1.40.0 - Spectrum
This release standardises and hardens the Vortex tooling surface: database commands are unified under a fetch/import/export/push vocabulary, environment variables drop vendor-specific prefixes, and CI gains automated security scanning (Zizmor, Gitleaks), SSH host-key pinning, native test-result reporting, and site-wide accessibility checks. The installer can now target multiple scaffold versions and ship Single Directory Component tooling out of the box.
π Highlights
-
Automated CI security scanning
Every project's CI lint stage now runs Zizmor static analysis of GitHub Actions workflows and Gitleaks secret scanning. Both run automatically - no configuration needed. -
Hardened deployments with SSH host-key pinning
Deployments can now pin the remote SSH host key instead of disabling strict host-key checking, and the GitHub Actionsknown_hostsis configurable per step. This closes a long-standing man-in-the-middle gap for artifact and Lagoon deployments. -
Test results in the GitHub Checks UI
PHPUnit and Behat results are published natively to the GitHub Checks UI, so failures surface inline on pull requests instead of only in raw CI logs. -
Site-wide accessibility reporting
The Behat test suite now produces a site-wide accessibility report and captures animated screenshots on failure, making regressions easier to see and triage. -
Single Directory Components (SDC) tooling by default
Vortex ships a sample button component,drupal/sdc_develinrequire, and CI validation that fails whensdc-devel:validatereports problems - giving new projects a working SDC baseline. -
Label-driven deployment gate
Deployments can be gated behind a pull-request label, giving teams an explicit, auditable switch to control when a branch is allowed to deploy. -
Unified, hardened database tooling
The database commands were standardised and hardened:download-dbbecamefetch-db, dedicatedimport-dbandexport-dbscripts are now reused by both provision and Ahoy, and a platform-agnostictaskrunner backs hosting operations. See Breaking changes for the variable renames. -
Multi-version installer
The installer can now scaffold either the current1.xor the upcoming2.xline, and the documentation is versioned per major line.
π₯ Breaking changes
These changes are applied when you update to 1.40.0. Most are simple find-and-replace renames in your .env file and hosting environment variables.
-
DRUPAL_ENVIRONMENTrenamed toENVIRONMENT_TYPE. Update any references in your settings overrides, CI, and hosting environment variables. -
VORTEX_LOCALDEV_URLrenamed toLOCALDEV_URL. Update any references in your.envand local tooling. -
Database "download" variables renamed to "fetch". All
VORTEX_DOWNLOAD_DB_*andVORTEX_DOWNLOAD_DB2_*variables are nowVORTEX_FETCH_DB_*andVORTEX_FETCH_DB2_*(for exampleVORTEX_DOWNLOAD_DB_URLβVORTEX_FETCH_DB_URL,VORTEX_DOWNLOAD_DB_ENVIRONMENTβVORTEX_FETCH_DB_ENVIRONMENT). Update your.envand hosting configuration. Theahoy fetch-dbcommand keepsdownload-dbas an alias, so scripted command calls keep working, but the environment variables must be renamed. -
Deployment types changed. The deploy types are now
artifact,webhook, andlagoon(previouslycode,container_registry,webhook). Thecontainer_registrydeploy type was removed; container-image publishing moved to a dedicatedpushcommand and its scripts/variables were renamed fromdeploytopush. -
upload-db-s3renamed topush-db-s3. Update any custom automation that invoked the S3 upload script directly. -
ahoy reset hardreplaced byahoy reset --hard. The barehardpositional argument is now an option flag. -
VORTEX_LAGOON_AMAZEEIO_REGIONremoved. The Lagoon amazee.io trusted-host pattern was simplified and no longer needs a per-region variable. -
Tooling scripts prefixed with
vortex-. Shipped tooling scripts are now prefixed withvortex-, and user-facing ones are exposed as Composer binaries undervendor/bin/vortex-*. Update any project scripts that referenced the old unprefixed script paths. -
PHPMD removed. PHPMD was dropped from the tooling, CI, installer, and docs. If your project relied on it, add it back locally.
