path: root/Documentation/source/contributing/code-integrity.rst
blob: 7ead918804efb0c5e98ad93bda9f1927eb864b58 (plain)
Code Integrity
==============

This project should preserve a reviewable and trustworthy history. The raw
``docs/protecting-code-integrity.md`` note covers broader PGP background; this
page records repository-level expectations.

Source Provenance
-----------------

* Prefer signed commits and signed tags when publishing releases.
* Protect credentials and signing keys outside the repository.
* Do not commit generated secrets, local database state, or build output.
* Review dependency changes with the same care as source changes.

Git Practices
-------------

* Keep commits focused by subsystem or behavior.
* Avoid mixing generated files with hand-written changes unless the generated
  files are required for the change.
* Use branches for non-trivial work.
* Rebase or merge deliberately; avoid history rewrites on shared branches
  unless the team has agreed.

Release Tags
------------

Release tags should be annotated and signed when possible:

.. code-block:: bash

   git tag -s v1.2.0 -m "v1.2.0"

Verification
------------

Before trusting a release or dependency bump, verify:

* tag or commit signature when available;
* changelog and diff scope;
* dependency lockfile changes;
* CI result for the exact commit being released.
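The checks in this list, together with the signed-tag convention from the Release Tags section, as an added shell script (not part of the project's own tooling). It assumes the caller passes the previous release tag, the new tag and the commit id that CI reported; the lockfile names it matches are an assumption.

```bash
#!/usr/bin/env bash
# Added example: pre-release verification steps as shell functions.
# Assumes it runs inside a clone of the repository being released.
set -u

# Signature: succeed only if git can verify the tag's signature.
# An unsigned tag, or one signed by a key not in the keyring, fails.
verify_tag_signature() {
  local tag="$1"
  git tag -v "$tag" >/dev/null 2>&1
}

# Diff scope: files changed between the previous release and the tag.
diff_scope() {
  local prev="$1" tag="$2"
  git diff --name-only "$prev".."$tag"
}

# Lockfile changes: exit 0 if any known lockfile changed (assumed list).
lockfile_changed() {
  local prev="$1" tag="$2"
  diff_scope "$prev" "$tag" |
    grep -Eq '(^|/)(package-lock\.json|Cargo\.lock|poetry\.lock|go\.sum)$'
}

# The commit a (possibly annotated) tag points at, peeled to the commit.
tag_commit() {
  git rev-parse "$1^{commit}"
}

# CI: the commit CI tested must be exactly the commit the tag points at.
ci_matches_tag() {
  local tag="$1" ci_commit="$2"
  [ "$(tag_commit "$tag")" = "$ci_commit" ]
}

# Run every check and report; non-zero if any hard check failed.
release_check() {
  local prev="$1" tag="$2" ci_commit="$3" rc=0
  if verify_tag_signature "$tag"; then echo "OK   signature on $tag"
  else echo "FAIL signature on $tag (unsigned or untrusted key)"; rc=1; fi
  echo "--- files changed $prev..$tag ---"; diff_scope "$prev" "$tag"
  if lockfile_changed "$prev" "$tag"; then
    echo "NOTE lockfile changed: review the dependency diff"; fi
  if ci_matches_tag "$tag" "$ci_commit"; then echo "OK   CI ran on $(tag_commit "$tag")"
  else echo "FAIL CI commit $ci_commit != tag commit $(tag_commit "$tag")"; rc=1; fi
  return "$rc"
}
```

Usage: ``release_check v1.1.0 v1.2.0 "$CI_COMMIT_SHA"`` after ``git fetch --tags``; a FAIL line on the signature is the expected result for an unsigned tag.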