@oddessentials/repo-standards 3.0.0 → 3.1.0

package/dist/config/standards.go.azure-devops.json

@@ -121,7 +121,7 @@
             "stage": "release"
           }
         },
-        "description": "Use MAJOR.MINOR.PATCH versioning with clear rules and automated changelog generation based on commit history.",
+        "description": "Use MAJOR.MINOR.PATCH versioning with clear rules and automated changelog generation based on commit history. Maintain a single canonical version source (for example, package.json or VERSION) that all release artifacts use.",
         "id": "semantic-versioning",
         "label": "Semantic Versioning",
         "stack": {
@@ -133,8 +133,44 @@
             "goreleaser",
             "semantic-release"
           ],
-          "notes": "Go uses git tags for versioning (v1.2.3 format). Use goreleaser for automated releases with changelog generation. Tag versions consistently.",
-          "verification": "Check that git tags follow vMAJOR.MINOR.PATCH format and goreleaser or similar tool generates releases and changelogs."
+          "notes": "Go uses git tags (v1.2.3) as the canonical version source. Use goreleaser for automated releases with changelog generation and publish GitHub/Docker artifacts from the same tag.",
+          "optionalFiles": [
+            ".goreleaser.yml",
+            "CHANGELOG.md"
+          ],
+          "requiredScripts": [
+            "release"
+          ],
+          "verification": "Check that git tags follow vMAJOR.MINOR.PATCH format and goreleaser or similar tooling generates releases and changelogs."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "stage": "release"
+          }
+        },
+        "description": "Use a single CI release pipeline that publishes all artifacts (GitHub releases, packages, containers) from the same canonical version source.",
+        "id": "unified-release-workflow",
+        "label": "Unified Release Workflow",
+        "stack": {
+          "exampleConfigFiles": [
+            ".github/workflows/release.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleTools": [
+            "goreleaser",
+            "docker buildx"
+          ],
+          "notes": "Use a single release pipeline (goreleaser or equivalent) to publish GitHub releases and Docker images from the same git tag.",
+          "optionalFiles": [
+            ".goreleaser.yml",
+            "CHANGELOG.md"
+          ],
+          "requiredScripts": [
+            "release"
+          ],
+          "verification": "Trigger the release pipeline and confirm all artifacts share the same version number and tag."
         }
       },
       {
@@ -143,10 +179,17 @@
             "stage": "quality"
           }
         },
-        "description": "Enforce structured commit messages such as Conventional Commits.",
+        "description": "Enforce structured commit messages such as Conventional Commits via commit-msg hooks and CI. This is required for deterministic versioning and changelog generation.",
         "id": "commit-linting",
         "label": "Commit Linting",
         "stack": {
+          "anyOfFiles": [
+            "commitlint.config.js",
+            "commitlint.config.cjs",
+            "commitlint.config.mjs",
+            "commitlint.config.json",
+            ".cz.toml"
+          ],
           "exampleConfigFiles": [
             "commitlint.config.js",
             ".cz.toml"
@@ -155,8 +198,11 @@
             "commitlint",
             "commitizen"
           ],
-          "notes": "Use commitlint with pre-commit hooks for enforcing Conventional Commits. Consistent with goreleaser changelog generation.",
-          "verification": "Test that non-conforming commit messages are rejected by the configured hooks or CI check."
+          "notes": "Use commitlint with commit-msg or pre-commit hooks plus a CI check. Conventional Commits keep goreleaser changelog generation deterministic.",
+          "requiredScripts": [
+            "commitlint"
+          ],
+          "verification": "Test that non-conforming commit messages are rejected by the configured hooks and CI check."
         }
       },
       {
@@ -265,7 +311,7 @@
             "stage": "quality"
           }
         },
-        "description": "Use static type checking to catch errors before runtime and enforce strictness on new code.",
+        "description": "Use static type checking to catch errors before runtime and enforce strictness on new code. For JS/TS stacks, require a TypeScript-first policy with strict mode and a CI typecheck step; allow JSDoc/checkJs migration for legacy JS.",
         "id": "type-checking",
         "label": "Type Checking",
         "stack": {
@@ -313,6 +359,93 @@
           "verification": "go.sum is present; run 'govulncheck ./...' to verify security scanning."
