chore: release v0.16.0#1526
Merged
Merged
Conversation
Bump pyproject.toml to 0.16.0 (and uv.lock). Move [Unreleased] to [0.16.0] - 2026-05-28 in CHANGELOG.md with one concise 'so what' entry per PR merged since v0.15.0. Minor bump (not patch) is required: the cycle carries a BREAKING change to apm install exit-code semantics plus new user-facing features (apm deps why, semver ranges on git deps, require_pinned_constraint policy, OpenAPM v0.1 spec). Lint mirror green locally (ruff check + format, pylint R0801, auth-signals). Post-merge: tag v0.16.0 to trigger the release workflow. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Cuts the v0.16.0 release by bumping the project version and rolling the changelog forward to a dated release section.
Changes:
- Bump
apm-cliversion from0.15.0to0.16.0inpyproject.toml(and correspondinguv.lockentry). - Promote the prior Unreleased entries into
## [0.16.0] - 2026-05-28inCHANGELOG.md.
Show a summary per file
| File | Description |
|---|---|
uv.lock |
Updates the locked project version to 0.16.0. |
pyproject.toml |
Updates the package version to 0.16.0. |
CHANGELOG.md |
Adds the 0.16.0 release section and summarizes changes since 0.15.0. |
Copilot's findings
- Files reviewed: 2/3 changed files
- Comments generated: 3
Comment on lines
+14
to
+15
| - OpenAPM v0.1 normative spec at `docs/src/content/docs/specs/openapm-v0.1.md` with JSON Schemas for manifest/lockfile/policy and conformance fixtures under `tests/fixtures/spec-conformance/`, so third-party integrators can build conformant tools without reading the rest of the APM docs. (closes #1502, #1517) | ||
| - `ref:` on git-source dependencies now accepts semver ranges (`^1.2.0`, `~1.4`, `>=2.0 <3`, `1.5.x`). `apm install` resolves the highest matching remote tag and pins the resolved tag, SHA, and constraint in `apm.lock.yaml`; subsequent installs replay offline, `apm install --update` re-resolves. (closes #1488, #1496) |
| - `apm.cmd` Windows shim is now written as ASCII so `cmd.exe` parses it correctly when invoked via `PATH`. A previous attempt to write the shim as UTF-16LE broke fresh installs with garbled output and exit code 1. (#1522) | ||
| - `install.ps1` is now strict ASCII, so `apm self-update` on `cp1252` Windows consoles no longer crashes with `UnicodeEncodeError: 'charmap' codec can't encode characters`. (#1523) | ||
| - `apm install --target opencode` now warns at install time when an agent's frontmatter has shapes OpenCode's Zod schema rejects (`tools:` as list/string, non-hex/non-theme `color:`), so users learn why OpenCode refuses the agent instead of hitting only a runtime crash. (Phase 1 of #581, #1513) | ||
| - `apm compile --target claude` now honors `compilation.strategy: single-file` and `--single-agents`, collapsing into one root `CLAUDE.md` instead of silently emitting per-subdirectory files. (closes #1445, #1514) |
Comment on lines
+32
to
+36
| - `apm install git@gitlab.com:owner/repo.git#ref` now succeeds for users with an SSH key and no `GITLAB_APM_PAT` / `GITLAB_TOKEN`: the validator honors the explicit SSH transport instead of demanding an HTTPS-token probe. GitLab SSH-key users get parity with GitHub SSH users. (closes #1501, #1515) | ||
| - `apm install -g` now correctly integrates hook JSON files authored in the "naked" Claude settings-slice format (event names at top-level, no outer `hooks:` wrap). Previously the file parsed cleanly but merged nothing while the summary still reported `1 hook(s) integrated`; the counter now reflects actual contributions and malformed shapes fail closed with a warning. (closes #1499, #1516) | ||
| - `apm install --update` now re-resolves direct git-source semver dependencies even when the dependency's install path already exists; previously the BFS resolver short-circuited and `--update` was a silent no-op for git-semver refs. (#1496) | ||
| - `policy.dependencies.require_pinned_constraint: true` no longer misclassifies the npm/cargo explicit-equality form `=1.2.3` as `BARE_BRANCH`. Both `1.2.3` and `=1.2.3` are pinned; pip-style `==1.2.3` is still rejected. (follow-up to #1494, #1506) | ||
| - `apm uninstall` now fully cleans `.windsurf/skills/<pkg>/` directories on the `windsurf` target. (by @yoelabril, #1486) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Cut release v0.16.0.
pyproject.tomlto 0.16.0 (anduv.lock).[Unreleased]to[0.16.0] - 2026-05-28inCHANGELOG.md, with one short "so what?" entry per PR merged since v0.15.0.Why minor (0.16.0), not patch (0.15.1)
This cycle carries a BREAKING change to
apm installexit-code semantics (now exits1on errors instead of0, matching npm/pip/cargo) plus four user-facing features:apm deps why <package>command (feat(deps): add 'apm deps why <pkg>' to explain transitive dependencies #1495)policy.dependencies.require_pinned_constraint(feat(policy): require_pinned_constraint to ban unbounded dep ranges #1494)A patch release cannot carry breaking behavior changes or new commands.
Validation
Lint mirror green locally (ruff check + format, pylint R0801, auth-signals).
Post-merge
Tag
v0.16.0to trigger the release workflow.