Skip to content

release: v1.1.0#130

Open
VijitSingh97 wants to merge 16 commits into
mainfrom
develop
Open

release: v1.1.0#130
VijitSingh97 wants to merge 16 commits into
mainfrom
develop

Conversation

@VijitSingh97

@VijitSingh97 VijitSingh97 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Promote develop to main for the v1.1.0 release.

Highlights

Release gate (miner-0, Ryzen 7800X3D, pool gouda.lan:3333)

Full tests/e2e-real.sh on develop HEAD: provision 8/8, verify 39/39 (live connect + accepted share, live autotune, real tune/efficiency/A-B, every verb), teardown 13/13. Suite: 666 passed.

After merge (fast-forward), tag v1.1.0 from main to trigger the release pipeline (draft).

VijitSingh97 and others added 16 commits June 18, 2026 01:14
…ain branch model (#120)

* ci: supply-chain & secrets hardening — gitleaks, Dependabot, zizmor (#117)

Adds the three cross-cutting gates from #117 on top of RigForge's existing
SHA-pinned actions and commit-verified XMRig build. Scope is only the gaps,
not a redo of that work.

- gitleaks: new Security workflow scans the full git history for committed
  secrets (pool creds, tokens, the #113 stratum access-password) on every push
  and PR, with a matching pre-commit hook. Binary is version+checksum pinned,
  mirroring the shellcheck/shfmt installs.
- Dependabot: .github/dependabot.yml for the github-actions ecosystem only
  (RigForge has no pip/npm/docker deps) — keeps the action pins current and
  surfaces advisories.
- zizmor: audits the workflows for template injection, over-broad GITHUB_TOKEN,
  and credential persistence. Hardened ci.yml/release.yml to a read-only default
  token and persist-credentials: false on checkout so the audit is clean.

The broader pre-commit hook set (shellcheck/shfmt/yamllint/markdownlint +
freebies) is left to #118, which extends .pre-commit-config.yaml.

Validated locally: gitleaks clean over full history, zizmor reports no findings.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci(security): enable zizmor online audits + weekly schedule

Run zizmor with online audits on (its default) so the known-vulnerable-actions
audit cross-references the actions we pin against the GitHub Advisory Database —
a CVE disclosed against a pinned action now fails the gate, not just structural
issues. GH_TOKEN is the built-in read-only token (advisory data is public; it's
only for API access).

Add a weekly schedule so a freshly-published advisory trips against main even
with no open PRs (the online audit is time-varying by design). gitleaks is
skipped on the scheduled tick — history doesn't change between pushes.

Complements Dependabot: zizmor blocks the merge, Dependabot opens the bump.
Validated: zizmor online reports no findings against the current pins.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci: adopt the develop/main branch model (mirrors Pithead)

Pithead uses develop as the default integration branch and main as the release
branch; mirror that here (develop is now the repo default).

- ci.yml + security.yml: run on push to [main, develop] (PRs already run on any
  base via the unfiltered pull_request trigger).
- coverage: diff-cover now compares against the PR's actual base branch
  (github.base_ref, falling back to the pushed branch) instead of a hardcoded
  origin/main — so patch coverage stays correct once develop diverges from main.
- CONTRIBUTING: document the two-branch model; PRs target develop.
- RELEASING: build the release commit on develop, fast-forward into main, tag
  from main. develop is merged to main at each release (1.1 onward).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…markdownlint, lychee) (#118) (#122)

Rounds out the non-shell tooling around RigForge's existing shellcheck/shfmt +
kcov core, finishing the tooling epic (#116).

- .editorconfig: encodes the whitespace house style (shfmt -i 4, LF, final
  newline) so editors match CI.
- pre-commit: .pre-commit-config.yaml now orchestrates `make lint` (shellcheck +
  shfmt via the Makefile's SHELL_FILES — single source of truth, no duplicated
  list), the existing gitleaks hook, and freebie hygiene hooks (detect-private-key,
  check-added-large-files, end-of-file-fixer, trailing-whitespace).
- yamllint + markdownlint: new CI jobs in ci.yml (and `make lint-yaml` /
  `make lint-md`), each with a tuned config (.yamllint, .markdownlint-cli2.yaml)
  matching the repo's house style. Pinned via pipx / npx like diff-cover/zizmor.
- lychee: new scheduled workflow (links.yml) + `make lint-links`, kept off the PR
  path since external links are flaky-by-nature. Pinned + checksum-verified binary.
- docs: small fixes to satisfy the structural markdown rules (blank lines around
  headings/lists/fences via --fix; code-fence languages; fenced donation block;
  README hero subtitle as <h3> to keep the heading hierarchy clean).
- CONTRIBUTING: document the hooks + the config/docs lint targets.

