RubyGems - carson - Versions diffs - 2.16.1 → 2.17.1 - Mend

carson 2.16.1 → 2.17.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/RELEASE.md +24 -0
data/VERSION +1 -1
data/lib/carson/config.rb +1 -1
data/templates/.github/.mega-linter.yml +24 -0
data/templates/.github/workflows/carson-lint.yml +1 -0
metadata +2 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1489c32c54a8efbec17c73bc909ab85070f74946c610f24367e9df3efba32323
-  data.tar.gz: 1158faec2bdaa9e3bf8d3efc8dcdeace7cbe80507b864513f89e4bc335e89065
+  metadata.gz: d65e5e487eef845979a9d198caa500ba17464cd944a19fe0eed72920eabe5c0b
+  data.tar.gz: 84cc21d8a7b499e69918410c69c78573a6c6d58b0b83e395ad2d4303bec90f6c
 SHA512:
-  metadata.gz: 13a4e277f985f23f18651c1b697f5293b66cd2bbb335d76ad8d28ec0b0a4c87bf50fdbdcc09e8b23cd717ade089ba060de557646f21850465c2866b25d90b798
-  data.tar.gz: 0460adf85975e4ead6b8ab3a2f86aafe630589542274cd175204b118d368c646efbd98725090e6f89cd4b4e904d63d2be9256276b9da0372e7b5b39561a8b216
+  metadata.gz: dbc24993812dc8bed85be6493a85386cf8038ef265c842c23bc428779cd215eedb7f8a642cbcddfed04722b26ebdeae57d7609944d2a439fc7322035c458d357
+  data.tar.gz: 681e8626a1e3185df143b4a2202d4633bb5d25c58c7f3a74debe6459fed95d49a194edca27d3f09792cbe43a7d7b65199c4e3eca5c846dbe4d887cefa7171464

data/RELEASE.md CHANGED Viewed

@@ -5,6 +5,30 @@ Release-note scope rule:
 - `RELEASE.md` records only version deltas, breaking changes, and migration actions.
 - Operational usage guides live in `MANUAL.md` and `API.md`.
+## 2.17.1 — Disable IaC Security Scanners
+### What changed
+- Disabled `REPOSITORY_CHECKOV` and `REPOSITORY_KICS` in the MegaLinter config template. Both are IaC security scanners that flag Carson's own workflow permissions (`issues: write`, `pull-requests: write`) as overly permissive — but MegaLinter needs these to post PR comments. Same false positive in every governed repo.
+### No migration required
+Run `carson refresh` — the updated template propagates automatically.
+## 2.17.0 — MegaLinter Configuration Template
+### What changed
+- Added `.mega-linter.yml` as a Carson-managed template, deployed to `.github/.mega-linter.yml` in governed repositories. Previously MegaLinter ran with its own defaults, ignoring project-level configs and producing thousands of false positives.
+- **Project configs first**: `LINTER_RULES_PATH: "."` tells MegaLinter to use project-root config files (`.rubocop.yml`, `.eslintrc`, etc.) instead of built-in defaults. Fixes the RuboCop indentation mismatch.
+- **Vendor exclusions**: `FILTER_REGEX_EXCLUDE` skips `vendor/`, `node_modules/`, `public/packs`, `public/assets`, `tmp/`, `log/`, and `coverage/`.
+- **Noisy linters disabled**: `SPELL_CSPELL` (needs per-project dictionary), `COPYPASTE_JSCPD` (false positives on generated code), `HTML_DJLINT` (designed for Jinja, not ERB).
+- Updated `carson-lint.yml` workflow with `MEGALINTER_CONFIG: .github/.mega-linter.yml` to point MegaLinter at the non-default config location.
+### Migration
+Run `carson refresh` — the new template is applied automatically and propagated to governed repos.
 ## 2.16.1 — Template Propagation Cleanup Fix
 ### What changed

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 2.16.1
1	+ 2.17.1

data/lib/carson/config.rb CHANGED Viewed

@@ -48,7 +48,7 @@ module Carson
 					}
 				},
 				"template" => {
-					"managed_files" => [ ".github/carson.md", ".github/copilot-instructions.md", ".github/CLAUDE.md", ".github/AGENTS.md", ".github/pull_request_template.md", ".github/workflows/carson-lint.yml" ],
+					"managed_files" => [ ".github/carson.md", ".github/copilot-instructions.md", ".github/CLAUDE.md", ".github/AGENTS.md", ".github/pull_request_template.md", ".github/workflows/carson-lint.yml", ".github/.mega-linter.yml" ],
 					"superseded_files" => [ ".github/carson-instructions.md" ]
 				},
 				"lint" => {

data/templates/.github/.mega-linter.yml ADDED Viewed

@@ -0,0 +1,24 @@
+# Carson-managed MegaLinter configuration.
+# Pushed to governed repositories by `carson template apply`.
+# To override, add entries to a local .mega-linter.yml — MegaLinter merges both.
+# Use project-root linter configs (.rubocop.yml, .eslintrc, etc.)
+# instead of MegaLinter's built-in defaults.
+LINTER_RULES_PATH: "."
+# Only lint changed files on PRs, not the entire codebase.
+VALIDATE_ALL_CODEBASE: false
+# Exclude vendored, generated, and dependency directories.
+FILTER_REGEX_EXCLUDE: "(vendor/|node_modules/|public/packs|public/assets|tmp/|log/|coverage/)"
+# Disable linters that are too noisy without per-project configuration.
+# checkov and kics are IaC security scanners — they flag Carson's own
+# workflow permissions (issues: write, pull-requests: write) as overly
+# permissive, but MegaLinter needs these to post PR comments.
+DISABLE_LINTERS:
+  - SPELL_CSPELL
+  - COPYPASTE_JSCPD
+  - HTML_DJLINT
+  - REPOSITORY_CHECKOV
+  - REPOSITORY_KICS

data/templates/.github/workflows/carson-lint.yml CHANGED Viewed

@@ -18,5 +18,6 @@ jobs:
           fetch-depth: 0
       - uses: oxsecurity/megalinter@v8
         env:
+          MEGALINTER_CONFIG: .github/.mega-linter.yml
           VALIDATE_ALL_CODEBASE: false
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: carson
 version: !ruby/object:Gem::Version
-  version: 2.16.1
+  version: 2.17.1
 platform: ruby
 authors:
 - Hailei Wang
@@ -63,6 +63,7 @@ files:
 - lib/carson/runtime/review/utility.rb
 - lib/carson/runtime/setup.rb
 - lib/carson/version.rb
+- templates/.github/.mega-linter.yml
 - templates/.github/AGENTS.md
 - templates/.github/CLAUDE.md
 - templates/.github/carson.md