Themis v1.0.0

@Pheoxy Pheoxy released this 01 Jul 02:02
v1.0.0
972f684

Summary

Themis v1.0.0 is the initial stable release of a Nix-first, fail-closed pre-upstream PR validation gate for contributors, maintainers, CI users, and GitHub Action users.

Highlights

  • Deterministic CLI gate with Markdown, JSON, comment, and SARIF output.
  • GitHub composite action with step summaries, artifacts, annotations, workflow selection, config checks, and optional PR comments.
  • Strict policy checks for AI disclosure, human accountability, test evidence, DCO/signoff, upstream rules, generated/vendor/binary/secret-like content, placeholders, and oversized changes.
  • Dynamic upstream rule inference from contribution docs, PR templates, and monorepo policy files.
  • Disabled-by-default AI provider diagnostics and preview workflows that cannot affect gate pass/fail status.
  • Nix flake packaging and nix flake check release gates.
  • Apache-2.0 license, documented asset provenance, threat model, stability policy, and release audit workflow.
  • Release-ready README with Themis banner artwork, neutral project description, and grouped quick-start steps.

Verification

Completed before tagging:

nix run . -- release check
nix flake check
nix run . -- release audit --history --format markdown
nix run . -- self-check --repo . --base HEAD~1 --body-file examples/pr-body.md --evidence "nix flake check passed" --human --run-checks
git grep -n -i anubis $(git rev-list --all) -- . || true
git tag -v v1.0.0

Results:

  • release check: pass
  • nix flake check: pass
  • release audit --history: pass
  • self-check: pass
  • removed-name history scan: clean
  • signed tag verification: pass

GitHub Action Smoke Test

  • Repository: https://github.com/Pheoxy/themis
  • Workflow: Themis Smoke
  • Run: https://github.com/Pheoxy/themis/actions/runs/28492194173
  • Result: success
  • Commit tested: 972f68442dcfbbc7eab7792dabc0f5a82fd52d4d
  • Outputs verified: status=pass, exit-code=0, report=smoke-report.md
  • Step summary, annotations, and report artifact path were exercised by the composite action.

Security And Provenance

  • License: Apache-2.0.
  • GitHub license detection recognizes the repository as Apache-2.0.
  • Generated asset provenance is documented in docs/assets/PROVENANCE.md.
  • Synthetic secret-like fixtures are documented in docs/security-fixtures.md and approved by the release audit.
  • Release audit reports locations only and does not print matched secret-like values.
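The location-only reporting and approved-fixture handling described in the last two items can be sketched as follows. This is an added example, not Themis's own code: the rule patterns, file paths, approval set, and function names are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumed rules for illustration; Themis's real patterns are not given on the page.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-header": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    approved: bool  # True when the path is a documented synthetic fixture

def audit(files, approved_paths):
    """Scan {path: text} and return findings that carry locations only."""
    findings = []
    for path in sorted(files):
        for lineno, text in enumerate(files[path].splitlines(), start=1):
            for rule, pattern in RULES.items():
                if pattern.search(text):
                    # Keep neither the match nor the line text, so the
                    # report cannot leak the secret-like value.
                    findings.append(Finding(path, lineno, rule, path in approved_paths))
    return findings

def render(findings):
    """Return (status, report); any unapproved finding fails the audit."""
    rows = [
        f"- {f.path}:{f.line} [{f.rule}] {'approved fixture' if f.approved else 'UNAPPROVED'}"
        for f in findings
    ]
    status = "fail" if any(not f.approved for f in findings) else "pass"
    return status, "\n".join(rows)

# Constructed sample input: a synthetic key-shaped string in two hypothetical files.
FAKE_KEY = "AKIA" + "A" * 16
SAMPLE = {
    "tests/fixtures/fake.env": f"# synthetic\nAWS_KEY={FAKE_KEY}\n",
    "src/config.py": f"region = 'us-east-1'\nkey = '{FAKE_KEY}'\n",
}
APPROVED = {"tests/fixtures/fake.env"}  # hypothetical approved fixture path

if __name__ == "__main__":
    status, report = render(audit(SAMPLE, APPROVED))
    print(status)
    print(report)
```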

Non-Guarantees

Themis is a pre-upstream readiness gate. Passing Themis or this release's checks does not certify code correctness, security, licensing, legal compliance, or upstream acceptance.

Upgrade Notes

This is the initial stable release. Use Pheoxy/themis@v1.0.0 in GitHub workflows for stable action pinning.
