
Commit 26d51ca

chore(audit-2026-05): apply org-uniform CI/release/README baseline
- Phase C: add .github/workflows/sync-release-branch.yml so release branch auto-tracks vX.Y.Z tags.
- Phase E: add .github/dependabot.yml with weekly cadence + correct ecosystems.
- Phase F: inject org-uniform README badge row + release-model section (idempotent markers).

See embeddedos-org/.github/STANDARDS.md for the canonical release model and tag scheme.

This commit is part of the 2026-05 production-readiness audit.
1 parent bb3accc commit 26d51ca

3 files changed

Lines changed: 165 additions & 6 deletions


.github/dependabot.yml

Lines changed: 71 additions & 6 deletions
@@ -1,10 +1,75 @@
1+
# Standard, org-uniform Dependabot configuration template.
2+
#
3+
# Each repo should drop this file at .github/dependabot.yml and uncomment the
4+
# ecosystem entries that apply. Keep weekly cadence so review backlogs stay
5+
# manageable. Auto-assigning all PRs to a single triage owner (@srpatcha)
6+
# prevents the "ten people CC'd, no one acts" failure mode.
7+
#
8+
# Reference template lives at embeddedos-org/.github/.github/dependabot-template.yml.
9+
110
version: 2
211
updates:
3-
- package-ecosystem: "github-actions"
4-
directory: "/"
12+
# GitHub Actions — every repo should keep this enabled.
13+
- package-ecosystem: github-actions
14+
directory: /
515
schedule:
6-
interval: "weekly"
7-
- package-ecosystem: "npm"
8-
directory: "/"
16+
interval: weekly
17+
day: monday
18+
open-pull-requests-limit: 5
19+
assignees:
20+
- srpatcha
21+
labels:
22+
- dependencies
23+
- github-actions
24+
25+
# Python — uncomment in repos with pyproject.toml or requirements.txt.
26+
# - package-ecosystem: pip
27+
# directory: /
28+
# schedule:
29+
# interval: weekly
30+
# day: monday
31+
# open-pull-requests-limit: 5
32+
# assignees:
33+
# - srpatcha
34+
# labels:
35+
# - dependencies
36+
# - python
37+
38+
# Node.js — uncomment in repos with package.json.
39+
- package-ecosystem: npm
40+
directory: /
941
schedule:
10-
interval: "weekly"
42+
interval: weekly
43+
day: monday
44+
open-pull-requests-limit: 5
45+
assignees:
46+
- srpatcha
47+
labels:
48+
- dependencies
49+
- npm
50+
51+
# Go — uncomment in repos with go.mod.
52+
# - package-ecosystem: gomod
53+
# directory: /
54+
# schedule:
55+
# interval: weekly
56+
# day: monday
57+
# open-pull-requests-limit: 5
58+
# assignees:
59+
# - srpatcha
60+
# labels:
61+
# - dependencies
62+
# - go
63+
64+
# Docker — uncomment in repos with Dockerfile.
65+
# - package-ecosystem: docker
66+
# directory: /
67+
# schedule:
68+
# interval: weekly
69+
# day: monday
70+
# open-pull-requests-limit: 3
71+
# assignees:
72+
# - srpatcha
73+
# labels:
74+
# - dependencies
75+
# - docker
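Review bot: the `github-actions` entry only delivers its supply-chain value if the workflows it watches pin actions to a full commit SHA rather than a floating tag such as the `actions/checkout@v4` used in the new workflow in this same commit; Dependabot bumps SHA pins and keeps the trailing version comment current, and the OpenSSF Scorecard badge this commit adds to README.md scores exactly that under its Pinned-Dependencies check. Smaller point: the header comment tells repos to "uncomment the ecosystem entries that apply", yet the `npm` block ships active while `pip`, `gomod` and `docker` ship commented out, so a repo that copies this template without a `package.json` will get a Dependabot error for a manifest it cannot find; consider commenting `npm` out in the template as well and enabling it per repo.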
.github/workflows/sync-release-branch.yml

Lines changed: 72 additions & 0 deletions
@@ -0,0 +1,72 @@
1+
name: sync-release-branch
2+
3+
# When a vMAJOR.MINOR.PATCH (or rc) tag is pushed to master, force-push that
4+
# exact commit to the `release` branch so `release` is always a rolling
5+
# pointer to the latest released tag. This is the org-uniform release model:
6+
#
7+
# master = line of development, every PR lands here.
8+
# release = exact commit of the latest released vX.Y.Z tag, updated only
9+
# by this workflow. Never push to release manually.
10+
# tags = immutable named snapshots created on master.
11+
#
12+
# Mirror of this file lives in embeddedos-org/.github/.github/workflows/sync-release-branch.yml.
13+
# Drift from that template should be considered a bug.
14+
15+
on:
16+
push:
17+
tags:
18+
- 'v[0-9]+.[0-9]+.[0-9]+'
19+
- 'v[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+'
20+
21+
permissions:
22+
contents: write
23+
24+
concurrency:
25+
group: sync-release-branch
26+
cancel-in-progress: false
27+
28+
jobs:
29+
sync:
30+
name: Force-push tag commit to release branch
31+
runs-on: ubuntu-latest
32+
steps:
33+
- name: Checkout tagged commit
34+
uses: actions/checkout@v4
35+
with:
36+
fetch-depth: 1
37+
ref: ${{ github.ref }}
38+
39+
- name: Compute target SHA
40+
id: target
41+
run: |
42+
sha=$(git rev-parse HEAD)
43+
echo "sha=$sha" >> "$GITHUB_OUTPUT"
44+
echo "Force-pushing $sha (from tag ${GITHUB_REF#refs/tags/}) to refs/heads/release"
45+
46+
- name: Force-push to release
47+
env:
48+
GH_TOKEN: ${{ github.token }}
49+
run: |
50+
set -euo pipefail
51+
# Try to update; if release doesn't exist, create it.
52+
if gh api "repos/${GITHUB_REPOSITORY}/git/refs/heads/release" >/dev/null 2>&1; then
53+
gh api -X PATCH "repos/${GITHUB_REPOSITORY}/git/refs/heads/release" \
54+
-f sha="${{ steps.target.outputs.sha }}" -F force=true >/dev/null
55+
echo "release fast-forwarded / force-updated"
56+
else
57+
gh api -X POST "repos/${GITHUB_REPOSITORY}/git/refs" \
58+
-f ref=refs/heads/release -f sha="${{ steps.target.outputs.sha }}" >/dev/null
59+
echo "release created"
60+
fi
61+
62+
- name: Summary
63+
run: |
64+
{
65+
echo "## release branch updated"
66+
echo ""
67+
echo "- tag: \`${GITHUB_REF#refs/tags/}\`"
68+
echo "- sha: \`${{ steps.target.outputs.sha }}\`"
69+
echo "- repo: \`${GITHUB_REPOSITORY}\`"
70+
echo ""
71+
echo "release branch now points at the same commit as the tag."
72+
} >> "$GITHUB_STEP_SUMMARY"
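Review bot: the header comment says the trigger is a tag "pushed to master", but the `on: push: tags:` filter only matches the tag name and the `fetch-depth: 1` checkout carries no branch history, so nothing in the job verifies that the tagged commit is actually on master before the "Force-push to release" step moves `release` to it; fetch master and gate the force-push on `git merge-base --is-ancestor "$sha" origin/master`, and back that with a tag ruleset so only the intended release owners can create `v*` tags. Related, the second pattern `v[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+` means pushing `v3.1.0-rc.1` after `v3.0.0` moves `release` from a released build to a pre-release, contradicting the comment that `release` is "the latest released vX.Y.Z tag"; either drop the rc pattern or have the job skip rc tags. Minor: `${{ steps.target.outputs.sha }}` is interpolated straight into two `run:` scripts; the value comes from `git rev-parse` so it is harmless here, but passing it via `env:` as is already done for `GH_TOKEN` keeps the workflow free of the expression-in-script pattern.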

README.md

Lines changed: 22 additions & 0 deletions
@@ -1,5 +1,14 @@
11
# EoS — Embedded Operating System Developer Portal
22

3+
<!-- begin: org-uniform badges (audit-2026-05) -->
4+
[![CI](https://github.com/embeddedos-org/embeddedos-org.github.io/actions/workflows/ci.yml/badge.svg)](https://github.com/embeddedos-org/embeddedos-org.github.io/actions/workflows/ci.yml)
5+
[![CodeQL](https://github.com/embeddedos-org/embeddedos-org.github.io/actions/workflows/codeql.yml/badge.svg)](https://github.com/embeddedos-org/embeddedos-org.github.io/actions/workflows/codeql.yml)
6+
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/embeddedos-org/embeddedos-org.github.io/badge)](https://securityscorecards.dev/viewer/?uri=github.com/embeddedos-org/embeddedos-org.github.io)
7+
[![Release](https://img.shields.io/github/v/tag/embeddedos-org/embeddedos-org.github.io?label=release&sort=semver)](https://github.com/embeddedos-org/embeddedos-org.github.io/releases)
8+
[![License](https://img.shields.io/github/license/embeddedos-org/embeddedos-org.github.io)](LICENSE)
9+
<!-- end: org-uniform badges (audit-2026-05) -->
10+
11+
312
<!-- BEGIN PLATFORMS -->
413
## v3.0.0 — Unified Production Release (2026-05-13)
514

@@ -189,6 +198,19 @@ If you discover a security vulnerability in any EmbeddedOS component, please rep
189198

190199
ISO/IEC/IEEE 15288:2023 · ISO/IEC 12207 · ISO/IEC 25000 · ISO/IEC 27001 · IEC 61508 · ISO 26262 · DO-178C · FIPS 140-3 · POSIX · WCAG 2.1 · NTIA SBOM · SPDX · CycloneDX · OpenChain
191200

201+
<!-- begin: release-model (audit-2026-05) -->
202+
## Release model
203+
204+
`master` is the line of development; every PR lands here. `release` is a
205+
rolling pointer to the latest released `vX.Y.Z` tag, updated automatically
206+
by [`.github/workflows/sync-release-branch.yml`](.github/workflows/sync-release-branch.yml).
207+
Tags are immutable.
208+
209+
See [embeddedos-org/.github/STANDARDS.md](https://github.com/embeddedos-org/.github/blob/master/STANDARDS.md)
210+
for the org-wide tag scheme, release model, and the compliance frameworks
211+
every product targets.
212+
<!-- end: release-model (audit-2026-05) -->
213+
192214
## License
193215

194216
MIT License — see [LICENSE](LICENSE) for details.
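Review bot: the new section states that `release` is updated automatically and that tags are immutable, but it omits the rule carried in the workflow's own header comment, "Never push to release manually", and says nothing about who may create `vX.Y.Z` tags; since the workflow force-pushes `release` to whatever commit a matching tag names, this paragraph should say that tag creation is restricted (or point to the part of STANDARDS.md that says so), otherwise "immutable" over-promises. The workflow also moves `release` on `-rc.N` tags, which the "latest released `vX.Y.Z` tag" wording here does not reflect; align the two once the rc behaviour is decided.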
