fix(release-automation): converge CC regexes — drop top-level security: #154
Merged
githubrobbi merged 1 commit into main from May 8, 2026
…ty:`
Brings forward the Phase R1b "decide whether to keep top-level
`security:` or migrate to `chore(security):`" sub-question and resolves
it: top-level `security:` is no longer an accepted Conventional Commits
type anywhere in the toolchain. Security work uses `fix(security):`
(patch + Security changelog row) or `chore(security):` (no bump +
Security changelog row).
Background — four regexes had drifted into two camps:
Strict (11 standard CC types):
- scripts/ci/check_commit_subjects.sh (commit-msg + pre-push hook)
- .github/workflows/commitlint.yml (PR-title advisory check)
Permissive (11 + top-level `security:`):
- cliff.toml::commit_parsers
- release-plz.toml::release_commits
The permissive carve-out tolerated PRs #31, #33, #34 — three early-
project commits that used `security:` as a top-level type before the
commit-msg hook was installed. Since the hook landed, no future commit
can use that prefix on `main`, so the cliff.toml + release-plz.toml
allowances are dead code preemptively allowing what no longer reaches
the codebase. The dedicated `^fix\(security\)` and `^chore\(security\)`
parsers in `cliff.toml` already route security work to the dedicated
**### Security** changelog section without the top-level type.
Changes:
- `release-plz.toml::release_commits`:
^(feat|fix|perf|security)(\\(.+\\))?:
→ ^(feat|fix|perf)(\\(.+\\))?:
Plus a comment block explaining the security-encoding convention
and pointing to CONTRIBUTING.md.
- `cliff.toml::commit_parsers`:
Drop the `^security(\\([a-z0-9-]+\\))?:` line and its carve-out
comment. The two scope-based parsers
(`^fix\\(security\\)` + `^chore\\(security\\)`) remain, so the
Security changelog section is unaffected.
- `CONTRIBUTING.md` § "Commit message conventions":
Add a "Security commits" paragraph explicitly codifying
`fix(security):` + `chore(security):` as the canonical encodings
and stating that top-level `security:` is NOT an allowed type.
Cross-reference the commit-msg hook + commitlint workflow + the
release-plz `release_commits` filter.
- `docs/architecture/release-automation-plan.md`:
Append a deviation log entry "R1b CC-type convergence (early)"
documenting the decision, the dead-code rationale, and that
historical PRs #31/#33/#34 remain in the changelog.
No code changes. Pure regex + comment + docs convergence.
Validation:
- `git grep -nE "release_commits|\\^security|security:"` in
`cliff.toml` + `release-plz.toml` shows the four regexes now
agree (11 standard CC types only).
- No CHANGELOG churn — the historical PR #31/#33/#34 entries are
not regenerated by `git-cliff` because they predate the most
recent tag.
- `taplo fmt --check` on the two TOML files green.
Refs: #153 (R5 retirement, where the drift was first surfaced).
Plan impact: brings R1b's enforcement decision forward by ~1 phase.
Does NOT change the R1a → R1b advisory→required scheduling for the
commitlint workflow itself; only resolves the orthogonal type-list
sub-question.
Summary
Brings forward the Phase R1b sub-question "keep top-level `security:` or migrate to `chore(security):`" and resolves it: top-level `security:` is no longer an accepted Conventional Commits type anywhere in the toolchain. Security work uses the conventional encoding:
- `fix(security): foo` (0.x.y→0.x.y+1)
- `chore(security): foo`
Top-level `security: foo` is rejected by the local `commit-msg` hook, the commitlint workflow, and (after this PR) by both `cliff.toml` and `release-plz.toml`'s `release_commits` filter.
Background — the four-regex drift
- `scripts/ci/check_commit_subjects.sh` (commit-msg + pre-push hook)
- `.github/workflows/commitlint.yml` (PR-title advisory check)
- `cliff.toml::commit_parsers`: `security:`
- `release-plz.toml::release_commits`: `feat|fix|perf|security` → `feat|fix|perf`
The permissive carve-out in `cliff.toml` + `release-plz.toml` was a tolerance for PRs #31, #33, #34 — three early-project commits that used `security:` as a top-level type before the commit-msg hook was installed. Since the hook landed, no future commit can use that prefix on `main`, so the carve-outs were dead code preemptively allowing what no longer reaches the codebase.
The dedicated `^fix\(security\)` and `^chore\(security\)` parsers in `cliff.toml` already route security work to the ### Security changelog section without needing a non-CC top-level type, so this PR is strictly subtractive for the changelog generator.
Diff (4 files, +34 / −11)
- `release-plz.toml` — `release_commits` regex collapses; comment block expanded with the security-encoding convention.
- `cliff.toml` — drop the `^security(\([a-z0-9-]+\))?:` parser and its carve-out comment; updated the section header explaining why only the two scope-based parsers remain.
- `CONTRIBUTING.md` § Commit message conventions — new "Security commits" paragraph codifying `fix(security):` + `chore(security):` as canonical and explicitly stating top-level `security:` is not allowed. Cross-references the hook + workflow + release-plz filter.
- `docs/architecture/release-automation-plan.md` — append a deviation log entry "R1b CC-type convergence (early)" documenting decision, rationale, and historical PR linkage.
No code changes. Pure regex + comment + docs convergence.
Validation
- `lint-pre-push` (Tier 1 fast gate, workspace-parallel) ✅ green in 3s — Bucket 2 (rust/dep/infra) auto-skipped because no source files changed.
- `taplo fmt --check` on both modified TOML files ✅ green (run as part of `lint-fast`).
- `git-cliff` because they predate the most recent tag.
Plan impact
Brings R1b's enforcement decision forward by ~1 phase. Does not change the R1a → R1b advisory→required scheduling for the commitlint workflow itself; only resolves the orthogonal "should `security:` be a top-level type" sub-question.
Rollback
Single-file revert restores the carve-outs. No data has moved; no commits are affected (the historical entries in CHANGELOG and `release-automation-baseline.md` remain unchanged regardless).
Refs
release_commits)
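An added example (not code from this PR or its repository) that replays the drift described above: it runs constructed commit subjects through a strict hook-style check and through the `release_commits` and Security-section regexes quoted in the PR, before and after the change, and lists subjects a downstream tool would act on although the hook rejects them. The `STRICT` pattern and the list of 11 types are assumptions, since the page does not show the hook's regex.

```python
import re

# Assumption: the "11 standard CC types" are the commitlint config-conventional
# set; the page does not list them. STRICT is a stand-in for the hook's regex.
CC_TYPES = ("build", "chore", "ci", "docs", "feat", "fix",
            "perf", "refactor", "revert", "style", "test")
STRICT = re.compile(r"^(%s)(\([^)]+\))?!?: \S" % "|".join(CC_TYPES))

# Regexes quoted in the PR, with the TOML string escaping removed.
RELEASE_BEFORE = re.compile(r"^(feat|fix|perf|security)(\(.+\))?:")
RELEASE_AFTER = re.compile(r"^(feat|fix|perf)(\(.+\))?:")
SCOPED = [re.compile(r"^fix\(security\)"), re.compile(r"^chore\(security\)")]
SECURITY_BEFORE = SCOPED + [re.compile(r"^security(\([a-z0-9-]+\))?:")]
SECURITY_AFTER = SCOPED

def classify(subject, release_re, security_parsers):
    """How each stage of the toolchain treats one commit subject."""
    return {
        "hook_accepts": bool(STRICT.match(subject)),
        "triggers_release": bool(release_re.match(subject)),
        "security_section": any(p.match(subject) for p in security_parsers),
    }

def drift(subjects, release_re, security_parsers):
    """Subjects a downstream tool acts on although the hook rejects them."""
    out = []
    for s in subjects:
        c = classify(s, release_re, security_parsers)
        if not c["hook_accepts"] and (c["triggers_release"] or c["security_section"]):
            out.append(s)
    return out

# Constructed sample subjects (not taken from the repository's history).
SAMPLES = [
    "security: rotate signing key",
    "security(deps): bump vulnerable crate",
    "fix(security): validate archive paths",
    "chore(security): pin workflow actions",
    "feat: add --json flag",
    "docs: update README",
]

if __name__ == "__main__":
    print("before:", drift(SAMPLES, RELEASE_BEFORE, SECURITY_BEFORE))
    print("after: ", drift(SAMPLES, RELEASE_AFTER, SECURITY_AFTER))
    for s in SAMPLES:
        print(s, classify(s, RELEASE_AFTER, SECURITY_AFTER))
```

An empty `drift` list after the change means no stage accepts a prefix that an earlier stage rejects, which is the property the PR's `git grep` validation checks by eye.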