chore: Update release candidate

.circleci/config.yml

@@ -399,9 +399,19 @@ workflows:
           channel: cli-alerts
           trusted-branch: main
 
+      - docs-only-check:
+          filters:
+            branches:
+              only:
+                - '/^docs\/.*/'
+
       - prepare-build:
           requires:
             - secrets-scan
+          filters:
+            branches:
+              ignore:
+                - '/^docs\/.*/'
 
       - code-analysis:
           go_target_os: linux
@@ -437,7 +447,7 @@ workflows:
             - nodejs-install
             - team_hammerhead-cli
           requires:
-            - secrets-scan
+            - prepare-build
           filters:
             branches:
               ignore:
@@ -590,6 +600,7 @@ workflows:
           go_os: linux
           go_arch: arm64
           go_download_base_url: << pipeline.parameters.go_download_base_url >>
+          shards: 6
           context:
             - nodejs-install
             - team_hammerhead-cli
@@ -609,6 +620,7 @@ workflows:
           go_os: linux
           go_arch: arm64
           go_download_base_url: << pipeline.parameters.fips_go_download_base_url >>
+          shards: 6
           executor: docker-arm64
           test_snyk_command: ./binary-releases/fips/snyk-linux-arm64
           fips: 1
@@ -650,6 +662,7 @@ workflows:
           go_os: linux
           go_arch: arm64
           go_download_base_url: << pipeline.parameters.go_download_base_url >>
+          shards: 6
           context:
             - nodejs-install
             - team_hammerhead-cli
@@ -1024,6 +1037,7 @@ jobs:
           name: Set version
           command: |
             make binary-releases/version binary-releases/fips/version
+            make release-validate-version
             make ts-cli-binaries/version BINARY_RELEASES_FOLDER_TS_CLI=ts-cli-binaries
       - run:
           # required for one unit test (ts-binary-wrapper/test/unit/common.spec.ts:15:30)
@@ -1080,6 +1094,30 @@ jobs:
           iac-scan: disabled
           release-branch: main
 
+  docs-only-check:
+    executor: docker-amd64
+    steps:
+      - checkout
+      - run:
+          name: Check if all changed files are documentation (.md)
+          command: |
+            CHANGED_FILES=$(git diff --name-only main)
+
+            # If this step fails, check if you need to add another extension, 
+            # or indeed if this PR adds more than docs-related changes.
+            ALLOWED_DOCS_EXTENSIONS="(\.md|\.svg|\.jpg)$"
+
+            for file in $CHANGED_FILES; do
+              echo "Checking extension of file: $file"
+              # -q:  quiet
+              # -E: extended regular expressions
+              if ! echo "$file" | grep -q -E "$ALLOWED_DOCS_EXTENSIONS"; then
+                echo "Error: Disallowed file type found: $file"
+                exit 1
+              fi
+            done
+            exit 0
+
   test-node:
     executor: docker-amd64
     environment:
@@ -1237,7 +1275,7 @@ jobs:
         default: 'echo Running tests'
       shards:
         type: integer
-        default: 3
+        default: 4
     executor: << parameters.executor >>
     parallelism: << parameters.shards >>
     environment:

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,5 +1,9 @@
 ## Pull Request Submission Checklist
+
 - [ ] Follows [CONTRIBUTING](https://github.com/snyk/cli/blob/main/CONTRIBUTING.md) guidelines
+- [ ] Commit messages
+  are [release-note ready](https://github.com/snyk/cli/blob/main/CONTRIBUTING.md#writing-commit-messages), emphasizing
+  _what_ was changed, not _how_.
 - [ ] Includes detailed description of changes
 - [ ] Contains risk assessment (Low | Medium | High)
 - [ ] Highlights breaking API changes (if applicable)
@@ -17,6 +21,8 @@
 ## What's the product update that needs to be communicated to CLI users?
 
 <!---
+## Risk assessment (Low | Medium | High)?
+
 ## Any background context you want to provide?
 
