diff --git a/docs/changelog/index.md b/docs/changelog/index.md index e569b38..7c05223 100644 --- a/docs/changelog/index.md +++ b/docs/changelog/index.md 
@@ -20,153 +20,39 @@ Notable changes to the guide and its tooling. Follows [Keep a Changelog](https:/ --- -## [v2.0.1] +## [v1.2.3] — 2026-05-24 -!!! Note "Meta" - - - Released 2026-05-24 from [`c658c35`](https://github.com/Anon-Planet/thgtoa/commit/c658c354ee0b982163167a7ac7106a0bf16465ed) - -!!! Note "Added" - - - Add tag_release.py — guided signed release tagger - - How to verify the authenticity of our files and check virus scans - -!!! Note "Changed" - - - Rewrite developer guide for current pipeline - - 8/8 chore(bump): v1.2.3 - - 8/8 chore(scripts): minor cleanup to setup_workflow.py - - 7/8 docs(guide): bump version string to v1.2.3 - - 6/8 chore: track .b2 hash files in .gitignore - - 5/8 docs(changelog): rewrite for v1.2.3 — consolidate and clean up - - 4/8 ci: add automated changelog update workflow - - 3/8 ci: split monolithic workflow into build, sign, release stages - - 2/8 refactor(pdf): wire dark mode through convert.py - - 1/8 feat(pdf): add pixel-based dark mode PDF converter - - Refactor pipeline into independent build/sign/release/changelog workflows - - Submit actual develop page - - Fix copy information in website footer - - Fix some broken YAML references - - Delete stale information - - Sign local copy - - Tweaking some of the build to function - - Tweaking some of the build to function - - Tweaking some of the build to function - - Tweaking some of the build to function - - Tweaking some of the build to function - - Tweaking some of the build to function - - Tweaking some of the build to function pt6 - - Tweaking some of the build to function pt5 - - Tweaking some of the build to function pt4 - - Tweaking some of the build to function pt3 - - Tweaking some of the build to function pt2 - - Tweaking some of the build to function - - Moving some things around - - One job to rule them all - - Forgot to add flag - - The GPG bit fails, let's try again pt2 - - The GPG bit fails, let's try again - - Move out some scripts - - Combined actions 
refactor - - Combined actions into one file for less overhead - - Overhaul the Hashing, scanning, release management - - Overhaul the Hashing, scanning, release management - - Refactor build action - - Slightly refactor the workflow task - - Fix README - - Build pipeline WIP - - Refactoring the VT job - - Downgrade to working versions to fix broken jobs - - Appendix A6: comment out deprecated ODT information - - Replace broken internal link with correct rel path - - Add nav in mkdocs.yml config - - Fix broken link to page - - Update VT scan workflow - - Use VT v5.x - - Add VirusTotal scans for submitted PDFs - - Fix path - - Refactor PDF build in CI, add dark mode PDF (pt 4) - - Fix PDF build in CI - - Fix PDF build in CI - - Archive Matrix database and shutdown - - The Tor onion v3 address works - - Fix - - Revert "Fix some metadata" - - File endings - - Missing parenthesis - - Extra parenthesis - - Creating your anonymous online identities - - Traffic anonymization - - OPSEC thoughts - - Watermarking - - Browser and device fingerprinting - - Requirements refs - - Local data leaks, forensics - - Whonix virtual machines - - Some more - - Adversarial considerations (threats) - - Some more - - Some Tails refs - - Some additional measures against forensics refs - - Comparing versions ref - - Persistent plausible deniability - - All refs I have time for at the moment - - Fix some metadata - - Update admin info in Matrix listing - - Fix some metadata - - Fix discussion channels - - Fix nope's Matrix pushed to only one repo - - Fix Das' Matrix pushed to only one repo - - Remove commitizen requirement - - Remove than/nope signed canary - - Upgrade pre-commit hooks - - Wikiless.org --> Wikiless.com - - Minor updated information - - Still broken, try again - - Fix workflow - - Missing README.md - - Fix some references and tidy up language - - Cleanup old remnants - - Sample publishing config - - Move CNAME to docs - - Add CNAME - - Remove old site artifacts - - Fix some 
absolute links - - Add Blackhat USA 2024 conference on Wi-Fi dangers - - Add Blackhat USA 2024 conference on Wi-Fi dangers - - Formatting and tooling upgrades to improve performance - -!!! Note "Fixed" - - - Actually save per-page PDFs for qpdf, not PNGs - - Fail fast with helpful message if pdftoppm or qpdf missing - - Resolve Pillow JPEG KeyError and cairosvg missing dep - -## [v1.2.3] — 2026-05-22 - -CI/CD pipeline split into independent stages, dark PDF quality improved, and the changelog is now updated automatically on every release. v1.2.2 was just a placeholder, this is a minor but CI breaking change. +CI/CD pipeline split into independent stages, dark PDF quality improved, release signing automated, and the changelog now updates itself on every build. !!! success "Added" - - **Dark mode PDF** (`scripts/convert.py`): pixel-level converter replaces the broken `--prefers-color-scheme=dark` Chromium flag. Produces a 200 DPI hacker-themed PDF (`#1f1f31` background, `#e0e0e0` text, `#5e8bde` links) with batched page processing to avoid OOM. + - **Dark mode PDF** (`scripts/convert.py`): pixel-level converter replaces the broken `--prefers-color-scheme=dark` Chromium flag. Produces a 200 DPI hacker-themed PDF (`#1f1f31` background, `#e0e0e0` text, `#5e8bde` links) with batched page processing to avoid OOM on large documents. - **Three independent CI workflows** replacing the old monolithic `build-sign-release.yml`: - - `build.yml` — builds PDFs and uploads them as an artifact; no secrets required. + - `build.yml` — builds PDFs and uploads them as an artifact; no secrets required, can be re-run freely. - `sign.yml` — downloads the PDF artifact, computes SHA-256 and BLAKE2b hashes, GPG-signs all outputs, and uploads a `signatures` artifact. Can be re-run against any historical build. - - `release.yml` — downloads both artifacts, uploads to VirusTotal, and publishes a tagged GitHub Release with all 12 assets attached. 
**Can be triggered manually against any previous sign run**. - - **`scripts/update_changelog.py`**: reads `git log` since the last version tag, categorises commits by conventional-commit prefix, and prepends a new entry here automatically after each successful build. - - **`changelog.yml`** workflow: commits the auto-generated changelog entry back to `main` after every build, with `dry_run` and `manual_version` dispatch inputs for testing. + - `release.yml` — downloads both artifacts, uploads to VirusTotal, and publishes a tagged GitHub Release with all 12 assets attached. Can be triggered manually against any previous sign run. + - **`scripts/update_changelog.py`**: reads `git log` since the last version tag, categorises commits by conventional-commit prefix, and prepends a new entry to this file automatically after each successful build. + - **`changelog.yml`** workflow: commits the auto-generated changelog entry back to `main` after every build, with `dry_run` and `manual_version` dispatch inputs for safe local testing. + - **`scripts/tag_release.py`**: interactive guided helper for maintainers to create GPG-signed annotated tags. Checks clean tree and branch, auto-increments the version, pulls the message from the changelog, resolves the release signing key, creates and verifies the tag, then prints the push command. + - **`docs/code/develop.md`**: full developer reference covering prerequisites, local build instructions, the pipeline flow, all required GitHub Secrets, the release process, verification steps, and a troubleshooting section for every known CI failure mode. !!! warning "Changed" - - `build-sign-release.yml` is now deprecated — push triggers removed, manual dispatch only. Will be deleted once in-flight runs complete. - - The full pipeline (build → sign → release) now chains automatically via `workflow_run` on every push to `main`. + - `build-sign-release.yml` deprecated — push triggers removed, manual dispatch only. 
Will be deleted once in-flight runs complete. + - The full pipeline (build → sign → release → changelog) now chains automatically via `workflow_run` on every push to `main`. - GPG signing uses `--pinentry-mode loopback` and `--passphrase-fd 0` to avoid interactive prompts on headless runners. - VirusTotal scans moved to the release stage so they run once per release, not once per build. + - `.gitignore` updated to track `.b2` per-file hash files alongside existing `.sha256` and `.sig` entries. + - Stale information removed from the guide; deprecated ODT section in Appendix A6 commented out. + - Footer copyright information corrected. !!! bug "Fixed" - - Broken internal links and a mismatched cross-reference in `docs/about/index.md`. - - Deprecated ODT section commented out in Appendix A6 of the guide. + - `_save_images_as_pdf` in `convert.py` was passing raw PNG files to `qpdf --pages`, which only accepts PDF inputs. Fixed by quantizing each page to palette mode (256 colours, FASTOCTREE) and saving as a single-page PDF before merging. + - `convert.py` now fails immediately with install instructions if `pdftoppm` or `qpdf` are missing, instead of crashing with an unhelpful `FileNotFoundError`. + - Pillow `KeyError: 'JPEG'` on CI resolved by installing `mkdocs-material[imaging]` and using palette-mode PDF encoding instead of RGB+JPEG. + - Orphaned footnote citations `[^536]` and `[^537]` (Australian privacy law and the Identify and Disrupt Act) restored at the key disclosure law paragraph in the guide. + - Broken internal links and mismatched cross-references throughout the guide corrected. --- diff --git a/scripts/update_changelog.py b/scripts/update_changelog.py index e33db28..2c463c8 100644 --- a/scripts/update_changelog.py +++ b/scripts/update_changelog.py 
@@ -84,11 +84,25 @@ def version_from_changelog() -> str | None: def commits_since(ref: str | None, until: str) -> list[str]: - """Return one-line commit messages between ref and until (exclusive/inclusive).""" + """Return one-line commit messages between ref and until (exclusive/inclusive). + + When no ref is given (no prior tag exists) we fall back to the merge-base + between HEAD and origin/main rather than walking the entire history, which + would otherwise dump every commit ever made into the changelog. + """ if ref: log_range = f"{ref}..{until}" else: - log_range = until + # No previous tag — scope to commits not yet on origin/main + merge_base = run( + ["git", "merge-base", "HEAD", "origin/main"], check=False + ).stdout.strip() + if merge_base: + log_range = f"{merge_base}..{until}" + else: + # Truly brand new repo with no remote — limit to last 50 commits + # to avoid dumping the whole history + log_range = f"-50 {until}" out = run(["git", "log", "--pretty=format:%s", log_range]) return [line.strip() for line in out.splitlines() if line.strip()] 
@@ -97,9 +111,30 @@ def categorise(messages: list[str]) -> dict[str, list[str]]: """Sort commit messages into Added / Changed / Fixed buckets.""" buckets: dict[str, list[str]] = {b: [] for b in BUCKET_ORDER} + # Patterns that are never useful in a human-readable changelog + NOISE = re.compile( + r""" + \[skip\ ci\] # CI skip marker + | ^Merge\ (pull\ request|branch) # merge commits + | ^chore:\ bump # version bump chores + | update\ changelog # self-referential + | ^\d+/\d+ # numbered commit series (e.g. 3/8) + | ^Tweaking # vague WIP messages + | ^Moving\ some # vague WIP messages + | \ pt\d+$ # "...pt2", "...pt3" suffixes + | ^Fix\ (workflow|path|README)$ # one-word infrastructure fixes + | ^Still\ broken # embarrassing mid-fix notes + | ^WIP\b # work in progress + | ^Forgot\ to # oops commits + | ^Revert\ " # reverts (surface the original instead) + | ^One\ job\ to\ rule # joke commit messages + """, + re.VERBOSE | re.IGNORECASE, + ) + for msg in messages: - # Skip automated / noise commits - if re.search(r"\[skip ci\]|^Merge |^chore: bump|update changelog", msg, re.I): + # Skip noise + if NOISE.search(msg): continue # Strip conventional-commit prefix to get the plain description
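Review bot: In docs/changelog/index.md, the rewritten heading re-dates v1.2.3 from 2026-05-22 to 2026-05-24 and deletes the v2.0.1 entry together with its "Meta" note, which was the only line tying the release to commit `c658c35`. For a project that publishes signed releases, readers should still be able to map a changelog entry to a commit. Keep the commit link in the v1.2.3 entry and say in the commit message why v2.0.1 is being withdrawn. The new summary also drops the sentence warning that this is a "CI breaking change". That warning is worth keeping under "Changed", since `build-sign-release.yml` loses its push triggers. Minor: `dry_run` and `manual_version` are described as dispatch inputs "for safe local testing", but dispatch inputs apply to a workflow run, not a local one.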
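Review bot: In commits_since(), the last-resort branch sets `log_range = f"-50 {until}"`, and that string is then passed as one list element in `run(["git", "log", "--pretty=format:%s", log_range])`. Git therefore receives "-50 <until>" as a single argument rather than a count plus a revision, so this fallback will error instead of limiting the output. Build the arguments as a list (for example `["-50", until]`) and extend the command with it. Two further checks in the same hunk: the new call reads `.stdout` from `run(..., check=False)`, while the unchanged line below calls `out.splitlines()` directly on what `run(...)` returns, so one of the two does not match run()'s return type unless that type depends on `check`. Also, when the checkout is level with origin/main, `git merge-base HEAD origin/main` returns HEAD itself, so `{merge_base}..{until}` is an empty range whenever `until` is HEAD. That is the normal state for a pipeline that runs on every push to `main`, so the no-tag path would produce an empty changelog entry there.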
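Review bot: In categorise(), the `^\d+/\d+` alternative in NOISE skips the whole commit, so every message in a numbered series is lost, including substantive ones such as "1/8 feat(pdf): add pixel-based dark mode PDF converter" and "3/8 ci: split monolithic workflow into build, sign, release stages" from the changelog being replaced. Strip the "N/M " prefix before the conventional-commit parsing instead of treating it as noise. The `^Revert\ "` alternative has a related problem: its comment says "surface the original instead", but hiding the revert leaves the reverted commit listed as if it still applied (the old entry shows both "Fix some metadata" and its revert). Either drop the original when its revert is seen or keep the revert line. Style: NOISE is built inside the function on every call. Move it to module level next to BUCKET_ORDER and add a short comment explaining that filtered commits are omitted from the published changelog, since that affects what readers can audit.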