feat(suzuki-shunsuke/cmdx): GitHub immutable release config #50113

Merged: suzuki-shunsuke merged 1 commit into aquaproj:main from scop:feat/cmdx-immutable-config on Mar 10, 2026
scop (Contributor) commented Mar 10, 2026

All releases are marked immutable, but only >= 2.0.2-0 contain the required release attestations needed for verification.

This got me thinking, maybe the related registry property would be better renamed as github_release_attestations rather than github_immutable_release?

Summary by CodeRabbit

  • Chores
    • Added support for cmdx version 2.0.1 in package registry configurations.
    • Updated package manifests with new version constraints and asset specifications.
    • Enabled immutable release tracking for enhanced package management stability.
    • Implemented checksum verification and SLSA provenance tracking for improved package integrity verification.

coderabbitai Bot commented Mar 10, 2026
No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 22814ec3-2842-42d4-a32f-571dff772a54

📥 Commits

Reviewing files that changed from the base of the PR and between d9443e7 and 4390f47.

📒 Files selected for processing (3)
  • pkgs/suzuki-shunsuke/cmdx/pkg.yaml
  • pkgs/suzuki-shunsuke/cmdx/registry.yaml
  • registry.yaml

📝 Walkthrough

Adds version-specific configuration for cmdx v2.0.1 across registry files, including checksum verification, SLSA provenance, platform-specific overrides, and marks the default version with an immutable release flag.

Changes

| Cohort / File(s) | Summary |
|---|---|
| **Package Registry Configuration**: `pkgs/suzuki-shunsuke/cmdx/pkg.yaml`, `pkgs/suzuki-shunsuke/cmdx/registry.yaml` | Added new package entry for version v2.0.1 with asset references, checksums, cosign verification, and SLSA provenance. Modified default entry to include `github_immutable_release` flag. |
| **Root Registry**: `registry.yaml` | Parallel changes adding version constraint `semver("<= 2.0.1")` with checksums, certificate identity verification, SLSA provenance, and platform overrides; updated default entry with immutable release marker. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

enhancement

Poem

🐰 A bunny hops through versions old,
With checksums verified and true,
Now v2.0.1 takes its hold,
Immutable releases, fresh and new,
Registry magic, a rabbit's delight!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ❓ Inconclusive | The description includes context about the change and raises a thoughtful design question, but several checklist items remain unchecked (CONTRIBUTING.md, package testing, code scaffolding), indicating incomplete adherence to the template requirements. | Complete the checklist items: review and check the CONTRIBUTING.md and code scaffolding requirements, or explicitly document why they don't apply to this change. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: adding GitHub immutable release configuration to the cmdx package. It directly reflects the core modification across all three modified files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

suzuki-shunsuke added this to the v4.481.0 milestone Mar 10, 2026

suzuki-shunsuke (Member) commented

> This got me thinking, maybe the related registry property would be better renamed as github_release_attestations rather than github_immutable_release?

Good point.
It looks reasonable, but we should also keep the compatibility.

suzuki-shunsuke merged commit 052e041 into aquaproj:main Mar 10, 2026
18 checks passed
scop deleted the feat/cmdx-immutable-config branch March 10, 2026 06:58
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Mar 11, 2026
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [aquaproj/aqua-registry](https://github.com/aquaproj/aqua-registry) | minor | `v4.476.0` → `v4.481.0` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>aquaproj/aqua-registry (aquaproj/aqua-registry)</summary>

### [`v4.481.0`](https://github.com/aquaproj/aqua-registry/releases/tag/v4.481.0)

[Compare Source](aquaproj/aqua-registry@v4.480.0...v4.481.0)

[Issues](https://github.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av4.481.0) | [Merge Requests](https://github.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av4.481.0) | <aquaproj/aqua-registry@v4.480.0...v4.481.0>