-
oomphinc/composer-installers-extenderremoved. This abandoned package is no longer required; its functionality is covered bycomposer/installers. -
Removed deprecated
sid_lengthandsid_bits_per_characterfromservices.yml. These keys are no longer supported by Drupal 11 core and are removed from the shippedservices.yml.
What's new since 1.39.0
π Template
-
β¨ New
- [#2563] Added GitHub Actions security analysis with Zizmor. @AlexSkrypnyk (#2591)
What it does: Runs Zizmor static analysis over the project's GitHub Actions workflows as part of the CI lint stage, flagging insecure workflow patterns.
How to use it: Runs automatically on CI for GitHub Actions projects; no configuration needed. - [#2562] Added Gitleaks secret scanning to CI lint jobs. @AlexSkrypnyk (#2579)
What it does: Scans the repository for committed secrets during the CI lint stage and fails the build when a secret is detected.
How to use it: Runs automatically on CI; no configuration needed. - [#2548] Added SSH host key pinning as a secure alternative to disabling strict checking. @AlexSkrypnyk (#2587)
What it does: Lets deployments verify the remote host against a pinned SSH host key instead of turning off strict host-key checking.
How to use it: Provide the pinned host key via the deployment SSH variables; combined with #2632, the GitHub Actionsknown_hostsis configurable per step. - [#2566] Published PHPUnit and Behat test results to the GitHub Checks UI. @AlexSkrypnyk (#2576)
What it does: Surfaces PHPUnit and Behat results as GitHub Checks so failures appear inline on pull requests.
How to use it: Applies automatically to GitHub Actions projects; results appear on the PR checks tab. - [#2651] Added SDC tooling, a sample button component, and CI validation. @AlexSkrypnyk (#2671)
What it does: Ships a sample Single Directory Component (button), SDC development tooling, and a CI step that validates components.
How to use it: The sample component lives under the custom theme; CI runssdc-devel:validateautomatically. - [#2571] Added label-driven deployment gate to the deploy router. @AlexSkrypnyk (#2575)
What it does: Allows a deployment to be gated behind a pull-request label so branches only deploy when explicitly approved.
How to use it: Apply the configured deployment label to a PR to permit its deployment; controlled via the deploy gate variable. - [#2719] Added a platform-agnostic
taskrunner for hosting operations. @AlexSkrypnyk (#2721)
What it does: Introduces a singletaskrunner that abstracts hosting-provider operations behind one entry point.
How to use it: Hosting operations route through the newtaskscript; no action needed for existing provision flows. - [#2720] Extracted a dedicated
import-dbscript reused by provision and Ahoy. @AlexSkrypnyk (#2728)
What it does: Provides a standaloneimport-dbscript shared by the provision flow andahoy import-db.
How to use it: Runahoy import-db; provisioning uses the same script internally. - Added
*.xversion branch CI support behindVORTEX_DEVfences. @AlexSkrypnyk (#2604)
What it does: Enables CI on*.xdevelopment branches, fenced behindVORTEX_DEVso it only affects the template's own development.
How to use it: No action for consumer projects; this supports Vortex's multi-major development.
- [#2563] Added GitHub Actions security analysis with Zizmor. @AlexSkrypnyk (#2591)
-
π Changed
- [#2726] Renamed the
download-dbcommand, variables, and installer source tofetch. @AlexSkrypnyk (#2730)
What it does: Standardises the database-retrieval vocabulary onfetch.
How to use it: RenameVORTEX_DOWNLOAD_DB_*/VORTEX_DOWNLOAD_DB2_*toVORTEX_FETCH_DB_*/VORTEX_FETCH_DB2_*;ahoy download-dbremains an alias ofahoy fetch-db. See Breaking changes. - [#2733] Renamed the container-image push scripts and variables from
deploytopushand dropped the container-registry deploy type. @AlexSkrypnyk (#2737)
What it does: Separates container-image publishing (push) from deployment (deploy) and removes thecontainer_registrydeploy type.
