Themis v1.0.0
Summary
Themis v1.0.0 is the initial stable release of a Nix-first, fail-closed pre-upstream PR validation gate for contributors, maintainers, CI users, and GitHub Action users.
Highlights
- Deterministic CLI gate with Markdown, JSON, comment, and SARIF output.
- GitHub composite action with step summaries, artifacts, annotations, workflow selection, config checks, and optional PR comments.
- Strict policy checks for AI disclosure, human accountability, test evidence, DCO/signoff, upstream rules, generated/vendor/binary/secret-like content, placeholders, and oversized changes.
- Dynamic upstream rule inference from contribution docs, PR templates, and monorepo policy files.
- Disabled-by-default AI provider diagnostics and preview workflows that cannot affect gate pass/fail status.
- Nix flake packaging and nix flake check release gates.
- Apache-2.0 license, documented asset provenance, threat model, stability policy, and release audit workflow.
- Release-ready README with Themis banner artwork, neutral project description, and grouped quick-start steps.
Verification
Completed before tagging:
nix run . -- release check
nix flake check
nix run . -- release audit --history --format markdown
nix run . -- self-check --repo . --base HEAD~1 --body-file examples/pr-body.md --evidence "nix flake check passed" --human --run-checks
git grep -n -i anubis $(git rev-list --all) -- . || true
git tag -v v1.0.0
Results:
- release check: pass
- nix flake check: pass
- release audit --history: pass
- self-check: pass
- removed-name history scan: clean
- signed tag verification: pass
GitHub Action Smoke Test
- Repository: https://github.com/Pheoxy/themis
- Workflow: Themis Smoke
- Run: https://github.com/Pheoxy/themis/actions/runs/28492194173
- Result: success
- Commit tested: 972f68442dcfbbc7eab7792dabc0f5a82fd52d4d
- Outputs verified: status=pass, exit-code=0, report=smoke-report.md
- Step summary, annotations, and report artifact path were exercised by the composite action.
Security And Provenance
- License: Apache-2.0.
- GitHub license detection recognizes the repository as Apache-2.0.
- Generated asset provenance is documented in docs/assets/PROVENANCE.md.
- Synthetic secret-like fixtures are documented in docs/security-fixtures.md and approved by the release audit.
- Release audit reports locations only and does not print matched secret-like values.
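The locations-only reporting property described above, sketched as an added example (not Themis's own code): a scanner whose findings carry path, line, column, span length and rule name, and never the matched text, so a report pasted into CI logs or a PR comment cannot re-leak the value. The rule set, the `Finding` type, the file name and the sample input are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Illustrative rules only (assumption): these are not Themis's rule set.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-header": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "quoted-credential": re.compile(
        r"(?i)(?:password|secret|token|api_key)\s*[:=]\s*(['\"])(?P<value>[^'\"]{8,})\1"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int     # 1-based line number
    column: int   # 1-based column where the sensitive span starts
    length: int   # span length, enough to locate it without showing it
    rule: str


def scan(path, text):
    """Return findings for secret-like spans; the matched text is never stored."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                # Point at the credential itself when the rule isolates it.
                group = "value" if "value" in m.groupdict() else 0
                start, end = m.span(group)
                findings.append(Finding(path, lineno, start + 1, end - start, rule))
    return findings


def render(findings):
    """One location per line in path:line:column form, with no matched values."""
    return "\n".join(
        f"{f.path}:{f.line}:{f.column}: {f.rule} (length {f.length})" for f in findings
    )


# Constructed sample input; neither value is a real credential.
SAMPLE = (
    'region = "us-east-1"\n'
    'aws_key = "AKIAABCDEFGHIJKLMNOP"\n'
    'db_password = "correct-horse-battery"\n'
)

if __name__ == "__main__":
    print(render(scan("config/app.toml", SAMPLE)))
```

Because `Finding` has no field for the matched text, any later renderer (Markdown, JSON, SARIF) built on it inherits the same property.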
Non-Guarantees
Themis is a pre-upstream readiness gate. Passing Themis or this release's checks does not certify code correctness, security, licensing, legal compliance, or upstream acceptance.
Upgrade Notes
This is the initial stable release. Use Pheoxy/themis@v1.0.0 in GitHub workflows for stable action pinning.
Links
- Changelog: https://github.com/Pheoxy/themis/blob/v1.0.0/CHANGELOG.md
- Documentation: https://github.com/Pheoxy/themis#readme
- Release tag: https://github.com/Pheoxy/themis/releases/tag/v1.0.0