Skip to content

Harden release integrity, licensing, and provenance#11

Open
masarray wants to merge 42 commits into
mainfrom
hardening/release-integrity
Open

Harden release integrity, licensing, and provenance#11
masarray wants to merge 42 commits into
mainfrom
hardening/release-integrity

Conversation

@masarray

Copy link
Copy Markdown
Owner

Summary

  • replaces stale hard-coded About version/build/license text with the executable informational version, build commit, GPL-3.0-or-later status, historical boundary, commercial-license boundary, source links, and evidence limitations
  • regenerates Quick Start and User Manual PDFs deterministically under the current GPL release line and validates their extracted text
  • adds exact SOURCE.md corresponding-source identity, immutable commit archive URL, CycloneDX 1.5 SBOM, checksum coverage, build/source/tested-merge commit separation, and embedded package provenance
  • verifies package legal files, source offer, SBOM, EXE version, embedded wording, required PDFs, and optional Authenticode status
  • blocks public release publication until Windows signing secrets are configured, and adds GitHub build attestations for the package and SBOM
  • validates Pages changes on pull requests and smoke-tests the deployed public site for the expected GPL/version state
  • versions the CLA, identifies the Licensor, adds future CLA/DCO enforcement, expands asset and dependency provenance, and preserves the historical boundary with annotated tag license-boundary/apache-2.0-final
  • pins critical GitHub Actions to reviewed revisions and aligns security scope with the receive-only product surface

Local validation

  • deterministic PDF regeneration check
  • public wording and PDF extraction validation
  • repository health gate
  • clean restore
  • Release build
  • full test suite: 54/54 passed

Release decision

Do not publish v1.4.0-beta.2 until this PR is merged, the deployed Pages smoke test passes, a fresh Windows candidate passes package verification, and the Authenticode certificate secrets are configured. Pull-request candidates may remain unsigned and are not official signed releases.

Contribution licensing

  • I have read and affirmatively accept CONTRIBUTOR-LICENSE-AGREEMENT.md (CLA Version 1.0, effective 2026-07-17)
  • I have the legal right and any required employer or organizational authorization to submit this contribution
  • Every commit includes Signed-off-by: Name <email> under the DCO
  • Any third-party material is identified with its license and provenance

masarray and others added 30 commits July 17, 2026 16:08
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
masarray added 12 commits July 17, 2026 17:02
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
Signed-off-by: Ari Sulistiono <admin@arisulistiono.com>
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant