v0.8.0

0.8.0 (2026-05-08)

⚠ BREAKING CHANGES

• dataviewer: bump frontend stack to React 19, Vite 8, Tailwind v4, MSAL 5, ESLint 10 (#524)

✨ Features

• agents: add automated validation for high-risk Dependabot bumps (#574) (8c3686a), closes #573
• data: add camera selector to annotation workspace and fix AV1 frame extraction (#591) (c809d2f)
• data: seed dataviewer frontend test foundation and per-section codecov flags (#594) (c06c4e3)
• dataviewer: add OWASP security middleware stack (#439) (239edb9)
• infrastructure: add conversion pipeline Terraform module (#542) (244531e)
• infrastructure: upgrade OSMO to chart 1.2.1 / image 6.2 with secure auth and skrl 2.0.0 compatibility (#492) (edfd7a5)
• pipeline: add ACSA setup for ROS2 bag sync to Blob (#451) (c271a54)
• workflows: add advisory Dependabot PR reviewer agentic workflow (#498) (d4bb140)
• workflows: trigger AW Dependabot PR reviewer after PR Validation (#580) (7ab3d16)

🐛 Bug Fixes

• ci: correct stale version comment for actions/create-github-app-token (#506) (b2e9a54)
• ci: restore data-pipeline and training broken tests by domain folder restructure (#547) (06d8472)
• docs: update remaining stale 'Coming soon' labels in docs/README.md (#507) (02439d6)
• docs: update stale coming soon label for Training section (#472) (46db49b)
• evaluation: scope SIL AzureML validation code path and script reference (#387) (9f138a9)
• infrastructure: OSMO workflow execution, PostgreSQL public access, and quickstart corrections (#477) (9ed2da6)
• scripts: exclude CHANGELOG.md from changed-files msdate check (#644) (8133bdc)
• workflows: allow dependabot[bot] to activate AW Dependabot PR Review (#586) (39dc022)
• workflows: correct branches filter on AW Dependabot PR Review workflow_run trigger (#584) (fe06b52)
• workflows: normalize validate.yaml placeholder env/compute values (#510) (340ff44)
• workflows: recompile aw-dependabot-pr-review lock file (#576) (d77c167)
• workflows: switch AW Dependabot PR Review to pull_request_target (#589) (3f1edd1)

📚 Documentation

• docs: Fix deployment guide links (#614) (0070b04)
• document dependency-pinning-artifacts directory purpose (#508) (50e0010)

📦 Build System

• training: standardize on Python 3.12 across manifests, containers, and runtime scripts (#541) (7ad014a)

🔧 Operations

• build: add Copilot cloud agent setup-steps workflow (#593) (c912668)

🔧 Miscellaneous

• build: exclude auto-generated CHANGELOG.md from cspell and seed dictionary (#582) (de1dd57)
• build: redesign codecov flags and split pytest CI per component (#520) (357e745)
• dataviewer: bump frontend stack to React 19, Vite 8, Tailwind v4, MSAL 5, ESLint 10 (#524) (50f8ad4)
• dataviewer: repoint stale src/dataviewer references to data-management/viewer (#504) (88fa1b4), closes #503
• deps-dev: bump basic-ftp from 5.3.0 to 5.3.1 (#618) (ca10f2a)
• deps-dev: bump globals from 15.15.0 to 17.5.0 in /data-management/viewer/frontend (#527) (0e0b2ae)
• deps-dev: bump ip-address from 10.1.0 to 10.2.0 (#616) (816c9cf)
• deps-dev: bump lint-staged from 16.4.0 to 17.0.2 in the root-npm-dependencies group across 1 directory (#626) (0e2f293)
• deps-dev: bump pydantic from 2.13.3 to 2.13.4 in the python-dependencies group across 1 directory (#629) (c24f1c1)
• deps-dev: bump the python-dependencies group across 1 directory with 2 updates (#514) (8410f4b)
• deps: bump azure-core from 1.39.0 to 1.40.0 in /evaluation in the inference-dependencies group across 1 directory (#597) (6141db4)
• deps: bump cryptography from 46.0.6 to 46.0.7 in /data-management/viewer (#424) (5fb6d58)
• deps: bump cryptography from 46.0.6 to 46.0.7 in /data-management/viewer/backend (#423) (b516ad5)
• deps: bump lucide-react from 0.469.0 to 1.8.0 in /data-management/viewer/frontend (#528) (1bdfc1e)
• deps: bump nginx from 8aa63af to 5616878 in /data-management/viewer/frontend (#511) (9e7e20e)
• deps: bump nginx from 1.27-alpine to 1.29-alpine in /data-management/viewer/frontend (#484) (0e5c3dd)
• deps: bump node from 435f353 to e49fd70 in /data-management/viewer/frontend (#560) (2884649)
• deps: bump react-is from 18.3.1 to 19.2.5 in /data-management/viewer/frontend (#530) (d51318c)
• deps: bump tensordict from 0.11.0 to 0.12.1 in /evaluation in the inference-dependencies group across 1 directory (#456) (b24e733)
• deps: bump the dataviewer-backend-dependencies group across 1 directory with 2 updates (#531) (171a1da)
• deps: bump the dataviewer-backend-dependencies group across 1 directory with 5 updates (#516) (4f9a577)
• deps: bump the dataviewer-backend-dependencies group across 1 directory with 5 updates (#602) (6c27ab5)
• deps: bump the dataviewer-dependencies group across 1 directory with 2 updates (#529) (8646971)
• deps: bump the dataviewer-dependencies group across 1 directory with 3 updates (#601) (d28fb50)
• deps: bump the dataviewer-dependencies group across 1 directory with 3 updates (#632) (4ca5f3e)
• deps: bump the dataviewer-dependencies group across 1 directory with 5 updates (#515) (109ee81)
• deps: bump the dataviewer-frontend-patch-minor group across 1 directory with 6 updates (#630) (04d5dfd)
• deps: bump the dataviewer-frontend-patch-minor group across 1 directory with 9 updates (#563) (c08f450)
• deps: bump the docusaurus-dependencies group across 1 directory with 4 updates (#627) (f5825fc)
• deps: bump the docusaurus-dependencies group across 1 directory with 6 updates (#599) (b859344)
• deps: bump the github-actions group across 1 directory with 4 updates (#459) (2609c52)
• deps: bump the github-actions group across 1 directory with 4 updates (#517) (f54bf5d)
• deps: bump the inference-dependencies group across 1 directory with 11 updates (#562) (087f53a)
• deps: bump the inference-dependencies group across 1 directory with 2 updates (#628) (4a3be47)
• deps: bump the pip group across 2 directories with 1 update (#494) (a14b6b0)
• docs: update stale Python 3.11 references to 3.12 (#575) (6f85c95)
• scripts: remove redundant SC1091 disables in OSMO deploy scripts (#509) (ae1cb82)