 ## What are the relevant tickets?

.github/workflows/deployment-monitor.yml

@@ -0,0 +1,265 @@
+name: Deployment Tests
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/deployment-monitor.yml'
+  schedule:
+    # At minute 0 past every 2nd hour
+    - cron: '0 */2 * * *'
+  workflow_dispatch:
+
+env:
+  SNYK_VERSION_DIR: snyk-versions-${{ github.run_id }}
+
+jobs:
+  create_version_dir:
+    name: 'Create version directory'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create version directory for version comparison
+        run: |
+          mkdir -p $SNYK_VERSION_DIR
+          echo "Created directory for Snyk versions."
+          touch ${{ env.SNYK_VERSION_DIR }}/.keep
+      - uses: actions/upload-artifact@v4
+        with:
+          name: snyk-version-${{ github.job }}
+          path: ${{ env.SNYK_VERSION_DIR }}
+          include-hidden-files: 'true'
+
+  monitor_cdn:
+    name: 'deployment: CDN'
+    runs-on: ${{ matrix.os }}-latest
+    needs: create_version_dir
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu]
+        base_url: [static.snyk.io, downloads.snyk.io]
+        channel: [stable, preview]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y curl
+      - uses: actions/download-artifact@v4
+        with:
+          path: ${{ env.SNYK_VERSION_DIR }}
+      - name: Install Snyk
+        run: |
+          rm -f ./snyk
+          curl --retry 2 -L -v --compressed https://${{ matrix.base_url }}/cli/${{ matrix.channel }}/snyk-linux -o ./snyk-linux
+          curl --retry 2 -L -v --compressed https://${{ matrix.base_url }}/cli/${{ matrix.channel }}/snyk-linux.sha256 -o ./snyk-linux.sha256
+          echo --- Content shasum file ---
+          cat snyk-linux.sha256
+          echo --- Shasum binary ---
+          sha256sum snyk-linux
+          chmod +x ./snyk-linux
+          echo --- CLI version ---
+          ./snyk-linux --version
+          echo --- Shasum comparison ---
+          sha256sum -c snyk-linux.sha256
+      - name: Set unique identifier for the artifact file name
+        run: echo "SUFFIX=${{ matrix.os }}-${{ matrix.base_url }}-${{ matrix.channel }}" >> $GITHUB_ENV
+      - name: Run snyk --version
+        run: ./snyk-linux --version > ${{ env.SNYK_VERSION_DIR }}/snyk-version-${{ env.SUFFIX }}.txt
+      - uses: actions/upload-artifact@v4
+        with:
+          name: snyk-version-${{ env.SUFFIX }}
+          path: ${{ env.SNYK_VERSION_DIR }}/snyk-version-${{ env.SUFFIX }}.txt
+
+  monitor_homebrew:
+    name: 'deployment: Homebrew (macos)'
+    runs-on: macos-latest
+    needs: create_version_dir
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          path: ${{ env.SNYK_VERSION_DIR }}
+      - name: Install Snyk
+        run: |
+          brew tap snyk/tap
+          brew install snyk
+      - name: Run snyk --version
+        run: snyk --version > ${{ env.SNYK_VERSION_DIR }}/snyk-version-${{ github.job }}.txt
+      - uses: actions/upload-artifact@v4
+        with:
+          name: snyk-version-${{ github.job }}
+          path: ${{ env.SNYK_VERSION_DIR }}/snyk-version-${{ github.job }}.txt
+
+  monitor_scoop:
+    name: 'deployment: Scoop (windows)'
+    runs-on: windows-latest
+    needs: create_version_dir
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          path: ${{ env.SNYK_VERSION_DIR }}
+      - name: Install Scoop and Snyk, run Snyk --version
+        run: |
+          Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
+          Invoke-RestMethod -Uri https://get.scoop.sh | Invoke-Expression
+          scoop bucket add snyk https://github.com/snyk/scoop-snyk
+          scoop install snyk
+          snyk --version > ${{ env.SNYK_VERSION_DIR }}/snyk-version-${{ github.job }}.txt
+      - uses: actions/upload-artifact@v4
+        with:
+          name: snyk-version-${{ github.job }}
+          path: ${{ env.SNYK_VERSION_DIR }}/snyk-version-${{ github.job }}.txt
+
+  monitor_npm:
+    name: 'deployment: npm (ubuntu)'
+    runs-on: ubuntu-latest
+    needs: create_version_dir
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          path: ${{ env.SNYK_VERSION_DIR }}
+      - uses: actions/setup-node@v4
+        with:
+          node-version: latest
+      - name: Install Snyk
+        run: npm install -g snyk
+      - name: Run snyk --version
+        run: snyk --version > ${{ env.SNYK_VERSION_DIR }}/snyk-version-${{ github.job }}.txt
+      - uses: actions/upload-artifact@v4
+        with:
+          name: snyk-version-${{ github.job }}
+          path: ${{ env.SNYK_VERSION_DIR }}/snyk-version-${{ github.job }}.txt
+
+  monitor_snyk_images:
+    name: 'deployment: snyk-images (snyk/snyk:linux)'
+    runs-on: ubuntu-latest
+    needs: create_version_dir
+    container:
+      image: snyk/snyk:linux
