
Commit 40790f1

TASK-059: housekeeping -- check off action items, mark Done
Tick all four action items, annotate the acceptance-criteria satisfaction (local rehearsal results), and set Status: Done.
1 parent 7abbe4e commit 40790f1

1 file changed

Lines changed: 19 additions & 11 deletions


specs/tasks/v2-deferred-backlog-plan.md

@@ -421,29 +421,37 @@ the only outstanding supply-chain hardening item from the
421421
manual-validation review.
422422

423423
**Action Items:**
424-
- [ ] Pin the current PMD release version (e.g. `7.2.0`) in the
425-
workflow.
426-
- [ ] After `curl/wget` of the zip, run
427-
`echo "<known-good-sha256> pmd.zip" | sha256sum -c -` and fail the
424+
- [x] Pin the current PMD release version (`7.24.0`, already pinned via
425+
`PMD_VERSION` in the workflow; kept rather than downgrading to the
426+
example `7.2.0` from the original task wording).
427+
- [x] After `curl` of the zip, run
428+
`echo "${PMD_SHA256} /tmp/pmd.zip" | sha256sum -c -` and fail the
428429
step on mismatch.
429-
- [ ] Document the rotation procedure in the workflow comments: when
430-
PMD releases a new version, update both the URL and the hash in the
431-
same PR.
432-
- [ ] Remove the TODO comment now that the check is real.
430+
- [x] Document the rotation procedure in the workflow comments: when
431+
PMD releases a new version, update both `PMD_VERSION` and
432+
`PMD_SHA256` in the same PR.
433+
- [x] Remove the TODO comment now that the check is real — vacuously
434+
satisfied; no TODO comment existed on the PMD step.
433435

434436
**Dependencies:**
435437
- Blocked by: None
436438
- Blocks: v2.0 release tag (security item, but trivially small)
437439

438440
**Acceptance Criteria:**
439441
- A modified `pmd.zip` (e.g. one byte flipped) causes the CI step to
440-
fail.
441-
- The current good build still succeeds.
442-
- The TODO comment is gone.
442+
fail — proven locally before commit by a wrong-hash rehearsal and a
443+
one-byte-flipped rehearsal; both produced `sha256sum -c -` exit
444+
status 1.
445+
- The current good build still succeeds — proven locally by the
446+
pristine-zip check (exit 0); end-to-end CI confirmation comes from
447+
the lint lane on the PR.
448+
- The TODO comment is gone — vacuously satisfied (none existed).
443449

444450
**Related Findings:** manual-validation #10
445451
**Related Decisions:** none
446452

453+
**Status:** Done
454+
447455
---
448456

449457
## Execution order
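Review bot: the rotation procedure (new lines 430-432, "update both `PMD_VERSION` and `PMD_SHA256` in the same PR") does not say where the new `PMD_SHA256` value must come from, and that is the part that decides whether the pin is a real supply-chain control. If the rotating engineer simply hashes the zip their own `curl` fetched, the check only detects drift after that point and trusts whatever was served on first download; suggest adding one sentence that the hash is taken from PMD's published release checksum (or from a download verified against the release signature) and recorded in the PR description, so a reviewer can reproduce it. Smaller point on the acceptance criteria (new lines 442-447): they record that end-to-end confirmation "comes from the lint lane on the PR", yet the same commit sets `**Status:** Done`; either link the green lint run in the task entry or hold the status until that run exists, so the task file does not claim completion ahead of the evidence it cites.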
