Why this issue exists
The release-automation stack hardened in this repo (#6, #34, #36, #37) is general-purpose — Conventional Commits + commitlint, semantic-release (monorepo-aware), Dependabot with grouped updates and held-major rules, dogfood security scanning split into binding PR gate + observe-only nightly deep mode. Right now it only lives here. Every other DecOperations / Dial-WTF / YLaunchinator repo has to re-derive it by hand.
We want one canonical source.
Decision (locked in)
Split the work across two existing ecosystem projects:
- xCoder.WTF owns the scaffolder —
xc release init drops the proven file set into a target repo. Greenfield repos get the whole stack in seconds.
- Calibrate.WTF owns the gate — a
release-readiness quality check that fails CI (after advisory burn-in) if the repo doesn't have semantic-release wired, commitlint enforced, and Dependabot configured.
Together: create-side + enforce-side.
Child issues (filed)
| Repo |
Issue |
Scope |
| xCoder.WTF |
#45 — feat: ship xc release init scaffolder |
Drops .releaserc.json, commitlint.config.cjs, husky hook, release.yml, ci.yml, dependabot.yml, RELEASING.md into target repos. References xCoder #16 (xc init), #23 (migration flow), #24 (semantic commits policy). |
| Calibrate.WTF |
#125 — feat(checks): add release-readiness quality check |
Five-probe scoring rubric incl. "latest release was bot-published" (only probe that proves the pipeline actually runs). References Calibrate #98 (engine readiness epic), #113 (Release-asset distribution policy), #119 (PeerSpeak rollout), #67 (PR action pattern), #111 (fixture testing). |
Both child issues reference this issue as tracking origin and reference the canonical files in this repo's main (after PR #37 lands) as the source of truth.
Portable assets (inventory)
Files in this repo that became the canonical templates. Paths are stable references.
| Asset |
Path |
Portability notes |
| Semantic-release config |
.releaserc.json |
Monorepo-aware (semantic-release-monorepo), branches main/beta/alpha, tagFormat: cli-v${version} — tag format is the only repo-specific bit. |
| Release workflow |
.github/workflows/release.yml |
~150 lines. Lint → typecheck → test → build → semantic-release → pack tarball → attach asset → smoke-test. Already templated; needs only pkgRoot and tag-format swap. Aligns with Calibrate.WTF#113 (Release-asset distribution, not GH Packages). |
| Commit linting |
commitlint.config.cjs + husky commit-msg hook (prepare: husky in root package.json) |
Conventional Commits with extended type-enum (incl. security). Zero project-specific code. |
| CI quality gates |
.github/workflows/ci.yml |
Lint/typecheck/test/build. Stack-agnostic for TS monorepos. |
| Dependabot config |
.github/dependabot.yml (added in #37) |
Grouped updates, majors-held-for-review for next/react/CLI deps. Pattern portable; package lists adjusted per consumer. |
| Branch protection sketch |
docs only (#6 §10) |
Required-checks list + linear history + signed commits. Needs gh api automation. |
Specifically NOT portable (security-tool-specific)
action.yml — the composite GitHub Action consumers use to run scans.
.github/workflows/dogfood.yml + .github/workflows/dogfood-nightly.yml — invoke owasp-wtf against itself. The pattern (binding gate + observe-only nightly deep, baseline-aware) is portable; the workflow files are not.
Acceptance criteria for this meta-issue
Related
Why this issue exists
The release-automation stack hardened in this repo (#6, #34, #36, #37) is general-purpose — Conventional Commits + commitlint, semantic-release (monorepo-aware), Dependabot with grouped updates and held-major rules, dogfood security scanning split into binding PR gate + observe-only nightly deep mode. Right now it only lives here. Every other DecOperations / Dial-WTF / YLaunchinator repo has to re-derive it by hand.
We want one canonical source.
Decision (locked in)
Split the work across two existing ecosystem projects:
xc release initdrops the proven file set into a target repo. Greenfield repos get the whole stack in seconds.release-readinessquality check that fails CI (after advisory burn-in) if the repo doesn't have semantic-release wired, commitlint enforced, and Dependabot configured.Together: create-side + enforce-side.
Child issues (filed)
xc release initscaffolder.releaserc.json,commitlint.config.cjs, husky hook,release.yml,ci.yml,dependabot.yml,RELEASING.mdinto target repos. References xCoder #16 (xc init), #23 (migration flow), #24 (semantic commits policy).release-readinessquality checkBoth child issues reference this issue as tracking origin and reference the canonical files in this repo's
main(after PR #37 lands) as the source of truth.Portable assets (inventory)
Files in this repo that became the canonical templates. Paths are stable references.
.releaserc.jsonsemantic-release-monorepo), branchesmain/beta/alpha,tagFormat: cli-v${version}— tag format is the only repo-specific bit..github/workflows/release.ymlpkgRootand tag-format swap. Aligns with Calibrate.WTF#113 (Release-asset distribution, not GH Packages).commitlint.config.cjs+ huskycommit-msghook (prepare: huskyin rootpackage.json)security). Zero project-specific code..github/workflows/ci.yml.github/dependabot.yml(added in #37)next/react/CLI deps. Pattern portable; package lists adjusted per consumer.gh apiautomation.Specifically NOT portable (security-tool-specific)
action.yml— the composite GitHub Action consumers use to run scans..github/workflows/dogfood.yml+.github/workflows/dogfood-nightly.yml— invokeowasp-wtfagainst itself. The pattern (binding gate + observe-only nightly deep, baseline-aware) is portable; the workflow files are not.Acceptance criteria for this meta-issue
DecOperations/xCoder.WTF→ #45DecOperations/Calibrate.WTF→ #125release-readinesscheck, in advisory mode.release-readinessonce shipped (golden-reference assertion).Related
release.yml).xc init(this work extends).