How to use it: Deploy types are nowartifact,webhook,lagoon; use thepushcommand for container images. See Breaking changes. - [#2739] Renamed
upload-db-s3topush-db-s3and aligned tooling and playground script names. @AlexSkrypnyk (#2740)
What it does: Aligns the S3 database upload script with the newpushvocabulary.
How to use it: Callpush-db-s3instead ofupload-db-s3. - Renamed
DRUPAL_ENVIRONMENTenvironment variable toENVIRONMENT_TYPE. @AlexSkrypnyk (#2750)
What it does: Drops theDRUPAL_prefix from the environment-type indicator for a vendor-neutral name.
How to use it: ReplaceDRUPAL_ENVIRONMENTwithENVIRONMENT_TYPEin settings, CI, and hosting variables. - Renamed
VORTEX_LOCALDEV_URLenvironment variable toLOCALDEV_URL. @AlexSkrypnyk (#2748)
What it does: Simplifies the local development URL variable name.
How to use it: ReplaceVORTEX_LOCALDEV_URLwithLOCALDEV_URLin your.env. - [#2713] Converted
ahoy reset hardto theahoy reset --hardoption flag. @AlexSkrypnyk (#2717)
What it does: Replaces the barehardpositional argument with a proper--hardflag.
How to use it: Runahoy reset --hardfor a destructive reset. - Simplified the Lagoon amazee.io trusted-host pattern and removed
VORTEX_LAGOON_AMAZEEIO_REGION. @AlexSkrypnyk (#2716)
What it does: Uses a single simplified trusted-host pattern for amazee.io, removing the per-region variable.
How to use it: RemoveVORTEX_LAGOON_AMAZEEIO_REGIONfrom your configuration. - [#2715] Prefixed all tooling scripts with
vortex-and surfaced user-facing ones as Composer binaries. @AlexSkrypnyk (#2741)
What it does: Namespaces shipped tooling scripts with avortex-prefix and exposes user-facing ones asvendor/bin/vortex-*.
How to use it: Call scripts viavendor/bin/vortex-*; update any custom references to old paths. - [#2725] Moved
require-toolinginto the Ahoy entrypoint. @AlexSkrypnyk (#2735)
What it does: Ensures the Vortex tooling package is present before tooling commands run, without a separate manual step.
How to use it: No action needed;ahoyself-installs the tooling on a fresh clone. - [#2723] Extracted the container-image deployment from
export-dbinto a dedicated script. @AlexSkrypnyk (#2727)
What it does: Separates container-image publishing from the database export path.
How to use it: No action needed; thepushcommand now owns image publishing. - [#2718] Used
export-dbfor the Lagoon pre-deployment database backup. @AlexSkrypnyk (#2724)
What it does: Reuses the sharedexport-dbscript for Lagoon pre-deployment backups instead of a bespoke path.
How to use it: No action needed for Lagoon deployments. - Moved
drupal/sdc_develto therequiresection. @AlexSkrypnyk (#2714)
What it does: Ships the SDC development tooling as a runtime requirement so components validate consistently.
How to use it: Installed by default; no action needed. - [#2691] Replaced inline
COMPOSER_AUTHJSON withcomposer config --authin CI. @AlexSkrypnyk (#2694)
What it does: Configures Composer authentication viacomposer config --authinstead of an inline JSON environment blob, reducing the risk of leaking credentials in logs.
How to use it: Applies automatically in CI; no action needed. - [#2655] Migrated
config.audittoconfig.policyfor report-only installs. @AlexSkrypnyk (#2672)
What it does: Switches report-only configuration validation fromconfig.audittoconfig.policy.
How to use it: Applies automatically; report-only installs use the new policy. - [#2632] Made GitHub Actions SSH
known_hostsconfigurable via per-step variables. @AlexSkrypnyk (#2641)
What it does: Lets each GitHub Actions step supply its ownknown_hostsvalue.