#### 🎉 New Packages

[#50135](aquaproj/aqua-registry#50135) [raaymax/lazytail](https://github.com/raaymax/lazytail): Log viewer for app development [@hituzi-no-sippo](https://github.com/hituzi-no-sippo)
[#50093](aquaproj/aqua-registry#50093) [stackrox/stackrox/roxctl](https://github.com/stackrox/stackrox) - CLI for StackRox Kubernetes Security Platform [@sebdanielsson](https://github.com/sebdanielsson)

#### Improvement

[#50136](aquaproj/aqua-registry#50136) hellux/jotdown: Add search words `djot` [@hituzi-no-sippo](https://github.com/hituzi-no-sippo)
[#50164](aquaproj/aqua-registry#50164) Use preferred signer\_workflow spelling [@scop](https://github.com/scop)

#### Fixes

[#50085](aquaproj/aqua-registry#50085) mvdan/sh: Starting v3.13.0, no longer includes a sha256sums.txt asset [@adilsyed518](https://github.com/adilsyed518)

#### Security

Configure GitHub Immutable Release config by [@scop](https://github.com/scop)

[#50115](aquaproj/aqua-registry#50115) twpayne/chezmoi
[#50114](aquaproj/aqua-registry#50114) suzuki-shunsuke/ghir
[#50113](aquaproj/aqua-registry#50113) suzuki-shunsuke/cmdx
[#50084](aquaproj/aqua-registry#50084) pnpm/pnpm
[#50081](aquaproj/aqua-registry#50081) jdx/usage
[#50077](aquaproj/aqua-registry#50077) jdx/mise
[#50076](aquaproj/aqua-registry#50076) jdx/hk
[#50075](aquaproj/aqua-registry#50075) j178/prek
[#50074](aquaproj/aqua-registry#50074) dprint/dprint

### [`v4.480.0`](https://github.com/aquaproj/aqua-registry/releases/tag/v4.480.0)

[Compare Source](aquaproj/aqua-registry@v4.479.0...v4.480.0)

[Issues](https://github.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av4.480.0) | [Merge Requests](https://github.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av4.480.0) | <aquaproj/aqua-registry@v4.479.0...v4.480.0>

#### 🎉 New Packages

[#50019](aquaproj/aqua-registry#50019) [betterleaks/betterleaks](https://github.com/betterleaks/betterleaks): A Better Secrets Scanner built for configurability and speed [@hituzi-no-sippo](https://github.com/hituzi-no-sippo)

#### Fixes

[#50041](aquaproj/aqua-registry#50041) moonrepo/moon: Re-scaffold to support v2.0.0 or later
[#50020](aquaproj/aqua-registry#50020) swanysimon/markdownlint-rs: Rename to swanysimon/mdlint

### [`v4.479.0`](https://github.com/aquaproj/aqua-registry/releases/tag/v4.479.0)

[Compare Source](aquaproj/aqua-registry@v4.478.0...v4.479.0)

[Issues](https://github.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av4.479.0) | [Merge Requests](https://github.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av4.479.0) | <aquaproj/aqua-registry@v4.478.0...v4.479.0>

#### 🎉 New Packages

[#49988](aquaproj/aqua-registry#49988) [princjef/gomarkdoc](https://github.com/princjef/gomarkdoc): Generate markdown documentation for Go (golang) code
[#49970](aquaproj/aqua-registry#49970) [majorcontext/moat](https://github.com/majorcontext/moat) - Run agents in containers with credential injection and full observability [@joonas](https://github.com/joonas)
[#49969](aquaproj/aqua-registry#49969) [sudorandom/fauxrpc](https://github.com/sudorandom/fauxrpc) - Easily start a fake gRPC/gRPC-Web/Connect/REST server from protobufs [@joonas](https://github.com/joonas)
[#49947](aquaproj/aqua-registry#49947) [apache/ant](https://github.com/apache/ant) - Apache Ant is a Java library and command-line tool whose mission is to drive processes described in build files as targets and extension points dependent upon each other [@chadlwilson](https://github.com/chadlwilson)

### [`v4.478.0`](https://github.com/aquaproj/aqua-registry/releases/tag/v4.478.0)

[Compare Source](aquaproj/aqua-registry@v4.477.0...v4.478.0)

