Skip to content

meta: operationalize release process across DecOperations / Dial-WTF / YLaunchinator repos (xCoder scaffolds, Calibrate gates) #38

Description

@jeremyjs

Why this issue exists

The release-automation stack hardened in this repo (#6, #34, #36, #37) is general-purpose — Conventional Commits + commitlint, semantic-release (monorepo-aware), Dependabot with grouped updates and held-major rules, dogfood security scanning split into binding PR gate + observe-only nightly deep mode. Right now it only lives here. Every other DecOperations / Dial-WTF / YLaunchinator repo has to re-derive it by hand.

We want one canonical source.

Decision (locked in)

Split the work across two existing ecosystem projects:

  • xCoder.WTF owns the scaffolderxc release init drops the proven file set into a target repo. Greenfield repos get the whole stack in seconds.
  • Calibrate.WTF owns the gate — a release-readiness quality check that fails CI (after advisory burn-in) if the repo doesn't have semantic-release wired, commitlint enforced, and Dependabot configured.

Together: create-side + enforce-side.

Child issues (filed)

Repo Issue Scope
xCoder.WTF #45 — feat: ship xc release init scaffolder Drops .releaserc.json, commitlint.config.cjs, husky hook, release.yml, ci.yml, dependabot.yml, RELEASING.md into target repos. References xCoder #16 (xc init), #23 (migration flow), #24 (semantic commits policy).
Calibrate.WTF #125 — feat(checks): add release-readiness quality check Five-probe scoring rubric incl. "latest release was bot-published" (only probe that proves the pipeline actually runs). References Calibrate #98 (engine readiness epic), #113 (Release-asset distribution policy), #119 (PeerSpeak rollout), #67 (PR action pattern), #111 (fixture testing).

Both child issues reference this issue as tracking origin and reference the canonical files in this repo's main (after PR #37 lands) as the source of truth.

Portable assets (inventory)

Files in this repo that became the canonical templates. Paths are stable references.

Asset Path Portability notes
Semantic-release config .releaserc.json Monorepo-aware (semantic-release-monorepo), branches main/beta/alpha, tagFormat: cli-v${version} — tag format is the only repo-specific bit.
Release workflow .github/workflows/release.yml ~150 lines. Lint → typecheck → test → build → semantic-release → pack tarball → attach asset → smoke-test. Already templated; needs only pkgRoot and tag-format swap. Aligns with Calibrate.WTF#113 (Release-asset distribution, not GH Packages).
Commit linting commitlint.config.cjs + husky commit-msg hook (prepare: husky in root package.json) Conventional Commits with extended type-enum (incl. security). Zero project-specific code.
CI quality gates .github/workflows/ci.yml Lint/typecheck/test/build. Stack-agnostic for TS monorepos.
Dependabot config .github/dependabot.yml (added in #37) Grouped updates, majors-held-for-review for next/react/CLI deps. Pattern portable; package lists adjusted per consumer.
Branch protection sketch docs only (#6 §10) Required-checks list + linear history + signed commits. Needs gh api automation.

Specifically NOT portable (security-tool-specific)

  • action.yml — the composite GitHub Action consumers use to run scans.
  • .github/workflows/dogfood.yml + .github/workflows/dogfood-nightly.yml — invoke owasp-wtf against itself. The pattern (binding gate + observe-only nightly deep, baseline-aware) is portable; the workflow files are not.

Acceptance criteria for this meta-issue

  • Child issue filed in DecOperations/xCoder.WTF#45
  • Child issue filed in DecOperations/Calibrate.WTF#125
  • Both child issues reference the OWASP.WTF reference files as the canonical templates.
  • Pilot rollout: at least one external repo (PeerSpeak preferred, given rollout: adopt OWASP.WTF as the security gate in Dial-WTF/PeerSpeak #33) has been scaffolded via xCoder AND scored by Calibrate's release-readiness check, in advisory mode.
  • OWASP.WTF scores ≥95 on Calibrate release-readiness once shipped (golden-reference assertion).

Related

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions