From 0ea9bcfe0a4225308135f4165071c17320a74aa1 Mon Sep 17 00:00:00 2001
From: szymonmaszke
Date: Thu, 31 Jul 2025 20:05:04 +0200
Subject: [PATCH 1/2] fix: improve descriptions
Signed-off-by: szymonmaszke
---
 CODEOWNERS | 2 ++
 README.md | 2 +-
 SECURITY-SELF-ASSESSMENT.md | 21 +++++++++++++++------
 pyproject.toml | 3 ++-
 src/comver/_version.py | 3 ++-
 5 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/CODEOWNERS b/CODEOWNERS
index 1014e9c..d0468c6 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -6,3 +6,5 @@
 # Define the code owners for the repository manually
 # See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
 # for more information
+
+* @szymonmaszke
diff --git a/README.md b/README.md
index 408ddfb..7c363ca 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ SPDX-License-Identifier: Apache-2.0

- Commit-based semantic versioning — verifiable, immutable, and tag-free.
+ Commit-based semantic versioning - highly configurable and tag-free.

diff --git a/SECURITY-SELF-ASSESSMENT.md b/SECURITY-SELF-ASSESSMENT.md
index a3b4c73..5cf762c 100644
--- a/SECURITY-SELF-ASSESSMENT.md
+++ b/SECURITY-SELF-ASSESSMENT.md
@@ -56,11 +56,15 @@ Source: https://tag-security.cncf.io/community/assessments/guide/self-assessment
 ## Overview
-Commit-based semantic versioning — verifiable, immutable, and tag-free.
+Commit-based semantic versioning - highly configurable and tag-free.
 ### Background
-TBD
+Tool creating versions directly from commits (no tag creation, no tag usage),
+which makes it largely immutable.
+
+Usable with any language as long as the project is git based, but
+created in and tailored largely towards Python.
 ### Actors
@@ -69,15 +73,18 @@ TBD
 ### Actions
-TBD
+- All security features are provided by
+ [opentemplate](https://github.com/open-nudge/opentemplate) [](templateskip)
 ### Goals
-TBD
+Making [semantic versioning](https://semver.org/) more reliable
+and flexible by introducing double versioning scheme.
 ### Non-goals
-TBD
+Changing current software versioning standards; this project looks to build
+upon them and improve the weak points.
 ## Self-assessment use
@@ -147,7 +154,9 @@ file.
 ### Incident response
-TBD
+As defined in [`SECURITY.md`](https://github.com/open-nudge/cogeol/blob/master/SECURITY.md#reporting-a-vulnerability.),
+usually response should take up to a few working days, if not please reach out
+at `security@opennudge.com`.
 ## Appendix
diff --git a/pyproject.toml b/pyproject.toml
index e1c6794..3907cc8 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -14,7 +14,7 @@ requires = [
 [project]
 name = "comver"
-description = "Commit-based semantic versioning — verifiable, immutable, and tag-free."
+description = "Commit-based semantic versioning - highly configurable and tag-free."
 readme = "README.md"
 license = "Apache-2.0"
@@ -426,6 +426,7 @@ ignore_undeclared = [
 ]
 ignore_unused = [
+ "hatchling",
 "basedpyright",
 "cairosvg",
 "cffconvert",
diff --git a/src/comver/_version.py b/src/comver/_version.py
index be994df..a375442 100644
--- a/src/comver/_version.py
+++ b/src/comver/_version.py
@@ -511,7 +511,8 @@ def from_message( # noqa: PLR0913
 if unrecognized_message == "error":
 raise error.MessageUnrecognizedError(message)
- return version
+ # Based on hypothesis testing this line may not run
+ return version # pragma: no cover
 @classmethod
 def from_string(cls, version: str) -> Version:
From 8e59cfc7897d7f7d67ea2162a2f6a7e15c41ff09 Mon Sep 17 00:00:00 2001
From: szymonmaszke
Date: Thu, 31 Jul 2025 20:17:52 +0200
Subject: [PATCH 2/2] feat: add another point to the 'why' section
Signed-off-by: szymonmaszke
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 7c363ca..4dee152 100644
--- a/README.md
+++ b/README.md
@@ -73,6 +73,8 @@ Semantic versioning based on Git tags has a few limitations:
 [__Double versioning scheme__](https://open-nudge.github.io/comver/tutorials/why); one version for technical changes, another for public releases is a viable mitigation.
+- Tag creation by `bot`s (e.g. during automated releases) lead to problems
+ with `branch protection` (see [here](https://github.com/orgs/community/discussions/25305)).
 - Not all commits are relevant for release versions (e.g., CI changes, bot updates, or tooling config), yet many schemes count them in. With filtering, `comver` can exclude
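Review bot: The comment added above `return version` in the `_version.py` hunk records a test observation ("may not run") rather than the invariant that makes the line unreachable, and the `# pragma: no cover` then drops the line from coverage on that hedged basis. If the line really is unreachable because every earlier branch returns or raises, state that, e.g. `# Unreachable: every message kind is handled above; kept only as a fall-through for the type checker`. Alternatively replace the fall-through with `raise AssertionError("unreachable")` so a future regression fails loudly instead of silently returning a version that was never built. If instead `unrecognized_message` accepts values other than `"error"` (the equality check suggests it may), the fall-through is reachable for those values and should be tested rather than excluded. I cannot confirm either reading from this hunk because the body of from_message starts outside it.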