1.40.0 - Spectrum

@AlexSkrypnyk AlexSkrypnyk released this 01 Jul 06:50
8718f34
vortex-1400-spectrum

This release standardises and hardens the Vortex tooling surface: database commands are unified under a fetch/import/export/push vocabulary, environment variables drop vendor-specific prefixes, and CI gains automated security scanning (Zizmor, Gitleaks), SSH host-key pinning, native test-result reporting, and site-wide accessibility checks. The installer can now target multiple scaffold versions and ship Single Directory Component tooling out of the box.


Highlights

  • Automated CI security scanning
    Every project's CI lint stage now runs Zizmor static analysis of GitHub Actions workflows and Gitleaks secret scanning. Both run automatically - no configuration needed.

  • Hardened deployments with SSH host-key pinning
    Deployments can now pin the remote SSH host key instead of disabling strict host-key checking, and the GitHub Actions known_hosts is configurable per step. This closes a long-standing man-in-the-middle gap for artifact and Lagoon deployments.

  • Test results in the GitHub Checks UI
    PHPUnit and Behat results are published natively to the GitHub Checks UI, so failures surface inline on pull requests instead of only in raw CI logs.

  • Site-wide accessibility reporting
    The Behat test suite now produces a site-wide accessibility report and captures animated screenshots on failure, making regressions easier to see and triage.

  • Single Directory Components (SDC) tooling by default
    Vortex ships a sample button component, drupal/sdc_devel in require, and CI validation that fails when sdc-devel:validate reports problems - giving new projects a working SDC baseline.

  • Label-driven deployment gate
    Deployments can be gated behind a pull-request label, giving teams an explicit, auditable switch to control when a branch is allowed to deploy.

  • Unified, hardened database tooling
    The database commands were standardised and hardened: download-db became fetch-db, dedicated import-db and export-db scripts are now reused by both provision and Ahoy, and a platform-agnostic task runner backs hosting operations. See Breaking changes for the variable renames.

  • Multi-version installer
    The installer can now scaffold either the current 1.x or the upcoming 2.x line, and the documentation is versioned per major line.
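
An added illustration of the SSH host-key pinning highlight above (not Vortex's own code): the options that disable host-key checking beside a function that validates a pinned known_hosts entry and trusts only that file. The page does not name the deployment SSH variables, so the pin is passed as a plain argument; the host name and key are constructed.

```shell
#!/bin/sh
# Added example: illustrates host-key pinning in general, not Vortex's scripts.
# The host name and key used below are constructed placeholders.

# The weak form that pinning replaces: any host key is accepted, so the
# deployment cannot tell the real target from an impostor.
unpinned_ssh_opts() {
  printf '%s' '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
}

# Validate pinned known_hosts entries ("host keytype base64key", one per line),
# write them to a dedicated file and print ssh options that trust only that
# file. Fails closed: without a usable pin there are no options to run with.
# Marker lines such as @cert-authority are rejected to keep the check simple.
pinned_ssh_opts() {
  pin="$1"
  file="$2"
  count=0
  [ -n "$pin" ] || { echo 'no pinned host key supplied' >&2; return 1; }
  while read -r host ktype key rest; do
    case "$host" in '' | '#'*) continue ;; esac
    case "$ktype" in
      ssh-ed25519 | ssh-rsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | ecdsa-sha2-nistp521) ;;
      *) echo "rejected entry for $host: unexpected key type" >&2; return 1 ;;
    esac
    [ -n "$key" ] || { echo "rejected entry for $host: no key" >&2; return 1; }
    count=$((count + 1))
  done <<EOF
$pin
EOF
  [ "$count" -gt 0 ] || { echo 'pin contains no host keys' >&2; return 1; }
  (umask 077 && printf '%s\n' "$pin" > "$file") || return 1
  printf '%s' "-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$file -o GlobalKnownHostsFile=/dev/null"
}

# Demo with a constructed entry; a real pin is the target's public host key
# obtained over a trusted channel.
demo_file="${TMPDIR:-/tmp}/pinned_known_hosts.$$"
pinned_ssh_opts 'deploy.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyOnly' "$demo_file" && echo
rm -f "$demo_file"
```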


💥 Breaking changes

These changes are applied when you update to 1.40.0. Most are simple find-and-replace renames in your .env file and hosting environment variables.

  • DRUPAL_ENVIRONMENT renamed to ENVIRONMENT_TYPE. Update any references in your settings overrides, CI, and hosting environment variables.

  • VORTEX_LOCALDEV_URL renamed to LOCALDEV_URL. Update any references in your .env and local tooling.

  • Database "download" variables renamed to "fetch". All VORTEX_DOWNLOAD_DB_* and VORTEX_DOWNLOAD_DB2_* variables are now VORTEX_FETCH_DB_* and VORTEX_FETCH_DB2_* (for example VORTEX_DOWNLOAD_DB_URL → VORTEX_FETCH_DB_URL, VORTEX_DOWNLOAD_DB_ENVIRONMENT → VORTEX_FETCH_DB_ENVIRONMENT). Update your .env and hosting configuration. The ahoy fetch-db command keeps download-db as an alias, so scripted command calls keep working, but the environment variables must be renamed.

  • Deployment types changed. The deploy types are now artifact, webhook, and lagoon (previously code, container_registry, webhook). The container_registry deploy type was removed; container-image publishing moved to a dedicated push command and its scripts/variables were renamed from deploy to push.

  • upload-db-s3 renamed to push-db-s3. Update any custom automation that invoked the S3 upload script directly.

  • ahoy reset hard replaced by ahoy reset --hard. The bare hard positional argument is now an option flag.

  • VORTEX_LAGOON_AMAZEEIO_REGION removed. The Lagoon amazee.io trusted-host pattern was simplified and no longer needs a per-region variable.

  • Tooling scripts prefixed with vortex-. Shipped tooling scripts are now prefixed with vortex-, and user-facing ones are exposed as Composer binaries under vendor/bin/vortex-*. Update any project scripts that referenced the old unprefixed script paths.

  • PHPMD removed. PHPMD was dropped from the tooling, CI, installer, and docs. If your project relied on it, add it back locally.

  • oomphinc/composer-installers-extender removed. This abandoned package is no longer required; its functionality is covered by composer/installers.

  • Removed deprecated sid_length and sid_bits_per_character from services.yml. These keys are no longer supported by Drupal 11 core and are removed from the shipped services.yml.
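
An added helper for the variable renames listed above (not shipped with Vortex): it applies the three renames to an env file and then lists any renamed or removed names that remain, including VORTEX_LAGOON_AMAZEEIO_REGION. It covers files only, so hosting environment variables still need updating in the hosting platform; the sample .env values are constructed.

```shell
#!/bin/sh
# Added example, not shipped with Vortex: applies the 1.40.0 variable renames
# listed above to an env file and reports names that still need attention.

# Print the file with the renames applied. Names are matched on identifier
# boundaries so that e.g. MY_DRUPAL_ENVIRONMENT_NOTE is left alone. The :a/ta
# loop repeats the exact-name rules until no further occurrence matches.
migrate_env() {
  sed -E \
    -e 's/(^|[^A-Za-z0-9_])VORTEX_DOWNLOAD_DB(2?)_/\1VORTEX_FETCH_DB\2_/g' \
    -e ':a' \
    -e 's/(^|[^A-Za-z0-9_])DRUPAL_ENVIRONMENT([^A-Za-z0-9_]|$)/\1ENVIRONMENT_TYPE\2/' \
    -e 's/(^|[^A-Za-z0-9_])VORTEX_LOCALDEV_URL([^A-Za-z0-9_]|$)/\1LOCALDEV_URL\2/' \
    -e 'ta' \
    "$1"
}

# List (with line numbers) renamed or removed names still present in the file.
# Returns 0 when the file is clean, 1 when something is left to fix by hand.
stale_names() {
  ! grep -nE '(^|[^A-Za-z0-9_])(VORTEX_DOWNLOAD_DB2?_[A-Z0-9_]*|DRUPAL_ENVIRONMENT|VORTEX_LOCALDEV_URL|VORTEX_LAGOON_AMAZEEIO_REGION)([^A-Za-z0-9_]|$)' "$1"
}

# Demo on a constructed .env (all values are made up).
demo_dir=$(mktemp -d)
cat > "$demo_dir/.env" <<'EOF'
DRUPAL_ENVIRONMENT=ci
VORTEX_LOCALDEV_URL=example.docker.amazee.io
VORTEX_DOWNLOAD_DB_URL=https://example.com/db.sql
VORTEX_DOWNLOAD_DB2_URL=https://example.com/db2.sql
VORTEX_LAGOON_AMAZEEIO_REGION=au
EOF
migrate_env "$demo_dir/.env" > "$demo_dir/.env.new"
cat "$demo_dir/.env.new"
# The removed region variable has no replacement, so it is reported here.
stale_names "$demo_dir/.env.new" || echo 'Remove or update the names listed above by hand.'
rm -rf "$demo_dir"
```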


What's new since 1.39.0

🌀 Template

  • ✨ New

    • [#2563] Added GitHub Actions security analysis with Zizmor. @AlexSkrypnyk (#2591)
      What it does: Runs Zizmor static analysis over the project's GitHub Actions workflows as part of the CI lint stage, flagging insecure workflow patterns.
      How to use it: Runs automatically on CI for GitHub Actions projects; no configuration needed.
    • [#2562] Added Gitleaks secret scanning to CI lint jobs. @AlexSkrypnyk (#2579)
      What it does: Scans the repository for committed secrets during the CI lint stage and fails the build when a secret is detected.
      How to use it: Runs automatically on CI; no configuration needed.
    • [#2548] Added SSH host key pinning as a secure alternative to disabling strict checking. @AlexSkrypnyk (#2587)
      What it does: Lets deployments verify the remote host against a pinned SSH host key instead of turning off strict host-key checking.
      How to use it: Provide the pinned host key via the deployment SSH variables; combined with #2632, the GitHub Actions known_hosts is configurable per step.
    • [#2566] Published PHPUnit and Behat test results to the GitHub Checks UI. @AlexSkrypnyk (#2576)
      What it does: Surfaces PHPUnit and Behat results as GitHub Checks so failures appear inline on pull requests.
      How to use it: Applies automatically to GitHub Actions projects; results appear on the PR checks tab.
    • [#2651] Added SDC tooling, a sample button component, and CI validation. @AlexSkrypnyk (#2671)
      What it does: Ships a sample Single Directory Component (button), SDC development tooling, and a CI step that validates components.
      How to use it: The sample component lives under the custom theme; CI runs sdc-devel:validate automatically.
    • [#2571] Added label-driven deployment gate to the deploy router. @AlexSkrypnyk (#2575)
      What it does: Allows a deployment to be gated behind a pull-request label so branches only deploy when explicitly approved.
      How to use it: Apply the configured deployment label to a PR to permit its deployment; controlled via the deploy gate variable.
    • [#2719] Added a platform-agnostic task runner for hosting operations. @AlexSkrypnyk (#2721)
      What it does: Introduces a single task runner that abstracts hosting-provider operations behind one entry point.
      How to use it: Hosting operations route through the new task script; no action needed for existing provision flows.
    • [#2720] Extracted a dedicated import-db script reused by provision and Ahoy. @AlexSkrypnyk (#2728)
      What it does: Provides a standalone import-db script shared by the provision flow and ahoy import-db.
      How to use it: Run ahoy import-db; provisioning uses the same script internally.
    • Added *.x version branch CI support behind VORTEX_DEV fences. @AlexSkrypnyk (#2604)
      What it does: Enables CI on *.x development branches, fenced behind VORTEX_DEV so it only affects the template's own development.
      How to use it: No action for consumer projects; this supports Vortex's multi-major development.
  • 🛠 Changed

    • [#2726] Renamed the download-db command, variables, and installer source to fetch. @AlexSkrypnyk (#2730)
      What it does: Standardises the database-retrieval vocabulary on fetch.
      How to use it: Rename VORTEX_DOWNLOAD_DB_*/VORTEX_DOWNLOAD_DB2_* to VORTEX_FETCH_DB_*/VORTEX_FETCH_DB2_*; ahoy download-db remains an alias of ahoy fetch-db. See Breaking changes.
    • [#2733] Renamed the container-image push scripts and variables from deploy to push and dropped the container-registry deploy type. @AlexSkrypnyk (#2737)
      What it does: Separates container-image publishing (push) from deployment (deploy) and removes the container_registry deploy type.
      How to use it: Deploy types are now artifact, webhook, lagoon; use the push command for container images. See Breaking changes.
    • [#2739] Renamed upload-db-s3 to push-db-s3 and aligned tooling and playground script names. @AlexSkrypnyk (#2740)
      What it does: Aligns the S3 database upload script with the new push vocabulary.
      How to use it: Call push-db-s3 instead of upload-db-s3.
    • Renamed DRUPAL_ENVIRONMENT environment variable to ENVIRONMENT_TYPE. @AlexSkrypnyk (#2750)
      What it does: Drops the DRUPAL_ prefix from the environment-type indicator for a vendor-neutral name.
      How to use it: Replace DRUPAL_ENVIRONMENT with ENVIRONMENT_TYPE in settings, CI, and hosting variables.
    • Renamed VORTEX_LOCALDEV_URL environment variable to LOCALDEV_URL. @AlexSkrypnyk (#2748)
      What it does: Simplifies the local development URL variable name.
      How to use it: Replace VORTEX_LOCALDEV_URL with LOCALDEV_URL in your .env.
    • [#2713] Converted ahoy reset hard to the ahoy reset --hard option flag. @AlexSkrypnyk (#2717)
      What it does: Replaces the bare hard positional argument with a proper --hard flag.
      How to use it: Run ahoy reset --hard for a destructive reset.
    • Simplified the Lagoon amazee.io trusted-host pattern and removed VORTEX_LAGOON_AMAZEEIO_REGION. @AlexSkrypnyk (#2716)
      What it does: Uses a single simplified trusted-host pattern for amazee.io, removing the per-region variable.
      How to use it: Remove VORTEX_LAGOON_AMAZEEIO_REGION from your configuration.
    • [#2715] Prefixed all tooling scripts with vortex- and surfaced user-facing ones as Composer binaries. @AlexSkrypnyk (#2741)
      What it does: Namespaces shipped tooling scripts with a vortex- prefix and exposes user-facing ones as vendor/bin/vortex-*.
      How to use it: Call scripts via vendor/bin/vortex-*; update any custom references to old paths.
    • [#2725] Moved require-tooling into the Ahoy entrypoint. @AlexSkrypnyk (#2735)
      What it does: Ensures the Vortex tooling package is present before tooling commands run, without a separate manual step.
      How to use it: No action needed; ahoy self-installs the tooling on a fresh clone.
    • [#2723] Extracted the container-image deployment from export-db into a dedicated script. @AlexSkrypnyk (#2727)
      What it does: Separates container-image publishing from the database export path.
      How to use it: No action needed; the push command now owns image publishing.
    • [#2718] Used export-db for the Lagoon pre-deployment database backup. @AlexSkrypnyk (#2724)
      What it does: Reuses the shared export-db script for Lagoon pre-deployment backups instead of a bespoke path.
      How to use it: No action needed for Lagoon deployments.
    • Moved drupal/sdc_devel to the require section. @AlexSkrypnyk (#2714)
      What it does: Ships the SDC development tooling as a runtime requirement so components validate consistently.
      How to use it: Installed by default; no action needed.
    • [#2691] Replaced inline COMPOSER_AUTH JSON with composer config --auth in CI. @AlexSkrypnyk (#2694)
      What it does: Configures Composer authentication via composer config --auth instead of an inline JSON environment blob, reducing the risk of leaking credentials in logs.
      How to use it: Applies automatically in CI; no action needed.
    • [#2655] Migrated config.audit to config.policy for report-only installs. @AlexSkrypnyk (#2672)
      What it does: Switches report-only configuration validation from config.audit to config.policy.
      How to use it: Applies automatically; report-only installs use the new policy.
    • [#2632] Made GitHub Actions SSH known_hosts configurable via per-step variables. @AlexSkrypnyk (#2641)
      What it does: Lets each GitHub Actions step supply its own known_hosts value.
      How to use it: Set the per-step SSH variables where needed; underpins host-key pinning (#2548).
    • [#2619] Excluded demo dev/test modules from exported configuration. @AlexSkrypnyk (#2625)
      What it does: Keeps demo-only development and test modules out of exported config.
      How to use it: Applies automatically on config export.
    • [#2675] Excluded devel from config exports via a settings file. @AlexSkrypnyk (#2682)
      What it does: Prevents the optional devel module from being written into exported configuration.
      How to use it: Applies automatically when devel is enabled.
    • [#2615] Removed PHPMD from tooling, CI, installer, docs, and tests. @AlexSkrypnyk (#2620)
      What it does: Drops PHPMD across the project in favour of the remaining static-analysis stack (PHPStan, PHPCS, Rector).
      How to use it: Re-add PHPMD locally if your project depended on it. See Breaking changes.
    • Removed the abandoned oomphinc/composer-installers-extender package. @AlexSkrypnyk (#2688)
      What it does: Removes an abandoned dependency; installer paths are handled by composer/installers.
      How to use it: No action needed for standard projects.
    • [#2557] Included the scripts directory in PHPCS and PHPStan analysis paths. @AlexSkrypnyk (#2590)
      What it does: Extends static analysis and coding-standards checks to custom project scripts under scripts/.
      How to use it: Applies automatically; ensure your scripts/ pass the checks.
    • [#2545] Removed the stale cloned ScriptHandler.php and its Composer wiring. @AlexSkrypnyk (#2578)
      What it does: Removes obsolete Composer 1-era scaffolding code.
      How to use it: No action needed.
    • Removed the yarn.lock dependency-changes summary PR comment from GitHub Actions. @AlexSkrypnyk (#2592)
      What it does: Reverts the short-lived yarn.lock changes PR comment.
      How to use it: No action needed.
  • 🐞 Fixed

    • [#2704] Fixed the SDC lint check passing when sdc-devel:validate reports problems. @AlexSkrypnyk (#2705)
      What it does: Makes the SDC validation step fail CI when component problems are reported instead of silently passing.
      How to use it: Applies automatically; fix reported component issues to pass CI.
    • [#2621] Fixed the CI Export DB step not copying the processed dump back to the host. @AlexSkrypnyk (#2622)
      What it does: Ensures the processed database dump is copied back to the host after export in CI.
      How to use it: Applies automatically; database caching now stores the processed dump.
    • [#2613] Fixed download-db-acquia to read the backup URL from the JSON response. @AlexSkrypnyk (#2617)
      What it does: Reads the Acquia backup URL from the API's JSON response instead of an incorrect field.
      How to use it: Applies automatically to Acquia database fetches.
    • [#2614] Fixed inline extra.patches for drevops/vortex-tooling failing in the bootstrap install. @AlexSkrypnyk (#2616)
      What it does: Fixes a bootstrap-install failure caused by inline patch declarations for the tooling package.
      How to use it: Applies automatically on fresh installs.
    • [#2549] Hardened fragile site UUID extraction in the provision script. @AlexSkrypnyk (#2584)
      What it does: Makes site UUID extraction during provisioning robust against formatting variations.
      How to use it: Applies automatically on provision.
    • [#2609] Removed deprecated sid_length and sid_bits_per_character from services.yml. @AlexSkrypnyk (#2610)
      What it does: Removes session-ID keys no longer supported by Drupal 11 core.
      How to use it: Applies automatically. See Breaking changes.
    • [#2643] Hardened the host-side database-download tooling scripts. @AlexSkrypnyk (#2648)
      What it does: Adds defensive handling to the host-side database fetch scripts.
      How to use it: Applies automatically.
    • [#2631] Removed the hardcoded Drupal major from the CI database cache key. @AlexSkrypnyk (#2639)
      What it does: Drops the hardcoded Drupal major version from the CI database cache key so it no longer needs manual updates across majors.
      How to use it: Applies automatically in CI.
    • [#2659] Fixed tooling script messages to read as proper English and aligned wording. @AlexSkrypnyk (#2663)
      What it does: Corrects and aligns user-facing tooling messages.
      How to use it: No action needed.
    • [#2551] Guarded VORTEX_NOTIFY_BRANCH under set -u in notify branch filters. @AlexSkrypnyk (#2573)
      What it does: Prevents an unbound-variable error in notification branch filtering.
      How to use it: Applies automatically.
    • [#2553] Fixed an overly broad branch-filter regex character class in the CircleCI deploy config. @AlexSkrypnyk (#2574)
      What it does: Narrows a deploy branch-filter regex that matched more branches than intended.
      How to use it: Applies automatically to CircleCI deployments.
    • [#2552] Cleaned up vendor-temp on failure in vortex-tooling.sh. @AlexSkrypnyk (#2561)
      What it does: Removes the temporary vendor directory if the tooling bootstrap fails.
      How to use it: Applies automatically.
    • Internal fixes (no consumer action needed): grouped find name predicates in the CI Dockerfile lint step (#2554, #2560); corrected the tmate timeout comment to match the 120-minute value (#2555, #2559); isolated ssh-add in BATS tests (#2649, #2662); masked secrets in the demo-video pipeline (#2709).
  • ⬆️ Updated


🎛 Installer

  • ✨ New

    • [#2596] Added installer support for multiple Vortex scaffold versions (1.x and 2.x). @AlexSkrypnyk (#2605)
      What it does: Lets the installer scaffold either the current 1.x line or the upcoming 2.x line.
      How to use it: Choose the desired version during installation; the default follows the VORTEX_CURRENT_MAJOR setting.
    • [#2675] Added a selectable devel module via the installer. @AlexSkrypnyk (#2679)
      What it does: Adds an installer prompt to include the Drupal devel module.
      How to use it: Answer the installer prompt; when enabled, devel is excluded from config exports (#2675/#2682).
    • [#2665] Added an installer prompt to make the in-container theme build optional. @AlexSkrypnyk (#2681)
      What it does: Lets you skip the in-container theme build during installation.
      How to use it: Answer the new installer prompt to enable or skip the in-container theme build.
  • 🛠 Changed

    • [#2726] Renamed the installer's database source from download-db to fetch (installer source). @AlexSkrypnyk (#2730)
      What it does: Updates the installer's database-source handler and generated variables to the fetch vocabulary, matching the template rename.
      How to use it: Reflected automatically in newly installed projects.
    • Excluded installer test fixtures from the Zizmor GitHub Actions audit. @AlexSkrypnyk (#2684)
      What it does: Scopes the Zizmor audit so it does not analyse installer test fixtures.
      How to use it: Internal test-infrastructure change; no consumer action needed.

📖 Documentation

  • ✨ New

    • Redesigned the documentation homepage and themed the docs site with new fonts and brand colors. @AlexSkrypnyk (#2746)
      What it does: Refreshes the vortextemplate.com homepage and applies new brand fonts and colors across the docs.
      How to use it: Visit https://www.vortextemplate.com.
    • [#2595] Added path-based documentation versioning with v1/v2 CI aggregation. @AlexSkrypnyk (#2601)
      What it does: Publishes per-major documentation (v1, v2) with CI aggregation so each major line has its own docs.
      How to use it: Use the version selector on the docs site; the default follows VORTEX_CURRENT_MAJOR.
    • [#2599] Consolidated project onboarding into a single tabbed installation guide. @AlexSkrypnyk (#2600)
      What it does: Merges the onboarding paths into one tabbed installation guide.
      How to use it: Follow the unified installation guide in the docs.
    • [#2602] Deployed PR docs as Netlify previews and commented the preview link. @AlexSkrypnyk (#2603)
      What it does: Builds a Netlify preview for documentation pull requests and posts the preview link as a comment.
      How to use it: Maintainers see the preview link on docs PRs automatically.
    • [#2744] Documented all require packages on the composer.json documentation page. @AlexSkrypnyk (#2745)
      What it does: Documents every shipped require dependency and its purpose.
      How to use it: See the composer.json docs page.
    • [#2673] Documented allowlisting Diffy's static IP in a WAF or CDN. @AlexSkrypnyk (#2674)
      What it does: Explains how to allowlist Diffy's static IP for visual-regression runs behind a WAF/CDN.
      How to use it: Follow the Diffy documentation section.
    • [#2543] Documented the required DRUPAL_HASH_SALT variable for hosted environments. @AlexSkrypnyk (#2558)
      What it does: Documents DRUPAL_HASH_SALT as a required variable for hosted environments in the onboarding/setup section.
      How to use it: Set DRUPAL_HASH_SALT in your hosting environment.
    • [#2731] Documented tagging drevops/vortex-tooling before each Vortex release. @AlexSkrypnyk (#2734)
      What it does: Adds the tooling-tagging step to the maintenance release documentation.
      How to use it: Maintainer-facing; see the release maintenance guide.
  • 🛠 Changed

    • [#2729] Clarified that export-db and import-db run on the host or in the container. @AlexSkrypnyk (#2732)
      What it does: Clarifies the execution context of the database export/import commands.
      How to use it: See the database documentation.
    • [#2634] Moved the AI doc cache to .artifacts and git-excluded .artifacts. @AlexSkrypnyk (#2638)
      What it does: Relocates cached AI documentation under .artifacts/ and ignores that directory in git.
      How to use it: No action needed; cached docs now live under .artifacts/.
    • [#2550] Scoped the php:eval rule to ad-hoc agent use in AGENTS.md. @AlexSkrypnyk (#2572)
      What it does: Clarifies that the drush php:eval prohibition targets ad-hoc agent use, not committed vetted scripts.
      How to use it: See AGENTS.md.
    • Enhanced vortex-tooling package docs and relocated the maintenance guide. @AlexSkrypnyk (#2541)
      What it does: Improves the tooling package documentation and moves its maintenance guide.
      How to use it: Maintainer-facing.
  • 🐞 Fixed

    • [#2644] Fixed imprecise --fresh/cache wording in the database docs. @AlexSkrypnyk (#2646)
      What it does: Corrects misleading wording about the --fresh flag and database caching.
      How to use it: See the database documentation.

📋 Release checklist

  • Updated all dependencies outside of the schedule (Renovate) - pending: run renovate --schedule= --force-cli=true drevops/vortex manually.
  • Updated container images and checked @see links - current: uselagoon/mysql-8.4:26.6.0, uselagoon/valkey-8:26.6.0, selenium/standalone-chromium:149.0, drevops/docker-wait-for-dependencies:26.6.1, drevops/ci-runner:26.6.0. Verify latest via the Renovate run above.
  • Updated PHP version in composer.json for config.platform - 8.4.21, matches container.
  • Updated PHP version in phpcs.xml for testVersion - 8.4, matches.
  • Updated PHP version in phpstan.neon for phpVersion - 80421 (8.4.21), matches container PHP_VERSION.
  • Updated minor version of all packages in composer.json (composer update -W) - bumped phpstan/phpstan ^2.2.2→^2.2.3 and vincentlanglet/twig-cs-fixer ^4.0.1→^4.0.2 (bump-after-update).
  • Tagged drevops/vortex-tooling before the Vortex tag - published 1.3.0 (2026-07-01) with the new vortex-* binaries; pinned to 1.3.0 in all four spots: root composer.json require (~1.3.0), root path-repo versions override, scripts/vortex-tooling.sh (VORTEX_DEV dev-bootstrap), and .vortex/tests/phpunit/Traits/SutTrait.php (workflow-test .tooling-source path repo). The last two were initially missed and surfaced by CI + CodeRabbit; the release skill now lists all four and mandates a repo-wide grep for the previous version.
  • Updated theme dependencies (yarn upgrade in web/themes/custom/your_site_theme) - refreshed yarn.lock (64 in-range transitive bumps).
  • drevops/ci-runner version in CI configs - 26.6.0 (verify latest via Renovate run).
  • Incremented the CI database cache version - v26.7.0, consistent across .circleci/config.yml, .circleci/vortex-test-common.yml, .github/workflows/build-test-deploy.yml.
  • Updated documentation (cd .vortex && ahoy update-docs) - pending: regenerate variable docs (many renames this cycle).
  • Regenerated demo videos (cd .vortex && ahoy update-videos) - re-recorded all six (installer, build, provision, lint, test, test-bdd) against the published drevops/vortex-tooling:1.3.0; verified provision/build run cleanly with no missing-binary errors.
  • Tagged the Vortex release - done at publish time.
  • Pending deprecations checked - none due: the two @deprecated markers in HostingProjectName.php are open-ended backward-compatibility shims that name no removal version.

Full Changelog: 1.39.0...1.40.0

Contributors: @AlexSkrypnyk and @renovate[bot]