
Commit 8c46245

Prep release v0.3.0
- CHANGELOG.md: promote Unreleased to 0.3.0 with today's date and a full summary of the signing, SBOM, attestation, installer, docs, and Go-cleanup changes shipping in this release.
- README.md and docs/install.sh: bump the version pinning examples from v0.1.6 / v0.2.0 to v0.3.0.
- CONTRIBUTING.md: update the release process examples to reference v0.3.0 instead of v0.2.0.
- docs/install.test.sh intentionally still pins TEST_VERSION to v0.2.0 to exercise the installer's legacy-release soft-skip path (v0.2.0 predates cosign signing).
1 parent 3e3df0d commit 8c46245

4 files changed

Lines changed: 85 additions & 16 deletions


CHANGELOG.md

Lines changed: 70 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,74 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
## [0.3.0] — 2026-04-15
11+
12+
### Added
13+
- Cosign keyless signing of every release's `checksums.txt`, published
14+
as `checksums.txt.sigstore` (Sigstore bundle format). Signing identity
15+
is the release workflow, the OIDC issuer is GitHub Actions, and the
16+
signing event is logged to the public Rekor transparency log.
17+
- Per-archive SPDX JSON Software Bill of Materials (SBOM) generated by
18+
syft and attached to each GitHub Release.
19+
- SLSA build-provenance attestation for `checksums.txt` via
20+
`actions/attest-build-provenance`, queryable with
21+
`gh attestation verify`.
22+
- `docs/install.sh` now performs best-effort Cosign signature
23+
verification of `checksums.txt` when `cosign` is on `PATH`, and
24+
refuses to install when `TRUESTAMP_REQUIRE_COSIGN=1` is set and
25+
verification fails or the bundle is missing.
26+
- `--help` / `-h` flag on `docs/install.sh` so
27+
`curl … | sh -s -- --help` prints the env-var reference.
28+
- `docs/install.test.sh` end-to-end installer smoke test, wired into
29+
CI alongside shellcheck.
30+
- `govulncheck` step in CI catches Go stdlib and dependency
31+
vulnerabilities on every push.
32+
- `SECURITY.md`, `CONTRIBUTING.md`, and `CODE_OF_CONDUCT.md`.
33+
- README sections for verifying a download, pinning a specific
34+
version, config-file permissions, and exit codes.
35+
- Package-level godoc on every `internal/*` package.
36+
- `cmd/timestamp_test.go` table-driven tests for the new
37+
`--timestamp` ISO 8601 validator.
38+
- `cosign`, `shellcheck`, and `syft` to `.tool-versions` so
39+
`mise install` bootstraps every tool the repo uses.
40+
- `-buildvcs=true` build flag so `go version -m` on the released
41+
binary reports the source commit.
42+
43+
### Changed
44+
- Homebrew cask updates now land via a pull request to
45+
`truestamp/homebrew-tap` instead of a direct push to `main`,
46+
reducing the blast radius of the publish token.
47+
- `--timestamp` values are validated locally and normalised to UTC
48+
RFC 3339 before being sent to the API, rejecting bad inputs with a
49+
clear local error.
50+
- Every `uses:` reference in the GitHub Actions workflows is pinned to
51+
a full commit SHA with a version comment for Dependabot.
52+
- `cmd/verify.go` no longer calls `os.Exit`; failures propagate as
53+
errors. A silent-mode sentinel keeps `verify --silent` exit-code 1
54+
without producing any output.
55+
- Duplicate file-picker and table-style helpers in `cmd/` consolidated
56+
into `internal/ui` (`PickFile`, `LabelValueStyleFunc`).
57+
- HTTP calls now accept a `context.Context` end to end, plumbed from
58+
each Cobra `cmd.Context()`.
59+
- Contributor-facing content moved out of `README.md` into
60+
`CONTRIBUTING.md`; the README is now focused on install and use.
61+
62+
### Fixed
63+
- Removed an unreachable init-time `panic` in `internal/proof/binary.go`
64+
that could only fire for an impossible CBOR option combination.
65+
- Replaced the `":pick"` / `":prompt"` flag sentinels with NUL-byte
66+
values so that a filename like `:pick` can never collide with the
67+
picker trigger.
68+
69+
### Security
70+
- All release artifacts now have a cryptographically verifiable chain
71+
of custody: signed Sigstore bundle → `checksums.txt` SHA-256 →
72+
platform archives. Tampering anywhere in that chain is detected.
73+
- The `HOMEBREW_TAP_GITHUB_TOKEN` PAT is expected to be fine-grained,
74+
scoped to `truestamp/homebrew-tap` only, with
75+
`Contents: Read and write` + `Pull requests: Read and write`. The
76+
previous classic-PAT guidance has been corrected.
77+
1078
## [0.2.0] — 2026-04-15
1179

1280
### Added
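Review bot: the new `[0.3.0]` heading is dated 2026-04-15, the same date the `[0.2.0]` entry directly below it already carries; if both releases genuinely shipped the same day that is fine, but since the commit message says the date was set to "today's", please double-check one of them is not stale. Separately, the Added bullet for Cosign keyless signing describes the identity only as "the release workflow" and the issuer as "GitHub Actions", whereas someone running `cosign verify-blob` needs the literal values to pass to `--certificate-identity` and `--certificate-oidc-issuer`; consider stating them here or pointing at the README section on verifying a download that this same entry mentions, so the check is not reduced to "some GitHub workflow signed this".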
@@ -55,6 +123,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
55123
v0.1.0 is the first release of a standalone Go codebase; the two share
56124
nothing beyond the repository name.
57125

58-
[Unreleased]: https://github.com/truestamp/truestamp-cli/compare/v0.2.0...HEAD
126+
[Unreleased]: https://github.com/truestamp/truestamp-cli/compare/v0.3.0...HEAD
127+
[0.3.0]: https://github.com/truestamp/truestamp-cli/releases/tag/v0.3.0
59128
[0.2.0]: https://github.com/truestamp/truestamp-cli/releases/tag/v0.2.0
60129
[0.1.0]: https://github.com/truestamp/truestamp-cli/releases/tag/v0.1.0

CONTRIBUTING.md

Lines changed: 12 additions & 12 deletions
@@ -84,7 +84,7 @@ Move entries from `## [Unreleased]` into a new section for the version you're ab
8484
```md
8585
## [Unreleased]
8686

87-
## [0.2.0] — 2026-04-20
87+
## [0.3.0] — 2026-04-20
8888

8989
### Added
9090
- ...
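Review bot: the walkthrough example now names the version being shipped (`0.3.0`), which means this file has to be edited on every release just to keep the sample current, as the five CONTRIBUTING hunks in this very commit show. A neutral placeholder such as `X.Y.Z` / `vX.Y.Z` with a "substitute the version you are cutting" note would remove that churn and avoid a contributor copy-pasting a stale version number.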
@@ -95,7 +95,7 @@ Move entries from `## [Unreleased]` into a new section for the version you're ab
9595
This repo is a jj colocated workspace. Commit the CHANGELOG edit as a normal change and advance `main`:
9696

9797
```sh
98-
jj describe -m "Prep release v0.2.0"
98+
jj describe -m "Prep release v0.3.0"
9999
jj bookmark move main --to @
100100
jj git push --bookmark main
101101
```
@@ -105,8 +105,8 @@ jj git push --bookmark main
105105
jj does not create annotated tags itself — use the git CLI in the same working copy (the jj repo is colocated with `.git/`):
106106

107107
```sh
108-
git tag -a v0.2.0 -m "v0.2.0 - one-line summary of the headline change"
109-
git push origin v0.2.0
108+
git tag -a v0.3.0 -m "v0.3.0 - one-line summary of the headline change"
109+
git push origin v0.3.0
110110
```
111111

112112
The tag must point at the exact commit that `main` now holds, and must start with `v` so GoReleaser's trigger (`push: tags: ['v*']`) fires.
@@ -118,7 +118,7 @@ run_id=$(gh run list --workflow=release.yml --limit 1 --json databaseId -q '.[].
118118
gh run watch "$run_id" --exit-status
119119

120120
# Verify artifacts landed.
121-
gh release view v0.2.0 --json tagName,assets -q '{tag: .tagName, assets: (.assets | length)}'
121+
gh release view v0.3.0 --json tagName,assets -q '{tag: .tagName, assets: (.assets | length)}'
122122

123123
# Confirm the tap cask updated.
124124
gh api repos/truestamp/homebrew-tap/contents/Casks/truestamp-cli.rb -q '.content' | base64 -d | head
@@ -138,13 +138,13 @@ xattr -cr "$(brew --caskroom)/truestamp-cli" # macOS Gatekeeper, first run onl
138138
truestamp version
139139

140140
# Go install.
141-
go install github.com/truestamp/truestamp-cli/cmd/truestamp@v0.2.0
141+
go install github.com/truestamp/truestamp-cli/cmd/truestamp@v0.3.0
142142
truestamp version
143143

144144
# Direct tarball.
145145
os=$(uname -s | tr A-Z a-z)
146146
arch=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
147-
curl -sSL "https://github.com/truestamp/truestamp-cli/releases/download/v0.2.0/truestamp-cli_0.2.0_${os}_${arch}.tar.gz" | tar -xz
147+
curl -sSL "https://github.com/truestamp/truestamp-cli/releases/download/v0.3.0/truestamp-cli_0.3.0_${os}_${arch}.tar.gz" | tar -xz
148148
./truestamp version
149149
```
150150

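Review bot: the direct-tarball smoke test pipes `curl -sSL ... | tar -xz` straight to extraction without checking the archive against `checksums.txt` or the new Sigstore bundle, so a maintainer following this section exercises none of the verification this release introduces; the `-f` flag is also missing here, unlike the README's `curl -fsSL`, so a 404 would feed an HTML error body into `tar`. Suggest downloading the archive and `checksums.txt` to disk, running `sha256sum -c --ignore-missing checksums.txt` (or the cosign bundle check `docs/install.sh` performs), and only then extracting.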
@@ -153,13 +153,13 @@ curl -sSL "https://github.com/truestamp/truestamp-cli/releases/download/v0.2.0/t
153153
GoReleaser is mostly idempotent, but a partial failure (for example a tap push rejected) leaves the GitHub Release in place while the tap cask is out of date. To redo cleanly:
154154

155155
```sh
156-
gh release delete v0.2.0 -y
157-
git push origin :refs/tags/v0.2.0
158-
git tag -d v0.2.0
156+
gh release delete v0.3.0 -y
157+
git push origin :refs/tags/v0.3.0
158+
git tag -d v0.3.0
159159

160160
# Fix the problem in a new commit, push to main, then retag from the fixed commit.
161-
git tag -a v0.2.0 -m "v0.2.0 - ..."
162-
git push origin v0.2.0
161+
git tag -a v0.3.0 -m "v0.3.0 - ..."
162+
git push origin v0.3.0
163163
```
164164

165165
Do **not** re-tag a version that has already propagated to `proxy.golang.org` — the proxy caches tagged module versions forever. Bump the patch version (`v0.2.1`) instead.
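Review bot: the closing sentence still gives `v0.2.1` as the patch-bump example while every other version in this file was moved to v0.3.0; for consistency it should read `v0.3.1`. Also, the redo recipe deletes the GitHub Release and re-tags, but the Rekor transparency-log entry from the first signing run is permanent, so after a redo there will be two logged signatures for `checksums.txt` of the same tag; a sentence saying this is expected, and that the bundle attached to the surviving release is the one to verify against, would save the next maintainer some confusion.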

README.md

Lines changed: 1 addition & 1 deletion
@@ -22,7 +22,7 @@ The script detects your OS/architecture (darwin/linux × amd64/arm64), resolves
2222
Pin a specific version:
2323

2424
```sh
25-
curl -fsSL https://get.truestamp.com/install.sh | TRUESTAMP_VERSION=v0.1.6 sh
25+
curl -fsSL https://get.truestamp.com/install.sh | TRUESTAMP_VERSION=v0.3.0 sh
2626
```
2727

2828
Install to a custom directory:
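Review bot: the pinned-version example is the natural place to show strict verification, e.g. `curl -fsSL https://get.truestamp.com/install.sh | TRUESTAMP_VERSION=v0.3.0 TRUESTAMP_REQUIRE_COSIGN=1 sh`, since the CHANGELOG in this commit says signature verification is best-effort unless that variable is set; a reader who pins a version is usually the same reader who wants a hard failure on a missing or bad bundle.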

docs/install.sh

Lines changed: 2 additions & 2 deletions
@@ -8,7 +8,7 @@
88
# curl -fsSL https://get.truestamp.com/install.sh | sh
99
#
1010
# Environment variables (all optional):
11-
# TRUESTAMP_VERSION Tag to install, e.g. v0.2.0. Defaults to latest.
11+
# TRUESTAMP_VERSION Tag to install, e.g. v0.3.0. Defaults to latest.
1212
# TRUESTAMP_INSTALL_DIR Install target dir. Defaults to /usr/local/bin
1313
# or ~/.local/bin.
1414
# TRUESTAMP_SKIP_CHECKSUM Set to 1 to skip SHA-256 verification. Debug only.
@@ -53,7 +53,7 @@ Usage:
5353
curl -fsSL https://get.truestamp.com/install.sh | sh -s -- --help
5454
5555
Environment variables (all optional):
56-
TRUESTAMP_VERSION Tag to install, e.g. v0.2.0. Defaults to latest.
56+
TRUESTAMP_VERSION Tag to install, e.g. v0.3.0. Defaults to latest.
5757
TRUESTAMP_INSTALL_DIR Install target dir. Defaults to /usr/local/bin
5858
or ~/.local/bin.
5959
TRUESTAMP_SKIP_CHECKSUM Set to 1 to skip SHA-256 verification. Debug only.