How to use it: Set the per-step SSH variables where needed; underpins host-key pinning (#2548). - [#2619] Excluded demo dev/test modules from exported configuration. @AlexSkrypnyk (#2625)
What it does: Keeps demo-only development and test modules out of exported config.
How to use it: Applies automatically on config export. - [#2675] Excluded
develfrom config exports via a settings file. @AlexSkrypnyk (#2682)
What it does: Prevents the optionaldevelmodule from being written into exported configuration.
How to use it: Applies automatically whendevelis enabled. - [#2615] Removed PHPMD from tooling, CI, installer, docs, and tests. @AlexSkrypnyk (#2620)
What it does: Drops PHPMD across the project in favour of the remaining static-analysis stack (PHPStan, PHPCS, Rector).
How to use it: Re-add PHPMD locally if your project depended on it. See Breaking changes. - Removed the abandoned
oomphinc/composer-installers-extenderpackage. @AlexSkrypnyk (#2688)
What it does: Removes an abandoned dependency; installer paths are handled bycomposer/installers.
How to use it: No action needed for standard projects. - [#2557] Included the
scriptsdirectory in PHPCS and PHPStan analysis paths. @AlexSkrypnyk (#2590)
What it does: Extends static analysis and coding-standards checks to custom project scripts underscripts/.
How to use it: Applies automatically; ensure yourscripts/pass the checks. - [#2545] Removed the stale cloned
ScriptHandler.phpand its Composer wiring. @AlexSkrypnyk (#2578)
What it does: Removes obsolete Composer 1-era scaffolding code.
How to use it: No action needed. - Removed the
yarn.lockdependency-changes summary PR comment from GitHub Actions. @AlexSkrypnyk (#2592)
What it does: Reverts the short-lived yarn.lock changes PR comment.
How to use it: No action needed.
- [#2726] Renamed the
-
π Fixed
- [#2704] Fixed the SDC lint check passing when
sdc-devel:validatereports problems. @AlexSkrypnyk (#2705)
What it does: Makes the SDC validation step fail CI when component problems are reported instead of silently passing.
How to use it: Applies automatically; fix reported component issues to pass CI. - [#2621] Fixed the CI
Export DBstep not copying the processed dump back to the host. @AlexSkrypnyk (#2622)
What it does: Ensures the processed database dump is copied back to the host after export in CI.
How to use it: Applies automatically; database caching now stores the processed dump. - [#2613] Fixed
download-db-acquiato read the backup URL from the JSON response. @AlexSkrypnyk (#2617)
What it does: Reads the Acquia backup URL from the API's JSON response instead of an incorrect field.
How to use it: Applies automatically to Acquia database fetches. - [#2614] Fixed inline
extra.patchesfordrevops/vortex-toolingfailing in the bootstrap install. @AlexSkrypnyk (#2616)
What it does: Fixes a bootstrap-install failure caused by inline patch declarations for the tooling package.
How to use it: Applies automatically on fresh installs. - [#2549] Hardened fragile site UUID extraction in the provision script. @AlexSkrypnyk (#2584)
What it does: Makes site UUID extraction during provisioning robust against formatting variations.
How to use it: Applies automatically on provision. - [#2609] Removed deprecated
sid_lengthandsid_bits_per_characterfromservices.yml. @AlexSkrypnyk (#2610)
What it does: Removes session-ID keys no longer supported by Drupal 11 core.
How to use it: Applies automatically. See Breaking changes. - [#2643] Hardened the host-side database-download tooling scripts. @AlexSkrypnyk (#2648)
What it does: Adds defensive handling to the host-side database fetch scripts.
How to use it: Applies automatically. - [#2631] Removed the hardcoded Drupal major from the CI database cache key. @AlexSkrypnyk (#2639)
What it does: Drops the hardcoded Drupal major version from the CI database cache key so it no longer needs manual updates across majors.