         }
       },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "stage": "build"
+          }
+        },
+        "description": "Ensure builds are reproducible by pinning dependencies, base images, and tool/runtime versions. Avoid network/time variance and fail when lockfiles drift.",
+        "id": "deterministic-builds",
+        "label": "Deterministic & Hermetic Builds",
+        "stack": {
+          "exampleConfigFiles": [
+            "go.sum",
+            "go.mod",
+            ".go-version"
+          ],
+          "exampleTools": [
+            "go env -w GOPROXY=off",
+            "go mod download"
+          ],
+          "notes": "Use go.sum for deterministic module versions and pin Go versions (go.mod + .go-version). Avoid network variance by caching modules and pinning proxies.",
+          "optionalFiles": [
+            ".go-version"
+          ],
+          "requiredFiles": [
+            "go.sum"
+          ],
+          "verification": "go.sum is present and builds use pinned Go versions; module downloads are cached."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "stage": "security"
+          }
+        },
+        "description": "Produce SBOMs or provenance metadata, enable secret/code scanning, and sign tags or commits for critical repos.",
+        "id": "provenance-security",
+        "label": "Provenance & Security Metadata",
+        "stack": {
+          "exampleConfigFiles": [
+            ".github/workflows/codeql.yml",
+            ".github/workflows/provenance.yml"
+          ],
+          "exampleTools": [
+            "syft",
+            "cyclonedx-gomod",
+            "codeql",
+            "gitleaks",
+            "cosign"
+          ],
+          "notes": "Generate SBOM/provenance for Go binaries and container artifacts, enable secret scanning, and sign tags/commits for critical repos.",
+          "optionalFiles": [
+            "SECURITY.md",
+            ".github/workflows/codeql.yml"
+          ],
+          "verification": "SBOM/provenance artifacts are published alongside releases, and CI runs secret/code scanning."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "stage": "ci"
+          }
+        },
+        "description": "Adopt standard CI templates and config samples to scale across repositories, minimizing bespoke pipeline logic.",
+        "id": "ci-templates-automation",
+        "label": "CI Templates & Automation",
+        "stack": {
+          "anyOfFiles": [
+            ".github/workflows/ci.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleConfigFiles": [
+            ".github/workflows/ci.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleTools": [
+            "GitHub Actions reusable workflows",
+            "Azure DevOps templates"
+          ],
+          "notes": "Use shared CI templates for build/test/release stages to standardize across Go repos.",
+          "requiredScripts": [
+            "ci"
+          ],
+          "verification": "CI pipeline references a shared template or reusable workflow and follows the standard job naming."
+        }
+      },
       {
         "ciHints": {
           "azure-devops": {
@@ -657,5 +790,5 @@
   },
   "stack": "go",
   "stackLabel": "Go",
-  "version": 2
+  "version": 3
 }

package/dist/config/standards.go.github-actions.json

@@ -121,7 +121,7 @@
             "job": "release"
           }
         },
-        "description": "Use MAJOR.MINOR.PATCH versioning with clear rules and automated changelog generation based on commit history.",
+        "description": "Use MAJOR.MINOR.PATCH versioning with clear rules and automated changelog generation based on commit history. Maintain a single canonical version source (for example, package.json or VERSION) that all release artifacts use.",
         "id": "semantic-versioning",
         "label": "Semantic Versioning",
         "stack": {
@@ -133,8 +133,44 @@
             "goreleaser",
             "semantic-release"
           ],
-          "notes": "Go uses git tags for versioning (v1.2.3 format). Use goreleaser for automated releases with changelog generation. Tag versions consistently.",
-          "verification": "Check that git tags follow vMAJOR.MINOR.PATCH format and goreleaser or similar tool generates releases and changelogs."
+          "notes": "Go uses git tags (v1.2.3) as the canonical version source. Use goreleaser for automated releases with changelog generation and publish GitHub/Docker artifacts from the same tag.",
+          "optionalFiles": [
+            ".goreleaser.yml",
+            "CHANGELOG.md"
+          ],
+          "requiredScripts": [
+            "release"
+          ],
+          "verification": "Check that git tags follow vMAJOR.MINOR.PATCH format and goreleaser or similar tooling generates releases and changelogs."
+        }
+      },
+      {
+        "ciHints": {
+          "github-actions": {
+            "job": "release"
+          }
+        },
+        "description": "Use a single CI release pipeline that publishes all artifacts (GitHub releases, packages, containers) from the same canonical version source.",
+        "id": "unified-release-workflow",
+        "label": "Unified Release Workflow",
+        "stack": {
+          "exampleConfigFiles": [
+            ".github/workflows/release.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleTools": [
+            "goreleaser",
+            "docker buildx"
+          ],
+          "notes": "Use a single release pipeline (goreleaser or equivalent) to publish GitHub releases and Docker images from the same git tag.",
+          "optionalFiles": [
+            ".goreleaser.yml",
+            "CHANGELOG.md"
+          ],
+          "requiredScripts": [
+            "release"
+          ],
+          "verification": "Trigger the release pipeline and confirm all artifacts share the same version number and tag."
         }
       },
       {
@@ -143,10 +179,17 @@
             "job": "ci"
           }
         },
-        "description": "Enforce structured commit messages such as Conventional Commits.",
+        "description": "Enforce structured commit messages such as Conventional Commits via commit-msg hooks and CI. This is required for deterministic versioning and changelog generation.",
         "id": "commit-linting",
         "label": "Commit Linting",
         "stack": {
+          "anyOfFiles": [
+            "commitlint.config.js",
+            "commitlint.config.cjs",
+            "commitlint.config.mjs",
+            "commitlint.config.json",
+            ".cz.toml"
+          ],
           "exampleConfigFiles": [
             "commitlint.config.js",
             ".cz.toml"
@@ -155,8 +198,11 @@
             "commitlint",
             "commitizen"
           ],
-          "notes": "Use commitlint with pre-commit hooks for enforcing Conventional Commits. Consistent with goreleaser changelog generation.",
-          "verification": "Test that non-conforming commit messages are rejected by the configured hooks or CI check."
+          "notes": "Use commitlint with commit-msg or pre-commit hooks plus a CI check. Conventional Commits keep goreleaser changelog generation deterministic.",
+          "requiredScripts": [
+            "commitlint"
+          ],
+          "verification": "Test that non-conforming commit messages are rejected by the configured hooks and CI check."
         }
       },
       {
@@ -265,7 +311,7 @@
             "job": "ci"
           }
         },
-        "description": "Use static type checking to catch errors before runtime and enforce strictness on new code.",
+        "description": "Use static type checking to catch errors before runtime and enforce strictness on new code. For JS/TS stacks, require a TypeScript-first policy with strict mode and a CI typecheck step; allow JSDoc/checkJs migration for legacy JS.",
         "id": "type-checking",
         "label": "Type Checking",
         "stack": {
@@ -313,6 +359,93 @@
           "verification": "go.sum is present; run 'govulncheck ./...' to verify security scanning."
         }
       },
+      {
+        "ciHints": {
+          "github-actions": {
+            "job": "ci"
+          }
+        },
+        "description": "Ensure builds are reproducible by pinning dependencies, base images, and tool/runtime versions. Avoid network/time variance and fail when lockfiles drift.",
+        "id": "deterministic-builds",
+        "label": "Deterministic & Hermetic Builds",
+        "stack": {
+          "exampleConfigFiles": [
+            "go.sum",
+            "go.mod",
+            ".go-version"
+          ],
+          "exampleTools": [
+            "go env -w GOPROXY=off",
+            "go mod download"
+          ],
+          "notes": "Use go.sum for deterministic module versions and pin Go versions (go.mod + .go-version). Avoid network variance by caching modules and pinning proxies.",
+          "optionalFiles": [
+            ".go-version"
+          ],
+          "requiredFiles": [
+            "go.sum"
+          ],
+          "verification": "go.sum is present and builds use pinned Go versions; module downloads are cached."
+        }
+      },
+      {
+        "ciHints": {
+          "github-actions": {
+            "job": "security"
+          }
+        },
+        "description": "Produce SBOMs or provenance metadata, enable secret/code scanning, and sign tags or commits for critical repos.",
+        "id": "provenance-security",
+        "label": "Provenance & Security Metadata",
+        "stack": {
+          "exampleConfigFiles": [
+            ".github/workflows/codeql.yml",
+            ".github/workflows/provenance.yml"
+          ],
+          "exampleTools": [
+            "syft",
+            "cyclonedx-gomod",
+            "codeql",
+            "gitleaks",
+            "cosign"
+          ],
+          "notes": "Generate SBOM/provenance for Go binaries and container artifacts, enable secret scanning, and sign tags/commits for critical repos.",
+          "optionalFiles": [
+            "SECURITY.md",
+            ".github/workflows/codeql.yml"
+          ],
+          "verification": "SBOM/provenance artifacts are published alongside releases, and CI runs secret/code scanning."
