Skip to content

Promote: AGENTS git-governance / author-identity rule#410

Merged
ptr727 merged 3 commits into
mainfrom
develop
Jul 14, 2026
Merged

Promote: AGENTS git-governance / author-identity rule#410
ptr727 merged 3 commits into
mainfrom
develop

Conversation

@ptr727

@ptr727 ptr727 commented Jul 14, 2026

Copy link
Copy Markdown
Owner

Promotes develop->main: the AGENTS.md git-governance additions (author-identity rule / signing / staging), part of the fleet governance-conformance sweep.

🤖 Generated with Claude Code

dependabot Bot and others added 3 commits July 13, 2026 14:54
…eps group (#405)

Bumps the actions-deps group with 1 update:
[softprops/action-gh-release](https://github.com/softprops/action-gh-release).

Updates `softprops/action-gh-release` from 3.0.1 to 3.0.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/softprops/action-gh-release/releases">softprops/action-gh-release's
releases</a>.</em></p>
<blockquote>
<h2>v3.0.2</h2>
<p><code>3.0.2</code> is a patch release focused on release reliability
and compatibility. It
reuses existing draft releases when publishing prereleases, supports
replacing
release assets on Gitea, hardens streamed asset uploads, and provides
clearer
release-creation diagnostics. It also includes TypeScript, coverage, and
tooling
maintenance merged since <code>3.0.1</code>.</p>
<p>This release fixes <a
href="https://redirect.github.com/softprops/action-gh-release/issues/795">#795</a>,
<a
href="https://redirect.github.com/softprops/action-gh-release/issues/438">#438</a>,
and <a
href="https://redirect.github.com/softprops/action-gh-release/issues/803">#803</a>.
The upload transport hardening covers the
historical failure reported in <a
href="https://redirect.github.com/softprops/action-gh-release/issues/790">#790</a>,
although current hosted Node 24 runners did
not reproduce it naturally. The diagnostics work is related to <a
href="https://redirect.github.com/softprops/action-gh-release/issues/786">#786</a>
and does not
claim a reproducible release-creation fix.</p>
<h2>What's Changed</h2>
<h3>Exciting New Features 🎉</h3>
<ul>
<li>feat: improve release error reporting and test coverage by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/813">softprops/action-gh-release#813</a></li>
</ul>
<h3>Bug fixes 🐛</h3>
<ul>
<li>fix: publish existing draft releases as prereleases by <a
href="https://github.com/godfengliang"><code>@​godfengliang</code></a>
in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/801">softprops/action-gh-release#801</a></li>
<li>fix: upload small checksum assets reliably by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/815">softprops/action-gh-release#815</a></li>
<li>fix: replace existing release assets on Gitea by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/816">softprops/action-gh-release#816</a></li>
<li>fix: clarify release creation 404 errors by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/817">softprops/action-gh-release#817</a></li>
</ul>
<h3>Other Changes 🔄</h3>
<ul>
<li>chore(deps): upgrade TypeScript to 7 by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/812">softprops/action-gh-release#812</a></li>
<li>chore(deps): remove unused TypeScript tooling by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/814">softprops/action-gh-release#814</a></li>
<li>dependency, Node 24 pin, and CI maintenance merged since
<code>3.0.1</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md">softprops/action-gh-release's
changelog</a>.</em></p>
<blockquote>
<h2>3.0.2</h2>
<p><code>3.0.2</code> is a patch release focused on release reliability
and compatibility. It
reuses existing draft releases when publishing prereleases, supports
replacing
release assets on Gitea, hardens streamed asset uploads, and provides
clearer
release-creation diagnostics. It also includes TypeScript, coverage, and
tooling
maintenance merged since <code>3.0.1</code>.</p>
<p>This release fixes <a
href="https://redirect.github.com/softprops/action-gh-release/issues/795">#795</a>,
<a
href="https://redirect.github.com/softprops/action-gh-release/issues/438">#438</a>,
and <a
href="https://redirect.github.com/softprops/action-gh-release/issues/803">#803</a>.
The upload transport hardening covers the
historical failure reported in <a
href="https://redirect.github.com/softprops/action-gh-release/issues/790">#790</a>,
although current hosted Node 24 runners did
not reproduce it naturally. The diagnostics work is related to <a
href="https://redirect.github.com/softprops/action-gh-release/issues/786">#786</a>
and does not
claim a reproducible release-creation fix.</p>
<h2>What's Changed</h2>
<h3>Exciting New Features 🎉</h3>
<ul>
<li>feat: improve release error reporting and test coverage by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/813">softprops/action-gh-release#813</a></li>