[Issues](https://github.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av4.478.0) | [Merge Requests](https://github.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av4.478.0) | <aquaproj/aqua-registry@v4.477.0...v4.478.0>

#### 🎉 New Packages

[#49934](aquaproj/aqua-registry#49934) [suzuki-shunsuke/docfresh](https://github.com/suzuki-shunsuke/docfresh): Make document maintainable, reusable, and testable

#### Security

[#49919](aquaproj/aqua-registry#49919) spinel-coop/rv: GitHub artifact attestations config [@scop](https://github.com/scop)

#### Fixes

[#49892](aquaproj/aqua-registry#49892) Re-scaffold cloudflare/cloudflared

### [`v4.477.0`](https://github.com/aquaproj/aqua-registry/releases/tag/v4.477.0)

[Compare Source](aquaproj/aqua-registry@v4.476.0...v4.477.0)

[Issues](https://github.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av4.477.0) | [Merge Requests](https://github.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av4.477.0) | <aquaproj/aqua-registry@v4.476.0...v4.477.0>

#### 🎉 New Packages

[#49856](aquaproj/aqua-registry#49856) [k1LoW/mo](https://github.com/k1LoW/mo): mo is a Markdown viewer that opens .md files in a browser
[#49770](aquaproj/aqua-registry#49770) [#49791](aquaproj/aqua-registry#49791) [rtk-ai/rtk](https://github.com/rtk-ai/rtk) - CLI proxy that reduces LLM token consumption by 60-90% on common dev commands. Single Rust binary, zero dependencies [@NikitaCOEUR](https://github.com/NikitaCOEUR) [@TyceHerrman](https://github.com/TyceHerrman)
[#49738](aquaproj/aqua-registry#49738) [yashikota/exiftool-go](https://github.com/yashikota/exiftool-go) - Pure Go ExifTool wrapper powered by WebAssembly [@yashikota](https://github.com/yashikota)
[#49610](aquaproj/aqua-registry#49610) [datadog-labs/pup](https://github.com/datadog-labs/pup) - Give your AI agent a Pup — a CLI companion with 200+ commands across 33+ Datadog products [@iwata](https://github.com/iwata)
[#49348](aquaproj/aqua-registry#49348) [huseyinbabal/taws](https://github.com/huseyinbabal/taws) - Terminal UI for AWS (taws) - A terminal-based AWS resource viewer and manager [@TyceHerrman](https://github.com/TyceHerrman)

#### Security

[#49707](aquaproj/aqua-registry#49707) owenlamont/ryl: GitHub artifact attestations config [@scop](https://github.com/scop)
[#49340](aquaproj/aqua-registry#49340) astral-sh/ruff: GitHub artifact attestations config [@scop](https://github.com/scop)
[#49344](aquaproj/aqua-registry#49344) rhysd/actionlint: GitHub artifact attestations config [@scop](https://github.com/scop)
[#49345](aquaproj/aqua-registry#49345) caarlos0/fork-cleaner: GitHub artifact attestations config [@scop](https://github.com/scop)
[#49418](aquaproj/aqua-registry#49418) block/goose: GitHub artifact attestations config [@scop](https://github.com/scop)

#### Fixes

[#49398](aquaproj/aqua-registry#49398) pre-commit/pre-commit: Exclude Windows from `supported_envs` [@altendky](https://github.com/altendky)
[#49613](aquaproj/aqua-registry#49613) Rename kunobi-ninja/kunobi-releases to kunobi-ninja/kunobi [@rawmind0](https://github.com/rawmind0)
[#49623](aquaproj/aqua-registry#49623) weaviate/weaviate: Remove hidden Unicode whitespace [@jamietanna](https://github.com/jamietanna)
[#49652](aquaproj/aqua-registry#49652) technicalpickles/envsense: Add linux/arm64 support [@technicalpickles](https://github.com/technicalpickles)
[#49753](aquaproj/aqua-registry#49753) mozilla/sccache: Support aarch64 [@lahabana](https://github.com/lahabana)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).