+        }
+      },
+      {
+        "ciHints": {
+          "github-actions": {
+            "job": "ci"
+          }
+        },
+        "description": "Adopt standard CI templates and config samples to scale across repositories, minimizing bespoke pipeline logic.",
+        "id": "ci-templates-automation",
+        "label": "CI Templates & Automation",
+        "stack": {
+          "anyOfFiles": [
+            ".github/workflows/ci.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleConfigFiles": [
+            ".github/workflows/ci.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleTools": [
+            "GitHub Actions reusable workflows",
+            "Azure DevOps templates"
+          ],
+          "notes": "Use shared CI templates for build/test/release stages to standardize across Go repos.",
+          "requiredScripts": [
+            "ci"
+          ],
+          "verification": "CI pipeline references a shared template or reusable workflow and follows the standard job naming."
+        }
+      },
       {
         "ciHints": {
           "github-actions": {
@@ -657,5 +790,5 @@
   },
   "stack": "go",
   "stackLabel": "Go",
-  "version": 2
+  "version": 3
 }

package/dist/config/standards.go.json

@@ -136,7 +136,7 @@
             "job": "release"
           }
         },
-        "description": "Use MAJOR.MINOR.PATCH versioning with clear rules and automated changelog generation based on commit history.",
+        "description": "Use MAJOR.MINOR.PATCH versioning with clear rules and automated changelog generation based on commit history. Maintain a single canonical version source (for example, package.json or VERSION) that all release artifacts use.",
         "id": "semantic-versioning",
         "label": "Semantic Versioning",
         "stack": {
@@ -148,8 +148,47 @@
             "goreleaser",
             "semantic-release"
           ],
-          "notes": "Go uses git tags for versioning (v1.2.3 format). Use goreleaser for automated releases with changelog generation. Tag versions consistently.",
-          "verification": "Check that git tags follow vMAJOR.MINOR.PATCH format and goreleaser or similar tool generates releases and changelogs."
+          "notes": "Go uses git tags (v1.2.3) as the canonical version source. Use goreleaser for automated releases with changelog generation and publish GitHub/Docker artifacts from the same tag.",
+          "optionalFiles": [
+            ".goreleaser.yml",
+            "CHANGELOG.md"
+          ],
+          "requiredScripts": [
+            "release"
+          ],
+          "verification": "Check that git tags follow vMAJOR.MINOR.PATCH format and goreleaser or similar tooling generates releases and changelogs."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "stage": "release"
+          },
+          "github-actions": {
+            "job": "release"
+          }
+        },
+        "description": "Use a single CI release pipeline that publishes all artifacts (GitHub releases, packages, containers) from the same canonical version source.",
+        "id": "unified-release-workflow",
+        "label": "Unified Release Workflow",
+        "stack": {
+          "exampleConfigFiles": [
+            ".github/workflows/release.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleTools": [
+            "goreleaser",
+            "docker buildx"
+          ],
+          "notes": "Use a single release pipeline (goreleaser or equivalent) to publish GitHub releases and Docker images from the same git tag.",
+          "optionalFiles": [
+            ".goreleaser.yml",
+            "CHANGELOG.md"
+          ],
+          "requiredScripts": [
+            "release"
+          ],
+          "verification": "Trigger the release pipeline and confirm all artifacts share the same version number and tag."
         }
       },
       {
@@ -161,10 +200,17 @@
             "job": "ci"
           }
         },
-        "description": "Enforce structured commit messages such as Conventional Commits.",
+        "description": "Enforce structured commit messages such as Conventional Commits via commit-msg hooks and CI. This is required for deterministic versioning and changelog generation.",
         "id": "commit-linting",
         "label": "Commit Linting",
         "stack": {
+          "anyOfFiles": [
+            "commitlint.config.js",
+            "commitlint.config.cjs",
+            "commitlint.config.mjs",
+            "commitlint.config.json",
+            ".cz.toml"
+          ],
           "exampleConfigFiles": [
             "commitlint.config.js",
             ".cz.toml"
@@ -173,8 +219,11 @@
             "commitlint",
             "commitizen"
           ],
-          "notes": "Use commitlint with pre-commit hooks for enforcing Conventional Commits. Consistent with goreleaser changelog generation.",
-          "verification": "Test that non-conforming commit messages are rejected by the configured hooks or CI check."
+          "notes": "Use commitlint with commit-msg or pre-commit hooks plus a CI check. Conventional Commits keep goreleaser changelog generation deterministic.",
+          "requiredScripts": [
+            "commitlint"
+          ],
+          "verification": "Test that non-conforming commit messages are rejected by the configured hooks and CI check."
         }
       },
       {
@@ -298,7 +347,7 @@
             "job": "ci"
           }
         },
-        "description": "Use static type checking to catch errors before runtime and enforce strictness on new code.",
+        "description": "Use static type checking to catch errors before runtime and enforce strictness on new code. For JS/TS stacks, require a TypeScript-first policy with strict mode and a CI typecheck step; allow JSDoc/checkJs migration for legacy JS.",
         "id": "type-checking",
         "label": "Type Checking",
         "stack": {
@@ -349,6 +398,102 @@
           "verification": "go.sum is present; run 'govulncheck ./...' to verify security scanning."
         }
       },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "stage": "build"
+          },
+          "github-actions": {
+            "job": "ci"
+          }
+        },
+        "description": "Ensure builds are reproducible by pinning dependencies, base images, and tool/runtime versions. Avoid network/time variance and fail when lockfiles drift.",
+        "id": "deterministic-builds",
+        "label": "Deterministic & Hermetic Builds",
+        "stack": {
+          "exampleConfigFiles": [
+            "go.sum",
+            "go.mod",
+            ".go-version"
+          ],
+          "exampleTools": [
+            "go env -w GOPROXY=off",
+            "go mod download"
+          ],
+          "notes": "Use go.sum for deterministic module versions and pin Go versions (go.mod + .go-version). Avoid network variance by caching modules and pinning proxies.",
+          "optionalFiles": [
+            ".go-version"
+          ],
+          "requiredFiles": [
+            "go.sum"
+          ],
+          "verification": "go.sum is present and builds use pinned Go versions; module downloads are cached."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "stage": "security"
+          },
+          "github-actions": {
+            "job": "security"
+          }
+        },
+        "description": "Produce SBOMs or provenance metadata, enable secret/code scanning, and sign tags or commits for critical repos.",
+        "id": "provenance-security",
+        "label": "Provenance & Security Metadata",
+        "stack": {
+          "exampleConfigFiles": [
+            ".github/workflows/codeql.yml",
+            ".github/workflows/provenance.yml"
+          ],
+          "exampleTools": [
+            "syft",
+            "cyclonedx-gomod",
+            "codeql",
+            "gitleaks",
+            "cosign"
+          ],
+          "notes": "Generate SBOM/provenance for Go binaries and container artifacts, enable secret scanning, and sign tags/commits for critical repos.",
+          "optionalFiles": [
+            "SECURITY.md",
+            ".github/workflows/codeql.yml"
+          ],
+          "verification": "SBOM/provenance artifacts are published alongside releases, and CI runs secret/code scanning."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "stage": "ci"
+          },
+          "github-actions": {
+            "job": "ci"
+          }
+        },
+        "description": "Adopt standard CI templates and config samples to scale across repositories, minimizing bespoke pipeline logic.",
+        "id": "ci-templates-automation",
+        "label": "CI Templates & Automation",
+        "stack": {
+          "anyOfFiles": [
+            ".github/workflows/ci.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleConfigFiles": [
+            ".github/workflows/ci.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleTools": [
+            "GitHub Actions reusable workflows",
+            "Azure DevOps templates"
+          ],
+          "notes": "Use shared CI templates for build/test/release stages to standardize across Go repos.",
+          "requiredScripts": [
+            "ci"
+          ],
+          "verification": "CI pipeline references a shared template or reusable workflow and follows the standard job naming."
+        }
+      },
       {
         "ciHints": {
           "azure-devops": {
@@ -726,5 +871,5 @@
   },
   "stack": "go",
   "stackLabel": "Go",
-  "version": 2
+  "version": 3
 }