diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..1736cfe
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,3 @@
+# The Docs & Wizard team owns the Warlock day-to-day (see CONTRIBUTING.md).
+# Security team is consulted on security-sensitive changes but is not a code owner.
+* @PostHog/team-docs-wizard
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..5bd1279
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+version: 2
+updates:
+ # npm dependencies (currently just @virustotal/yara-x + dev tooling).
+ - package-ecosystem: npm
+ directory: "/"
+ schedule:
+ interval: weekly
+ open-pull-requests-limit: 5
+ # Wait 7 days before proposing newly published versions
+ cooldown:
+ default-days: 7
+ groups:
+ dev-dependencies:
+ dependency-type: development
+
+ # GitHub Actions used in our workflows – keeps pinned action SHAs current.
+ - package-ecosystem: github-actions
+ directory: "/"
+ schedule:
+ interval: weekly
+ open-pull-requests-limit: 5
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..62ff42b
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,38 @@
+name: CI
+
+on:
+ pull_request:
+ push:
+ branches: [main]
+
+permissions:
+ contents: read
+
+jobs:
+ test:
+ name: Test & build
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+ - name: Install pnpm
+ uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2.4.1
+ with:
+ version: 10
+ run_install: false
+
+ - name: Set up Node
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+ with:
+ node-version-file: '.nvmrc'
+ cache: 'pnpm'
+
+ - name: Install dependencies
+ run: pnpm install --frozen-lockfile
+
+ - name: Run tests
+ run: pnpm test
+
+ - name: Build
+ run: pnpm build
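Review bot: `version: 10` in the pnpm/action-setup step of ci.yml resolves to whatever the newest 10.x release is at run time, while every action in the same workflow is SHA-pinned and the install is `--frozen-lockfile`; the identical floating spec appears in the publish job of release.yml, so the test run and the npm publish can end up on different pnpm versions. Consider pinning pnpm as well, either through a `packageManager` field in package.json (action-setup reads it when `version` is omitted, as far as I recall) or an exact version string in both workflows, and let the github-actions/npm Dependabot entries keep it current. The floor matters because pnpm-workspace.yaml's `minimumReleaseAge` and the trusted-publishing flow in release.yml both depend on a recent pnpm.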
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..36a0227
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,76 @@
+name: 'Release'
+
+permissions:
+ contents: read
+
+on:
+ push:
+ branches: [main]
+ workflow_dispatch:
+
+# Only one release runs at a time. Prevents races when multiple PRs
+# merge close together.
+concurrency:
+ group: release
+ cancel-in-progress: false
+
+jobs:
+ release-please:
+ name: Open or update release PR / tag release
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ permissions:
+ contents: write
+ pull-requests: write
+ outputs:
+ release_created: ${{ steps.release.outputs.release_created }}
+ tag_name: ${{ steps.release.outputs.tag_name }}
+ steps:
+ - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
+ id: release
+ with:
+ config-file: release-please-config.json
+ manifest-file: .release-please-manifest.json
+
+ publish:
+ name: Publish to npm
+ needs: release-please
+ if: needs.release-please.outputs.release_created == 'true'
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ # Required reviewers for this environment are configured in the repo
+ # settings (Settings → Environments → Release): `@PostHog/team-docs-wizard`.
+ # GitHub notifies reviewers in-product and by email when a publish is pending.
+ environment: 'Release'
+ permissions:
+ contents: read
+ id-token: write # for npm OIDC trusted publishing + provenance
+ steps:
+ - name: Checkout release tag
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ ref: ${{ needs.release-please.outputs.tag_name }}
+
+ - name: Install pnpm
+ uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2.4.1
+ with:
+ version: 10
+ run_install: false
+
+ - name: Set up Node
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+ with:
+ node-version-file: '.nvmrc'
+ cache: 'pnpm'
+ registry-url: 'https://registry.npmjs.org'
+
+ - name: Install dependencies
+ run: pnpm install --frozen-lockfile
+
+ - name: Build
+ run: pnpm build
+
+ - name: Publish to npm (OIDC trusted publishing + provenance)
+ run: pnpm publish --access public --no-git-checks
+ env:
+ NPM_CONFIG_PROVENANCE: 'true'
diff --git a/.nvmrc b/.nvmrc
new file mode 100644
index 0000000..2bd5a0a
--- /dev/null
+++ b/.nvmrc
@@ -0,0 +1 @@
+22
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
new file mode 100644
index 0000000..466df71
--- /dev/null
+++ b/.release-please-manifest.json
@@ -0,0 +1,3 @@
+{
+ ".": "0.1.0"
+}
diff --git a/README.md b/README.md
index 64c08c5..4f839e2 100644
--- a/README.md
+++ b/README.md
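Review bot: The release-please step in the `release-please` job runs with the default `GITHUB_TOKEN` (no `token:` input is given), and pull requests created or updated by that token do not trigger `pull_request` workflows, so the release PR this workflow keeps open will, as far as I can tell, never get a ci.yml run of its own. If `main` requires the `Test & build` check, that PR cannot be merged; if it does not, the version bump merges without CI having run on the PR itself and only the earlier runs on `main` cover it. The common fix is to pass a GitHub App installation token or a fine-grained PAT through `with: token: ${{ secrets.RELEASE_PLEASE_TOKEN }}` (secret name constructed here), or, if relying on `main` being green is the intended model, to say so in a comment above the step so the next maintainer does not read the missing check as a failure. The `publish` job's `environment: 'Release'` gate and job-scoped `id-token: write` look right; the approval gate itself lives in repository settings outside this hunk.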
@@ -324,6 +324,24 @@ pnpm test:watch # run tests in watch mode pnpm build # compile TypeScript and copy rule files to dist/ ``` +## Releasing + +Releases follow the spirit of PostHog's [SDK release procedure](https://posthog.com/handbook/engineering/sdks/releases) – semi-automatic, with a human approval gate on the publish step and npm [OIDC trusted publishing](https://docs.npmjs.com/trusted-publishers) for the actual publish. Nobody runs `npm publish` by hand :) + +How it works: + +1. Land changes on `main` with [Conventional Commits](https://www.conventionalcommits.org/) messages (`fix:` → patch, `feat:` → minor, `feat!:` or a `BREAKING CHANGE:` footer → major). That's how [release-please](https://github.com/googleapis/release-please) knows what to bump. +2. release-please keeps a **release PR** open that bumps the version in `package.json` and updates `CHANGELOG.md`. It keeps updating itself as more commits land. +3. When you're ready to ship, review and merge that release PR. Merging it tags the release. +4. The publish job then waits for approval on the **`Release` GitHub Environment**. The Docs & Wizard team (`@PostHog/team-docs-wizard`) gets a pending-deployment notification in-product and by email. +5. Once approved, `@posthog/warlock` is published to npm via OIDC trusted publishing – no long-lived `NPM_TOKEN` anywhere. + +A few rules of thumb: + +- Don't bump the version in `package.json` by hand – release-please owns it. +- Doc-only / CI / test-only changes use `docs:`, `ci:`, `test:` prefixes and don't trigger a version bump. +- Anything user-facing should be `fix:` or `feat:` so it ends up in the release PR. + ## Contributing See [CONTRIBUTING.md](CONTRIBUTING.md) for the contribution process, review model, rule-writing guide, and category-addition policy. diff --git a/package.json b/package.json index d63f5a1..d47784d 100644 --- a/package.json +++ b/package.json 
@@ -1,9 +1,12 @@
{
"name": "@posthog/warlock",
- "version": "0.0.0",
+ "version": "0.1.0",
"description": "Security scanner for PostHog's agentic flows",
"license": "MIT",
- "private": true,
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/PostHog/warlock.git"
+ },
"type": "module",
"main": "dist/index.js",
"types": "dist/index.d.ts",
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 09a02ca..c40b97c 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -1,3 +1,7 @@
+packages:
+ - '.'
+# Refuse to install any dependency version published less than 7 days ago, requires pnpm >= 10.16.0.
+minimumReleaseAge: 10080
allowBuilds:
esbuild: true
onlyBuiltDependencies:
diff --git a/release-please-config.json b/release-please-config.json
new file mode 100644
index 0000000..e5ad9c7
--- /dev/null
+++ b/release-please-config.json
@@ -0,0 +1,11 @@
+{
+ "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+ "packages": {
+ ".": {
+ "release-type": "node",
+ "package-name": "@posthog/warlock",
+ "changelog-path": "CHANGELOG.md"
+ }
+ },
+ "include-component-in-tag": false
+}
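Review bot: Removing `"private": true` is what lets `pnpm publish` in release.yml push this package, but nothing in the visible lines of package.json constrains what goes into the tarball; a `files` allowlist, `.npmignore` or `publishConfig` block may exist further down, outside the hunk. Because the publish step now attaches provenance, the attestation will cover whatever lands in the tarball, so confirm a `files` list limited to the built output — `"files": ["dist"]`, given `"main": "dist/index.js"` and the README's note that the build copies rule files into `dist/` — so tests, CI config and local artifacts are not shipped. `npm pack --dry-run` on a checkout is a cheap way to verify the contents before the first real release. If `publishConfig.access: "public"` is set in package.json the `--access public` flag in release.yml becomes redundant; keep one source of truth.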
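Review bot: `minimumReleaseAge: 10080` is only honoured by pnpm >= 10.16.0, as the comment itself says, yet nothing pins that floor: an older pnpm 10.x (a developer's global install, for example) would presumably ignore the setting without error and install freshly published versions, quietly bypassing the cooldown that this line and Dependabot's 7-day `cooldown` are meant to enforce. Add an `engines.pnpm` constraint or a `packageManager` field in package.json (with `engine-strict` if the project uses `.npmrc`) so an unsupported pnpm fails loudly instead. The comment also runs well past 80 columns; consider splitting it into `# Refuse to install any dependency version published less than 7 days ago;` and `# requires pnpm >= 10.16.0. Matches the 7-day cooldown in .github/dependabot.yml.` so the relationship between the two windows is recorded next to the setting.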