Commit 94cced2

chore(release): bump to 0.4.1
Hardening release after the 0.4.0 public OSS launch: OSSF Scorecard, dependency review, PR labeler, advisory MCP pin freshness on pull requests, public-repo settings applied (visibility, branch protection, tag ruleset, Dependabot), and documentation refresh. No plugin behavior versions changed.
1 parent 641bf8e commit 94cced2

4 files changed

Lines changed: 24 additions & 3 deletions

CHANGELOG.md

Lines changed: 21 additions & 0 deletions
@@ -12,6 +12,27 @@ The format follows Keep a Changelog, and marketplace/plugin versions follow Sema
1212

1313
### Security
1414

15+
## [0.4.1] - 2026-05-19
16+
17+
### Added
18+
19+
- `.github/workflows/scorecard.yml`: OpenSSF Scorecard analysis on weekly schedule, on push to `main`, on branch protection rule changes, and on `workflow_dispatch`. Uploads SARIF to the GitHub Security tab and publishes results to `scorecard.dev`. Pinned `ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3`.
20+
- `.github/workflows/dependency-review.yml`: blocks pull requests that introduce dependencies with high-severity vulnerabilities or licenses outside the AGPL-3.0-or-later compatible allow-list. Pinned `actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0`.
21+
- `.github/workflows/labeler.yml` and `.github/labeler.yml`: PR auto-labeling by changed paths for ci-cd / scripts / plugin / docs / tests / serena-memories / release / security / system areas. Pinned `actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0`.
22+
- README badge for OpenSSF Scorecard.
23+
- Public-repo settings applied via GitHub API: repository visibility public, `admin:org`-level branch protection on `main` with 9 required status checks, repository tag ruleset blocking deletion/update/non-fast-forward push of SemVer release tags (admin bypass), repository description, homepage, topics, merge policy (squash + rebase, no merge commits, delete branch on merge, allow update branch), Dependabot vulnerability alerts, and Dependabot automated security updates.
24+
25+
### Changed
26+
27+
- `validate.yml` MCP runtime pin freshness job now runs without `--fail-on-outdated` so a stale pin produces an advisory step summary instead of blocking pull request merges. The `dependency-check.yml` workflow continues to fail on stale pins, providing a maintainer-visible signal without coupling it to the pull request gate.
28+
- `README.md`, `CONTRIBUTING.md`, and `SECURITY.md` describe the OpenSSF Scorecard, Dependency Review, Labeler, gitleaks history scan, branch protection state, and tag ruleset.
29+
30+
### Security
31+
32+
- Full git history scanned with `gitleaks` 8.30.1 prior to the public visibility switch: 190 commits, 0 leaks found.
33+
- GitHub branch protection on `main` enforces strict required status checks (9 jobs), linear history, no force pushes, no deletions, and requires conversation resolution. Maintainer keeps admin access (`enforce_admins: false`).
34+
- GitHub tag ruleset protects `[0-9]*.[0-9]*.[0-9]*` and `[0-9]*.[0-9]*.[0-9]*-*` tags from deletion, update, and non-fast-forward push.
35+
1536
## [0.4.0] - 2026-05-19
1637

1738
### Added
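Review bot: the `### Security` context heading at line 13 now sits directly above the inserted `## [0.4.1] - 2026-05-19` heading with only a blank line between them, so the section it belongs to ends in an empty `### Security` subsection; either drop that heading until it has an entry or move it below the new release block. Two smaller points inside the inserted block: the `--fail-on-outdated` change listed under `### Changed` relaxes a supply-chain gate (a stale MCP runtime pin no longer blocks pull request merges), so it reads more honestly under `### Security` next to the branch-protection entries; and the `enforce_admins: false` entry means the nine required status checks can be bypassed by the maintainer, which is worth stating in the same sentence as "strict required status checks" so readers do not over-read the guarantee.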

VERSION

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
0.4.0
1+
0.4.1

pyproject.toml

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
[project]
22
name = "rldyour-codex"
3-
version = "0.4.0"
3+
version = "0.4.1"
44
description = "Personal Codex marketplace with rldyour plugins, MCP servers, skills, hooks, and SDLC tooling."
55
readme = "README.md"
66
requires-python = ">=3.13,<3.14"
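Review bot: the release version is now carried in three places in this commit (`VERSION`, `version = "0.4.1"` here, and the `## [0.4.1]` changelog heading) with nothing in the diff that checks they agree; consider having the release tooling derive one from another or add a consistency check so a future bump cannot update two of the three. The one-line `uv.lock` change listed below is not rendered, so it cannot be confirmed here that it is only the lock's own entry for `rldyour-codex`; running `uv lock --locked` in CI would fail the build if the lock and this `pyproject.toml` ever drift.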

uv.lock

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default.