🔒 Security

• build: pin dependencies and hash-verify downloads (#465) (0289f49)
• build: remediate dependency security advisories (#479) (7196d6d)
• deps-dev: bump basic-ftp from 5.2.1 to 5.2.2 (#454) (cb158f1)
• deps-dev: bump basic-ftp from 5.2.2 to 5.3.0 (#495) (e983b8b)
• deps-dev: bump hypothesis from 6.152.3 to 6.152.4 in the python-dependencies group (#598) (83384d2)
• deps-dev: bump markdownlint-cli2 from 0.22.0 to 0.22.1 in the root-npm-dependencies group (#559) (32bde35)
• deps-dev: bump picomatch from 2.3.1 to 2.3.2 in /docs/docusaurus (#455) (66f86ca)
• deps-dev: bump postcss from 8.5.10 to 8.5.12 in /data-management/viewer/frontend (#569) (a652dba)
• deps-dev: bump the python-dependencies group with 2 updates (#457) (749d231)
• deps-dev: bump the python-dependencies group with 2 updates (#485) (71b44fd)
• deps-dev: bump the python-dependencies group with 3 updates (#564) (9fc52fd)
• deps-dev: bump typescript from 6.0.2 to 6.0.3 in /docs/docusaurus in the docusaurus-dependencies group (#513) (5694dbc)
• deps: bump azureml/openmpi4.1.0-ubuntu22.04 from 20260303.v5 to 20260409.v4 in /evaluation/sil/docker (#480) (25d4df8)
• deps: bump cryptography from 46.0.6 to 46.0.7 in /evaluation in the uv group across 1 directory (#538) (92c5b2e)
• deps: bump diffusers from 0.35.2 to 0.38.0 in /training/il/lerobot (#638) (6261d19)
• deps: bump follow-redirects from 1.15.11 to 1.16.0 in /docs/docusaurus (#469) (0458908)
• deps: bump gitpython and mako for lerobot IL training (#623) (9f8022b)
• deps: bump node from 24.14.1-slim to 25.9.0-slim in /data-management/viewer/frontend (#482) (1532d09)
• deps: bump packaging from 26.0 to 26.1 in /evaluation in the inference-dependencies group (#483) (f4afb6c)
• deps: bump pillow from 12.1.1 to 12.2.0 (#467) (39fb663)
• deps: bump python from 3.11-slim to 3.14-slim in /data-management/viewer/backend (#481) (7af9dfc)
• deps: bump the dataviewer-backend-dependencies group across 1 directory with 15 updates (#428) (e4446a2)
• deps: bump the dataviewer-backend-dependencies group in /data-management/viewer/backend with 4 updates (#487) (0f57c5b)
• deps: bump the dataviewer-backend-dependencies group in /data-management/viewer/backend with 8 updates (#566) (d6e7869)
• deps: bump the dataviewer-dependencies group across 1 directory with 5 updates (#464) (24c208d)
• deps: bump the dataviewer-dependencies group in /data-management/viewer with 2 updates (#486) (90149f3)
• deps: bump the dataviewer-dependencies group in /data-management/viewer with 6 updates (#565) (f0bb36b)
• deps: bump the dataviewer-frontend-patch-minor group across 1 directory with 10 updates (#613) (e481f83)
• deps: bump the github-actions group across 1 directory with 4 updates (#534) (5478ab6)
• deps: bump the github-actions group with 2 updates (#488) (4e6ce98)
• deps: bump the github-actions group with 3 updates (#567) (48c38dc)
• deps: bump the github-actions group with 3 updates (#634) (00cfb49)
• deps: bump the github-actions group with 6 updates (#603) (73eb79a)
• deps: bump the training-dependencies group across 1 directory with 23 updates (#463) (d5a8656)
• deps: bump yaml from 2.8.2 to 2.8.3 in /data-management/viewer/frontend (#453) (10449df)
• pytest harness, dependabot advisories, and OSSF Scorecard remediations (#501) (e8756e8)
• scripts: pin and hash-verify all shell script downloads (#468) (0c2bb9c)

---

Artifact Verification

All release artifacts include Sigstore provenance attestations. Verify with the GitHub CLI:

# Download the source archive
gh release download v0.8.0 --repo microsoft/physical-ai-toolchain --pattern 'source-v0.8.0.tar.gz'

# Verify build provenance
gh attestation verify source-v0.8.0.tar.gz --repo microsoft/physical-ai-toolchain

# Verify SBOM attestation
gh attestation verify source-v0.8.0.tar.gz --repo microsoft/physical-ai-toolchain --predicate-type https://spdx.dev/Document