release: cascade merge, status presets, default teams, secret scanning #714

Merged

jmiller merged 17 commits from dev into main 2026-06-28 09:41:36 +00:00

Conversation 0 Commits 17 Files Changed 20

+1144 -3

17 Commits

Author	SHA1	Message	Date
jmiller	23bb025700	merge: incorporate main into dev for release PR #714 ... Resolve CHANGELOG conflict — deduplicate feature entries. Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd	2026-06-28 04:35:52 -05:00
jmiller	7913a05285	feat: cascade merge — auto-create PRs to downstream branches after merge (#460)	2026-06-28 08:52:04 +00:00
jmiller	98301bc92b	merge: incorporate latest dev (post status-presets merge) into cascade-merge ... Resolve CHANGELOG conflict, restore issue_metadata.go from dev. Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd	2026-06-28 03:51:37 -05:00
jmiller	c618ec9f87	feat: issue status presets and cross-org migration (#507)	2026-06-28 08:49:23 +00:00
jmiller	5a25068d81	merge: incorporate dev changes into feature/cascade-merge ... Resolve CHANGELOG.md and api.go conflicts — keep both cascade_rules and security route groups. Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd	2026-06-28 03:48:52 -05:00
jmiller	57894e25fd	merge: incorporate dev changes into feature/status-presets ... Resolve CHANGELOG.md conflict — keep both status presets and default teams entries. Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd	2026-06-28 03:47:37 -05:00
jmiller	2857a1f6a1	feat: security scanning API + pre-receive hook blocking (#692)	2026-06-28 08:45:45 +00:00
jmiller	b9c04e51b4	feat(orgs): auto-create default teams on org creation (#513)	2026-06-28 08:45:25 +00:00
jmiller	cf25eef480	fix: distinguish unknown preset from DB errors in ApplyIssueStatusPreset ... db.ErrNotExist returns 404, other errors return 500 instead of masking all errors as 404. Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd	2026-06-28 03:34:07 -05:00
jmiller	9a4aa0fafb	fix: log error when pre-receive secret scan cannot read commit ... Previously, GetCommit failures were silently swallowed, allowing pushes to proceed without scanning. Now logs the error so admins can diagnose issues while still allowing the push. Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd	2026-06-28 02:35:50 -05:00
jmiller	84df5d7932	feat: register security scanning API routes in router ... Adds /repos/{owner}/{repo}/security/* route group for security alert management, scanning, and configuration endpoints. Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd	2026-06-28 02:33:29 -05:00
jmiller	7b334f94c0	feat: security scanning API endpoints + pre-receive hook blocking (#692) ... Add REST API for security alerts (list, get, update status, trigger scan) and scanner config (get, update). Wire block_on_push into the pre-receive hook so pushes containing detected secrets are rejected with details. Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd	2026-06-28 02:30:04 -05:00
jmiller	805c566615	fix: remove leaked security scanning routes from cascade-merge branch ... The security route group belongs to feature/secret-scanning (#692) and was accidentally committed here during parallel agent work. Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd	2026-06-28 02:29:27 -05:00
jmiller	f53bc895ba	fix: prevent IDOR in CopyStatusesFromOrg endpoint ... Add source org visibility + membership check before copying statuses. Non-public source orgs now require the doer to be a member or site admin, preventing unauthorized enumeration of private org statuses. Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd	2026-06-28 02:26:23 -05:00
jmiller	e99658ddc0	feat(orgs): auto-create default teams on org creation (#513) ... New organizations now get three default teams in addition to Owners: - Developers (write: code, issues, PRs, wiki, projects; read: releases) - Reviewers (read: code, issues, PRs, releases, wiki) - CI/CD (write: actions, packages, releases; read: code) Teams are defined in DefaultOrgTeams and created inside the same transaction as the org, so creation is atomic. Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd	2026-06-28 02:08:47 -05:00
jmiller	f627219ca8	feat: cascade merge — auto-create PRs to downstream branches after merge (#460) ... Adds configurable cascade rules per repo. When a PR merges into a source branch, the system auto-creates PRs to each configured target branch. Skips if a matching PR already exists. - Model: CascadeMergeRule (repo_id, source, target, enabled, auto_merge) - Migration v362 creates cascade_merge_rule table - Notifier hooks into MergePullRequest/AutoMergePullRequest events - API: CRUD at /repos/{owner}/{repo}/cascade_rules (admin only) Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd	2026-06-28 02:06:42 -05:00
jmiller	df9305758f	feat: add issue status presets and cross-org migration (#507) ... 4 built-in presets: default, software-development, support-tickets, bug-tracking. API endpoints to list presets, apply to org, and copy statuses between orgs. Web UI dropdown on org settings page. Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd	2026-06-28 02:05:14 -05:00