's goose version_id and its -- +goose Down SQL and passes them
    in; the test reverses exactly the head migration and asserts a generic
    prior->head advance. Also pinned the driver to the host RPM arch (a leftover
    cross-built arm64 RPM in dist/ was colliding in the container).
  • Validated end-to-end: a real rpm -U in rockylinux:9 ran the %post
    helper ($1=2), stopped the service, took a pg_dump restore point, applied
    0036 (35 -> 36), and restarted. RESULT: PASS.

Note on CLAUDE.md

CLAUDE.md was also refreshed locally (spec count 97 -> 108; current Go security
controls), but it is intentionally gitignored (do not commit, commit
7a73353), so that change stays local and is not part of this PR.

Not included

The three still-open PRs (#580 distro matrix, #582 SPA caching, #583 auth
redirect) are not yet on main, so they are not in [Unreleased]; each should
add its own changelog line on merge (now gated by release-changelog).

🤖 Generated with Claude Code

@remyluslosius
docs(changelog): spec a human-readable changelog + populate [Unreleased]
f9b2b07 
Add specs/release/changelog.spec.yaml (release-changelog): every entry is a
user-facing sentence (>=5 words, no commit-subject prefix), Keep a Changelog
categories, dated version sections, no emoji. Enforced by
packaging/tests/changelog_test.go (source-inspection, AC-01..05), scoped to
the actively-edited [Unreleased] section so history is grandfathered.

Populate [Unreleased] with the post-rc.7 work in that style: Settings
activation (users, notifications, security/SSO), per-host SSH auth/sudo
learning, one-command safe upgrade, airgap + fresh-install fixes, and the
pre-release security-hardening batch (#584).
@remyluslosius
docs: refresh hardening + install guides; de-hardcode upgrade test
9b9ded6 
- SECURITY_HARDENING.md: drop the 'not yet implemented' rate-limit/headers
  callout (shipped in #584); document auth rate limiting, CSRF, and security
  headers as live; note always-on breach screening; add an outbound-SSH
  persistent known-hosts subsection; version line to 0.2.0 rc series.
- install_guide.md: fix the stale DEB version example (rc.5 -> rc.7) and add an
  'Upgrading' section documenting the one-command auto-migrate + backup +
  fail-safe path and /etc/openwatch/upgrade.conf.
- upgrade-container-test.sh / run-upgrade-container-test.sh: stop hardcoding
  migration 34->35 and the host_connection_profile table. The host driver now
  derives the head migration's goose version_id and its -- +goose Down SQL and
  passes them in; the test reverses exactly the head migration and asserts a
  generic prior->head advance, so it survives every future migration.

(CLAUDE.md was also refreshed locally for AI sessions but is intentionally
gitignored per commit 7a73353, so it is not part of this commit.)
@remyluslosius
test(packaging): pin upgrade-test driver to the host RPM arch
5c4d576 
dist/ can hold a leftover cross-built arm64 RPM (the packaging Go suite
cross-builds it for AC-14), and the rockylinux:9 container runs the host
platform, so the previous `cp dist/openwatch-*-1.*.rpm` swept in both arches
and `rpm -i` collided on /usr/bin/openwatch. Glob a single host-arch RPM.

Validated end-to-end: the container test now passes — real `rpm -U` runs the
%post helper ($1=2), which stops the service, takes a pg_dump restore point,
applies the head migration (35 -> 36), and restarts.
@github-actions github-actions Bot added size/XL documentation Improvements or additions to documentation labels Jun 17, 2026
@remyluslosius remyluslosius merged commit eaa165d into main Jun 17, 2026
27 of 29 checks passed
@remyluslosius remyluslosius deleted the docs/release-readiness-sweep branch June 17, 2026 01:15
@remyluslosius remyluslosius mentioned this pull request Jun 17, 2026
Merged
remyluslosius added a commit that referenced this pull request Jun 17, 2026
@remyluslosius
ci: harden the rpmbuild install against flaky third-party apt repos (#…
20cc7a8 
…586)

The package-smoke and release builds install 'rpm' on the hosted ubuntu runner
with 'apt-get update && apt-get install -y rpm'. The hosted image preconfigures
third-party apt repos (packages.microsoft.com, azure-cli, dl.google.com) that
intermittently return 403 / 'no longer signed'; apt-get update fails as a whole
when any one repo errors, so an unrelated broken repo kills the step even though
rpm ships from the Ubuntu archive. This flaked PR #585's 'Package upgrade' and
package-smoke jobs (both passed on rerun).

Add .github/scripts/install-rpmbuild.sh, used by all three 'Install rpmbuild'
steps: it strips the unneeded third-party sources (matched by content, not
filename) and then updates + installs with a short retry for genuine transient
blips. Also add the script to package-smoke's path trigger so changes to it
re-run the smoke matrix.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation size/XL

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@remyluslosius