From 81ce7c1ee0e31beedc72bc4ff29a1586e0e1e5d1 Mon Sep 17 00:00:00 2001 From: Letro Bot Date: Thu, 30 Apr 2026 13:02:31 +0330 Subject: [PATCH] update fork divergence --- FORK_DIVERGENCE.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/FORK_DIVERGENCE.md b/FORK_DIVERGENCE.md index fb42b2a1d..a4f8e3786 100644 --- a/FORK_DIVERGENCE.md +++ b/FORK_DIVERGENCE.md @@ -17,7 +17,8 @@ Upstream: Fork: - Version is sourced from a dedicated `LETRO_VERSION` file, decoupling the fork release cycle from Rust crate versions - Git tags follow the `letro-v*` format to namespace fork releases -- Release artifacts include a `fork-changes.diff` (diff from upstream commit recorded in `UPSTREAM_VERSION`) and `FORK_DIVERGANCE.md` instead of binaries +- Release artifacts include a `fork-changes.diff` (diff from upstream commit recorded in `UPSTREAM_VERSION`), `FORK_DIVERGENCE.md`, and two SBOM files (`sbom-repo.json` for repository scan, `sbom-image.json` for Docker image scan) instead of binaries +- SBOM files generated using Trivy in CycloneDX format for supply chain security and vulnerability tracking - Rust toolchain installation removed from release workflows (no longer needed) - `BOT_GITHUB_TOKEN` used for checkout steps that require write access - 30-second delay added before enabling auto-merge on release PRs to allow GitHub to register pending checks @@ -29,6 +30,7 @@ COMMIT_REFS: - 71c6c8320576f84590f05bc972895ce8b5eb445b - 6231550007ab050ea43b5ddc77ecf3bc85ec7109 - 494c4267c354bcc85d54fe4ffb6615bf50d56928 +- 8bfc965b0f72f8f8624e83c084353f9c0eacc72f Impact: - Fork versioning is fully independent of upstream Cargo crate versions
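Review bot: In the first hunk (@@ -17,7 +17,8 @@), the rewritten "Release artifacts" bullet names `sbom-image.json` as the Docker image scan but does not say which image reference or digest is scanned, so a reader cannot tie that SBOM to a specific image. Suggest stating the image reference in the bullet. The added line "SBOM files generated using Trivy in CycloneDX format ..." is missing its verb ("are generated") and records neither the Trivy version nor the CycloneDX spec version, which matters when SBOMs from different releases are compared. The trailing "instead of binaries" now follows a long parenthetical and can be read as applying only to the SBOM files; moving it to the front of the bullet would keep the meaning clear.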
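Review bot: In the second hunk (@@ -29,6 +30,7 @@), the new COMMIT_REFS entry `8bfc965b0f72f8f8624e83c084353f9c0eacc72f` is a bare hash, and the subject line "update fork divergence" does not say which change it points to. Suggest a short annotation next to the hash naming the change it records (the SBOM generation work, if that is what it is). The diffstat (3 insertions, 1 deletion) is fully accounted for by the Fork bullets and this hash, so nothing was added under "Impact:"; consider adding a line there on what the SBOM artifacts mean for consumers of a release.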