How to use it: Applies automatically in CI. - [#2659] Fixed tooling script messages to read as proper English and aligned wording. @AlexSkrypnyk (#2663)
What it does: Corrects and aligns user-facing tooling messages.
How to use it: No action needed. - [#2551] Guarded
VORTEX_NOTIFY_BRANCHunderset -uin notify branch filters. @AlexSkrypnyk (#2573)
What it does: Prevents an unbound-variable error in notification branch filtering.
How to use it: Applies automatically. - [#2553] Fixed an overly broad branch-filter regex character class in the CircleCI deploy config. @AlexSkrypnyk (#2574)
What it does: Narrows a deploy branch-filter regex that matched more branches than intended.
How to use it: Applies automatically to CircleCI deployments. - [#2552] Cleaned up
vendor-tempon failure invortex-tooling.sh. @AlexSkrypnyk (#2561)
What it does: Removes the temporary vendor directory if the tooling bootstrap fails.
How to use it: Applies automatically. - Internal fixes (no consumer action needed): grouped
findname predicates in the CI Dockerfile lint step (#2554, #2560); corrected the tmate timeout comment to match the 120-minute value (#2555, #2559); isolatedssh-addin BATS tests (#2649, #2662); masked secrets in the demo-video pipeline (#2709).
- [#2704] Fixed the SDC lint check passing when
-
β¬οΈ Updated
- [#2699] Updated Behat and Drupal extensions; enabled animated screenshots and a site-wide accessibility report. @AlexSkrypnyk (#2700)
What it does: Bumps the Behat and Drupal testing extensions and turns on animated failure screenshots plus a site-wide accessibility report.
How to use it: Runahoy test-bdd; the accessibility report and screenshots are produced automatically. - [#2697] Updated
vincentlanglet/twig-cs-fixerto v4. @AlexSkrypnyk (#2698) - [#2676] Updated the Solr config-set
luceneMatchVersionto9.12.3to match the image Lucene. @AlexSkrypnyk (#2678) - [#2611] Removed
guzzlehttp/psr7audit-ignore entries and bumped core to~11.3.12. @AlexSkrypnyk (#2658) - [#2611] Ignored
guzzlehttp/psr7advisories pulled transitively viadrupal/core-recommended. @AlexSkrypnyk (#2612) - Updated the database base image, theme dependencies, and a pinned GitHub Action. @AlexSkrypnyk (#2712)
- Refreshed
.vortex/dev dependencies for June 2026. @AlexSkrypnyk (#2738) - Bumped the CI database cache version to
v26.7.0. @AlexSkrypnyk (#2710) - Updated deps. @AlexSkrypnyk (#2624)
- Update PHP - Drupal core - Minor and patch to ~11.3.13. @AlexSkrypnyk (#2707)
- Update PHP - All packages except core - Minor and patch. @AlexSkrypnyk (#2607, #2585)
- Update PHP - All packages except core - Minor and patch. @renovate[bot]
- Update Container images - All - Major, minor and patch to v26.6.0. @AlexSkrypnyk (#2667)
- Update uselagoon/mysql-8.4 Docker tag to v26.6.0. @AlexSkrypnyk (#2669)
- Update uselagoon/valkey-8 Docker tag to v26.6.0. @renovate[bot] (#2664)
- Update drevops/docker-wait-for-dependencies Docker tag to v26.6.1. @AlexSkrypnyk (#2702) and to v26.6.0 (#2668)
- Update selenium/standalone-chromium Docker tag to v149. @AlexSkrypnyk (#2706)
- Update GitHub Actions - All - Major, minor and patch. @renovate[bot] (#2749, #2742, #2736, #2708, #2695, #2693, #2677, #2637, #2608, #2593, #2589, #2588, #2582, #2542)
- [#2699] Updated Behat and Drupal extensions; enabled animated screenshots and a site-wide accessibility report. @AlexSkrypnyk (#2700)
π Installer
-
β¨ New
- [#2596] Added installer support for multiple Vortex scaffold versions (1.x and 2.x). @AlexSkrypnyk (#2605)
What it does: Lets the installer scaffold either the current1.xline or the upcoming2.xline.
