diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f55afd4..d194930 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,11 +1,34 @@ -# To get started with Dependabot version updates, you'll need to specify which -# package ecosystems to update and where the package manifests are located. -# Please see the documentation for all configuration options: +# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later +# SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell +# +# Dependabot configuration for rescript-tea # https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file version: 2 updates: - - package-ecosystem: "" # See documentation for possible values - directory: "/" # Location of package manifests + # npm dependencies + - package-ecosystem: "npm" + directory: "/" schedule: - interval: "daily" + interval: "weekly" + commit-message: + prefix: "deps(npm):" + open-pull-requests-limit: 10 + groups: + rescript: + patterns: + - "rescript*" + - "@rescript/*" + react: + patterns: + - "react*" + - "@types/react*" + + # GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + commit-message: + prefix: "deps(actions):" + open-pull-requests-limit: 5 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d0d73b5..cc0e5ce 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,4 +1,4 @@ -# SPDX-License-Identifier: MIT AND Palimpsest-0.8 +# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later # SPDX-FileCopyrightText: 2024 Jonathan D.A. Jewell name: CI 
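Review bot: The new npm entry will open a PR the moment a matching version is published, which is exactly the window in which a hijacked maintainer account ships a malicious release; a short hold before adoption is the usual mitigation for an automated updater. If the Dependabot in use supports it, add `cooldown:` / `  default-days: 7` under the npm entry (the github-actions entry benefits too, since a moved tag or fresh SHA is the same risk), and keep the grouping so a batch still arrives as one PR. Separately, the rsr-antipattern.yml header visible later in this patch states "No npm" while this file declares an npm ecosystem; whether that check actually rejects package.json is not visible here, but the two policies should be reconciled in a comment so the next reader does not treat one as stale.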
@@ -19,10 +19,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ matrix.node-version }} cache: 'npm' @@ -41,10 +41,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 20.x cache: 'npm' diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 96e7d12..2c032c9 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -1,97 +1,56 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. +# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later +# SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell # -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL Advanced" +# CodeQL Security Analysis for rescript-tea +# Analyzes JavaScript output from ReScript compilation + +name: "CodeQL" on: push: - branches: [ "main" ] + branches: [main] pull_request: - branches: [ "main" ] + branches: [main] schedule: - cron: '35 3 * * 5' jobs: analyze: - name: Analyze (${{ matrix.language }}) - # Runner size impacts CodeQL analysis time. To learn more, please see: - # - https://gh.io/recommended-hardware-resources-for-running-codeql - # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners (GitHub.com only) - # Consider using larger runners or machines with greater resources for possible analysis time improvements. 
- runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + name: Analyze + runs-on: ubuntu-latest permissions: - # required for all workflows security-events: write - - # required to fetch internal or private CodeQL packs packages: read - - # only required for workflows in private repositories actions: read contents: read strategy: fail-fast: false matrix: - include: - # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages - steps: - - name: Checkout repository - uses: actions/checkout@v4 + language: [javascript-typescript] - # Add any setup steps before running the `github/codeql-action/init` action. - # This includes steps like installing compilers or runtimes (`actions/setup-node` - # or others). This is typically only required for manual builds. - # - name: Setup runtime (example) - # uses: actions/setup-example@v1 - - # Initializes the CodeQL tools for scanning. 
- - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - name: Run manual build steps - if: matrix.build-mode == 'manual' - shell: bash - run: | - echo 'If you are using a "manual" build mode for one or more of the' \ - 'languages you are analyzing, replace this with the commands to build' \ - 'your code, for example:' - echo ' make bootstrap' - echo ' make release' - exit 1 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 - with: - category: "/language:${{matrix.language}}" + steps: + - name: Checkout repository + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + + - name: Initialize CodeQL + uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 + with: + languages: ${{ matrix.language }} + + - name: Setup Node.js + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + with: + node-version: 20.x + cache: 'npm' + + - 
name: Install dependencies + run: npm ci + + - name: Build ReScript + run: npm run build + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 + with: + category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/rsr-antipattern.yml b/.github/workflows/rsr-antipattern.yml index ac08939..60e2e92 100644 --- a/.github/workflows/rsr-antipattern.yml +++ b/.github/workflows/rsr-antipattern.yml @@ -1,6 +1,7 @@ -# RSR Anti-Pattern CI Check # SPDX-License-Identifier: AGPL-3.0-or-later +# SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell # +# RSR Anti-Pattern CI Check # Enforces: No TypeScript, No Go, No Python (except SaltStack), No npm # Allows: ReScript, Deno, WASM, Rust, OCaml, Haskell, Guile/Scheme @@ -16,7 +17,7 @@ jobs: antipattern-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Check for TypeScript run: | diff --git a/.github/workflows/ts-blocker.yml b/.github/workflows/ts-blocker.yml index 43465a3..2810a84 100644 --- a/.github/workflows/ts-blocker.yml +++ b/.github/workflows/ts-blocker.yml 
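Review bot: `npm ci` in the new Install dependencies step executes dependency lifecycle scripts inside a job whose token holds `security-events: write` and `packages: read`, and the checkout step above it persists that token into `.git/config` by default, so a compromised package's postinstall can read it. Add `with:` / `  persist-credentials: false` to the checkout step, and use `npm ci --ignore-scripts` if the ReScript build does not rely on install hooks (not verifiable from this hunk). The step order is otherwise sound for `javascript-typescript` with no `build-mode`: the extractor reads whatever is in the tree when analyze runs, so the compiled `.res.js` output must land inside the checkout and not in an ignored directory; a comment on the build step such as `# build before analyze so the compiled .res.js output is in the tree` would make that dependency explicit.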
@@ -1,15 +1,18 @@ +# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later +# SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell + name: TypeScript/JavaScript Blocker on: [push, pull_request] jobs: check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Block new TypeScript/JavaScript run: | NEW_TS=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E '\.(ts|tsx)$' | grep -v '\.gen\.' || true) NEW_JS=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E '\.(js|jsx)$' | grep -v '\.res\.js$' | grep -v '\.gen\.' | grep -v 'node_modules' || true) - + if [ -n "$NEW_TS" ] || [ -n "$NEW_JS" ]; then echo "❌ New TS/JS files detected. Use ReScript instead." [ -n "$NEW_TS" ] && echo "$NEW_TS" diff --git a/META.scm b/META.scm index edeee13..48c9c28 100644 --- a/META.scm +++ b/META.scm @@ -15,7 +15,7 @@ (consequences . ("RSR Gold target" "SHA-pinned actions" "SPDX headers" "Multi-platform CI"))))) (define development-practices - '((code-style (languages . ("unknown")) (formatter . "auto-detect") (linter . "auto-detect")) + '((code-style (languages . ("rescript")) (formatter . "rescript format") (linter . "rescript")) (security (sast . "CodeQL") (credentials . "env vars only")) (testing (coverage-minimum . 70)) (versioning (scheme . "SemVer 2.0.0")))) diff --git a/ROADMAP.adoc b/ROADMAP.adoc index 944d8b5..d3949d7 100644 --- a/ROADMAP.adoc +++ b/ROADMAP.adoc 
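Review bot: The check on the new side compares against `HEAD~1`, but the SHA-pinned checkout above it still uses the default `fetch-depth: 1`, so `HEAD~1` does not exist in the clone; the `2>/dev/null` and `|| true` then turn that error into empty `NEW_TS`/`NEW_JS` and the blocker passes on every run. Even with history available, `HEAD~1` inspects only the last commit of a multi-commit push. Fetch enough history and diff against the event's real base instead; on a push that creates a branch `github.event.before` is the all-zero SHA, so fall back to `HEAD~1` (or skip) in that one case rather than swallowing the error. The `if` block that reports the files continues outside the hunk.
```yaml
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          fetch-depth: 0
      - name: Block new TypeScript/JavaScript
        env:
          BASE: ${{ github.event.pull_request.base.sha || github.event.before }}
        run: |
          NEW_TS=$(git diff --name-only --diff-filter=A "$BASE" HEAD | grep -E '\.(ts|tsx)$' | grep -v '\.gen\.' || true)
          NEW_JS=$(git diff --name-only --diff-filter=A "$BASE" HEAD | grep -E '\.(js|jsx)$' | grep -v '\.res\.js$' | grep -v '\.gen\.' | grep -v 'node_modules' || true)
          # … unchanged: failure message and exit …
```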
@@ -1,11 +1,22 @@ -// SPDX-License-Identifier: MIT AND Palimpsest-0.8 -// SPDX-FileCopyrightText: 2024 Jonathan D.A. Jewell +// SPDX-License-Identifier: MIT OR AGPL-3.0-or-later +// SPDX-FileCopyrightText: 2024-2025 Jonathan D.A. Jewell = rescript-tea Roadmap :toc: +:toclevels: 3 == Current Status: Alpha (v0.1.0) -Core TEA implementation complete with basic subscriptions. +*Last Updated: 2025-12-17* + +Core TEA (The Elm Architecture) implementation for ReScript with React integration. + +=== Completed +* [x] Core TEA modules (Tea_Cmd, Tea_Sub, Tea_Program) +* [x] JSON encoding/decoding utilities (Tea_Json) +* [x] Basic example application +* [x] RSR compliance (SPDX headers, SHA-pinned actions) +* [x] CI/CD pipeline with CodeQL security scanning +* [x] Dependabot configuration for dependency updates == MVP 1.0 Release Checklist @@ -35,7 +46,7 @@ Core TEA implementation complete with basic subscriptions. |npm publish configuration (package.json fields, .npmignore) |Small -|[ ] +|[x] |GitHub Actions CI (build, test, lint) |Small @@ -158,9 +169,12 @@ Declarative animations: == Release Criteria -=== Alpha (current) +=== Alpha (current - v0.1.0) - [x] Core modules compile - [x] Basic example works +- [x] RSR compliance achieved +- [x] Security scanning enabled (CodeQL) +- [x] SHA-pinned GitHub Actions - [ ] Manual testing passes === Beta (v0.9.0) diff --git a/SECURITY.md b/SECURITY.md index 034e848..7db1fd5 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,20 +2,49 @@ ## Supported Versions -Use this section to tell people about which versions of your project are -currently being supported with security updates. - | Version | Supported | | ------- | ------------------ | -| 5.1.x | :white_check_mark: | -| 5.0.x | :x: | -| 4.0.x | :white_check_mark: | -| < 4.0 | :x: | +| 0.1.x | :white_check_mark: | ## Reporting a Vulnerability -Use this section to tell people how to report a vulnerability. +If you discover a security vulnerability in rescript-tea, please report it responsibly: + +1. **Do NOT** open a public issue +2. Email the maintainer directly or use GitHub's private vulnerability reporting feature +3. Include: + - Description of the vulnerability + - Steps to reproduce + - Potential impact + - Suggested fix (if any) + +### Response Timeline + +- **Acknowledgment**: Within 48 hours +- **Initial assessment**: Within 1 week +- **Fix timeline**: Depends on severity + - Critical: Within 7 days + - High: Within 30 days + - Medium/Low: Next scheduled release + +### Scope + +This policy covers: +- The core `rescript-tea` library (`src/` directory) +- Build configurations and CI workflows +- Documentation that could lead to insecure usage + +### Out of Scope + +- Issues in dependencies (report to upstream) +- Issues in example applications (unless they demonstrate insecure patterns) + +## Security Practices + +This project follows RSR (Rhodium Standard Repository) security guidelines: -Tell them where to go, how often they can expect to get an update on a -reported vulnerability, what to expect if the vulnerability is accepted or -declined, etc. +- SHA-pinned GitHub Actions +- Dependabot enabled for dependency updates +- CodeQL scanning for JavaScript/TypeScript output +- No secrets in repository (environment variables only) +- SPDX license headers on all source files diff --git a/STATE.scm b/STATE.scm index d8a4a37..058688e 100644 --- a/STATE.scm +++ b/STATE.scm 
@@ -8,14 +8,14 @@ (schema-version . "2025-12-10") (project . "Rescript-TEA") (created . "2025-12-10T19:03:55+00:00") - (updated . "2025-12-10T19:03:55+00:00")) + (updated . "2025-12-17T00:00:00+00:00")) (position (summary . "RSR-compliant project") (phase . implementation) (maturity . alpha) (rsr-tier . infrastructure) - (primary-language . "guile") + (primary-language . "rescript") (domain . "General")) (context