</ul>
<h3>Bug fixes 🐛</h3>
<ul>
<li>fix: publish existing draft releases as prereleases by <a
href="https://github.com/godfengliang"><code>@​godfengliang</code></a>
in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/801">softprops/action-gh-release#801</a></li>
<li>fix: upload small checksum assets reliably by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/815">softprops/action-gh-release#815</a></li>
<li>fix: replace existing release assets on Gitea by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/816">softprops/action-gh-release#816</a></li>
<li>fix: clarify release creation 404 errors by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/817">softprops/action-gh-release#817</a></li>
</ul>
<h3>Other Changes 🔄</h3>
<ul>
<li>chore(deps): upgrade TypeScript to 7 by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/812">softprops/action-gh-release#812</a></li>
<li>chore(deps): remove unused TypeScript tooling by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/814">softprops/action-gh-release#814</a></li>
<li>dependency, Node 24 pin, and CI maintenance merged since
<code>3.0.1</code></li>
</ul>
<h2>3.0.1</h2>
<ul>
<li>maintenance release with updated dependencies</li>
</ul>
<h2>3.0.0</h2>
<p><code>3.0.0</code> is a major release that moves the action runtime
from Node 20 to Node 24.
Use <code>v3</code> on GitHub-hosted runners and self-hosted fleets that
already support the
Node 24 Actions runtime. If you still need the last Node 20-compatible
line, stay on
<code>v2.6.2</code>.</p>
<h2>What's Changed</h2>
<h3>Other Changes 🔄</h3>
<ul>
<li>Move the action runtime and bundle target to Node 24</li>
<li>Update <code>@types/node</code> to the Node 24 line and allow future
Dependabot updates</li>
<li>Keep the floating major tag on <code>v3</code>; <code>v2</code>
remains pinned to the latest <code>2.x</code> release</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/softprops/action-gh-release/commit/3d0d9888cb7fd7b750713d6e236d1fcb99157228"><code>3d0d988</code></a>
release 3.0.2 (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/818">#818</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/7e13ed4ac596a4adf801d3812be5a089356949aa"><code>7e13ed4</code></a>
fix: clarify release creation 404 errors (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/817">#817</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/e6c70a53cf67373fbff7eeebca7782b4fe8f106c"><code>e6c70a5</code></a>
fix: replace existing release assets on Gitea (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/816">#816</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/f3453378888d5ef6208e2788af1c5ba50d8a898d"><code>f345337</code></a>
fix: publish existing draft releases as prereleases (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/801">#801</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/d8a89a206684ded8435bf16d6f698bf04ab05164"><code>d8a89a2</code></a>
fix: upload small checksum assets reliably (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/815">#815</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/45ece40c3178522904ac6c51c21d8a4e3565f3c8"><code>45ece40</code></a>
chore(deps): remove unused TypeScript tooling (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/814">#814</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/f6b913c3f95302d88e8ef7cb2859c2e7656aa01e"><code>f6b913c</code></a>
feat: improve release error reporting and test coverage (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/813">#813</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/15f193d7d8aa9623b5181913a31fafceb4e8cef9"><code>15f193d</code></a>
chore(deps): upgrade TypeScript to 7 (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/812">#812</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/cc8268d46a81d57ec9b061f27b0dd68ebd7fb17f"><code>cc8268d</code></a>
chore(deps): bump actions/checkout in the github-actions group (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/810">#810</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/fd0ed1e85b6730f87f5c67d7355751c46ad513d6"><code>fd0ed1e</code></a>
chore(deps): bump the npm group with 3 updates (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/811">#811</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/softprops/action-gh-release/compare/718ea10b132b3b2eba29c1007bb80653f286566b...3d0d9888cb7fd7b750713d6e236d1fcb99157228">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=softprops/action-gh-release&package-manager=github_actions&previous-version=3.0.1&new-version=3.0.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Updated [Microsoft.NET.Test.Sdk](https://github.com/microsoft/vstest)
from 18.7.0 to 18.8.1.