Validated locally: yamllint --strict, markdownlint, zizmor (online), lychee
(198 links OK), and `pre-commit run --all-files` all green.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Roll up the Unreleased changelog under 1.1.0 and bump VERSION. v1.1 is the
tooling/code-quality + repo-hardening release: supply-chain & secrets gates
(#117), DX glue + config/docs lint (#118), the develop/main branch model, and
the MIT-licensing contributing note (#119). Stratum auth/TLS (#113/#115) were
deferred to v1.6.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Moderate style pass across the README, the docs/ guides, and the meta docs
(CONTRIBUTING, SECURITY, RELEASING, issue/PR templates): trim em-dash density,
drop gratuitous bold and italics-for-emphasis, soften marketing cadence and the
recurring "X, not Y" construction, and cut filler/virtue words.

Prose-only. Verified no code blocks, command tokens, flags, env vars, numbers,
link targets, or table rows changed; emoji section headers kept; markdownlint
clean across all 18 files. CHANGELOG left in the standard Keep-a-Changelog style.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The v1.1 work is dev tooling (gitleaks/zizmor/Dependabot, pre-commit, the lint
configs, the develop/main branch model) plus a docs copy-edit. None of the
tooling is in the release bundle (release.yml ships rigforge.sh/util/systemd/
config templates/README/docs/images/LICENSE/VERSION — not tests/, .github/, or
the dotfiles), and rigforge.sh is unchanged, so there's nothing user-facing to
release. Bumping to 1.1.0 (MINOR) would signal new functionality that isn't there.

Revert the premature VERSION bump (back to 1.0.1) and the changelog rollup; the
entries stay under [Unreleased] and will ship with the next release that actually
changes something for users. main stays at the last release (1.0.1).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ACCESS_TOKEN no longer defaults to the rig name. Left unset, the rig's
:8080 xmrig API is served `restricted` (read-only) with NO token — which
matches Pithead's new default no-auth stats probe, so a stock rig needs
zero token coordination. Setting ACCESS_TOKEN re-enables Bearer auth (now
validated only when non-empty); match it dashboard-side with
workers.api_auth token|name.

Pairs with pithead#171/#172 (the dashboard's single config-driven worker
API probe).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout).


Updates `actions/checkout` from 6.0.3 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@df4cb1c...9c091bb)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Vijit Singh <vijit.n.singh@gmail.com>
* docs: rewrite CONTRIBUTING.md for voice consistency

Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs.
No technical facts, commands, flags, addresses, ports, or numbers changed
(code fences and inline code verified byte-identical).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: rewrite README.md for voice consistency

Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs.
No technical facts, commands, flags, addresses, ports, or numbers changed
(code fences and inline code verified byte-identical).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: rewrite RELEASING.md for voice consistency

Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs.
No technical facts, commands, flags, addresses, ports, or numbers changed
(code fences and inline code verified byte-identical).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: rewrite SECURITY.md for voice consistency

Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs.
No technical facts, commands, flags, addresses, ports, or numbers changed
(code fences and inline code verified byte-identical).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: rewrite docs/README.md for voice consistency

Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs.
No technical facts, commands, flags, addresses, ports, or numbers changed
(code fences and inline code verified byte-identical).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: rewrite docs/benchmarks.md for voice consistency

Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs.
No technical facts, commands, flags, addresses, ports, or numbers changed
(code fences and inline code verified byte-identical).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: rewrite docs/configuration.md for voice consistency

Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs.
No technical facts, commands, flags, addresses, ports, or numbers changed
(code fences and inline code verified byte-identical).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: rewrite docs/faq.md for voice consistency

Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs.
No technical facts, commands, flags, addresses, ports, or numbers changed
(code fences and inline code verified byte-identical).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: rewrite docs/getting-started.md for voice consistency

Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs.
No technical facts, commands, flags, addresses, ports, or numbers changed
(code fences and inline code verified byte-identical).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: rewrite docs/hardware.md for voice consistency

Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs.
No technical facts, commands, flags, addresses, ports, or numbers changed
(code fences and inline code verified byte-identical).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: rewrite docs/how-it-works.md for voice consistency

Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs.
No technical facts, commands, flags, addresses, ports, or numbers changed
(code fences and inline code verified byte-identical).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: rewrite docs/operations.md for voice consistency

Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs.
No technical facts, commands, flags, addresses, ports, or numbers changed
(code fences and inline code verified byte-identical).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: rewrite docs/pithead-integration.md for voice consistency

Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs.
No technical facts, commands, flags, addresses, ports, or numbers changed
(code fences and inline code verified byte-identical).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: rewrite tests/README.md for voice consistency

Voice/style pass to match the cadence of the p2pool, xmrig, and monero READMEs.
No technical facts, commands, flags, addresses, ports, or numbers changed
(code fences and inline code verified byte-identical).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Behaviour-preserving cleanups from a ponytail (over-engineering) audit. The audit's
headline finding is that rigforge is already lean; these are the few real cuts.

rigforge.sh:
- macOS tuning block re-set YIELD/PRIORITY/NUMA/HTTP_RESTRICTED to the exact values
  the shared defaults block already sets — dead no-ops (plus an orphaned priority
  comment duplicating the default's). Keep only the values that actually differ.
- link_cli: fold the `ok` flag into the `if` it guards.

util/proposed-grub.sh:
- L3-cache + socket parsing: `lscpu | grep ... | awk` -> single `awk`; strip via
  bash builtin (`${L3_RAW//[!0-9]/}`) instead of `echo | sed`.
- 1GB-pages read: `$(<file)` instead of `cat ... || echo 0` (the file is guarded
  by -f already, and the default is set to 0 above).

No behaviour change; 614-test suite green.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
config.json.template -> config.minimal.json   (the copy-me starter: just the pool URL)
config.advanced.example.json -> config.reference.json   (the full reference: every key
  with its default, enforced complete by the #23 test)

Matches the same rename in Pithead for cross-repo consistency. Content unchanged — the
the starter is still just the pool URL. Updated all references (rigforge.sh, RELEASING,
docs/configuration, .gitignore, the release workflow + macOS e2e bundle, and the config
tests). CHANGELOG keeps the old names (historical).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Adds ~58 assertions for previously-untested branches and degenerate
inputs, all at the run.sh layer (stub-driven, hardware-independent,
bash 3.2-safe) per tests/README.md — no new files, SHELL_FILES unchanged.

Behaviours now covered:
- check_prerequisites: the whole jq-bootstrap (apt/dnf/pacman/none/brew/
  no-brew/already-present) — was entirely untested
- install_dependencies: the dnf and pacman branches + the no-manager
  warn-not-abort path + the apt-cache-present linux-tools branch
- install_service reboot-gate (#audit A2): enable-but-NOT-start when a
  reboot is pending, restart on rebuild, start on steady state, plus
  CPUPOWER_PATH substitution in ExecStartPre
- compile_xmrig drops the clone (rm -rf) on a commit mismatch (#18)
- config-gen round-trips: bracketed IPv6 url, single-pool tls, empty
  ACCESS_TOKEN -> JSON null
- restore of a corrupt / config-less archive: fails AND leaves the
  existing config.json untouched (no silent clobber)
- uninstall without --yes aborts cleanly on 'n' and reverts nothing
- mac_start guard (no built worker -> "run setup first"); mac_stop
  launchd-owned delegation
- numeric degenerate inputs: _median/_stddev/_mean on empty/single
  sample; _watts_from_energy backwards counter w/ no wrap-max; the
  no-power efficiency fallbacks in _accept_better and _autotune_score
- compute_build_jobs sub-2GB floor; the 1G fstab line on a fresh write;
  the rest of the xmrig.service hardening block

Verified: make lint clean; make test 664/664; make coverage 91.34%
(floor 80); suite passes 687/687 on a real Ubuntu 24.04 / bash 5.2 rig.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
The worker HTTP API now defaults to open (read-only) with no token, so
XMRig 401s the stale "Bearer $(hostname)" the verify warmup still sent.
Under set -e + pipefail that surfaced as curl -f exit 22 aborting verify
silently before any output. Send the header only when ACCESS_TOKEN is set.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
_read_api_hashrate always sent "Bearer ${ACCESS_TOKEN:-}", so with the
new open (no-token) API default it sent an empty Bearer, XMRig 401'd it,
and curl -f (exit 22) aborted the caller under set -e — breaking every
live-hashrate read: autotune (incl. the monthly timer), tune --live,
tune --confirm, and the upgrade re-tune. Send the header only when
ACCESS_TOKEN is set. The suites stub this via API_CMD, so only the
real-hardware e2e gate exercised the curl path that regressed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ect push

The develop->main promotion goes through a PR (release gate + audit trail);
main is protected. Fast-forward/rebase-merge so the tag lands on develop's
release commit.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant