Skip to content

v2.1.0

Choose a tag to compare

@github-actions github-actions released this 29 Jun 17:22

Fixed

  • starship.toml VPN segment no longer spams on Windows. The [custom.vpn]
    probe (ifconfig …) is Unix-only; once the canonical file synced to the Windows
    host verbatim, starship ran it every prompt and hit command_timeout with a noisy
    custom command … timed out WARN. Split it into OS-gated [custom.vpn_macos] /
    [custom.vpn_linux] modules (a custom module's os takes one value — no "unix"),
    so Windows matches neither and never runs the probe. Unchanged on macOS/Linux.

Added

  • Core-integrity CI guard (make core-integrity + core-integrity.yml). A
    durable, CI-runnable tamper check: it compares each OS repo's vendored core/ tree
    object against the commit its core.lock pins (content-addressed, so any hand-edit
    diverges the hash). Replaces the local-only .git/hooks core-guard, which couldn't
    run on a fresh clone or in CI. Companion to fleet-drift (integrity vs staleness) —
    both run weekly and on demand.
  • Per-repo core-guard (core-integrity-call.yml + core-integrity.sh --self).
    A reusable workflow_call an OS repo invokes from its own CI to BLOCK a hand-edit
    to its vendored core/ at PR time (prevention), where the central sweep only
    DETECTS one after the fact. Runs the same tree-SHA comparison via a new --self
    mode that checks exactly one repo against its core.lock. Each OS repo adds a
    three-line caller.

Changed

  • Reusable-workflow pin policy: @vN moving major tag. tag-release.sh now
    force-advances a vN major tag (e.g. v2) to each vN.x release, alongside the
    immutable vX.Y.Z tag. Cross-repo callers of the fleet's reusable workflows
    (bootstrap-test.yml, core-integrity-call.yml) pin to @vN instead of @main:
    deterministic between releases (a caller's CI can't change with zero diff in its
    repo) yet still auto-propagating patch/minor guard fixes. Documented in
    RELEASE-STRATEGY.md. (Foundation only — re-pinning the existing @main callers
    fleet-wide is a follow-up once a v2 tag is published.)
  • fleet-drift.sh labels the Windows row by release tag too. _check_repo
    gained a fourth tag-key argument (default core_tag); the Windows row passes
    tag, so once dotfiles-Windows's nvim-sync.ps1 stamps a tag = <release>
    field into nvim/.core-ref (its companion change), the dashboard shows v2.0.0
    for Windows instead of the bare SHA — all nine rows now speak in release names.
    Backward compatible: with no tag recorded it still falls back to the short SHA,
    and the drift verdict stays SHA-based. Verified both paths against a fixture.
  • starship.toml is now cross-shell (one canonical file). Added
    powershell_indicator to [shell] so the single Core starship.toml renders under
    both zsh and PowerShell, and dotfiles-Windows now syncs this file verbatim (its new
    starship-sync.ps1) instead of carrying a drifted copy. Benign on zsh — starship
    only renders the active shell's indicator.