diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 3d9e512..356ba51 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -23,9 +23,7 @@ - [ ] `socket_basics/version.py` updated to new version - [ ] `pyproject.toml` `version:` field updated to match -- [ ] `action.yml` `image:` ref updated to `docker://ghcr.io/socketdev/socket-basics:` *(auto-updated by `publish-docker.yml` after v2.0.0; manual update required only for the initial v2.0.0 release)* -- [ ] `CHANGELOG.md` `[Unreleased]` section reviewed *(note: this content is replaced by auto-generated release notes when the tag fires — see [docs/releasing.md](../docs/releasing.md#changelog-and-release-notes))* +- [ ] `action.yml` `image:` ref updated to `docker://ghcr.io/socketdev/socket-basics:` *(auto-updated by `publish-docker.yml` +- [ ] `CHANGELOG.md` `[Unreleased]` section reviewed -> ⚠️ **After merging:** run `publish-docker.yml` via `workflow_dispatch` with the new version -> **before** creating the git tag. The image must exist in GHCR before the tag is pushed. -> See [docs/releasing.md](../docs/releasing.md) for the full process. +> See [docs/releasing.md](../docs/releasing.md) for the full release process. diff --git a/CHANGELOG.md b/CHANGELOG.md index 53e43ce..a5e7cdc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,207 +4,9 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). -> **Versioning note:** Releases through `1.1.3` used bare semver tags (e.g. `1.1.3`). -> Starting with `v2.0.0` the project uses a `v` prefix (e.g. `v2.0.0`). Floating major -> tags (`v2`) are intentionally not published — immutable version tags and SHA pinning -> are the recommended consumption pattern for a security tool. - --- ## [Unreleased] -## [2.0.2] - 2026-03-22 - - - - - -**Full Changelog**: https://github.com/SocketDev/socket-basics/compare/v2.0.1...v2.0.2 -## [2.0.0] - 2026-03-20 - - - -## What's Changed -### 🔧 Other Changes -* feat: 🐳 multi-stage Docker builds, immutable release pipeline, `CHANGELOG` automation by @lelia in https://github.com/SocketDev/socket-basics/pull/46 -* fix(ci): add conventional commit prefixes to Dependabot config by @lelia in https://github.com/SocketDev/socket-basics/pull/53 -* fix(ci): support breaking change indicator (!) 
in commit-lint pattern by @lelia in https://github.com/SocketDev/socket-basics/pull/54 -* fix(ci): accept full tag name in workflow_dispatch, drop auto-v-prefix by @lelia in https://github.com/SocketDev/socket-basics/pull/55 -* feat!: switch to pre-built GHCR images by @lelia in https://github.com/SocketDev/socket-basics/pull/48 - - -**Full Changelog**: https://github.com/SocketDev/socket-basics/compare/1.1.3...v2.0.0 -## [1.1.3] - 2026-03-03 - -### Added -- Smoke test Docker workflow with scheduled runs every 12 hours ([#41]) -- `pytest` GitHub Actions workflow for Python unit tests ([#42]) -- Structured findings added to webhook payload ([#38]) - -### Fixed -- Slack and MS Teams notifiers not reading URL from dashboard config ([#37]) - -[#37]: https://github.com/SocketDev/socket-basics/pull/37 -[#38]: https://github.com/SocketDev/socket-basics/pull/38 -[#41]: https://github.com/SocketDev/socket-basics/pull/41 -[#42]: https://github.com/SocketDev/socket-basics/pull/42 - -## [1.1.2] - 2026-03-02 - -### Changed -- Bump Trivy from `v0.67.2` to `v0.69.2` ([#39]) -- `CODEOWNERS` updated with new team name ([#36]) - -[#36]: https://github.com/SocketDev/socket-basics/pull/36 -[#39]: https://github.com/SocketDev/socket-basics/pull/39 - -## [1.1.0] - 2026-02-20 - -### Fixed -- Jira dashboard config params not reaching notifier ([#22]) -- Notifiers reading repo/branch from wrong source ([#30]) -- GitHub PR comment enhancement and layout improvements ([#26]) - -### Changed -- `CODEOWNERS` updated to reference new GHEC team name ([#33]) - -[#22]: https://github.com/SocketDev/socket-basics/pull/22 -[#26]: https://github.com/SocketDev/socket-basics/pull/26 -[#30]: https://github.com/SocketDev/socket-basics/pull/30 -[#33]: https://github.com/SocketDev/socket-basics/pull/33 - -## [1.0.29] - 2026-02-19 - -### Added -- `SKIP_SOCKET_SUBMISSION` and `SKIP_SOCKET_REACH` environment variables for Node.js - Socket CLI integration ([#29]) - -### Changed -- Pin TruffleHog to known-good 
version tag ([#32]) -- Enrich OpenGrep alerts with full vulnerability metadata and detailed reports ([#28]) - -[#28]: https://github.com/SocketDev/socket-basics/pull/28 -[#29]: https://github.com/SocketDev/socket-basics/pull/29 -[#32]: https://github.com/SocketDev/socket-basics/pull/32 - -## [1.0.28] - 2026-02-06 - -### Changed -- Dependency upgrades and internal maintenance ([#27]) - -[#27]: https://github.com/SocketDev/socket-basics/pull/27 - -## [1.0.27] - 2026-02-06 - -### Added -- Dockerfile auto-discovery workflow pattern documentation ([#25]) -- `scan_type` parameter added to full scan API calls ([#24]) - -[#24]: https://github.com/SocketDev/socket-basics/pull/24 -[#25]: https://github.com/SocketDev/socket-basics/pull/25 - -## [1.0.26] - 2026-01-20 - -### Fixed -- Empty CLI string defaults no longer override env/API config ([#17]) - -### Changed -- Bump `urllib3` from `2.5.0` to `2.6.3` ([#21]) - -[#17]: https://github.com/SocketDev/socket-basics/pull/17 -[#21]: https://github.com/SocketDev/socket-basics/pull/21 - -## [1.0.25] - 2025-10-28 - -### Fixed -- Regression in rule name detection ([#15]) - -[#15]: https://github.com/SocketDev/socket-basics/pull/15 - -## [1.0.24] - 2025-10-28 - -### Fixed -- Hard-coded detection for Golang ([#14]) - -[#14]: https://github.com/SocketDev/socket-basics/pull/14 - -## [1.0.23] - 2025-10-28 - -### Changed -- Improve default SAST ruleset ([#13]) - -[#13]: https://github.com/SocketDev/socket-basics/pull/13 - -## [1.0.21] - 2025-10-24 - -### Fixed -- Caching result fix ([#12]) - -[#12]: https://github.com/SocketDev/socket-basics/pull/12 - -## [1.0.20] - 2025-10-24 - -### Fixed -- Restore Node.js and Socket CLI in container ([#11]) - -[#11]: https://github.com/SocketDev/socket-basics/pull/11 - -## [1.0.10] - 2025-10-22 - -### Changed -- Updated examples with PR check and commit hash pinning ([#9]) - -[#9]: https://github.com/SocketDev/socket-basics/pull/9 - -## [1.0.9] - 2025-10-22 - -### Added -- Action inputs for configuring 
scan behavior ([#8]) - -### Fixed -- Documentation and version check issues ([#7]) - -[#7]: https://github.com/SocketDev/socket-basics/pull/7 -[#8]: https://github.com/SocketDev/socket-basics/pull/8 - -## [1.0.3] - 2025-10-21 - -### Added -- GitHub token support in `action.yml` ([#3]) - -### Fixed -- `action.yml` configuration issues ([#3]) -- Documentation link ([#5]) - -[#3]: https://github.com/SocketDev/socket-basics/pull/3 -[#5]: https://github.com/SocketDev/socket-basics/pull/5 - -## [1.0.2] - 2025-10-20 - -### Fixed -- Initial Trivy + Socket results integration fixes ([#2]) - -[#2]: https://github.com/SocketDev/socket-basics/pull/2 - ---- - [Unreleased]: https://github.com/SocketDev/socket-basics/compare/v2.0.2...HEAD -[2.0.2]: https://github.com/SocketDev/socket-basics/compare/v2.0.0...v2.0.2 -[2.0.0]: https://github.com/SocketDev/socket-basics/compare/1.1.3...v2.0.0 -[1.1.3]: https://github.com/SocketDev/socket-basics/compare/1.1.2...1.1.3 -[1.1.2]: https://github.com/SocketDev/socket-basics/compare/1.1.0...1.1.2 -[1.1.0]: https://github.com/SocketDev/socket-basics/compare/1.0.29...1.1.0 -[1.0.29]: https://github.com/SocketDev/socket-basics/compare/1.0.28...1.0.29 -[1.0.28]: https://github.com/SocketDev/socket-basics/compare/1.0.27...1.0.28 -[1.0.27]: https://github.com/SocketDev/socket-basics/compare/1.0.26...1.0.27 -[1.0.26]: https://github.com/SocketDev/socket-basics/compare/1.0.25...1.0.26 -[1.0.25]: https://github.com/SocketDev/socket-basics/compare/1.0.24...1.0.25 -[1.0.24]: https://github.com/SocketDev/socket-basics/compare/1.0.23...1.0.24 -[1.0.23]: https://github.com/SocketDev/socket-basics/compare/1.0.21...1.0.23 -[1.0.21]: https://github.com/SocketDev/socket-basics/compare/1.0.20...1.0.21 -[1.0.20]: https://github.com/SocketDev/socket-basics/compare/1.0.10...1.0.20 -[1.0.10]: https://github.com/SocketDev/socket-basics/compare/1.0.9...1.0.10 -[1.0.9]: https://github.com/SocketDev/socket-basics/compare/1.0.3...1.0.9 -[1.0.3]: 
https://github.com/SocketDev/socket-basics/compare/1.0.2...1.0.3 -[1.0.2]: https://github.com/SocketDev/socket-basics/commits/1.0.2 diff --git a/README.md b/README.md index e131ffb..edd4151 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ jobs: - name: Run Socket Basics # Pin to a commit SHA for supply-chain safety. # Dependabot will keep this up to date automatically — see docs/github-action.md. - uses: SocketDev/socket-basics@ # v2.0.0 + uses: SocketDev/socket-basics@ # v2.0.2 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: diff --git a/docs/github-action.md b/docs/github-action.md index cec53ce..3297c12 100644 --- a/docs/github-action.md +++ b/docs/github-action.md @@ -43,7 +43,7 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Socket Basics - uses: SocketDev/socket-basics@v2.0.0 + uses: SocketDev/socket-basics@v2.0.2 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -57,7 +57,7 @@ With just your `SOCKET_SECURITY_API_KEY`, all scanning configurations are manage ### How the action is currently built -When you reference `uses: SocketDev/socket-basics@v2.0.0`, GitHub Actions builds the +When you reference `uses: SocketDev/socket-basics@v2.0.2`, GitHub Actions builds the `Dockerfile` from source at the start of every workflow run. As of `1.1.3` the Dockerfile uses a **multi-stage build** with BuildKit cache mounts, which provides two categories of improvement: @@ -147,7 +147,7 @@ enforces tag protection rules). SHA pinning is still preferable for defence in depth. ```yaml -- uses: SocketDev/socket-basics@v2.0.0 +- uses: SocketDev/socket-basics@v2.0.2 with: socket_security_api_key: ${{ secrets.SOCKET_SECURITY_API_KEY }} ``` 
@@ -206,7 +206,7 @@ Include these in your workflow's `jobs..permissions` section. **SAST (Static Analysis):** ```yaml -- uses: SocketDev/socket-basics@v2.0.0 +- uses: SocketDev/socket-basics@v2.0.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} # Enable SAST for specific languages @@ -220,7 +220,7 @@ Include these in your workflow's `jobs..permissions` section. **Secret Scanning:** ```yaml -- uses: SocketDev/socket-basics@v2.0.0 +- uses: SocketDev/socket-basics@v2.0.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} secret_scanning_enabled: 'true' @@ -232,7 +232,7 @@ Include these in your workflow's `jobs..permissions` section. **Container Scanning:** ```yaml -- uses: SocketDev/socket-basics@v2.0.0 +- uses: SocketDev/socket-basics@v2.0.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} # Scan Docker images (auto-enables container scanning) @@ -243,7 +243,7 @@ Include these in your workflow's `jobs..permissions` section. **Socket Tier 1 Reachability:** ```yaml -- uses: SocketDev/socket-basics@v2.0.0 +- uses: SocketDev/socket-basics@v2.0.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_tier_1_enabled: 'true' @@ -252,7 +252,7 @@ Include these in your workflow's `jobs..permissions` section. ### Output Configuration ```yaml -- uses: SocketDev/socket-basics@v2.0.0 +- uses: SocketDev/socket-basics@v2.0.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} python_sast_enabled: 'true' @@ -288,7 +288,7 @@ Configure Socket Basics centrally from the [Socket Dashboard](https://socket.dev **Enable in workflow:** ```yaml -- uses: SocketDev/socket-basics@v2.0.0 +- uses: SocketDev/socket-basics@v2.0.2 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: 
@@ -300,7 +300,7 @@ Configure Socket Basics centrally from the [Socket Dashboard](https://socket.dev > **Note:** You can also pass credentials using environment variables instead of the `with:` section: > ```yaml -> - uses: SocketDev/socket-basics@v2.0.0 +> - uses: SocketDev/socket-basics@v2.0.2 > env: > SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }} > with: @@ -318,7 +318,7 @@ All notification integrations require Socket Enterprise. **Slack Notifications:** ```yaml -- uses: SocketDev/socket-basics@v2.0.0 +- uses: SocketDev/socket-basics@v2.0.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_org: ${{ secrets.SOCKET_ORG }} @@ -330,7 +330,7 @@ All notification integrations require Socket Enterprise. **Jira Issue Creation:** ```yaml -- uses: SocketDev/socket-basics@v2.0.0 +- uses: SocketDev/socket-basics@v2.0.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_org: ${{ secrets.SOCKET_ORG }} @@ -345,7 +345,7 @@ All notification integrations require Socket Enterprise. **Microsoft Teams:** ```yaml -- uses: SocketDev/socket-basics@v2.0.0 +- uses: SocketDev/socket-basics@v2.0.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_org: ${{ secrets.SOCKET_ORG }} @@ -357,7 +357,7 @@ All notification integrations require Socket Enterprise. **Generic Webhook:** ```yaml -- uses: SocketDev/socket-basics@v2.0.0 +- uses: SocketDev/socket-basics@v2.0.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_org: ${{ secrets.SOCKET_ORG }} @@ -369,7 +369,7 @@ All notification integrations require Socket Enterprise. **SIEM Integration:** ```yaml -- uses: SocketDev/socket-basics@v2.0.0 +- uses: SocketDev/socket-basics@v2.0.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} socket_org: ${{ secrets.SOCKET_ORG }} 
@@ -405,7 +405,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Socket Basics - uses: SocketDev/socket-basics@v2.0.0 + uses: SocketDev/socket-basics@v2.0.2 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -451,7 +451,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Full Security Scan - uses: SocketDev/socket-basics@v2.0.0 + uses: SocketDev/socket-basics@v2.0.2 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -505,7 +505,7 @@ jobs: run: docker build -t myapp:${{ github.sha }} . - name: Scan Container - uses: SocketDev/socket-basics@v2.0.0 + uses: SocketDev/socket-basics@v2.0.2 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -568,7 +568,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Socket Basics - uses: SocketDev/socket-basics@v2.0.0 + uses: SocketDev/socket-basics@v2.0.2 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -620,7 +620,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Socket Basics - uses: SocketDev/socket-basics@v2.0.0 + uses: SocketDev/socket-basics@v2.0.2 env: GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }} with: @@ -713,7 +713,7 @@ env: ```yaml steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - Must be first - - uses: SocketDev/socket-basics@v2.0.0 + - uses: SocketDev/socket-basics@v2.0.2 ``` ### PR Comments Not Appearing diff --git a/pyproject.toml b/pyproject.toml index f6decde..e2dfcf9 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -1,6 +1,6 @@ [project] name = "socket_basics" -version = "2.0.0" +version = "2.0.2" description = "Socket Basics with integrated SAST, secret scanning, and container analysis" readme = "README.md" requires-python = ">=3.10" diff --git a/scripts/update_changelog.py b/scripts/update_changelog.py index d577940..4ce45ec 100755 --- a/scripts/update_changelog.py +++ b/scripts/update_changelog.py @@ -65,10 +65,11 @@ def _insert_release_section(content: str, version: str, date: str, notes: str) - new_section = f"\n## [{version}] - {date}\n\n{notes.strip()}\n" # Match the [Unreleased] heading through to (but not including) the next ## heading + # or end of headings (handles a clean changelog with no prior version entries). unreleased_pattern = re.compile( r"(## \[Unreleased\][^\n]*\n)" # the heading line r"(.*?)" # any existing [Unreleased] content - r"(?=## \[)", # stop before the next ## [ section + r"(?=## \[|\Z)", # stop before next ## [ section or end of string re.IGNORECASE | re.DOTALL, ) match = unreleased_pattern.search(content) diff --git a/socket_basics/version.py b/socket_basics/version.py index 8c0d5d5..0309ae2 100644 --- a/socket_basics/version.py +++ b/socket_basics/version.py @@ -1 +1 @@ -__version__ = "2.0.0" +__version__ = "2.0.2"
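Review bot: The new lookahead `(?=## \[|\Z)` in the scripts/update_changelog.py hunk still matches `## [` at any column, not only at a line start, so a `### [x]` sub-heading or a literal `## [` inside a bullet under [Unreleased] ends the captured section early, which the updated comment ("stop before next ## [ section") does not reflect. Anchoring that alternative to a line start fixes it: `r"(?=^## \[|\Z)",  # stop before next ## [ heading or end of string` together with `re.IGNORECASE | re.DOTALL | re.MULTILINE,` so that `^` matches after each newline. The added `\Z` alternative itself is sound for the empty-history case the comment describes, since `(.*?)` under DOTALL can otherwise run to the end of input without a following heading. `_insert_release_section` starts before the hunk and continues after it, so how a `None` match is handled is not visible here.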