Conversation
Bumps the actions-minor-patch group with 2 updates: [github/codeql-action](https://github.com/github/codeql-action) and [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer). Updates `github/codeql-action` from 4.34.1 to 4.35.1 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@3869755...c10b806) Updates `sigstore/cosign-installer` from 4.1.0 to 4.1.1 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@ba7bc0a...cad07c2) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch - dependency-name: sigstore/cosign-installer dependency-version: 4.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com>
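This bump replaces the commit SHAs that the workflows pin `github/codeql-action` and `sigstore/cosign-installer` to. Before approving a PR like this one, a reviewer usually wants two things confirmed mechanically: that every `uses:` reference in the workflow files is still pinned to a full 40-hex commit SHA (never a mutable tag or branch), and that the trailing version comment Dependabot leaves agrees with the version it claims to have bumped to. The script below is an added example written for this page; it is not code from Dependabot or from the vig-os/devcontainer project. The workflow fragment, the file name and the 40-character SHAs in it are constructed placeholders (the real pins are only shown as short `c10b806` / `cad07c2` prefixes on this page).

```python
"""Check that GitHub Actions `uses:` references are SHA-pinned and that the
version comment matches what a Dependabot bump says it updated to.
Added example for this page; the sample workflow below is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders: the real commits are only known here by their short
# prefixes (c10b806 for codeql-action 4.35.1, cad07c2 for cosign-installer 4.1.1).
PIN_CHECKOUT = "0123456789abcdef0123456789abcdef01234567"
PIN_CODEQL = "c10b806" + "0" * 33
PIN_COSIGN = "cad07c2" + "0" * 33

# Constructed workflow fragment in the shape Dependabot leaves after a SHA-pin bump.
SAMPLE_WORKFLOW = f"""\
name: codeql
jobs:
  analyze:
    steps:
      - uses: actions/checkout@{PIN_CHECKOUT} # v4.2.2
      - uses: github/codeql-action/init@{PIN_CODEQL} # v4.35.1
      - uses: github/codeql-action/analyze@{PIN_CODEQL} # v4.35.1
      - uses: sigstore/cosign-installer@{PIN_COSIGN} # v4.1.1
      - uses: some-org/some-action@v2 # mutable tag: must be flagged
      - uses: other-org/tool@main # branch ref: must be flagged
      - uses: ./.github/actions/local-thing # local action, no pin needed
      - uses: docker://ghcr.io/example/image:1.2.3
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s+#\s*(?P<comment>.*?))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    ref: str
    problem: str


def check_uses(text: str, expected: Optional[dict] = None) -> list:
    """Return one Finding per `uses:` reference that is not pinned to a full
    commit SHA, or whose version comment disagrees with `expected`
    (e.g. {"github/codeql-action": "v4.35.1"}). Local `./` actions and
    `docker://` images are skipped: they are not pinned by commit SHA."""
    expected = expected or {}
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(n, ref, "no @ref at all"))
            continue
        path, pin = ref.rsplit("@", 1)
        repo = "/".join(path.split("/")[:2])  # owner/repo, dropping any sub-path
        if not FULL_SHA_RE.match(pin):
            findings.append(Finding(n, ref, f"not pinned to a full 40-hex SHA (got {pin!r})"))
            continue
        comment = (m.group("comment") or "").strip()
        want = expected.get(repo)
        if want and comment != want:
            findings.append(Finding(n, ref, f"version comment {comment!r} != expected {want!r}"))
    return findings


if __name__ == "__main__":
    # Versions taken from the Dependabot summary above.
    bumped = {"github/codeql-action": "v4.35.1", "sigstore/cosign-installer": "v4.1.1"}
    for f in check_uses(SAMPLE_WORKFLOW, bumped):
        print(f"line {f.line}: {f.ref}: {f.problem}")
```

Run against real workflow files, the same function is the gate you would put in a pre-commit hook or a CI step: a mutable `@v2` or `@main` reference reintroduced by a hand edit fails the check before the pin drift reaches `main`.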
467bbd4 to 7333374
c-vigo approved these changes Apr 2, 2026
c-vigo added a commit that referenced this pull request Apr 2, 2026
## Description

Merge `dev` into `release/0.3.2` to apply latest Dependabot GitHub Actions SHA pin bumps.

## Type of Change

- [x] `chore` -- Maintenance task (deps, config, etc.)

## Changes Made

Fast-forward merge of 3 commits from `dev` (PR #474) bumping GitHub Actions SHA pins:

- `github/codeql-action` from `4.34.1` to `4.35.1` (ci.yml, codeql.yml, scorecard.yml, security-scan.yml, and workspace templates)
- `sigstore/cosign-installer` from `4.1.0` to `4.1.1` (promote-release.yml, release.yml)

Plus a changelog entry documenting the batch.

## Changelog Entry

### Changed

- **Dependabot dependency update batch** ([#474](#474))
  - Bump `github/codeql-action` from `4.34.1` to `4.35.1`
  - Bump `sigstore/cosign-installer` from `4.1.0` to `4.1.1`

## Testing

- [x] No functional changes -- SHA pin updates only
- [x] Pre-commit hooks pass locally

## Checklist

- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above)
- [x] My changes generate no new warnings or errors

## Additional Notes

Chore maintenance -- no linked issue.

Refs: N/A (chore, no issue)
This was referenced Apr 5, 2026 (Merged)
vig-os-release-app Bot added a commit to vig-os/devcontainer-smoke-test that referenced this pull request Apr 5, 2026
# Release 0.3.2

This PR prepares release 0.3.2 for merge to main.

## [0.3.2] - TBD

### Added

- **Downstream `promote-release.yml` workspace template** ([#463](vig-os/devcontainer#463))
  - Add `assets/workspace/.github/workflows/promote-release.yml` as the counter-party to root `promote-release.yml`: validate draft release and release PR, publish the release, merge to `main`, best-effort git RC tag cleanup (no GHCR/cosign/smoke-test gate)
  - Document in `docs/DOWNSTREAM_RELEASE.md` and align `docs/RELEASE_CYCLE.md` Phase 5 for consumer vs upstream paths
- **Optional draft pre-release for downstream release candidates** ([#463](vig-os/devcontainer#463))
  - Workspace `release.yml` adds `create-release` (`workflow_dispatch`, default `false`); `release-publish.yml` creates a draft GitHub pre-release only when set for `candidate` runs
  - Smoke-test `repository-dispatch.yml` passes `create-release=true` when triggering downstream `release.yml`
  - `just publish-candidate` forwards `create-release` in `justfile.gh` and the workspace template copy

### Changed

- **RELEASE_APP permissions and GHCR cleanup token model** ([#463](vig-os/devcontainer#463))
  - Document Packages read/write on the org for `promote-release` cleanup, align the app table in `docs/RELEASE_CYCLE.md`, and explain why cleanup uses the GitHub App token instead of `GITHUB_TOKEN`
- **Promote-release cleans up stale RC artifacts after merge** ([#463](vig-os/devcontainer#463))
  - Best-effort job deletes GHCR package versions for `${VERSION}-rc*` and `sha256-*`-only orphans, and deletes remote git RC tags for that base version when no GitHub Release exists; does not fail the workflow on error
- **Downstream release helper recipes via GitHub justfile import** ([#373](vig-os/devcontainer#373))
  - Move `prepare-release`, `finalize-release`, `publish-candidate`, and `reset-changelog` into `justfile.gh` so downstream workspace templates expose these release helpers by default
  - Keep root recipe availability (including `pull`) through `import 'justfile.gh'` while consolidating release helper ownership in the GitHub-focused recipe file; the workspace template copy omits the `pull` recipe
- **Split final release into publish and promote phases** ([#456](vig-os/devcontainer#456))
  - Final `release.yml` publishes versioned GHCR tags and a draft GitHub Release but no longer updates `:latest`
  - New `promote-release.yml` runs after downstream smoke-test publishes its final release: updates `:latest`, publishes the draft release, merges the release PR to `main`
  - Add `just promote-release` in `justfile.gh` (and workspace template copy)
- **Smoke-test dispatch fails fast when deploy PR checks fail** ([#381](vig-os/devcontainer#381))
  - `wait-deploy-merge` in `assets/smoke-test/.github/workflows/repository-dispatch.yml` exits as soon as all required checks have completed with failures instead of waiting for the merge poll timeout (`gh pr checks --required`)
- **Nightly CI schedule** ([#461](vig-os/devcontainer#461))
  - `ci.yml` adds a `schedule` trigger at 04:00 UTC that checks out `dev` and runs all test suites; checkout `ref` and `vcs-ref` are resolved correctly for scheduled runs
- **Scheduled security scan pulls GHCR `:latest` instead of rebuilding** ([#461](vig-os/devcontainer#461))
  - Runs nightly at 05:00 UTC, pulls the published image, gates on fixable HIGH/CRITICAL vulnerabilities, auto-creates a deduplicated GitHub issue on failure, and uploads SARIF under `container-image-latest`
- **Dependabot dependency update batch** ([#474](vig-os/devcontainer#474))
  - Bump `github/codeql-action` from `4.34.1` to `4.35.1`
  - Bump `sigstore/cosign-installer` from `4.1.0` to `4.1.1`
- **Simplify `just pull` in `justfile.gh`** ([#482](vig-os/devcontainer#482))
  - Pull `ghcr.io/vig-os/devcontainer` by tag; drop redundant shell fallback, per-recipe `repo` argument, and unused `REGISTRY_TEST` TLS path (imported `justfile.gh` cannot reference root `repo`)

### Removed

- **One-time GHCR/git RC prune script** ([#463](vig-os/devcontainer#463))
  - Remove `scripts/prune-ghcr-tags.sh`; RC and `sha256-*` orphan cleanup remains in root `promote-release.yml`
- **Downstream RC pre-release gate from release validate job** ([#463](vig-os/devcontainer#463))
  - Removed dead `if: false` steps from `release.yml`; downstream final release is verified only in `promote-release.yml` before promote

### Fixed

- **Prepare-release changelog commits silently skipped due to FILE_PATHS delimiter mismatch** ([#483](vig-os/devcontainer#483))
  - Change `FILE_PATHS` from space-separated to comma-separated in all `commit-action` steps of `prepare-release.yml` so the action correctly commits both `CHANGELOG.md` and `assets/workspace/.devcontainer/CHANGELOG.md`
  - Join finalization changed files with commas in `release.yml` (`Collect finalization files`) so `commit-action` receives multiple paths correctly
- **`publish-candidate` recipe sends unknown `create-release` input** ([#479](vig-os/devcontainer#479))
  - Remove `create-release` parameter and `-f` flag from upstream `justfile.gh`; the input was added to the downstream workflow only but the recipe was updated in both places
- **Image tests expect current `just` minor** ([#479](vig-os/devcontainer#479))
  - Align `EXPECTED_VERSIONS["just"]` with the latest `just` release installed by the Containerfile (1.49.x)
- **Git commit now falls back to nano when editor config is unusable** ([#383](vig-os/devcontainer#383))
  - `setup-git-conf.sh` now validates the effective Git editor and sets `core.editor=nano` only when the configured editor is missing or invalid in-container
  - Add integration regression coverage to ensure invalid editor settings are corrected during setup
- **Release finalize no longer races sync-issues; CHANGELOG TBD verified after reset** ([#455](vig-os/devcontainer#455))
  - Run `sync-issues` after capturing finalize SHA so downstream build/publish use the finalized commit
vig-os-release-app Bot added a commit to vig-os/devcontainer-smoke-test that referenced this pull request Apr 7, 2026
# Release 0.3.2

This PR prepares release 0.3.2 for merge to main.

## [0.3.2] - TBD

### Added

- **Downstream `promote-release.yml` workspace template** ([#463](vig-os/devcontainer#463))
  - Add `assets/workspace/.github/workflows/promote-release.yml` as the counter-party to root `promote-release.yml`: validate draft release and release PR, publish the release, merge to `main`, best-effort git RC tag cleanup (no GHCR/cosign/smoke-test gate)
  - Document in `docs/DOWNSTREAM_RELEASE.md` and align `docs/RELEASE_CYCLE.md` Phase 5 for consumer vs upstream paths
- **Optional draft pre-release for downstream release candidates** ([#463](vig-os/devcontainer#463))
  - Workspace `release.yml` adds `create-release` (`workflow_dispatch`, default `false`); `release-publish.yml` creates a draft GitHub pre-release only when set for `candidate` runs
  - Smoke-test `repository-dispatch.yml` passes `create-release=true` when triggering downstream `release.yml`
  - `just publish-candidate` forwards `create-release` in `justfile.gh` and the workspace template copy

### Changed

- **RELEASE_APP permissions and GHCR cleanup token model** ([#463](vig-os/devcontainer#463))
  - Document Packages read/write on the org for `promote-release` cleanup, align the app table in `docs/RELEASE_CYCLE.md`, and explain why cleanup uses the GitHub App token instead of `GITHUB_TOKEN`
- **Promote-release cleans up stale RC artifacts after merge** ([#463](vig-os/devcontainer#463))
  - Best-effort job deletes GHCR package versions for `${VERSION}-rc*` and `sha256-*`-only orphans, and deletes remote git RC tags for that base version when no GitHub Release exists; does not fail the workflow on error
- **Downstream release helper recipes via GitHub justfile import** ([#373](vig-os/devcontainer#373))
  - Move `prepare-release`, `finalize-release`, `publish-candidate`, and `reset-changelog` into `justfile.gh` so downstream workspace templates expose these release helpers by default
  - Keep root recipe availability (including `pull`) through `import 'justfile.gh'` while consolidating release helper ownership in the GitHub-focused recipe file; the workspace template copy omits the `pull` recipe
- **Split final release into publish and promote phases** ([#456](vig-os/devcontainer#456))
  - Final `release.yml` publishes versioned GHCR tags and a draft GitHub Release but no longer updates `:latest`
  - New `promote-release.yml` runs after downstream smoke-test publishes its final release: updates `:latest`, publishes the draft release, merges the release PR to `main`
  - Add `just promote-release` in `justfile.gh` (and workspace template copy)
- **Smoke-test dispatch fails fast when deploy PR checks fail** ([#381](vig-os/devcontainer#381))
  - `wait-deploy-merge` in `assets/smoke-test/.github/workflows/repository-dispatch.yml` exits as soon as all required checks have completed with failures instead of waiting for the merge poll timeout (`gh pr checks --required`)
- **Scheduled security scan pulls GHCR `:latest` instead of rebuilding** ([#461](vig-os/devcontainer#461))
  - Runs nightly at 05:00 UTC, pulls the published image, gates on fixable HIGH/CRITICAL vulnerabilities, auto-creates a deduplicated GitHub issue on failure, and uploads SARIF under `container-image-latest`
- **Dependabot dependency update batch** ([#474](vig-os/devcontainer#474))
  - Bump `github/codeql-action` from `4.34.1` to `4.35.1`
  - Bump `sigstore/cosign-installer` from `4.1.0` to `4.1.1`
- **Dependabot dependency update batch** ([#488](vig-os/devcontainer#488), [#489](vig-os/devcontainer#489))
  - Bump `@devcontainers/cli` from `0.84.1` to `0.85.0`
  - Bump `docker/login-action` from `4.0.0` to `4.1.0`
- **Simplify `just pull` in `justfile.gh`** ([#482](vig-os/devcontainer#482))
  - Pull `ghcr.io/vig-os/devcontainer` by tag; drop redundant shell fallback, per-recipe `repo` argument, and unused `REGISTRY_TEST` TLS path (imported `justfile.gh` cannot reference root `repo`)

### Removed

- **One-time GHCR/git RC prune script** ([#463](vig-os/devcontainer#463))
  - Remove `scripts/prune-ghcr-tags.sh`; RC and `sha256-*` orphan cleanup remains in root `promote-release.yml`
- **Downstream RC pre-release gate from release validate job** ([#463](vig-os/devcontainer#463))
  - Removed dead `if: false` steps from `release.yml`; downstream final release is verified only in `promote-release.yml` before promote
- **Nightly full CI schedule from `ci.yml`** ([#492](vig-os/devcontainer#492))
  - Remove the `schedule` trigger and schedule-only checkout overrides; CI remains on pull requests and `workflow_dispatch` only
  - Nightly GHCR `:latest` scan in `security-scan.yml` is unchanged

### Fixed

- **Prepare-release changelog commits silently skipped due to FILE_PATHS delimiter mismatch** ([#483](vig-os/devcontainer#483))
  - Change `FILE_PATHS` from space-separated to comma-separated in all `commit-action` steps of `prepare-release.yml` so the action correctly commits both `CHANGELOG.md` and `assets/workspace/.devcontainer/CHANGELOG.md`
  - Join finalization changed files with commas in `release.yml` (`Collect finalization files`) so `commit-action` receives multiple paths correctly
- **`publish-candidate` recipe sends unknown `create-release` input** ([#479](vig-os/devcontainer#479))
  - Remove `create-release` parameter and `-f` flag from upstream `justfile.gh`; the input was added to the downstream workflow only but the recipe was updated in both places
- **Image tests expect current `just` minor** ([#479](vig-os/devcontainer#479))
  - Align `EXPECTED_VERSIONS["just"]` with the latest `just` release installed by the Containerfile (1.49.x)
- **Git commit now falls back to nano when editor config is unusable** ([#383](vig-os/devcontainer#383))
  - `setup-git-conf.sh` now validates the effective Git editor and sets `core.editor=nano` only when the configured editor is missing or invalid in-container
  - Add integration regression coverage to ensure invalid editor settings are corrected during setup
- **Release finalize no longer races sync-issues; CHANGELOG TBD verified after reset** ([#455](vig-os/devcontainer#455))
  - Run `sync-issues` after capturing finalize SHA so downstream build/publish use the finalized commit
vig-os-release-app Bot added a commit to vig-os/devcontainer-smoke-test that referenced this pull request Apr 7, 2026
# Release 0.3.2

This PR prepares release 0.3.2 for merge to main.

## [0.3.2] - TBD

### Added

- **Downstream `promote-release.yml` workspace template** ([#463](vig-os/devcontainer#463))
  - Add `assets/workspace/.github/workflows/promote-release.yml` as the counter-party to root `promote-release.yml`: validate draft release and release PR, publish the release, merge to `main`, best-effort git RC tag cleanup (no GHCR/cosign/smoke-test gate)
  - Document in `docs/DOWNSTREAM_RELEASE.md` and align `docs/RELEASE_CYCLE.md` Phase 5 for consumer vs upstream paths
- **Optional draft pre-release for downstream release candidates** ([#463](vig-os/devcontainer#463))
  - Workspace `release.yml` adds `create-release` (`workflow_dispatch`, default `false`); `release-publish.yml` creates a draft GitHub pre-release only when set for `candidate` runs
  - Smoke-test `repository-dispatch.yml` passes `create-release=true` when triggering downstream `release.yml`
  - `just publish-candidate` forwards `create-release` in `justfile.gh` and the workspace template copy

### Changed

- **RELEASE_APP permissions and GHCR cleanup token model** ([#463](vig-os/devcontainer#463))
  - Document Packages read/write on the org for `promote-release` cleanup, align the app table in `docs/RELEASE_CYCLE.md`, and explain why cleanup uses the GitHub App token instead of `GITHUB_TOKEN`
- **Promote-release cleans up stale RC artifacts after merge** ([#463](vig-os/devcontainer#463))
  - Best-effort job deletes GHCR package versions for `${VERSION}-rc*` and `sha256-*`-only orphans, and deletes remote git RC tags for that base version when no GitHub Release exists; does not fail the workflow on error
- **Downstream release helper recipes via GitHub justfile import** ([#373](vig-os/devcontainer#373))
  - Move `prepare-release`, `finalize-release`, `publish-candidate`, and `reset-changelog` into `justfile.gh` so downstream workspace templates expose these release helpers by default
  - Keep root recipe availability (including `pull`) through `import 'justfile.gh'` while consolidating release helper ownership in the GitHub-focused recipe file; the workspace template copy omits the `pull` recipe
- **Split final release into publish and promote phases** ([#456](vig-os/devcontainer#456))
  - Final `release.yml` publishes versioned GHCR tags and a draft GitHub Release but no longer updates `:latest`
  - New `promote-release.yml` runs after downstream smoke-test publishes its final release: updates `:latest`, publishes the draft release, merges the release PR to `main`
  - Add `just promote-release` in `justfile.gh` (and workspace template copy)
- **Smoke-test dispatch fails fast when deploy PR checks fail** ([#381](vig-os/devcontainer#381))
  - `wait-deploy-merge` in `assets/smoke-test/.github/workflows/repository-dispatch.yml` exits as soon as all required checks have completed with failures instead of waiting for the merge poll timeout (`gh pr checks --required`)
- **Scheduled security scan pulls GHCR `:latest` instead of rebuilding** ([#461](vig-os/devcontainer#461))
  - Runs nightly at 05:00 UTC, pulls the published image, gates on fixable HIGH/CRITICAL vulnerabilities, auto-creates a deduplicated GitHub issue on failure, and uploads SARIF under `container-image-latest`
- **Dependabot dependency update batch** ([#474](vig-os/devcontainer#474))
  - Bump `github/codeql-action` from `4.34.1` to `4.35.1`
  - Bump `sigstore/cosign-installer` from `4.1.0` to `4.1.1`
- **Dependabot dependency update batch** ([#488](vig-os/devcontainer#488), [#489](vig-os/devcontainer#489))
  - Bump `@devcontainers/cli` from `0.84.1` to `0.85.0`
  - Bump `docker/login-action` from `4.0.0` to `4.1.0`
- **Simplify `just pull` in `justfile.gh`** ([#482](vig-os/devcontainer#482))
  - Pull `ghcr.io/vig-os/devcontainer` by tag; drop redundant shell fallback, per-recipe `repo` argument, and unused `REGISTRY_TEST` TLS path (imported `justfile.gh` cannot reference root `repo`)
- **prepare-changelog finalize adds GitHub release link to version headings** ([#496](vig-os/devcontainer#496))
vig-os-release-app Bot added a commit to vig-os/devcontainer-smoke-test that referenced this pull request Apr 8, 2026
c-vigo added a commit that referenced this pull request Apr 8, 2026
# [Release 0.3.2](https://github.com/vig-os/devcontainer/releases/tag/0.3.2) - 2026-04-08

This PR prepares release 0.3.2 for merge to main.

## [0.3.2](https://github.com/vig-os/devcontainer/releases/tag/0.3.2) - 2026-04-08

### Added

- **Downstream `promote-release.yml` workspace template** ([#463](#463))
  - Add `assets/workspace/.github/workflows/promote-release.yml` as the counter-party to root `promote-release.yml`: validate draft release and release PR, publish the release, merge to `main`, best-effort git RC tag cleanup (no GHCR/cosign/smoke-test gate)
  - Document in `docs/DOWNSTREAM_RELEASE.md` and align `docs/RELEASE_CYCLE.md` Phase 5 for consumer vs upstream paths
- **Optional draft pre-release for downstream release candidates** ([#463](#463))
  - Workspace `release.yml` adds `create-release` (`workflow_dispatch`, default `false`); `release-publish.yml` creates a draft GitHub pre-release only when set for `candidate` runs
  - Smoke-test `repository-dispatch.yml` passes `create-release=true` when triggering downstream `release.yml`
  - `just publish-candidate` forwards `create-release` in `justfile.gh` and the workspace template copy

### Changed

- **RELEASE_APP permissions and GHCR cleanup token model** ([#463](#463))
  - Document Packages read/write on the org for `promote-release` cleanup, align the app table in `docs/RELEASE_CYCLE.md`, and explain why cleanup uses the GitHub App token instead of `GITHUB_TOKEN`
- **Promote-release cleans up stale RC artifacts after merge** ([#463](#463))
  - Best-effort job deletes GHCR package versions for `${VERSION}-rc*` and `sha256-*`-only orphans, and deletes remote git RC tags for that base version when no GitHub Release exists; does not fail the workflow on error
- **Downstream release helper recipes via GitHub justfile import** ([#373](#373))
  - Move `prepare-release`, `finalize-release`, `publish-candidate`, and `reset-changelog` into `justfile.gh` so downstream workspace templates expose these release helpers by default
  - Keep root recipe availability (including `pull`) through `import 'justfile.gh'` while consolidating release helper ownership in the GitHub-focused recipe file; the workspace template copy omits the `pull` recipe
- **Split final release into publish and promote phases** ([#456](#456))
  - Final `release.yml` publishes versioned GHCR tags and a draft GitHub Release but no longer updates `:latest`
  - New `promote-release.yml` runs after downstream smoke-test publishes its final release: updates `:latest`, publishes the draft release, merges the release PR to `main`
  - Add `just promote-release` in `justfile.gh` (and workspace template copy)
- **Smoke-test dispatch fails fast when deploy PR checks fail** ([#381](#381))
  - `wait-deploy-merge` in `assets/smoke-test/.github/workflows/repository-dispatch.yml` exits as soon as all required checks have completed with failures instead of waiting for the merge poll timeout (`gh pr checks --required`)
- **Scheduled security scan pulls GHCR `:latest` instead of rebuilding** ([#461](#461))
  - Runs nightly at 05:00 UTC, pulls the published image, gates on fixable HIGH/CRITICAL vulnerabilities, auto-creates a deduplicated GitHub issue on failure, and uploads SARIF under `container-image-latest`
- **Dependabot dependency update batch** ([#474](#474))
  - Bump `github/codeql-action` from `4.34.1` to `4.35.1`
  - Bump `sigstore/cosign-installer` from `4.1.0` to `4.1.1`
- **Dependabot dependency update batch** ([#488](#488), [#489](#489))
  - Bump `@devcontainers/cli` from `0.84.1` to `0.85.0`
  - Bump `docker/login-action` from `4.0.0` to `4.1.0`
- **Simplify `just pull` in `justfile.gh`** ([#482](#482))
  - Pull `ghcr.io/vig-os/devcontainer` by tag; drop redundant shell fallback, per-recipe `repo` argument, and unused `REGISTRY_TEST` TLS path (imported `justfile.gh` cannot reference root `repo`)
- **prepare-changelog finalize adds GitHub release link to version headings** ([#496](#496))
  - `finalize_release_date` writes `## [X.Y.Z](https://github.com/owner/repo/releases/tag/X.Y.Z) - date`; repository slug comes from `GITHUB_REPOSITORY` (set in Actions) or from `prepare-changelog finalize ... --github-repository owner/repo`
  - `unprepare` recognizes linked `## [semver](url) - …` headings

### Removed

- **One-time GHCR/git RC prune script** ([#463](#463))
  - Remove `scripts/prune-ghcr-tags.sh`; RC and `sha256-*` orphan cleanup remains in root `promote-release.yml`
- **Downstream RC pre-release gate from release validate job** ([#463](#463))
  - Removed dead `if: false` steps from `release.yml`; downstream final release is verified only in `promote-release.yml` before promote
- **Nightly full CI schedule from `ci.yml`** ([#492](#492))
  - Remove the `schedule` trigger and schedule-only checkout overrides; CI remains on pull requests and `workflow_dispatch` only
  - Nightly GHCR `:latest` scan in `security-scan.yml` is unchanged

### Fixed

- **Prepare-release changelog commits silently skipped due to FILE_PATHS delimiter mismatch** ([#483](#483))
  - Change `FILE_PATHS` from space-separated to comma-separated in all `commit-action` steps of `prepare-release.yml` so the action correctly commits both `CHANGELOG.md` and `assets/workspace/.devcontainer/CHANGELOG.md`
  - Join finalization changed files with commas in `release.yml` (`Collect finalization files`) so `commit-action` receives multiple paths correctly
- **`publish-candidate` recipe sends unknown `create-release` input** ([#479](#479))
  - Remove `create-release` parameter and `-f` flag from upstream `justfile.gh`; the input was added to the downstream workflow only but the recipe was updated in both places
- **Image tests expect current `just` minor** ([#479](#479))
  - Align `EXPECTED_VERSIONS["just"]` with the latest `just` release installed by the Containerfile (1.49.x)
- **Git commit now falls back to nano when editor config is unusable** ([#383](#383))
  - `setup-git-conf.sh` now validates the effective Git editor and sets `core.editor=nano` only when the configured editor is missing or invalid in-container
  - Add integration regression coverage to ensure invalid editor settings are corrected during setup
- **Release finalize no longer races sync-issues; CHANGELOG TBD verified after reset** ([#455](#455))
  - Run `sync-issues` after capturing finalize SHA so downstream build/publish use the finalized commit
  - Fail finalize if `CHANGELOG.md` still contains `## [version] - TBD` after `git reset --hard`
- **generate-docs pre-commit runs when CHANGELOG.md changes** ([#455](#455))
  - Keeps README “Latest Version” and other generated docs aligned with the changelog
- **prepare-release tolerates GitHub API ref propagation and reliable CHANGELOG rollback** ([#453](#453))
  - Poll until the new release branch ref resolves before `commit-action` commits to it
  - Fetch dev `CHANGELOG.md` by resolved commit SHA during rollback so Contents API staleness does not skip the rollback commit
- **sync-main-to-dev sync job no longer depends on dev's setup-env** ([#459](#459))
  - Inline the same `retry` shell helper used by `setup-env` so the job works when `main`'s workflow expects helpers not yet on `dev`
- **CI container build avoids shared-runner Docker Hub rate limits** ([#473](#473))
  - `build-image` logs in to `docker.io` before `setup-buildx-action` when `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN` secrets are set; `ci.yml` and `release.yml` pass them
  - Omitting secrets (e.g. forks) keeps prior anonymous-pull behavior
- **Release finalize commit blocked by Release protection ruleset** ([#487](#487))
  - Generate a dedicated Commit App token (`COMMIT_APP_ID`) for the `commit-action` step in the `finalize` job of `release.yml`, matching the pattern used by `prepare-release.yml` and other workflows; the previous Release App token lacked ruleset bypass
- **Release finalize installs just for doc generation** ([#494](#494))
  - Remove `install-just: 'false'` from the finalize job `setup-env` step so `docs/generate.py` can run `just --list`
  - `get_just_help()` exits non-zero on failure instead of writing placeholder content into generated docs
- **Release rollback and CI `retry` exit codes** ([#500](#500))
  - `retry` shell helper now propagates the command's non-zero exit code when all attempts fail
  - Release rollback creates a fast-forward revert commit via the Git API instead of force-pushing, compatible with branch protection on `release/*`
  - Rollback Git Data API steps authenticate with the Commit app token (same as finalize) so protected `release/*` ref updates are not blocked
  - Canonical `retry()` implementation lives in `.github/scripts/retry.sh`; `setup-env` and BATS source it so CI and tests stay aligned (`sync-main-to-dev.yml` keeps an inline copy documented as in sync)
- **Release rollback restores release PR body after finalize** ([#502](#502))
  - `rollback` job in `release.yml` restores the PR description from pre-finalization `CHANGELOG.md` (TBD / prepare-release format) using RELEASE_APP when `release_kind` is final, after branch rollback; failure issue and job summary report the step outcome
- **Final release notes extraction after linked changelog headings** ([#504](#504))
  - Publish job `awk` matches `## [VERSION]` prefix so finalized `## [X.Y.Z](url) - date` headings produce GitHub Release notes (regression after prepare-changelog linked headings in #496)

### Security

- **Nightly vulnerability gate for published container image** ([#461](#461))
  - Scheduled security scan now fails on fixable HIGH/CRITICAL CVEs and auto-files a GitHub issue, replacing the previous non-blocking weekly scan
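The `#496` and `#504` entries in the release commit above describe one parsing problem from both sides: once `prepare-changelog finalize` rewrites `## [X.Y.Z] - TBD` into the linked, dated `## [X.Y.Z](url) - date` form, a release-notes extractor that only matches the plain heading silently yields empty notes. The `#455` entry adds the complementary guard, failing the finalize job if the heading still reads `TBD`. The Python below is an added example for this page, not the project's `awk` step or its `prepare-changelog` tool: it extracts the section body under either heading form and reports whether the heading has been finalized. The sample changelog, the `owner/repo` slug and the version numbers in it are constructed.

```python
"""Extract a version's release notes from a Keep-a-Changelog style file,
accepting both `## [X.Y.Z] - TBD` and the linked, finalized
`## [X.Y.Z](https://.../releases/tag/X.Y.Z) - 2026-04-08` heading forms.
Added example for this page; the sample changelog is constructed."""
import re

# Matches the version heading whether or not the version is wrapped in a
# markdown link. `(?:\([^)]*\))?` swallows the optional `(url)` part.
HEADING_RE = re.compile(
    r"^## \[(?P<version>\d+\.\d+\.\d+)\](?:\([^)]*\))?\s*-\s*(?P<date>.+?)\s*$"
)

# Constructed sample: one finalized section (linked heading with a date) and
# one still-unfinalized section (plain heading with TBD).
SAMPLE_CHANGELOG = """\
# Changelog

## [Unreleased]

## [0.3.2](https://github.com/owner/repo/releases/tag/0.3.2) - 2026-04-08

### Changed

- **Dependabot dependency update batch** ([#474](#474))
  - Bump `github/codeql-action` from `4.34.1` to `4.35.1`

## [0.3.1] - TBD

### Fixed

- placeholder entry for the older section
"""


def _find_heading(changelog: str, version: str):
    """Return (line_index, date) of the `## [version]` heading, or None."""
    for i, line in enumerate(changelog.splitlines()):
        m = HEADING_RE.match(line)
        if m and m.group("version") == version:
            return i, m.group("date")
    return None


def extract_release_notes(changelog: str, version: str) -> str:
    """Body of the `## [version]` section: every line after its heading up to
    (not including) the next `## ` heading, outer blank lines trimmed."""
    hit = _find_heading(changelog, version)
    if hit is None:
        raise KeyError(f"no changelog section for {version}")
    start, _ = hit
    body = []
    for line in changelog.splitlines()[start + 1:]:
        if line.startswith("## "):
            break
        body.append(line)
    return "\n".join(body).strip() + "\n"


def is_finalized(changelog: str, version: str) -> bool:
    """True when the version heading carries a real date rather than TBD.
    This is the condition a finalize job can assert on after its reset."""
    hit = _find_heading(changelog, version)
    return hit is not None and hit[1] != "TBD"


if __name__ == "__main__":
    print(extract_release_notes(SAMPLE_CHANGELOG, "0.3.2"), end="")
    print("0.3.2 finalized:", is_finalized(SAMPLE_CHANGELOG, "0.3.2"))
    print("0.3.1 finalized:", is_finalized(SAMPLE_CHANGELOG, "0.3.1"))
```

Matching on the `## [X.Y.Z]` prefix rather than the whole heading is what makes the extractor survive the link rewrite; keeping `is_finalized` separate lets the publish step refuse to ship notes whose heading is still `TBD`, which is the failure the `#455` fix turned from silent into loud.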
Bumps the actions-minor-patch group with 2 updates in the / directory: github/codeql-action and sigstore/cosign-installer.

Updates `github/codeql-action` from 4.34.1 to 4.35.1

Release notes: sourced from github/codeql-action's releases.

Changelog: sourced from github/codeql-action's changelog. ... (truncated)

Commits: c10b806Merge pull request #3782 from github/update-v4.35.1-d6d1743b8c5ffd06Update changelog for v4.35.1d6d1743Merge pull request #3781 from github/henrymercer/update-git-minimum-version65d2efaAdd changelog note2437b20Update minimum git version for overlay to 2.36.0ea5f719Merge pull request #3775 from github/dependabot/npm_and_yarn/node-forge-1.4.045ceeeaMerge pull request #3777 from github/mergeback/v4.35.0-to-main-b8bb9f2824448c9Rebuild7c51060Update changelog and version after v4.35.0b8bb9f2Merge pull request #3776 from github/update-v4.35.0-0078ad667

Updates `sigstore/cosign-installer` from 4.1.0 to 4.1.1

Release notes: sourced from sigstore/cosign-installer's releases.

Commits: cad07c2 chore: update default cosign-release to v3.0.5 (#223)