You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The release.yml finalize-release workflow for 0.3.1 (release-kind=final) completed successfully, but the ## [0.3.1] - TBD heading was never replaced with the actual release date. This TBD then propagated to every downstream artifact: the GHCR image, the release PR body, and the smoke-test deployment.
Steps to Reproduce
just finalize-release 0.3.1 (workflow run #23609745942)
All jobs reported success (validate, finalize, build-and-test, publish, smoke-test)
Root cause investigation areas in .github/workflows/release.yml:
Finalize commit race: commit-action (line 632) commits via API to refs/heads/release/$VERSION. The subsequent git fetch + git reset --hard (line 709) may have fetched before the API commit was visible, causing build-and-test to use a pre-finalize SHA.
Workspace CHANGELOG sync: scripts/sync_manifest.py sync (line 600) must propagate the finalized root CHANGELOG.md to assets/workspace/.devcontainer/CHANGELOG.md. If the manifest doesn't include CHANGELOG or the sync ran before prepare-changelog finalize, the workspace copy would retain TBD.
PR body refresh: The sed extraction (line 722) runs after git reset --hard, but if the reset didn't pick up the finalize commit, the CHANGELOG on disk would still have TBD.
The fact that origin/main still has TBD after merge strongly suggests the finalize commit either didn't land or was superseded by a concurrent commit (e.g. from sync-issues.yml).
Possible Solution
Add a post-commit verification step that fetches the finalized SHA from the API, confirms CHANGELOG.md contains the date, and fails the job if TBD is still present
Ensure build-and-test checks out the exact SHA from the API commit response rather than relying on git rev-parse HEAD after a git reset
Add an integration test: grep -q "## [$VERSION] - [0-9]" CHANGELOG.md after the finalize commit lands
Changelog Category
Fixed
TDD compliance (see .cursor/rules/tdd.mdc)
Related: README "Latest Version" stale after release (pre-commit / CI)
What happened:README.md (Image Details → Latest Version, ~lines 184–185) still listed 0.3.0 (2026-03-13) after 0.3.1 shipped. The generate-docs pre-commit hook regenerates README.md from templates and produced 0.3.1 (2026-03-26). uv run pre-commit run --all-files therefore failed with pre-commit hook(s) made changes and that README diff.
Desired outcome (pick one or combine):
Automation: Ensure the release / prepare-release path updates generated README.mdafterCHANGELOG.md is finalized, then run a full uv run pre-commit run --all-files (or equivalent in CI) so committed artifacts match what hooks generate.
De-scope: Remove or relocate the Latest Version line if it is not worth keeping in sync by hand or by release automation.
This is the same class of problem as the CHANGELOG finalize drift: release artifacts on main were not fully synchronized before downstream sync PRs ran the normal checks.
Description
The
release.ymlfinalize-release workflow for 0.3.1 (release-kind=final) completed successfully, but the## [0.3.1] - TBDheading was never replaced with the actual release date. This TBD then propagated to every downstream artifact: the GHCR image, the release PR body, and the smoke-test deployment.Steps to Reproduce
just finalize-release 0.3.1(workflow run #23609745942)Expected Behavior
CHANGELOG.mdshould contain## [0.3.1] - 2026-03-26on the release branch after the finalize jobghcr.io/vig-os/devcontainer:0.3.1should ship the finalized CHANGELOG in/root/assets/workspace/.devcontainer/CHANGELOG.mdorigin/mainshould contain the finalized CHANGELOG after merge## [0.3.1] - 2026-03-26headerActual Behavior
podman run --rm ghcr.io/vig-os/devcontainer:0.3.1 head -8 /root/assets/workspace/.devcontainer/CHANGELOG.mdshows## [0.3.1] - TBDorigin/mainCHANGELOG.md starts with## [0.3.1] - TBD## [0.3.1] - TBDin the changelog section (header correctly readsRelease 0.3.1 - 2026-03-26)### Added-- no version header at all## [0.3.1] - TBDEnvironment
ghcr.io/vig-os/devcontainer:0.3.1Additional Context
Root cause investigation areas in
.github/workflows/release.yml:commit-action(line 632) commits via API torefs/heads/release/$VERSION. The subsequentgit fetch + git reset --hard(line 709) may have fetched before the API commit was visible, causingbuild-and-testto use a pre-finalize SHA.scripts/sync_manifest.py sync(line 600) must propagate the finalized rootCHANGELOG.mdtoassets/workspace/.devcontainer/CHANGELOG.md. If the manifest doesn't include CHANGELOG or the sync ran beforeprepare-changelog finalize, the workspace copy would retain TBD.git reset --hard, but if the reset didn't pick up the finalize commit, the CHANGELOG on disk would still have TBD.The fact that
origin/mainstill has TBD after merge strongly suggests the finalize commit either didn't land or was superseded by a concurrent commit (e.g. fromsync-issues.yml).Possible Solution
CHANGELOG.mdcontains the date, and fails the job if TBD is still presentbuild-and-testchecks out the exact SHA from the API commit response rather than relying ongit rev-parse HEADafter agit resetgrep -q "## [$VERSION] - [0-9]" CHANGELOG.mdafter the finalize commit landsChangelog Category
Fixed
Related: README "Latest Version" stale after release (pre-commit / CI)
CI failure: Project Checks — job 68847671680 on PR #458 (
chore: sync main into dev after 0.3.1 release).What happened:
README.md(Image Details → Latest Version, ~lines 184–185) still listed 0.3.0 (2026-03-13) after 0.3.1 shipped. Thegenerate-docspre-commit hook regeneratesREADME.mdfrom templates and produced 0.3.1 (2026-03-26).uv run pre-commit run --all-filestherefore failed with pre-commit hook(s) made changes and that README diff.Desired outcome (pick one or combine):
README.mdafterCHANGELOG.mdis finalized, then run a fulluv run pre-commit run --all-files(or equivalent in CI) so committed artifacts match what hooks generate.This is the same class of problem as the CHANGELOG finalize drift: release artifacts on
mainwere not fully synchronized before downstream sync PRs ran the normal checks.