How to use it: Choose the desired version during installation; the default follows theVORTEX_CURRENT_MAJORsetting. - [#2675] Added a selectable
develmodule via the installer. @AlexSkrypnyk (#2679)
What it does: Adds an installer prompt to include the Drupaldevelmodule.
How to use it: Answer the installer prompt; when enabled,develis excluded from config exports (#2675/#2682). - [#2665] Added an installer prompt to make the in-container theme build optional. @AlexSkrypnyk (#2681)
What it does: Lets you skip the in-container theme build during installation.
How to use it: Answer the new installer prompt to enable or skip the in-container theme build.
- [#2596] Added installer support for multiple Vortex scaffold versions (1.x and 2.x). @AlexSkrypnyk (#2605)
-
π Changed
- [#2726] Renamed the installer's database source from
download-dbtofetch(installer source). @AlexSkrypnyk (#2730)
What it does: Updates the installer's database-source handler and generated variables to thefetchvocabulary, matching the template rename.
How to use it: Reflected automatically in newly installed projects. - Excluded installer test fixtures from the Zizmor GitHub Actions audit. @AlexSkrypnyk (#2684)
What it does: Scopes the Zizmor audit so it does not analyse installer test fixtures.
How to use it: Internal test-infrastructure change; no consumer action needed.
- [#2726] Renamed the installer's database source from
π Documentation
-
β¨ New
- Redesigned the documentation homepage and themed the docs site with new fonts and brand colors. @AlexSkrypnyk (#2746)
What it does: Refreshes the vortextemplate.com homepage and applies new brand fonts and colors across the docs.
How to use it: Visit https://www.vortextemplate.com. - [#2595] Added path-based documentation versioning with v1/v2 CI aggregation. @AlexSkrypnyk (#2601)
What it does: Publishes per-major documentation (v1, v2) with CI aggregation so each major line has its own docs.
How to use it: Use the version selector on the docs site; the default followsVORTEX_CURRENT_MAJOR. - [#2599] Consolidated project onboarding into a single tabbed installation guide. @AlexSkrypnyk (#2600)
What it does: Merges the onboarding paths into one tabbed installation guide.
How to use it: Follow the unified installation guide in the docs. - [#2602] Deployed PR docs as Netlify previews and commented the preview link. @AlexSkrypnyk (#2603)
What it does: Builds a Netlify preview for documentation pull requests and posts the preview link as a comment.
How to use it: Maintainers see the preview link on docs PRs automatically. - [#2744] Documented all
requirepackages on thecomposer.jsondocumentation page. @AlexSkrypnyk (#2745)
What it does: Documents every shippedrequiredependency and its purpose.
How to use it: See the composer.json docs page. - [#2673] Documented allowlisting Diffy's static IP in a WAF or CDN. @AlexSkrypnyk (#2674)
What it does: Explains how to allowlist Diffy's static IP for visual-regression runs behind a WAF/CDN.
How to use it: Follow the Diffy documentation section. - [#2543] Documented the required
DRUPAL_HASH_SALTvariable for hosted environments. @AlexSkrypnyk (#2558)
What it does: DocumentsDRUPAL_HASH_SALTas a required variable for hosted environments in the onboarding/setup section.
How to use it: SetDRUPAL_HASH_SALTin your hosting environment. - [#2731] Documented tagging
drevops/vortex-toolingbefore each Vortex release. @AlexSkrypnyk (#2734)
What it does: Adds the tooling-tagging step to the maintenance release documentation.
How to use it: Maintainer-facing; see the release maintenance guide.
- Redesigned the documentation homepage and themed the docs site with new fonts and brand colors. @AlexSkrypnyk (#2746)
-
π Changed
- [#2729] Clarified that
export-dbandimport-dbrun on the host or in the container. @AlexSkrypnyk (#2732)
What it does: Clarifies the execution context of the database export/import commands.
