diff --git a/CHANGELOG.md b/CHANGELOG.md index 920ef7d..c94c80e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -11,7 +11,40 @@ versions follow [SemVer](https://semver.org/). > section **above** Unreleased, or remove the Unreleased block for the > release commit. Otherwise the GitHub release ships boilerplate. -## [Unreleased] +## [1.0.1] — 2026-05-19 + +Stability batch on top of v1.0.0 — three rounds of edge-case +hardening covered by 57 new tests (194 → 251), plus supply-chain +hardening on the publish pipeline (CycloneDX SBOM + signed SLSA +provenance attached to each release). No new features; no behavior +change for users on the golden path. Highlights: the LSP install +command now uses the universal `python -m pip` form so the official +Windows Python installer + corporate ExecutionPolicy combo stops +blocking first-run install; the welcome panel and status bar no +longer go stale after an LSP crash or workspace-folder removal; +`Scan workspace` against a dead LSP surfaces a real error instead of +a false-success toast; the rc → ga "What's new" toast actually fires +this time. + +### Security + +- **CycloneDX SBOM attached to each GitHub release.** The publish + workflow now scans `package-lock.json` via `anchore/sbom-action` + and uploads `pipeline-check--sbom.cdx.json` alongside the + `.vsix`. Downstream consumers can ingest it into their existing + vuln-management tooling without re-deriving the dep set from the + bundle. +- **Signed SLSA build provenance for each `.vsix`.** Emitted by + `actions/attest-build-provenance` using GitHub's OIDC token and + Sigstore's keyless flow. Consumers verify with + `gh attestation verify pipeline-check-.vsix --owner greylag-ci`. + Covers signing (no separate cosign step) and provenance in one + attestation. +- **`npm audit --omit=dev --audit-level=high` gate on the publish + workflow.** CI already runs this on every push; the publish-side + gate catches advisories that land between the merge to `main` and + the tag push, preventing a known-vulnerable build from shipping + during the window between merge and release. ### Changed 
diff --git a/package.json b/package.json index 66cd3f4..1b0c3b2 100644 --- a/package.json +++ b/package.json @@ -2,7 +2,7 @@ "name": "pipeline-check", "displayName": "Pipeline-Check", "description": "Lint CI/CD pipelines for 22 providers against OWASP Top 10 CI/CD Risks and 14 other compliance frameworks. 810+ rules, inline in your editor.", - "version": "1.0.0", + "version": "1.0.1", "publisher": "greylag-ci", "license": "MIT", "icon": "icon.png", diff --git a/src/extension.ts b/src/extension.ts index 2a14b5b..ac6dcaf 100644 --- a/src/extension.ts +++ b/src/extension.ts @@ -8,7 +8,7 @@ // position translation). // // The server itself lives upstream in `dmartinochoa/pipeline-check` -// under `pipeline_check/lsp/`; install via `pip install +// under `pipeline_check/lsp/`; install via `python -m pip install // "pipeline-check[lsp]"`. import * as vscode from "vscode";
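Review bot: in the CHANGELOG Security hunk, the two artifact names `pipeline-check--sbom.cdx.json` and `pipeline-check-.vsix` have lost their version segment (note the doubled and the dangling hyphen), so the literal command `gh attestation verify pipeline-check-.vsix --owner greylag-ci` will not match any uploaded file; fill in the real name or an explicit `<version>` placeholder before tagging. Two smaller points on the same entries: `--owner greylag-ci` accepts an attestation from any repository under that owner, so `--repo greylag-ci/<repo>` (with this extension's repository name, not given in the diff) pins verification to this project's publish workflow; and since the SBOM is generated from `package-lock.json` rather than from the shipped `.vsix`, state whether devDependencies are excluded (the `npm audit` gate uses `--omit=dev`, the SBOM step as described does not), otherwise downstream vuln-management tooling will raise advisories for packages that never ship in the bundle.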