Merged
…andard model
- Add optional MODEL_TIER param to derive-branch-summary.sh
- Remove stderr suppression in worktree-start; errors now visible
- Retry with standard model when lightweight fails
- Print manual workaround hint with actual issue/type when both fail
Refs: #183
Co-authored-by: Cursor <cursoragent@cursor.com>
…andard model (#184) ## Description Fixes #183: When `derive-branch-summary.sh` fails (e.g. `agent --print` times out), the error message was silently swallowed by `worktree-start`. This PR surfaces errors and adds a retry with the standard model. ## Type of Change - [x] `fix` -- Bug fix ## Changes Made - **scripts/derive-branch-summary.sh**: Add optional `MODEL_TIER` parameter (3rd arg) and `BRANCH_SUMMARY_MODEL` env var; default remains `lightweight` - **justfile.worktree**: Remove stderr suppression; try lightweight first, retry with standard model on failure; print manual workaround hint with actual issue/type when both fail - **tests/bats/worktree.bats**: Add BATS test for `MODEL_TIER` parameter - **assets/workspace/.devcontainer/justfile.worktree**: Synced via `just sync-workspace` ## Changelog Entry ``` ### Fixed - **worktree-start swallows derive-branch-summary error messages** ([#183](#183)) - Remove stderr suppression so error messages from derive-branch-summary.sh are visible - Retry with standard model when lightweight model fails; print manual workaround hint if both fail - Add optional MODEL_TIER parameter to derive-branch-summary.sh; BATS test for retry path ``` ## Testing - [x] BATS test added for MODEL_TIER param - [x] Manual: `env BRANCH_SUMMARY_CMD="false" ./scripts/derive-branch-summary.sh "Test"` shows [ERROR] and hint - [x] Manual: `env BRANCH_SUMMARY_CMD="echo retry-summary" ./scripts/derive-branch-summary.sh "Test" "/dev/null" "standard"` returns retry-summary ## Checklist - [x] My code follows the project's style guidelines - [x] I have performed a self-review of my code - [x] I have updated CHANGELOG.md in the [Unreleased] section - [x] I have added tests that prove my fix is effective Refs: #183 Made with [Cursor](https://cursor.com)
…182) ## Summary - Replace `_styled(f"#{n}", "cyan")` with `_gh_link(owner_repo, n, "issues")` in `_build_pr_table` - Issue numbers in the PR table's "Issues" column are now clickable hyperlinks (consistent with PR numbers and issue table) - Minor display change: numbers no longer have `#` prefix (matches `_gh_link` convention used elsewhere) ## Test plan - [x] Failing regression test added (`TestBuildPrTableIssueLinks`) - [x] Test passes after fix - [x] All 68 existing tests pass - [ ] Manual verification: `just gh-issues` shows clickable issue links in PR table Refs: #174
Signed-off-by: gerchowl <gerchowl@ethz.ch>
## Description Fixes the `just gh-issues` PR table CI column showing incorrect status when checks are re-run. The `statusCheckRollup` from `gh pr list` includes all check runs (including re-runs), so a check that failed twice then succeeded would show red (✗ 1/3) instead of green (✓ 1/1). This PR deduplicates `statusCheckRollup` by check name, keeping only the latest result (by `completedAt`), so the CI column matches what GitHub shows on the PR page. ## Type of Change - [x] `fix` -- Bug fix - [ ] `feat` -- New feature - [ ] `docs` -- Documentation only - [ ] `chore` -- Maintenance task (deps, config, etc.) - [ ] `refactor` -- Code restructuring (no behavior change) - [ ] `test` -- Adding or updating tests - [ ] `ci` -- CI/CD pipeline changes - [ ] `build` -- Build system or dependency changes - [ ] `revert` -- Reverts a previous commit - [ ] `style` -- Code style (formatting, whitespace) ### Modifiers - [ ] Breaking change (`!`) -- This change breaks backward compatibility ## Changes Made - `scripts/gh_issues.py`: Add `_dedupe_status_checks()` helper; call it at start of `_format_ci_status()` - `tests/test_gh_issues.py`: Add two tests for dedup (by completedAt, fallback when missing) - `CHANGELOG.md`: Add Fixed entry for #176 ## Changelog Entry ### Fixed - **gh-issues CI status deduplicates re-run checks** ([#176](#176)) - Deduplicate `statusCheckRollup` by check name, keeping only the latest result (by `completedAt`) - CI column now matches GitHub PR page when checks are re-run ## Testing - [x] Tests pass locally (`uv run pytest tests/test_gh_issues.py -v`) - [ ] Manual testing performed (describe below) ### Manual Testing Details N/A — unit tests cover the dedup logic. 
## Checklist - [x] My code follows the project's style guidelines - [x] I have performed a self-review of my code - [x] I have commented my code, particularly in hard-to-understand areas - [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`) - [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above) - [x] My changes generate no new warnings or errors - [x] I have added tests that prove my fix is effective or that my feature works - [x] New and existing unit tests pass locally with my changes - [x] Any dependent changes have been merged and published ## Additional Notes Design and implementation plan posted as comments on #176. Refs: #176
Refs: #187 Co-authored-by: Cursor <cursoragent@cursor.com>
Replace dirname(justfile_directory()) with source_directory()/scripts to correctly locate version-check.sh in both deployed workspace and devcontainer repo contexts. Matches justfile.gh pattern. Refs: #187 Co-authored-by: Cursor <cursoragent@cursor.com>
Refs: #187 Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: gerchowl <gerchowl@ethz.ch>
Remove "hadolint-docker", "pip-licenses", "check-action-pins", "bandit", and "validate-commit-msg". They are not available in downstream projects yet. Refs: #170
)
- Add manifest entries for resolve-branch.sh, derive-branch-summary.sh, check-skill-names.sh → .devcontainer/scripts/
- Update justfile.worktree to use source_directory() / "scripts" for portable path resolution (devcontainer repo vs deployed workspace)
- Add Sed transform for check-skill-names.sh path in synced pre-commit
Refs: #190
Co-authored-by: Cursor <cursoragent@cursor.com>
) (#191) ## Summary Fixes #190 — scripts referenced by synced justfiles and pre-commit were not deployed to workspaces. ## Changes 1. **Manifest entries** — Add resolve-branch.sh, derive-branch-summary.sh, check-skill-names.sh to `scripts/manifest.toml` with dest `.devcontainer/scripts/` 2. **Path resolution** — Update justfile.worktree to use `source_directory() / "scripts"` instead of `$(pwd)/scripts/`: - Devcontainer repo: `source_directory()` = repo root → `scripts/` ✓ - Deployed workspace: `source_directory()` = `.devcontainer/` → `.devcontainer/scripts/` ✓ 3. **Pre-commit transform** — Add Sed transform to update check-skill-names.sh path from `scripts/` to `.devcontainer/scripts/` in synced `.pre-commit-config.yaml` ## Note Issue #190 lists devc-remote.sh as a fourth script; it does not exist in the current codebase. The three scripts that exist are now synced. If devc-remote.sh is added later, a manifest entry can be added in a follow-up. ## Verification - `uv run python scripts/sync_manifest.py sync assets/workspace/` — all entries sync successfully - `just -f justfile.worktree --list` — parses correctly - `uv run pytest tests/test_transforms.py tests/test_utils.py` — 78 passed
## Description Fixes the `just check` recipe path resolution bug. The recipe used `dirname(justfile_directory())` to locate `.devcontainer/scripts/version-check.sh`, which resolved one level above the project root in both deployed workspaces and the devcontainer repo. Replaced with `source_directory()/scripts` (matching the pattern in `justfile.gh`) so the path resolves correctly in both contexts. ## Type of Change <!-- Mark the relevant option(s) with an 'x' --> - [ ] `feat` -- New feature - [x] `fix` -- Bug fix - [ ] `docs` -- Documentation only - [ ] `chore` -- Maintenance task (deps, config, etc.) - [ ] `refactor` -- Code restructuring (no behavior change) - [ ] `test` -- Adding or updating tests - [ ] `ci` -- CI/CD pipeline changes - [ ] `build` -- Build system or dependency changes - [ ] `revert` -- Reverts a previous commit - [ ] `style` -- Code style (formatting, whitespace) ### Modifiers - [ ] Breaking change (`!`) -- This change breaks backward compatibility ## Changes Made - `justfile.base`: Replace `dirname(justfile_directory())` with `source_directory()/scripts` in check recipe - `assets/workspace/.devcontainer/justfile.base`: Synced via `just sync-workspace` - `tests/test_integration.py`: Add regression test `test_just_check_config_via_just_command` that runs `just check config` from workspace - `CHANGELOG.md`: Add entry under Fixed ## Changelog Entry ### Fixed - **just check uses wrong path — justfile_directory() resolves incorrectly in imported justfile.base** ([#187](#187)) - Replace `dirname(justfile_directory())` with `source_directory()/scripts` to correctly locate version-check.sh in deployed workspaces and devcontainer repo - Regression test: `just check config` runs successfully from workspace ## Testing <!-- Describe the tests you ran and how to verify your changes --> - [x] Tests pass locally (`just test`) - [ ] Manual testing performed (describe below) ### Manual Testing Details Integration tests pass (110 passed). 
Regression test `test_just_check_config_via_just_command` verifies `just check config` runs successfully from initialized workspace. BATS and hadolint precommit hooks failed due to environment (bats-support library, Docker daemon) — unrelated to this fix. ## Checklist <!-- Mark completed items with an 'x' --> - [x] My code follows the project's style guidelines - [x] I have performed a self-review of my code - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`) - [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above) - [x] My changes generate no new warnings or errors - [x] I have added tests that prove my fix is effective or that my feature works - [x] New and existing unit tests pass locally with my changes - [ ] Any dependent changes have been merged and published ## Additional Notes TDD: regression test added first (RED), then fix (GREEN). The fix uses `source_directory()` (available since just 1.27.0), which returns the directory of the current source file — correct for imported justfile.base in both workspace and repo contexts. Refs: #187
Refs: #192 Co-authored-by: Cursor <cursoragent@cursor.com>
) (#193) ## Description Adds a "pull latest base branch and merge" step to all PR-creating skills before creating or pushing a pull request. Ensures branches are up to date with `origin/dev` (or the target base) to avoid merge conflicts and stale code in PRs. ## Type of Change <!-- Mark the relevant option(s) with an 'x' --> - [x] `feat` -- New feature - [x] `fix` -- Bug fix - [ ] `docs` -- Documentation only - [ ] `chore` -- Maintenance task (deps, config, etc.) - [ ] `refactor` -- Code restructuring (no behavior change) - [ ] `test` -- Adding or updating tests - [ ] `ci` -- CI/CD pipeline changes - [ ] `build` -- Build system or dependency changes - [ ] `revert` -- Reverts a previous commit - [ ] `style` -- Code style (formatting, whitespace) ### Modifiers - [ ] Breaking change (`!`) -- This change breaks backward compatibility ## Changes Made - **pr_create**: Step 1 now merges `origin/<base_branch>` after base is confirmed. Conflict handling: ask user to resolve manually. - **pr_solve**: Step 5 now merges `origin/<base_branch>` (from PR metadata) before first push. Conflict handling: ask user to resolve. - **worktree_pr**: Reordered steps so base branch is determined first (step 1), then step 2 ensures clean state including merge of `origin/<base_branch>` before push. Conflict handling: invoke worktree_ask to post question on issue. - **worktree_solve-and-pr**: Inherits merge step via worktree_pr (no direct changes). - **solve-and-pr**: Delegates to worktree_solve-and-pr (no changes needed). ## Changelog Entry No changelog needed — issue specifies "No changelog needed" for this refactor. ## Testing <!-- Describe the tests you ran and how to verify your changes --> - [x] Tests pass locally (`just test`) - [x] Manual testing performed (describe below) ### Manual Testing Details - Ran `just sync-workspace` to sync skills to assets/workspace - Pre-commit hooks passed (branch-name, pymarkdown, trailing-whitespace, etc.) 
- Merged latest `origin/dev` before PR per the new workflow ## Checklist <!-- Mark completed items with an 'x' --> - [x] My code follows the project's style guidelines - [x] I have performed a self-review of my code - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`) - [ ] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above) - [x] My changes generate no new warnings or errors - [ ] I have added tests that prove my fix is effective or that my feature works - [x] New and existing unit tests pass locally with my changes - [x] Any dependent changes have been merged and published ## Additional Notes <!-- Any additional information, screenshots, or context that reviewers should know --> Refs: #192
…mit-msg, author check, PR body scan
- Canonical blocklist .github/agent-blocklist.toml (trailers, names, emails)
- prepare-commit-msg hook strips Co-authored-by trailers before validation
- Pre-commit hook rejects author/committer matching blocklist (skips in CI)
- validate-commit-msg --blocked-patterns for TOML; shared agent_blocklist module
- pr-title-check CI scans PR title and body for agent fingerprints
- Skill rules strengthened (git_commit, worktree_execute, worktree_pr)
Refs: #163
- Add devcontainer dependency group (rich, pre-commit, ruff, pip-licenses)
- Container build installs from pyproject via uv export --only-group devcontainer
- Add rich to workspace template dev group; change justfile.gh to uv run python
- prepare-build.sh copies pyproject.toml and uv.lock to build context
Refs: #159
Signed-off-by: gerchowl <gerchowl@ethz.ch>
…member The uv.lock references vig-utils as an editable workspace member at packages/vig-utils. Moving the COPY before uv export ensures the lockfile can resolve all workspace members during the build. Refs: #159
- Move PRE_COMMIT_HOME, UV_PROJECT_ENVIRONMENT, VIRTUAL_ENV from docker-compose.yml to Containerfile image ENV
- Remove --no-install-project from sync recipe so project is installed
- Add just sync step to init-workspace.sh after placeholder replacement
Refs: #170
…initialization Refs: #170
Added `jq`, `tmux`, and cursor agent CLI. Updated documentation (README, CHANGELOG, and CONTRIBUTE) Refs: #196
## Description

Replaces executable `.vig-os` loading with data-only parsing in `initialize.sh` and `version-check.sh` so unexpected shell content cannot execute. Adds regression integration coverage proving shell payloads in `.vig-os` are not executed while `DEVCONTAINER_VERSION` is still read and used. Includes a follow-up test hardening commit to restore `.vig-os` after mutation-based tests so later integration tests are not impacted by test-side config changes. Adds a final test stabilization commit so `IN_CONTAINER=true` hook-path BATS checks are deterministic and no longer depend on host hook return behavior.

## Type of Change

- [ ] `feat` -- New feature
- [ ] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [x] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [ ] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers

- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made

- `assets/workspace/.devcontainer/scripts/initialize.sh`
  - Replaced `source "$config_file"` in `load_vig_os_config` with line-by-line key/value parsing for `DEVCONTAINER_VERSION`
  - Preserved existing `.env` update behavior and Darwin/Linux `sed` handling
- `assets/workspace/.devcontainer/scripts/version-check.sh`
  - Replaced `source "$config_file"` in `get_current_version` with data-only parsing for `DEVCONTAINER_VERSION`
  - Preserved existing pinned-version filtering (`dev`, `latest`, empty)
- `tests/test_integration.py`
  - Added regression test for `initialize.sh` to ensure shell payloads in `.vig-os` are not executed
  - Added regression test for `version-check.sh config` to ensure shell payloads in `.vig-os` are not executed
  - Added restoration of `.vig-os` after mutation tests to prevent side effects on later tests
- `tests/bats/githooks.bats`
  - Made `IN_CONTAINER=true` guard tests deterministic for `pre-commit`, `prepare-commit-msg`, and `commit-msg`
  - Adjusted expectations so tests validate guard behavior without flaky exit-code assumptions

## Changelog Entry

No changelog needed. Issue `#285` explicitly marks changelog category as "No changelog needed", and this PR keeps behavior intact while hardening implementation details.

## Testing

- [x] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)

### Manual Testing Details

## Checklist

- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`)
- [ ] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above)
- [x] My changes generate no new warnings or errors
- [x] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published

## Additional Notes

Issue references a security hardening concern flagged during smoke-test review; this PR keeps scope limited to the two script functions and corresponding tests.

Refs: #285
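
The hardening described in the PR body above (replacing `source "$config_file"` with line-by-line key/value parsing) is illustrated here as an added example; it is not the project's code. The helper names `load_by_sourcing`, `read_config_value` and `demo`, the value allowlist, and the `.vig-os` content are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not the project's code): sourcing a config file versus
# reading it as data. All function names here are hypothetical.

# BEFORE: `.` (source) runs every line of the file as shell, then the
# variable is read back. Runs in a subshell so nothing leaks to the caller.
load_by_sourcing() (
    . "$1" >/dev/null 2>&1
    printf '%s\n' "$DEVCONTAINER_VERSION"
)

# AFTER: the file is only ever read, never evaluated. A line is used only
# if it has the exact form KEY=value; leading whitespace, `export KEY=...`
# and any other line are ignored. The value must pass an allowlist
# (an assumption of this example), otherwise the function fails.
read_config_value() (
    key=$1 file=$2 found=
    cr=$(printf '\r')
    [ -r "$file" ] || exit 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                    # tolerate CRLF files
        case $line in
            "$key="*) value=${line#"$key="} ;;
            *) continue ;;                    # comments, blanks, anything else
        esac
        case $value in                        # drop one pair of matching quotes
            \"*\") value=${value#\"}; value=${value%\"} ;;
            \'*\') value=${value#\'}; value=${value%\'} ;;
        esac
        found=$value                          # last assignment wins
    done < "$file"
    case $found in
        ''|*[!A-Za-z0-9._-]*) exit 1 ;;       # empty or unexpected characters
    esac
    printf '%s\n' "$found"
)

# Constructed sample: line 1 is valid data, line 2 is shell that leaves a
# marker file behind if it is ever executed.
demo() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    cfg=$dir/.vig-os
    printf 'DEVCONTAINER_VERSION=0.3.0\ntouch "%s/marker"\n' "$dir" > "$cfg"

    load_by_sourcing "$cfg" >/dev/null
    [ -e "$dir/marker" ] && sourced=executed || sourced=clean
    rm -f "$dir/marker"

    version=$(read_config_value DEVCONTAINER_VERSION "$cfg") || version=rejected
    [ -e "$dir/marker" ] && parsed=executed || parsed=clean
    printf 'source=%s parser=%s version=%s\n' "$sourced" "$parsed" "$version"
)

demo
```

A regression test for this kind of change checks both halves: the marker file is absent after parsing, and the version is still returned.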
## Summary

- Update all `vig-os/commit-action` workflow pins used by release/sync/smoke-test flows to `c0024cbad0e501764127cccab732c6cd465b4646` (`v0.1.5`).
- Align workspace template workflow pins with root workflow pin updates.
- Add a `CHANGELOG.md` entry under `0.3.0` → `Fixed` for issue #286.

## Test plan

- [x] Confirm old `commit-action` SHAs no longer exist in repo workflow files.
- [x] Run pre-commit hooks via local commit (all checks passed).
- [ ] Validate end-to-end smoke-test repository dispatch run after merge.
## Description Fix smoke-test deploy commit traceability by removing an invalid local issue reference from automated `chore: deploy <tag>` commits generated in `vig-os/devcontainer-smoke-test`. Also add a maintainer note in the template workflow that changes in this file require manual redeploy to the smoke-test repository and promotion through PRs to `main`. ## Type of Change - [ ] `feat` -- New feature - [x] `fix` -- Bug fix - [ ] `docs` -- Documentation only - [ ] `chore` -- Maintenance task (deps, config, etc.) - [ ] `refactor` -- Code restructuring (no behavior change) - [ ] `test` -- Adding or updating tests - [ ] `ci` -- CI/CD pipeline changes - [ ] `build` -- Build system or dependency changes - [ ] `revert` -- Reverts a previous commit - [ ] `style` -- Code style (formatting, whitespace) ### Modifiers - [ ] Breaking change (`!`) -- This change breaks backward compatibility ## Changes Made - `assets/smoke-test/.github/workflows/repository-dispatch.yml` - Remove `Refs: #258` from the automated deploy commit body (invalid in smoke-test repo context) - Add a template note about manual redeploy/sync expectations for this workflow file - `CHANGELOG.md` - Add a `0.3.0` `### Fixed` entry for issue `#284` ## Changelog Entry ### Fixed - **Smoke-test deploy commit no longer references non-local issue IDs** ([#284](#284)) - `assets/smoke-test/.github/workflows/repository-dispatch.yml` no longer injects `Refs: #258` into automated `chore: deploy <tag>` commits in the smoke-test repository - Added maintainer note that workflow-template changes require manual redeploy to `vig-os/devcontainer-smoke-test` and promotion through PRs to `main` ## Testing - [ ] Tests pass locally (`just test`) - [ ] Manual testing performed (describe below) ### Manual Testing Details N/A ## Checklist - [x] My code follows the project's style guidelines - [x] I have performed a self-review of my code - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have updated 
the documentation accordingly (edit `docs/templates/`, then run `just docs`) - [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above) - [x] My changes generate no new warnings or errors - [ ] I have added tests that prove my fix is effective or that my feature works - [ ] New and existing unit tests pass locally with my changes - [ ] Any dependent changes have been merged and published ## Additional Notes Follow-up enhancement tracked in `#289` for richer dispatch payload metadata and downstream completion reporting. Refs: #284
## Description

Fixes a release-blocking edge case where sanitized project names could end with `_`, producing an invalid `pyproject.toml` package name during install/integration flows. Adds a regression test, applies boundary-safe normalization in both install paths, and records the fix in the changelog.

## Type of Change

- [ ] `feat` -- New feature
- [x] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [ ] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers

- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made

- `tests/test_install_script.py`
  - Added `test_dry_run_name_sanitization_trims_trailing_separator`.
  - Verifies `--name "Install-Test-Project-"` becomes `install_test_project` (no trailing underscore).
- `install.sh`
  - Updated `sanitize_name()` to collapse duplicate underscores, trim non-alphanumeric boundaries, and fallback to `project` when empty.
- `assets/init-workspace.sh`
  - Mirrored the same short-name normalization to keep runtime initialization behavior consistent with install-time behavior.
- `CHANGELOG.md`
  - Added a `### Fixed` entry for issue `#291` under the active `0.3.0` section.

## Changelog Entry

### Fixed

- **Install name sanitization trims invalid package boundaries** ([#291](#291))
  - `install.sh` now normalizes sanitized project names to ensure they start/end with alphanumeric characters before passing `SHORT_NAME`
  - `init-workspace.sh` mirrors the same normalization so generated `pyproject.toml` names cannot end with separators like `_`

## Testing

- [x] Tests pass locally (`just test`)

## Checklist

- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`)
- [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above)
- [x] My changes generate no new warnings or errors
- [x] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published

## Additional Notes

- Release failure reference: [run 23049118093](https://github.com/vig-os/devcontainer/actions/runs/23049118093), [job 66945611261](https://github.com/vig-os/devcontainer/actions/runs/23049118093/job/66945611261)
- Intended base branch for this fix PR: `release/0.3.0`

Refs: #291
## Description

Fixes the smoke-test dispatch redeploy failure when resetting an existing `chore/deploy-<tag>` branch. The GitHub API PATCH request in `repository-dispatch.yml` previously sent `force` as a string (`-f force=true`), which returns `HTTP 422` in the smoke-test repository. This updates the call to use a typed boolean flag.

## Type of Change

- [ ] `feat` -- New feature
- [x] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [x] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers

- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made

- `assets/smoke-test/.github/workflows/repository-dispatch.yml`
  - Changed `gh api` PATCH argument from `-f force=true` to `-F force=true`
  - Ensures `force` is sent as a boolean, matching GitHub API schema for ref updates

## Changelog Entry

No changelog needed. This is an internal CI workflow fix on a release bugfix branch, and issue `#293` explicitly sets changelog category to "No changelog needed".

## Testing

- [ ] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)

### Manual Testing Details

N/A

## Checklist

- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`)
- [ ] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above)
- [x] My changes generate no new warnings or errors
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published

## Additional Notes

Repro/error reference: https://github.com/vig-os/devcontainer-smoke-test/actions/runs/23051686417/job/66954252175

Refs: #293
## Summary

- Use `publish_version` (not base `version`) for build, test, and artifact naming in release candidate/final release image flow.
- Align downloaded artifact patterns and source image tags in publish step to the same `publish_version` value.
- Prevent RC smoke-test deploys from falling back to stable-only tags when validating container image availability.

## Test plan

- [x] Pre-commit hooks pass for the workflow change.
- [ ] Run release workflow in `candidate` mode for `0.3.0` and verify generated smoke-test PR writes `.vig-os` with `DEVCONTAINER_VERSION=<rc tag>`.
- [ ] Verify smoke-test `CI (Container)` resolves and validates `ghcr.io/vig-os/devcontainer:<rc tag>` successfully.
- [ ] Run final release workflow and verify stable release path remains unchanged.

Refs: #296
…rd (#298) ## Description Align `actions/checkout` pin in the sync-main-to-dev workflow to the repository-standard SHA (`v6.0.2`) to keep CI action pinning consistent. This updates both the source workflow and its mirrored workspace asset with no behavioral refactor. ## Type of Change - [ ] `feat` -- New feature - [ ] `fix` -- Bug fix - [ ] `docs` -- Documentation only - [x] `chore` -- Maintenance task (deps, config, etc.) - [ ] `refactor` -- Code restructuring (no behavior change) - [ ] `test` -- Adding or updating tests - [ ] `ci` -- CI/CD pipeline changes - [ ] `build` -- Build system or dependency changes - [ ] `revert` -- Reverts a previous commit - [ ] `style` -- Code style (formatting, whitespace) ### Modifiers - [ ] Breaking change (`!`) -- This change breaks backward compatibility ## Changes Made - `.github/workflows/sync-main-to-dev.yml` - Updated both `actions/checkout` steps from `34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` to `de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`. - `assets/workspace/.github/workflows/sync-main-to-dev.yml` - Mirrored the same two pin updates to keep generated/workspace assets aligned. ## Changelog Entry No changelog needed: this is an internal `chore(ci)` pin-alignment change with no user-facing impact. 
## Testing - [ ] Tests pass locally (`just test`) - [ ] Manual testing performed (describe below) ### Manual Testing Details N/A ## Checklist - [x] My code follows the project's style guidelines - [x] I have performed a self-review of my code - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`) - [ ] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above) - [x] My changes generate no new warnings or errors - [ ] I have added tests that prove my fix is effective or that my feature works - [ ] New and existing unit tests pass locally with my changes - [ ] Any dependent changes have been merged and published ## Additional Notes N/A Refs: #295
Set release date to 2026-03-13 in CHANGELOG.md Refs: #270
Release 0.3.0 - 2026-03-13
This PR prepares release 0.3.0 for merge to main.
Release Content
Added
`--force` workspace upgrades (#212)
- `init-workspace --force` no longer overwrites `README.md`, `CHANGELOG.md`, `LICENSE`, `.github/CODEOWNERS`, or `justfile.project`
- `up`, `down`, `status`, `logs`, `shell`, `restart`, `open`
- `log` (pretty one-line, last 20), `branch` (current + recent)
- `.cursor/agent-models.toml` with `standard` tier (sonnet-4.5) and `[skill-tiers]` mapping for skill categories (data-gathering, formatting, review, orchestration)
- `.cursor/rules/subagent-delegation.mdc` documenting when and how to delegate mechanical sub-steps to lightweight subagents via the Task tool
- `## Delegation` sections to 12 skills identifying steps that should spawn lightweight/standard-tier subagents to reduce token consumption on the primary autonomous model
- `worktree_solve-and-pr`, `worktree_brainstorm`, `worktree_plan`, `worktree_execute`, `worktree_verify`, `worktree_pr`, `worktree_ci-check`, `worktree_ci-fix`, `code_review`, `issue_triage`, `pr_post-merge`, `ci_check`
- `hadolint` hook to `.pre-commit-config.yaml`, pinned by SHA (v2.9.3)
- `RUN` layers, shellcheck for inline scripts
- `tests/fixtures/sidecar.Containerfile` to pass hadolint with no warnings
- `tmux` to the Containerfile `apt-get install` block
- `check-skill-names` enforces `[a-z0-9][a-z0-9_-]*` naming for skill directories
- `reviewer` parameter in `just worktree-start`
- `PR_REVIEWER` via tmux environment to the autonomous agent
- `worktree_pr` skill to automatically request review when `PR_REVIEWER` is set
- `inception_explore` (divergent problem understanding), `inception_scope` (convergent scoping), `inception_architect` (pattern-validated design), `inception_plan` (decomposition into GitHub issues)
- `docs/templates/RFC.md` (Problem Statement, Proposed Solution, Alternatives, Impact, Phasing) and `docs/templates/DESIGN.md` (Architecture, Components, Data Flow, Technology Stack, Testing)
- `docs/rfcs/` and `docs/designs/` for durable artifacts
- `inception_architect` skill: ByteByteGoHq/system-design-101, donnemartin/system-design-primer, karanpratapsingh/system-design, binhnguyennus/awesome-scalability, mehdihadeli/awesome-software-architecture
- `version-check.sh` into `post-attach.sh` for automatic update checks
- `just devcontainer-upgrade` recipe for convenient upgrades from host

`just check` recipe for version management (#73)
- `just check`, `just check config`, `just check on/off`, `just check 7d`
- `.cursor/worktrees.json` for native Cursor worktree initialization (macOS/Linux local)
- `justfile.worktree` with tmux + cursor-agent CLI recipes (`worktree-start`, `worktree-list`, `worktree-attach`, `worktree-stop`, `worktree-clean`) for devcontainer environments
- `worktree_brainstorm`, `worktree_plan`, `worktree_execute`, `worktree_verify`, `worktree_pr`, `worktree_ask`, `worktree_solve-and-pr`
- `just gh-issues` displays open issues grouped by milestone in rich tables with columns for type, title, assignee, linked branch, priority, scope, effort, and semver
- `.devcontainer/justfile.gh` + `.devcontainer/scripts/gh_issues.py`)
- `.cursor/skills/issue_triage/` for triaging open issues across priority, area, effort, SemVer impact, dependencies, and release readiness
- `label-taxonomy.md`) for priority, area, effort, and SemVer dimensions
- `coding-principles.mdc` (YAGNI, minimal diff, DRY, no secrets, traceability, single responsibility) and `tdd.mdc` (RED-GREEN-REFACTOR discipline)
- `start-issue.md`, `create-issue.md`, `brainstorm.md`, `tdd.md`, `review.md`, `verify.md`
- `check-ci.md`, `fix-ci.md`
- `plan.md`, `execute-plan.md`, `debug.md`
- `.cursor/rules/changelog.mdc` (always applied) guiding agents on when, where, and how to update CHANGELOG.md
- `bug_report.yml`, `feature_request.yml`, and `task.yml` issue templates
- `refactor.yml` (scope/invariants), `documentation.yml` (docs/templates workflow), `ci_build.yml` (target workflows/triggers/release impact)
- `config.yml` disabling blank issues and linking to project docs
- `docs/templates/` and `just docs`
- `.gitmessage` synced to `assets/workspace/`
- `assets/workspace/` is generated output
- `just worktree-start` to work out of the box without manual installation
- `setup-gh-repo.sh` configures repo merge settings via `gh api` (`merge_commit_title=PR_TITLE`, `merge_commit_message=PR_BODY`, `allow_auto_merge=true`)
- `post-create.sh` so downstream devcontainer projects get compliant merge commits automatically
- `--subject-only` flag for `validate-commit-msg` to validate PR titles without requiring body or Refs
- `pr-title-check.yml` CI workflow enforces commit message standard on PR titles
- `Refs: #` placeholder for merge commit traceability
- `ci.yml` passes on a real GitHub-hosted runner

`bandit` pre-installed in devcontainer image (#170)
- `bandit[toml]` added to the system Python install in the Containerfile

`pre-commit` pre-installed in CI `setup-env` action (#170)
- `setup-env` composite action now installs `pre-commit` as a mandatory step so hooks are available in bare-runner CI without a devcontainer

`setup-gh-repo.sh` detaches org default code security configuration (#170)
`init-workspace.sh` runs `just sync` after placeholder replacement (#170)
- `uv.lock` for the new project name and installs the project package into the venv during workspace bootstrap
- `release.yml` now supports `release-kind=candidate` (default) and infers the next available `X.Y.Z-rcN` tag automatically
- `release-kind=final` and are exposed by `just finalize-release`
- `sync-main-to-dev.yml` replaces `post-release.yml` — syncs main into dev via PR instead of direct push, satisfying branch protection rules
- `merge-conflict` with resolution instructions
- `hadolint` in the devcontainer image with SHA-256 checksum verification
- `hadolint` is available in the built image
- `hadolint` binary and install it in `setup-env`/`test-project` workflows
- `taplo-format` and `taplo-lint` hooks to enforce TOML formatting and schema-aware validation
- `.taplo.toml` configuration (local to this repository, not synced downstream)

`--smoke-test` flag to deploy smoke-test-specific assets (#250)
- `init-workspace.sh --smoke-test` deploys files from `assets/smoke-test/` (currently `repository-dispatch.yml` and `README.md`)
- `install.sh` forwards `--smoke-test` flag to `init-workspace.sh`
- `--force --no-prompts` for unattended use
- `initialized_workspace` fixture into reusable `_init_workspace()` with `smoke_test` parameter

`.vig-os` config file as devcontainer version SSoT (#257)
- `assets/workspace/.vig-os` key/value config with `DEVCONTAINER_VERSION` as the canonical version source
- `docker-compose.yml`, `initialize.sh`, and `version-check.sh` to consume `.vig-os`-driven version flow
- `.vig-os` presence and graceful handling when `.vig-os` is missing
- `.vscode/settings.json` to `scripts/manifest.toml` to keep editor settings consistent across root repo and workspace template
- `repository_dispatch` in `vig-os/devcontainer-smoke-test` with the RC tag payload
- `chore/deploy-<tag>`, and opens a PR to `dev`
- `ci.yml`, `ci-container.yml`) trigger on the deploy PR, and auto-merge is enabled when checks pass
- `X.Y.Z` or `X.Y.Z-rcN` before using the tag in refs/URLs
- `CVE-2026-31812` in `uv`/`uvx` pending upstream dependency patch release

Changed
Release CHANGELOG flow redesigned (#172)
- `prepare-release.yml` now freezes CHANGELOG on dev (Unreleased → [X.Y.Z] - TBD + fresh empty Unreleased), then forks release branch and strips the empty Unreleased section
- `## Unreleased`; both branches share the [X.Y.Z] section for clean merges

Release automation now uses dedicated GitHub App identities (#172)
- `APP_SYNC_ISSUES_*` secrets with `RELEASE_APP_*` for release and preparation workflows
- `sync-issues.yml` now uses `COMMIT_APP_*`; `sync-main-to-dev.yml` uses both apps (commit app for refs, release app for PR operations)
- `sync-issues` trigger from `sync-main-to-dev.yml` and documented the app permission model in `docs/RELEASE_CYCLE.md`

Container CI defaults image tag from `.vig-os` (#264)
- `ci.yml` and `ci-container.yml` now run only on `pull_request` and `workflow_dispatch` after removing unused `workflow_call` triggers
- `ci-container.yml` now resolves `DEVCONTAINER_VERSION` from `.vig-os` before container jobs start
- `workflow_dispatch` runs can still override the image via `image-tag`; fallback remains `latest` when no version is available
- `resolve-image` so workflows fail fast if the resolved image tag is unavailable or inaccessible

worktree-clean: add filter mode for stopped-only vs all (#158)
- `just worktree-clean` (no args) now cleans only stopped worktrees, skips running tmux sessions
- `just worktree-clean all` retains previous behavior (clean all worktrees) with warning
- `just wt-clean` alias unchanged

Consolidate sync_manifest.py and utils.py into manifest-as-config architecture (#89)
- `scripts/transforms.py`
- `substitute_in_file()` in utils shared by sed_inplace and Sed transform
- `scripts/manifest.toml`

justfile.base is canonical at repo root, synced via manifest (#71)
- `justfile.base` is now the single source of truth; synced to `assets/workspace/.devcontainer/justfile.base` via `sync_manifest.py`
- `just sync-workspace` and prepare-build keep workspace template in sync

Autonomous PR skills use pull request template (#147)
- `pr_create` and `worktree_pr` now read `.github/pull_request_template.md` and fill each section from available context

Rename skill namespace separator from colon to underscore (#128)
- `.cursor/skills/` and `assets/workspace/.cursor/skills/` renamed (e.g. `issue:create` → `issue_create`)
- `CLAUDE.md` command table, and label taxonomy updated
- `issue_create` skill enhanced: gathers context via `just gh-issues` before drafting, suggests parent/child relationships and milestones
- `issue_create` skill now includes TDD acceptance criterion for testable issue types
- `sync-issues` workflow trigger references removed from skills
- `tdd.mdc` expanded with test scenario checklist and test type guidance; switched from always-on to glob-triggered on source/test files
- `code_tdd`, `code_execute`, and `worktree_execute` skills now reference `tdd.mdc` explicitly

Clickable issue and PR numbers in gh-issues table (#104)
- `#` column in issue and PR tables now uses Rich OSC 8 hyperlinks to GitHub URLs

PR template aligned with canonical commit types (#115)
Updated update notification message (#73)
- `just update` instruction (Python deps, not devcontainer upgrade)
- `just devcontainer-upgrade` and curl fallback

Declarative Python sync manifest (#67)
- `sync-manifest.txt` + bash function and `sync-workspace.sh` with `scripts/sync_manifest.py`
- `prepare-build.sh` and `just sync-workspace` both call the same manifest

Namespace-prefixed Cursor skill names (#67)
- `issue:`, `design:`, `code:`, `git:`, `ci:`, `pr:`)
- `code:` shows implementation skills)

`--org` flag for install script (#33)
- `vigOS`)
- `ORG_NAME` as environment variable to the container
- `curl -sSf ... | bash -s --org MyOrg -- ~/my-project`
- `--org` flag in help, default value, and custom override

Virtual environment prompt renaming (#34)
BATS (Bash Automated Testing System) shell testing framework (#35)
- `test-bats` justfile task and requirements configuration
- `test_helper.bash` supporting both local (node_modules) and CI (BATS_LIB_PATH) library resolution

Post-install user configuration step (#35)
- `run_user_conf()` helper for host-side setup (git, ssh, gh)

Git repository initialization in install script (#35)
- `setup_git_repo()` function to initialize git if missing
- `test-install` justfile recipe for running install tests

Commit message standardization (#36)
- `type(scope)!: subject` with mandatory `Refs: #<issue>` line
- `docs/COMMIT_MESSAGE_STANDARD.md` defining format, approved types (feat, fix, docs, chore, refactor, test, ci, build, revert, style), and traceability requirements
- `scripts/validate_commit_msg.py` enforcing the standard
- `.githooks/commit-msg` runs validation on every commit
- `.pre-commit-config.yaml`
- `.gitmessage` with format placeholder
- `.cursor/rules/commit-messages.mdc` and `.cursor/commands/commit-msg.md` for AI-assisted commit messages
- `assets/workspace/` for new projects
- `tests/test_validate_commit_msg.py` with comprehensive validation test cases

nano text editor in devcontainer image (#37)
Chore Refs exemption in commit message standard (#37)
- `chore` commits may omit the `Refs:` line when no issue or PR is directly related
- `REFS_OPTIONAL_TYPES` to accept chore commits without Refs

Dependency review allowlist entry for debug@0.6.0 (#37)
- `.github/dependency-review-allow.txt`

Dependency review exception for legacy test vulnerabilities (#37)
- `SECURITY.md` and `.github/dependency-review-allow.txt`

Bandit and Safety security scanning (#37, #50)
Scheduled weekly security scan workflow (`security-scan.yml`) (#37)
- `dev` branch every Monday 06:00 UTC

Non-blocking unfixed vulnerability reporting in CI (#37)
Comprehensive `.trivyignore` vulnerability acceptance register (#37)
Expiration-enforced dependency-review exceptions (#37)
- `.github/dependency-review-allow.txt`

Branch name enforcement as a pre-commit hook (#38)
- `branch-name` hook enforcing `<type>/<issue>-<summary>` convention (e.g. `feature/38-standardize-branching-strategy-enforcement`)
- `.pre-commit-config.yaml`, `assets/workspace/.pre-commit-config.yaml`)

Cursor rules for branch naming and issue workflow (#38)
- `.cursor/rules/branch-naming.mdc`: topic branch naming format, branch types, workflow for creating/linking branches via `gh issue develop`

Release cycle documentation (#38, #48)
- `docs/RELEASE_CYCLE.md` with complete release workflow, branching strategy, and CI/CD integration
- `after-pr-merge.md`, `submit-pr.md`

pip-licenses installed system-wide with version verification test (#43)
just-lsp language server and VS Code extension for Just files (#44)
Automated release cycle (#48)
- `prepare-release` and `finalize-release` justfile commands triggering GitHub Actions workflows
- `prepare-changelog.py` script with prepare, validate, reset, and finalize commands for CHANGELOG automation
- `reset-changelog` justfile command for post-merge CHANGELOG cleanup
- `prepare-release.yml` GitHub Actions workflow: validates semantic version, creates release branch, prepares CHANGELOG
- `release.yml` pipeline: validate → finalize → build/test → publish → rollback
- `tests/test_release_cycle.py`

CI testing infrastructure (#48)
- `ci.yml` workflow replacing `test.yml` with streamlined project checks (lint, changelog validation, utility and release-cycle tests)
- `setup-env`, `build-image`, `test-image`, `test-integration`, `test-project`

GitHub Actions SHA pinning enforcement (#50)
- `scripts/check_action_pins.py` pre-commit hook and CI check ensuring all GitHub Actions and Docker actions reference commit SHAs
- `tests/test_check_action_pins.py`

CODEOWNERS for automated review assignment (#50)
SECURITY.md with vulnerability reporting procedures and supported version policy (#50)
OpenSSF Scorecard workflow (`scorecard.yml`) for supply chain security scoring (#50)
CodeQL analysis workflow (`codeql.yml`) for automated static security analysis (#50)
Dependabot configuration for automated dependency update PRs with license compliance monitoring (#50)
Vulnerability scanning and dependency review in CI pipeline with non-blocking MEDIUM severity reporting (#50)
SBOM generation, container signing, and provenance attestation in release and CI pipelines (#50)
Edge case tests for changelog validation, action SHA pinning, and install script (#50)
`vig-utils` reusable CLI utilities package (#51)
- `packages/vig-utils/` for shared validation and build utilities
- `validate_commit_msg` module: enforces commit message format and references standards
- `feat(api, cli): add feature`)
- `prepare_changelog` module: CHANGELOG management and validation
- `check_action_pins` module: GitHub Actions SHA pinning enforcement

Code coverage reporting in CI (#52)
File duplication detection and elimination (#53)
- `.github/package.json`
- `prepare-build.sh` script with manifest sync
- `parse_manifest` fixture and `test_manifest_files`

GitHub workflow templates for devcontainer projects (#53)
Centralized `@devcontainers/cli` version management (#53)
- `.github/package.json` for consistent behavior across workflows and builds

`--require-scope` flag for `validate-commit-msg` (#58)
- `feat(api): ...`)
- `feat: ...`) are rejected at the commit-msg stage
- `test_validate_commit_msg.py`

`post-start.sh` devcontainer lifecycle script (#60)
- `just sync`
- `postStartCommand` in `devcontainer.json`

Dependency sync delegated to `just sync` across all lifecycle hooks (#60)
- `post-create.sh`, `post-start.sh`, and `post-attach.sh` now call `just sync` instead of `uv sync` directly
- `justfile.base` `sync` recipe updated with `--all-extras --no-install-project` flags and `pyproject.toml` guard

Git initialization default branch (#35)
CI release workflow uses GitHub API (#35)
Commit message guidelines - updated documentation (#36)
Expected version checks - updated ruff and pre-commit versions in test suite (#37)
Bumped `actions/create-github-app-token` from v1 to v2 across workflows with updated SHA pins (#37)
Pinned `@devcontainers/cli` to version 0.81.1 in CI for consistent behavior (#37)
CI and release Trivy scans gate on fixable CVEs only (#37)
- `ignore-unfixed: true` to blocking scan steps in `ci.yml` and `release.yml`
- `.trivyignore` with risk assessments

Updated pre-commit hook configuration in the devcontainer (#38)
Renamed `publish-container-image.yml` to `release.yml` and expanded into unified release pipeline (#48)
Merged `prepare-build.sh` into `build.sh` — consolidated directory preparation, asset copying, placeholder replacement, and README updates into a single entry point (#48)
Consolidated test files by domain — reorganized from 6 files to 4 (`test_image.py`, `test_integration.py`, `test_utils.py`, `test_release_cycle.py`) (#48)
Replaced `setup-python-uv` with flexible `setup-env` composite action supporting optional inputs for podman, Node.js, and devcontainer CLI (#48)
Reduced `sync-issues` workflow triggers — removed `edited` event type from issues and pull_request triggers (#48)
Release workflow pushes tested images instead of rebuilding after tests pass (#48)
Updated CONTRIBUTE.md release workflow documentation to match automated process (#50)
CodeQL Action v3 → v4 upgrade
- `.github/workflows/codeql.yml`, `security-scan.yml`, and `ci.yml`
- `45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2` for integrity

Sync-issues workflow output directory (#53)
Workspace `validate-commit-msg` hook configured strict-by-default (#58)
- `assets/workspace/.pre-commit-config.yaml` now ships with explicit `args` instead of commented-out examples
- `--require-scope`, and `chore` refs exemption
- `vig-utils` README added as a comment above the hook for discoverability

Refresh pinned Python base image digest (#213)
- `python:3.12-slim-bookworm` pinned digest in `Containerfile` to the latest upstream value while keeping the same tag

Pre-commit hook removal transform preserves section comments (#171)
- `scripts/transforms.py` keeps section comments intact while removing configured hooks during manifest sync
- `scripts/manifest.toml` and related sync/test updates keep workspace pre-commit outputs aligned with container CI workflow changes

Migrate shared scripts into `vig-utils` package entrypoints (#217, #161, #179)
- `check-skill-names.sh`, `derive-branch-summary.sh`, `resolve-branch.sh`, `setup-labels.sh`) bundled inside `vig_utils.shell` and exposed as `vig-<name>` CLI entrypoints
- `gh_issues.py`, `check-agent-identity.py`, `check-pr-agent-fingerprints.py`, `prepare-commit-msg-strip-trailers.py`) migrated into `vig-utils` modules with entrypoints
- `vig_utils.utils` module
- `vig-utils` entrypoints

Restructure workspace justfile into devc/project split (#219)
- `justfile.base` to `justfile.devc` and keep devcontainer lifecycle recipes there
- `lint`, `format`, `precommit`, `test`, `sync`, `update`, `clean-artifacts`, `log`, `branch`) into `justfile.project`
- `justfile.local` template for personal recipes while keeping it ignored in downstream workspaces, and update workspace imports/manifests to the new structure

Update base Python image and GitHub Actions dependencies (#240)
- `python:3.12-slim-bookworm` to latest digest

Bump GitHub CLI to 2.88.x
- `gh` version in image tests from 2.87 to 2.88

Manifest sync includes `sync-main-to-dev` workflow (#278)
- `.github/workflows/sync-main-to-dev.yml` to `scripts/manifest.toml` so workspace sync includes the release-to-dev PR automation workflow

Removed
- `post-release.yml` — replaced by `sync-main-to-dev.yml` (#172)
- `scripts/prepare-build.sh` — merged into `build.sh` (#48)
- `scripts/sync-prs-issues.sh` — deprecated sync script (#48)
- `test.yml` workflow — replaced by `ci.yml` (#48)
- `.github_data/` directory — 98 files superseded by `docs/issues/` and `docs/pull-requests/` (#91)
- `scripts/check-agent-identity.py`, `scripts/check-skill-names.sh`, `scripts/derive-branch-summary.sh`, `scripts/resolve-branch.sh` — now in `vig-utils`
- `assets/workspace/.devcontainer/scripts/gh_issues.py`, `check-pr-agent-fingerprints.py`, `prepare-commit-msg-strip-trailers.py` — now in `vig-utils`
- `scripts/utils.py` shim — superseded by `vig_utils.utils`

Fixed
`just` default recipe hidden by lint recipe (#254)
- `default` recipe must appear before any other recipe in the justfile; `lint` was placed first, shadowing the recipe listing
- `default` recipe above `lint` to restore `just` with no arguments showing available recipes

`gh-issues --help` guard in justfile recipe (#173)
- `gh-issues` CLI has no `--help` flag, so the availability check always failed even when the binary was installed
- `init-workspace.sh --smoke-test` now excludes `docs/issues/` and `docs/pull-requests/` from `rsync --delete`
- `sync-issues`
- `prepare-release.yml` now uses `COMMIT_APP_*` for git/ref and `commit-action` operations that touch `dev` and release refs
- `RELEASE_APP_*` token scope for pull-request operations
- `get_version_from_changelog()` and `get_release_date_from_changelog()` now skip entries without a concrete release date
- `contains_agent_fingerprint` now restricts name matching to attribution-context lines (e.g. "generated by", "authored by") instead of scanning the entire content
- `allow_patterns` from `agent-blocklist.toml` to strip known-safe text (dotfile paths, doc filenames) before checking
- `release.yml` now tags `ghcr.io/vig-os/devcontainer:X.Y.Z-arch` artifacts as `X.Y.Z-rcN-arch` before `docker push` in candidate runs
- `docker load`
- `vig-os/commit-action@c0024cbad0e501764127cccab732c6cd465b4646` (v0.1.5)
- `FILE_PATHS: .` and accidentally includes invalid `.git/*` tree paths
- `assets/smoke-test/.github/workflows/repository-dispatch.yml` no longer injects `Refs: #258` into automated `chore: deploy <tag>` commits in the smoke-test repository
- `vig-os/devcontainer-smoke-test` and promotion through PRs to `main`
- `install.sh` now normalizes sanitized project names to ensure they start/end with alphanumeric characters before passing `SHORT_NAME`
- `init-workspace.sh` mirrors the same normalization so generated `pyproject.toml` names cannot end with separators like `_`

Security
- `verbose` npm package
- `.github/dependency-review-allow.txt`
- `.trivyignore`
- `gh` release with Go 1.25.7 or later
- `.github/dependency-review-allow.txt` with 6-month expiration date enforced by CI
- `python:3.12-slim-bookworm`) with SHA256 checksum verification for all downloaded binaries and `.trivyignore` risk-assessment policy in Containerfile (#50)
- `urllib3>=2.6.3`, `filelock>=3.20.3`, and `virtualenv>=20.36.1`
- `uv.lock` with patched resolutions (`urllib3 2.6.3`, `filelock 3.25.0`, `virtualenv 21.1.0`)
- `CVE-2025-15558` to `.trivyignore` with risk assessment, upstream dependency context, and an expiration date
- `gh` release that includes the patched `github.com/docker/cli` dependency