How to use it: See the database documentation. - [#2634] Moved the AI doc cache to
.artifactsand git-excluded.artifacts. @AlexSkrypnyk (#2638)
What it does: Relocates cached AI documentation under.artifacts/and ignores that directory in git.
How to use it: No action needed; cached docs now live under.artifacts/. - [#2550] Scoped the
php:evalrule to ad-hoc agent use inAGENTS.md. @AlexSkrypnyk (#2572)
What it does: Clarifies that thedrush php:evalprohibition targets ad-hoc agent use, not committed vetted scripts.
How to use it: SeeAGENTS.md. - Enhanced
vortex-toolingpackage docs and relocated the maintenance guide. @AlexSkrypnyk (#2541)
What it does: Improves the tooling package documentation and moves its maintenance guide.
How to use it: Maintainer-facing.
- [#2729] Clarified that
-
π Fixed
- [#2644] Fixed imprecise
--fresh/cache wording in the database docs. @AlexSkrypnyk (#2646)
What it does: Corrects misleading wording about the--freshflag and database caching.
How to use it: See the database documentation.
- [#2644] Fixed imprecise
π Release checklist
- Updated all dependencies outside of the schedule (Renovate) - pending: run
renovate --schedule= --force-cli=true drevops/vortexmanually. - Updated container images and checked
@seelinks - current:uselagoon/mysql-8.4:26.6.0,uselagoon/valkey-8:26.6.0,selenium/standalone-chromium:149.0,drevops/docker-wait-for-dependencies:26.6.1,drevops/ci-runner:26.6.0. Verify latest via the Renovate run above. - Updated PHP version in
composer.jsonforconfig.platform-8.4.21, matches container. - Updated PHP version in
phpcs.xmlfortestVersion-8.4, matches. - Updated PHP version in
phpstan.neonforphpVersion-80421(8.4.21), matches containerPHP_VERSION. - Updated minor version of all packages in
composer.json(composer update -W) - bumpedphpstan/phpstan^2.2.2β^2.2.3andvincentlanglet/twig-cs-fixer^4.0.1β^4.0.2(bump-after-update). - Tagged
drevops/vortex-toolingbefore the Vortex tag - published1.3.0(2026-07-01) with the newvortex-*binaries; pinned to1.3.0in all four spots: rootcomposer.jsonrequire(~1.3.0), root path-repoversionsoverride,scripts/vortex-tooling.sh(VORTEX_DEV dev-bootstrap), and.vortex/tests/phpunit/Traits/SutTrait.php(workflow-test.tooling-sourcepath repo). The last two were initially missed and surfaced by CI + CodeRabbit; the release skill now lists all four and mandates a repo-wide grep for the previous version. - Updated theme dependencies (
yarn upgradeinweb/themes/custom/your_site_theme) - refreshedyarn.lock(64 in-range transitive bumps). -
drevops/ci-runnerversion in CI configs -26.6.0(verify latest via Renovate run). - Incremented the CI database cache version -
v26.7.0, consistent across.circleci/config.yml,.circleci/vortex-test-common.yml,.github/workflows/build-test-deploy.yml. - Updated documentation (
cd .vortex && ahoy update-docs) - pending: regenerate variable docs (many renames this cycle). - Regenerated demo videos (
cd .vortex && ahoy update-videos) - re-recorded all six (installer, build, provision, lint, test, test-bdd) against the publisheddrevops/vortex-tooling:1.3.0; verifiedprovision/buildrun cleanly with no missing-binary errors. - Tagged the Vortex release - done at publish time.
- Pending deprecations checked - none due: the two
@deprecatedmarkers inHostingProjectName.phpare open-ended backward-compatibility shims that name no removal version.
Full Changelog: 1.39.0...1.40.0
@AlexSkrypnyk, @renovate[bot] and renovate[bot]