Skip to content

docs(changelog): per-version keep-a-changelog entries (RAN-61) #83

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
aksOps merged 1 commit into from
Apr 26, 2026
Merged

docs(changelog): per-version keep-a-changelog entries (RAN-61) #83

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
143 changes: 126 additions & 17 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,30 +1,139 @@
# Changelog

Curated release notes for each version are published on
**[GitHub Releases](https://github.com/RandomCodeSpace/docsiq/releases)**.
All notable changes to **docsiq** are documented in this file.

Every release includes:
The format is based on [Keep a Changelog 1.1.0](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning 2.0.0](https://semver.org/spec/v2.0.0.html).
Each release is identified by an immutable `vX.Y.Z` git tag.

- A human-readable summary of changes (the release body).
- A `CHANGELOG.md` asset attached to the release, containing the same
curated notes.
- Signed binaries (cosign keyless + Rekor), a signed `SHA256SUMS`, and
SLSA build provenance.
## How releases are produced

## Release procedure

Release notes are provided at release time, not maintained in-repo:
Releases are cut by the manual
[`release.yml`](.github/workflows/release.yml) workflow:

```sh
gh workflow run release.yml --ref main \
-f bump=patch \
-f notes=$'### Changed\n\n- Describe major changes...\n\n### Upgrade impact\n\nDrop-in replacement — no schema/API changes.'
```

The workflow uses the `notes` input verbatim as the release body and
also uploads it as `CHANGELOG.md` on the release page. The repository
never auto-commits a CHANGELOG entry — this file is static.
The workflow uses the `notes` input verbatim as the GitHub Release body
and uploads it as `CHANGELOG.md` on the release page. Each release ships
signed binaries (cosign keyless via Sigstore + Rekor anchoring), a signed
`SHA256SUMS`, and SLSA build provenance.

This in-repo file is the canonical, human-curated history. The matching
GitHub Release page for each `vX.Y.Z` tag carries the same notes plus the
signed artifacts and verification snippet.

## [Unreleased]

No unreleased changes.

## [0.0.3] — 2026-04-23

Supply-chain hardening: complete OpenSSF Best Practices passing tier and
flip the published Scorecard signal up.

### Added
- `.bestpractices.json` so the OpenSSF Best Practices badge tracks
project [12628](https://www.bestpractices.dev/en/projects/12628)
automatically. ([#45])
- Governance and community files (`SECURITY.md`, `CODE_OF_CONDUCT.md`,
`CONTRIBUTING.md`, issue / PR templates) to flip the remaining
Best Practices criteria to Met. ([#46])
- Initial `CHANGELOG.md` and the rest of the missing Best Practices
criteria (release-notes pointer, vulnerability-report instructions,
build documentation pointers). ([#48])

### Changed
- Release signing path: switched to `goreleaser` to expose a
`Packaging` signal to OSSF Scorecard, then dropped it again because
prebuilt-binary signing is a goreleaser Pro feature. The current
release path is inline `cosign sign-blob` + `gh release create`,
preserving keyless signing without the Pro dependency.
([#43], [#50])
- CI hygiene: dropped `push: main` triggers from the `ci` and `fuzz`
workflows. Both still run on PRs and on the relevant scheduled jobs;
this removes ~2 minutes from each merge while keeping branch
protection coverage intact. ([#47])

### Fixed
- CodeQL path/command-injection findings closed by adding
`filepath.IsLocal` sanitisers on user-supplied path inputs in the
loader and crawler boundaries. ([#44])
- `TestScale_1000Notes` flake on macOS — dropped macOS from the test
matrix (Linux-only CI is sufficient for the supported targets;
darwin-arm64 builds are still produced in the release matrix).
([#49])

[#43]: https://github.com/RandomCodeSpace/docsiq/pull/43
[#44]: https://github.com/RandomCodeSpace/docsiq/pull/44
[#45]: https://github.com/RandomCodeSpace/docsiq/pull/45
[#46]: https://github.com/RandomCodeSpace/docsiq/pull/46
[#47]: https://github.com/RandomCodeSpace/docsiq/pull/47
[#48]: https://github.com/RandomCodeSpace/docsiq/pull/48
[#49]: https://github.com/RandomCodeSpace/docsiq/pull/49
[#50]: https://github.com/RandomCodeSpace/docsiq/pull/50

## [0.0.2] — 2026-04-23

Small CI-only follow-up to v0.0.1. No user-facing behaviour changes.

### Changed
- OpenSSF Scorecard workflow cadence: `scorecard.yml` now runs on
release completion and on a weekly schedule, instead of firing on
every push to `main`. The policy being scored is unchanged; this
trims noise from re-scoring commits that don't move any
scorecard-visible state. ([#42])

### Upgrade impact
Safe drop-in upgrade from v0.0.1. No API, CLI, or on-disk schema
changes — replace the binary in place.

[#42]: https://github.com/RandomCodeSpace/docsiq/pull/42

## [0.0.1] — 2026-04-23

First non-beta release of docsiq after an extended beta phase. This
release establishes the feature set and API surface that subsequent
0.0.x patches maintain back-compat against.

### Added
- **GraphRAG indexing pipeline** — five-phase ingestion: chunk →
extract entities + relationships + claims → community-detect
(Louvain) → embed → persist.
- **Document loaders** — PDF (langchaingo), DOCX, TXT, Markdown, and a
polite web crawler with `robots.txt` + allow-list + MIME checks.
- **Multi-provider LLM layer** — Azure OpenAI, OpenAI, and Ollama
behind a single `internal/llm` abstraction (langchaingo
underneath).
- **Hybrid query engine** — local search (vector + FTS5) plus global
search (community-summary).
- **Surfaces** — CLI (`docsiq index|search|serve`), REST API, MCP
server, and an embedded React SPA served by `docsiq serve`.
- **Storage** — single SQLite file with `sqlite_fts5` + `sqlite-vec`
for vector search. No external DB to deploy.

### Security
- Release binaries signed with [cosign](https://github.com/sigstore/cosign)
keyless via Sigstore and anchored to the Rekor transparency log.
- Signed `SHA256SUMS` published with each release, with verification
instructions attached.
- SLSA build provenance (`.intoto.jsonl`) accompanies the binaries.

### Known limitations
- Darwin support is limited to `arm64`; `amd64` binaries are not
built (cgo + sqlite-vec cross-compile complexity).
- Pre-1.0: APIs and on-disk schema are not yet frozen.

### Upgrade impact
No previous stable release exists — this is v0.0.1. Users upgrading
from `v0.0.0-beta.*` should start with a fresh data directory; the
schema is the same as the final beta but the beta tags have been
retired.

The project follows
[Semantic Versioning](https://semver.org/spec/v2.0.0.html) and each
release is identified by its immutable `vX.Y.Z` tag.
[Unreleased]: https://github.com/RandomCodeSpace/docsiq/compare/v0.0.3...HEAD
[0.0.3]: https://github.com/RandomCodeSpace/docsiq/releases/tag/v0.0.3
[0.0.2]: https://github.com/RandomCodeSpace/docsiq/releases/tag/v0.0.2
[0.0.1]: https://github.com/RandomCodeSpace/docsiq/releases/tag/v0.0.1
Loading