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          path: ${{ env.SNYK_VERSION_DIR }}
+      - name: Run snyk --version
+        run: snyk --version > ${{ env.SNYK_VERSION_DIR }}/snyk-version-${{ github.job }}.txt
+      - uses: actions/upload-artifact@v4
+        with:
+          name: snyk-version-${{ github.job }}
+          path: ${{ env.SNYK_VERSION_DIR }}/snyk-version-${{ github.job }}.txt
+
+  compare_versions:
+    name: 'Compare Snyk Versions'
+    runs-on: ubuntu-latest
+    needs:
+      [
+        monitor_cdn,
+        monitor_homebrew,
+        monitor_scoop,
+        monitor_npm,
+        monitor_snyk_images,
+      ]
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          pattern: snyk-version-*
+          merge-multiple: true
+          path: ${{ env.SNYK_VERSION_DIR }}
+      - name: Check if the directory is not empty
+        run: |
+          cd "${{ env.SNYK_VERSION_DIR }}"
+          txt_files=$(ls *.txt 2>/dev/null)
+          if [ -z "$txt_files" ]; then
+            echo "❌ No .txt files found in ${{ env.SNYK_VERSION_DIR }}. Version comparison cannot proceed."
+            exit 2
+          fi
+      - name: If not empty, compare Snyk versions
+        run: |
+          cd "${{ env.SNYK_VERSION_DIR }}"
+          echo "Collected Snyk versions:"
+
+          stable_versions=()
+          preview_versions=()
+
+          # First, sort the *.txt files containg versions numbers into a preview and stable array
+          for file in *.txt; do
+            job_name=$(basename "$file" .txt)
+            version=$(cat "$file" | tr -d '\r\n')
+            echo "$job_name: $version"
+
+            # Fail fast if any of the files are empty
+            if [ -z "$version" ]; then
+              echo "❌ File $file is does not contain anything. All .txt files must contain a version number."
+              exit 3
+            fi
+
+            # As long as we have at least one non-empty file, we can set all_empty to 0 and not fail on empty files
+            all_empty=0
+
+            # Fill the stable and preview arrays
+            if [[ "$file" == *"-preview"* ]]; then
+              preview_versions+=("$version")
+            else
+              stable_versions+=("$version")
+            fi
+          done
+
+          # Check stable versions consistency
+          found_diff_stable=0
+          first_stable="${stable_versions[0]}"
+          echo "Checking stable versions consistency..."
+          for version in "${stable_versions[@]}"; do
+            if [ "$version" != "$first_stable" ]; then
+              found_diff_stable=1
+              echo "  ❌ Found different stable version: $version (expected: $first_stable)"
+            fi
+          done
+
+          # Check preview versions consistency
+          found_diff_preview=0
+          first_preview="${preview_versions[0]}"
+          echo "Checking preview versions consistency..."
+          for version in "${preview_versions[@]}"; do
+            if [ "$version" != "$first_preview" ]; then
+              found_diff_preview=1
+              echo "  ❌ Found different preview version: $version (expected: $first_preview)"
+            fi
+          done
+
+          if [ "$found_diff_stable" -eq 1 ] || [ "$found_diff_preview" -eq 1 ]; then
+            echo "❌ Snyk versions are NOT consistent across jobs."
+            exit 1
+          fi
+
+          echo "✅ All Snyk versions (stable and preview) are consistent within their respective channels."
+
+  notify_slack_on_failure:
+    if: ${{ failure() }}
+    name: 'Do a Slack notification on failure'
+    needs: compare_versions
+    runs-on: ubuntu-latest
+    steps:
+      - name: Post a message in a channel
+        uses: slackapi/slack-github-action@v2.1.0
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload: |
+            channel: ${{ secrets.SLACK_CLI_ALERTS_CHANNEL_ID }}
+            text: ":red_circle: *Deployment Monitor Failed!*"
+            blocks:
+              - type: "header"
+                text:
+                  type: "plain_text"
+                  text: ":red_circle: Deployment Monitor Failed!"
+              - type: "section"
+                text:
+                  type: "mrkdwn"
+                  text: "*Workflow*: `${{ github.workflow }}`"
+              - type: "section"
+                text:
+                  type: "mrkdwn"
+                  text: ":link: *View run:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|Open in GitHub Actions>"
+              - type: "divider"
+              - type: "context"
+                elements:
+                  - type: "mrkdwn"
+                    text: ":warning: Please investigate the failure. This message was generated automatically."