<details>
<summary>Release notes</summary>

_Sourced from [Microsoft.NET.Test.Sdk's
releases](https://github.com/microsoft/vstest/releases)._

## 18.8.1

## What's Changed
* Fix protocol negotiation timeout when STJ reflection is disabled
(18.8.1) by @​nohwnd in microsoft/vstest#16281


**Full Changelog**:
microsoft/vstest@v18.8.0...v18.8.1

## 18.8.0

## What's Changed
* Migrate from Newtonsoft.Json to System.Text.Json / Jsonite (merge to
main) by @​nohwnd in microsoft/vstest#15687
- For more detail refer to
https://devblogs.microsoft.com/dotnet/vs-test-is-removing-its-newtonsoft-json-dependency/
* Create source-only filter package by @​Youssef1313 in
microsoft/vstest#15638
* Add ARM64 msdia140.dll support to test platform packages by @​nohwnd
in microsoft/vstest#15692
* Fix mutex cleanup crash on macOS/Linux by @​nohwnd in
microsoft/vstest#15684
* Restrict artifact temp directory permissions on Unix by @​nohwnd in
microsoft/vstest#15729
* Add support for filtering uncategorized tests with TestCategory=None
by @​Evangelink in microsoft/vstest#15727
* Fix SCI binding failure in DTA hosts (main) by @​nohwnd in
microsoft/vstest#15724
* Fix HTML logger parallel file collision by @​nohwnd in
microsoft/vstest#15435
* Improve error message when testhost cannot be found by @​nohwnd in
microsoft/vstest#16053
* Fix HTML logger exception on invalid XML chars in test display names
by @​nohwnd in microsoft/vstest#16051

**Full Changelog**:
microsoft/vstest@v18.7.0...v18.8.0

Commits viewable in [compare
view](microsoft/vstest@v18.7.0...v18.8.1).
</details>

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=Microsoft.NET.Test.Sdk&package-manager=nuget&previous-version=18.7.0&new-version=18.8.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Summary

A fleet governance audit found this repo's `AGENTS.md` defined the
**signing** rule and the **default-to-staging** rule, but was missing
the **author-identity** rule (which account/identity a commit must use).
The canonical template `AGENTS.md` now defines this rule; this PR adds
it here for fleet consistency.

## Change

One bullet added to the **Git and Commit Rules** section, immediately
after the existing "All commits must be cryptographically signed"
bullet:

> Commit under the committing account's own GitHub `noreply` identity -
never a private, personal, or invented address...

It codifies that `author`/`committer` must be the GitHub `noreply` of
the signing account (`ptr727@users.noreply.github.com` for this fleet),
to verify `user.email` before committing, and why a wrong identity
matters (GH007 email-privacy push protection, polluted history), while
noting identity is distinct from signing.

## Notes

- Canonical wording inserted essentially verbatim, matching the existing
bullet style.
- ASCII-only, US English, ` - ` hyphens (no em-dashes).
- File EOL (CRLF) preserved; zero mixed line endings.
- Commit is SSH-signed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 14, 2026 19:00

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This promote-to-main PR brings forward git-governance guidance updates in AGENTS.md (focused on commit identity/signing discipline), alongside routine dependency/workflow pin refreshes consistent with the repo’s CI/CD and release practices.

Changes:

  • Add an AGENTS.md rule requiring agent-authored commits to use the committing account’s GitHub noreply identity.
  • Bump Microsoft.NET.Test.Sdk to 18.8.1 via centralized package versioning.
  • Update the pinned commit for softprops/action-gh-release to the v3.0.2 revision in the release workflow.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
Directory.Packages.props Updates centralized NuGet package versions (test SDK bump).
AGENTS.md Adds commit author/committer identity governance guidance for agents.
.github/workflows/build-release-task.yml Updates pinned softprops/action-gh-release action revision used during release creation.

Comment thread AGENTS.md
@ptr727 ptr727 merged commit c82ac2a into main Jul 14, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants