
Prepare 0.14.2 and fix WinGet egress policy #1298

Open. spoorcc wants to merge 4 commits into main from claude/release-0.14.2-winget-egress-otmowz

@spoorcc spoorcc commented Jun 20, 2026

Contributor

Add static.crates.io:443 and objects.githubusercontent.com:443 to the
winget-publish egress allowlist. cargo-binstall fetches the komac source
tarball from static.crates.io to read binstall metadata (even for binary
installs), and the komac binary/dfetch MSI are served from
objects.githubusercontent.com. These two missing endpoints caused the
WinGet publish step to fail for 0.14.0 (index.crates.io) and 0.14.1
(static.crates.io) respectively.

Bump version to 0.14.2 and open the changelog for the new cycle.

Summary by CodeRabbit

  • Bug Fixes
    • Fixed WinGet publish workflow connectivity issues to enable proper release distribution.
  • Chores
    • Version bumped to 0.14.2.
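
An added example, not part of this pull request or the dfetch repository: a small Python check that reads the `allowed-endpoints` block of a harden-runner step and lists which required endpoints a `block` egress policy would refuse. The workflow fragment, the `<pinned-sha>` placeholder and the function names are constructed for illustration; the required endpoints are the ones named in the description above.

```python
import re

# Constructed workflow fragment (not the project's real file). It lists
# index.crates.io but neither of the two endpoints this PR adds.
SAMPLE_WORKFLOW = """\
jobs:
  publish:
    runs-on: windows-latest
    steps:
      - uses: step-security/harden-runner@<pinned-sha>
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            index.crates.io:443
      - run: echo publish
"""

# Endpoints the PR description says the WinGet publish step contacts.
REQUIRED = [
    "index.crates.io:443",
    "static.crates.io:443",
    "objects.githubusercontent.com:443",
]


def allowed_endpoints(workflow_text):
    """Return the host:port entries of every allowed-endpoints block scalar."""
    found = set()
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)allowed-endpoints:\s*[>|][+-]?\s*$", line)
        if not m:
            continue
        key_indent = len(m.group(1))
        for body in lines[i + 1:]:
            if body.strip() and len(body) - len(body.lstrip()) <= key_indent:
                break  # a dedent ends the block scalar
            found.update(entry.lower() for entry in body.split())
    return found


def missing_endpoints(workflow_text, required):
    """List required endpoints that a block egress policy would refuse."""
    allowed = allowed_endpoints(workflow_text)
    return [e for e in required if e.lower() not in allowed]
```

Running `missing_endpoints(SAMPLE_WORKFLOW, REQUIRED)` in CI before a release tag surfaces a blocked download as a lint failure instead of a failed publish job.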

claude added 2 commits June 20, 2026 06:25
Add static.crates.io:443 and objects.githubusercontent.com:443 to the
winget-publish egress allowlist. cargo-binstall fetches the komac source
tarball from static.crates.io to read binstall metadata (even for binary
installs), and the komac binary/dfetch MSI are served from
objects.githubusercontent.com. These two missing endpoints caused the
WinGet publish step to fail for 0.14.0 (index.crates.io) and 0.14.1
(static.crates.io) respectively.

Bump version to 0.14.2 and open the changelog for the new cycle.

coderabbitai Bot commented Jun 20, 2026

Contributor


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: edf5fe77-3a25-4861-b442-f45289be5722

📥 Commits

Reviewing files that changed from the base of the PR and between b12d6ba and 6039366.

📒 Files selected for processing (37)
  • features/check-archive.feature
  • features/check-git-repo.feature
  • features/check-specific-projects.feature
  • features/check-svn-repo.feature
  • features/checked-project-has-dependencies.feature
  • features/diff-in-git.feature
  • features/diff-in-svn.feature
  • features/environment.feature
  • features/fetch-archive.feature
  • features/fetch-checks-destination.feature
  • features/fetch-file-pattern-git.feature
  • features/fetch-file-pattern-svn.feature
  • features/fetch-git-repo-with-submodule.feature
  • features/fetch-git-repo.feature
  • features/fetch-single-file-git.feature
  • features/fetch-single-file-svn.feature
  • features/fetch-svn-repo-with-external.feature
  • features/fetch-svn-repo-with-nonstd-external.feature
  • features/fetch-with-ignore-git.feature
  • features/fetch-with-ignore-svn.feature
  • features/freeze-projects.feature
  • features/guard-against-overwriting-git.feature
  • features/guard-against-overwriting-svn.feature
  • features/handle-invalid-metadata.feature
  • features/journey-basic-patching.feature
  • features/journey-basic-usage.feature
  • features/list-projects.feature
  • features/patch-after-fetch-git.feature
  • features/patch-after-fetch-svn.feature
  • features/patch-fuzzy-matching-git.feature
  • features/remove-project.feature
  • features/report-sbom.feature
  • features/suggest-project-name.feature
  • features/update-patch-in-git.feature
  • features/update-patch-in-svn.feature
  • features/updated-project-has-dependencies.feature
  • features/validate-manifest.feature

Walkthrough

The WinGet publish workflow's runner hardening step is updated to allow outbound connections to objects.githubusercontent.com:443 and static.crates.io:443. The package version is bumped from 0.14.1 to 0.14.2, and a corresponding CHANGELOG entry is added.

Changes

WinGet publish egress fix and version bump

| Layer / File(s) | Summary |
| --- | --- |
| Runner hardening egress allowlist expansion: .github/workflows/winget-publish.yml | Adds objects.githubusercontent.com:443 and static.crates.io:443 to the allowed-endpoints list in the harden-runner step, alongside the previously allowed endpoints. |
| Version bump and changelog: dfetch/__init__.py, CHANGELOG.rst | Bumps __version__ from 0.14.1 to 0.14.2 and documents the egress fix under a new Release 0.14.2 section in the changelog. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • dfetch-org/dfetch#1175: Introduces step-security/harden-runner with egress blocking and initial allowlists in the same workflow file.
  • dfetch-org/dfetch#1263: Modifies the same winget-publish.yml runner hardening egress allowlist.
  • dfetch-org/dfetch#1266: Adds index.crates.io to the same winget-publish.yml harden-runner allowed-endpoints list.

Suggested labels

development, github_actions

Suggested reviewers

  • ben-edna
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the two main changes: version bump to 0.14.2 and fixing WinGet egress policy by adding missing endpoints. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


claude added 2 commits June 20, 2026 07:11
Propagate the version bump to all BDD feature expected outputs.
Note: this is the manual equivalent of running script/release.py —
pending discussion on whether to revert the version bump and keep
__version__ at 0.14.1 until actual release time.

The version bump and feature file propagation belong at release time
(via script/release.py), not in the post-release prep commit.
Only the CHANGELOG unreleased header and the winget egress fix
are needed on this branch.