From b6cd0cfb50e257d34b4053c6bfc322de0c29f2a4 Mon Sep 17 00:00:00 2001 From: Stephen Hellicar Date: Fri, 27 Mar 2026 06:46:49 +1100 Subject: [PATCH] Bump to 1.0.0-preview.6 Co-authored-by: BananaBot9000 --- .../workflows/verify-commit-signatures.yml | 55 +++++++++++++++++++ CHANGELOG.md | 17 ++++++ packages/mcp-exec/package.json | 2 +- 3 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/verify-commit-signatures.yml diff --git a/.github/workflows/verify-commit-signatures.yml b/.github/workflows/verify-commit-signatures.yml new file mode 100644 index 0000000..b61081c --- /dev/null +++ b/.github/workflows/verify-commit-signatures.yml @@ -0,0 +1,55 @@ +name: Verify Commit Signatures + +on: + pull_request: + branches: [main] + +permissions: + contents: read + +jobs: + verify-signatures: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Verify commit signatures + shell: sh + env: + GH_TOKEN: ${{ github.token }} + run: | + FAILED=0 + REPO="${{ github.repository }}" + + for COMMIT in $(gh pr view "${{ github.event.pull_request.number }}" --repo "$REPO" --json commits --jq '.commits[].oid'); do + VERIFIED=$(gh api "repos/$REPO/commits/$COMMIT" --jq '.commit.verification.verified') + REASON=$(gh api "repos/$REPO/commits/$COMMIT" --jq '.commit.verification.reason') + COMMITTER=$(gh api "repos/$REPO/commits/$COMMIT" --jq '.commit.committer.email') + MESSAGE=$(gh api "repos/$REPO/commits/$COMMIT" --jq '.commit.message' | head -1) + SHORT=$(echo "$COMMIT" | cut -c1-7) + + echo "---" + echo "Commit: $SHORT $MESSAGE" + echo " Committer: $COMMITTER" + echo " Verified: $VERIFIED" + echo " Reason: $REASON" + + if [ "$VERIFIED" != "true" ]; then + echo " FAIL: Commit is not verified (reason: $REASON)" + FAILED=1 + else + echo " OK" + fi + done + + echo "" + if [ "$FAILED" -eq 1 ]; then + echo "VERIFICATION FAILED: One or more commits are not verified." + echo "All commits must be GPG-signed and verified by GitHub." + exit 1 + else + echo "All commits verified." + fi diff --git a/CHANGELOG.md b/CHANGELOG.md index 4974d26..59300da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [1.0.0-preview.6] - 2026-03-27 + +### Changed + +- Strict schema validation (`.strict()`) on all input objects for better small-model compatibility (#20) +- Example added to tool description (#20) +- Content and structuredContent derived from a single canonical result (#13) + +### Fixed + +- ANSI escape codes not stripped from structuredContent output (#12) + +### Security + +- picomatch CVE-2026-33671 (ReDoS) and CVE-2026-33672 (method injection) resolved via pnpm override + ## [1.0.0-preview.5] - 2026-03-24 ### Added @@ -48,6 +64,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Built-in validation rules blocking destructive operations including rm, sed -i, git reset, force push, xargs, and sudo - Pluggable rule system for custom validation +[1.0.0-preview.6]: https://github.com/shellicar/mcp-exec/releases/tag/1.0.0-preview.6 [1.0.0-preview.5]: https://github.com/shellicar/mcp-exec/releases/tag/1.0.0-preview.5 [1.0.0-preview.4]: https://github.com/shellicar/mcp-exec/releases/tag/1.0.0-preview.4 [1.0.0-preview.3]: https://github.com/shellicar/mcp-exec/releases/tag/1.0.0-preview.3 diff --git a/packages/mcp-exec/package.json b/packages/mcp-exec/package.json index df1052b..3ac602d 100644 --- a/packages/mcp-exec/package.json +++ b/packages/mcp-exec/package.json @@ -1,7 +1,7 @@ { "name": "@shellicar/mcp-exec", "private": false, - "version": "1.0.0-preview.5", + "version": "1.0.0-preview.6", "type": "module", "license": "MIT", "author": "Stephen Hellicar",