diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 63f9169b..dcebbf1e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -502,7 +502,6 @@ jobs: uses: ./.github/actions/setup-env with: sync-dependencies: 'true' - install-just: 'false' - name: Set release date in CHANGELOG if: needs.validate.outputs.release_kind == 'final' diff --git a/CHANGELOG.md b/CHANGELOG.md index 318b3088..37182ee6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## [0.3.2] - 2026-04-07 +## [0.3.2] - TBD ### Added @@ -80,6 +80,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Omitting secrets (e.g. forks) keeps prior anonymous-pull behavior - **Release finalize commit blocked by Release protection ruleset** ([#487](https://github.com/vig-os/devcontainer/issues/487)) - Generate a dedicated Commit App token (`COMMIT_APP_ID`) for the `commit-action` step in the `finalize` job of `release.yml`, matching the pattern used by `prepare-release.yml` and other workflows; the previous Release App token lacked ruleset bypass +- **Release finalize installs just for doc generation** ([#494](https://github.com/vig-os/devcontainer/issues/494)) + - Remove `install-just: 'false'` from the finalize job `setup-env` step so `docs/generate.py` can run `just --list` + - `get_just_help()` exits non-zero on failure instead of writing placeholder content into generated docs ### Security diff --git a/CONTRIBUTE.md b/CONTRIBUTE.md index 460b988c..48624ec9 100644 --- a/CONTRIBUTE.md +++ b/CONTRIBUTE.md 
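Review bot: Dropping `install-just: 'false'` means `./.github/actions/setup-env` now installs `just` inside the finalize job, and that same job (per the CHANGELOG entry in this diff) mints a Commit App token that bypasses the Release protection ruleset and commits the generated README/CONTRIBUTE.md; the action's body is outside this hunk, so it is not visible whether the `just` install is pinned to a version and checksum or fetches a latest release. If it downloads a binary from the network, pin it (version plus sha256) or reuse the `just` from the tested image, since an unpinned installer would now run in a job with write access to a protected release branch. A comment on the `with:` block such as `# install-just left at its default: docs/generate.py runs 'just --list' in this job (#494)` would record why the override was removed so it is not reintroduced. The step's `- name:` line begins before this hunk.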
@@ -157,7 +157,70 @@ When contributing to this project, follow this workflow: ## Just Recipes ```text - +Available recipes: + [build] + build no_cache="" # Build local development image + clean version="dev" # Remove image (default: dev) + clean-test-containers # Clean up lingering test containers + + [git] + branch # Show current branch + list recent branches + log # Pretty one-line git log (last 20 commits) + + [github] + gh-issues # List open issues and PRs grouped by milestone [alias: gh-i] + + [info] + default # Show available commands (default) + docs # Generate documentation from templates + help # Show available commands + info # Show image information + init *args # Install system dependencies and setup development environment + login # Test login to GHCR + sync-workspace # Sync workspace templates from repo root to assets/workspace/ + + [podman] + podman-kill name # Stop and remove a container by name or ID [alias: pdm-kill] + podman-kill-all # Stop and remove all containers (with confirmation) [alias: pdm-kill-all] + podman-kill-project # Stop and remove project-related containers [alias: pdm-kill-project] + podman-prune # Prune unused containers, images, networks, and volumes [alias: pdm-prune] + podman-prune-all # Full cleanup: prune including volumes [alias: pdm-prune-all] + podman-ps *args # List containers/images (--all for all podman resources) [alias: pdm-ps] + podman-rmi image # Remove an image by name, tag, or ID [alias: pdm-rmi] + podman-rmi-all # Remove all images (with confirmation) [alias: pdm-rmi-all] + podman-rmi-dangling # Remove dangling images (untagged) [alias: pdm-rmi-dangling] + podman-rmi-project # Remove project-related images [alias: pdm-rmi-project] + + [quality] + format # Format code + lint # Run all linters + precommit # Run pre-commit hooks on all files + + [release] + finalize-release version ref="" *flags # Finalize and publish release via GitHub Actions workflow (step 3, after testing) + prepare-release version ref="" 
*flags # Prepare release branch for testing (step 1) + promote-release version ref="" *flags # Promote final release: GHCR :latest, publish draft GitHub Release, merge release PR (after downstream smoke-test final release) + publish-candidate version ref="" *flags # Publish release candidate via GitHub Actions workflow + pull version="latest" # Pull image from registry (default: latest) + reset-changelog # Reset CHANGELOG Unreleased section (after merging release to dev) + + [test] + test version="dev" # Run all test suites + test-bats # Run BATS shell script tests + test-image version="dev" # Run image tests only + test-install # Run install script tests only + test-integration version="dev" # Run integration tests only + test-utils # Run utils tests only + test-validate-commit-msg # Run validate commit msg tests only + test-vig-utils # Run check action pins tests only + + [worktree] + worktree-attach issue # before attaching. See tests/bats/worktree.bats for integration tests. [alias: wt-attach] + worktree-clean mode="" # Default (no args): clean only stopped worktrees. Use 'all' to clean everything. [alias: wt-clean] + worktree-list # List active worktrees and their tmux sessions [alias: wt-list] + worktree-start issue prompt="" reviewer="" # Create a worktree for an issue, open tmux session, launch cursor-agent [alias: wt-start] + worktree-stop issue # Stop a worktree's tmux session and remove the worktree [alias: wt-stop] + ``` ## Release Workflow diff --git a/README.md b/README.md index 9b1dcad5..98d2d982 100644 --- a/README.md +++ b/README.md 
@@ -108,7 +108,70 @@ After installation, open the project in VS Code. It will detect `.devcontainer/d ## Available Commands ```text - +Available recipes: + [build] + build no_cache="" # Build local development image + clean version="dev" # Remove image (default: dev) + clean-test-containers # Clean up lingering test containers + + [git] + branch # Show current branch + list recent branches + log # Pretty one-line git log (last 20 commits) + + [github] + gh-issues # List open issues and PRs grouped by milestone [alias: gh-i] + + [info] + default # Show available commands (default) + docs # Generate documentation from templates + help # Show available commands + info # Show image information + init *args # Install system dependencies and setup development environment + login # Test login to GHCR + sync-workspace # Sync workspace templates from repo root to assets/workspace/ + + [podman] + podman-kill name # Stop and remove a container by name or ID [alias: pdm-kill] + podman-kill-all # Stop and remove all containers (with confirmation) [alias: pdm-kill-all] + podman-kill-project # Stop and remove project-related containers [alias: pdm-kill-project] + podman-prune # Prune unused containers, images, networks, and volumes [alias: pdm-prune] + podman-prune-all # Full cleanup: prune including volumes [alias: pdm-prune-all] + podman-ps *args # List containers/images (--all for all podman resources) [alias: pdm-ps] + podman-rmi image # Remove an image by name, tag, or ID [alias: pdm-rmi] + podman-rmi-all # Remove all images (with confirmation) [alias: pdm-rmi-all] + podman-rmi-dangling # Remove dangling images (untagged) [alias: pdm-rmi-dangling] + podman-rmi-project # Remove project-related images [alias: pdm-rmi-project] + + [quality] + format # Format code + lint # Run all linters + precommit # Run pre-commit hooks on all files + + [release] + finalize-release version ref="" *flags # Finalize and publish release via GitHub Actions workflow (step 3, after testing) + 
prepare-release version ref="" *flags # Prepare release branch for testing (step 1) + promote-release version ref="" *flags # Promote final release: GHCR :latest, publish draft GitHub Release, merge release PR (after downstream smoke-test final release) + publish-candidate version ref="" *flags # Publish release candidate via GitHub Actions workflow + pull version="latest" # Pull image from registry (default: latest) + reset-changelog # Reset CHANGELOG Unreleased section (after merging release to dev) + + [test] + test version="dev" # Run all test suites + test-bats # Run BATS shell script tests + test-image version="dev" # Run image tests only + test-install # Run install script tests only + test-integration version="dev" # Run integration tests only + test-utils # Run utils tests only + test-validate-commit-msg # Run validate commit msg tests only + test-vig-utils # Run check action pins tests only + + [worktree] + worktree-attach issue # before attaching. See tests/bats/worktree.bats for integration tests. [alias: wt-attach] + worktree-clean mode="" # Default (no args): clean only stopped worktrees. Use 'all' to clean everything. [alias: wt-clean] + worktree-list # List active worktrees and their tmux sessions [alias: wt-list] + worktree-start issue prompt="" reviewer="" # Create a worktree for an issue, open tmux session, launch cursor-agent [alias: wt-start] + worktree-stop issue # Stop a worktree's tmux session and remove the worktree [alias: wt-stop] + ``` For detailed command descriptions, run `just --list --unsorted` or `just --help`. 
@@ -119,7 +182,7 @@ For detailed command descriptions, run `just --list --unsorted` or `just --help` - **Registry**: `ghcr.io/vig-os/devcontainer` - **Architecture**: Multi-platform support (AMD64, ARM64) - **License**: Apache -- **Latest Version**: [0.3.2](https://github.com/vig-os/devcontainer/releases/tag/0.3.2) - 2026-04-07 +- **Latest Version**: [0.3.1](https://github.com/vig-os/devcontainer/releases/tag/0.3.1) - 2026-03-26 - **Image tags**: bare semver (`0.2.1`, `latest`) — git tags use `v` prefix (`v0.2.1`) but image tags do not ## Features diff --git a/assets/workspace/.devcontainer/CHANGELOG.md b/assets/workspace/.devcontainer/CHANGELOG.md index 318b3088..37182ee6 100644 --- a/assets/workspace/.devcontainer/CHANGELOG.md +++ b/assets/workspace/.devcontainer/CHANGELOG.md @@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## [0.3.2] - 2026-04-07 +## [0.3.2] - TBD ### Added @@ -80,6 +80,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Omitting secrets (e.g. forks) keeps prior anonymous-pull behavior - **Release finalize commit blocked by Release protection ruleset** ([#487](https://github.com/vig-os/devcontainer/issues/487)) - Generate a dedicated Commit App token (`COMMIT_APP_ID`) for the `commit-action` step in the `finalize` job of `release.yml`, matching the pattern used by `prepare-release.yml` and other workflows; the previous Release App token lacked ruleset bypass +- **Release finalize installs just for doc generation** ([#494](https://github.com/vig-os/devcontainer/issues/494)) + - Remove `install-just: 'false'` from the finalize job `setup-env` step so `docs/generate.py` can run `just --list` + - `get_just_help()` exits non-zero on failure instead of writing placeholder content into generated docs ### Security 
diff --git a/docs/generate.py b/docs/generate.py index ac498e4e..476149cd 100644 --- a/docs/generate.py +++ b/docs/generate.py @@ -32,8 +32,8 @@ def get_just_help() -> str: ) return result.stdout except (subprocess.CalledProcessError, FileNotFoundError) as e: - print(f"Warning: Could not get just help: {e}", file=sys.stderr) - return "" + print(f"Error: Could not get just help: {e}", file=sys.stderr) + sys.exit(1) def get_version_from_changelog() -> str: diff --git a/docs/issues/issue-487.md b/docs/issues/issue-487.md deleted file mode 100644 index 83b07c6d..00000000 --- a/docs/issues/issue-487.md +++ /dev/null 
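Review bot: `sys.exit(1)` inside `get_just_help()` turns a helper typed `-> str` into one that terminates the interpreter, so callers and tests cannot handle the failure themselves and the exit code is fixed here rather than in the entry point; raising is cleaner, e.g. `raise RuntimeError(f"Could not get just help: {e}") from e`, and let `main()` map it to a non-zero exit. `FileNotFoundError` is still caught, so any environment without `just` on PATH — including the `generate-docs` pre-commit hook this changelog mentions — now fails hard instead of emitting docs with an empty recipe list, which is presumably the intent but should be stated in the function's docstring. For `CalledProcessError` the `{e}` text carries only the command and return code unless the `subprocess.run` call above the hunk captures stderr, so the cause of a failed `just --list` may still be invisible in CI logs. `get_just_help` begins before the hunk's first line.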
@@ -1,122 +0,0 @@ ---- -type: issue -state: closed -created: 2026-04-05T18:35:25Z -updated: 2026-04-07T08:00:01Z -author: github-actions[bot] -author_url: https://github.com/github-actions[bot] -url: https://github.com/vig-os/devcontainer/issues/487 -comments: 1 -labels: bug, area:ci -assignees: c-vigo -milestone: none -projects: none -parent: none -children: none -synced: 2026-04-07T09:28:10.577Z ---- - -# [Issue 487]: [Release 0.3.2 failed -- automatic rollback](https://github.com/vig-os/devcontainer/issues/487) - - -Release 0.3.2 encountered an error during the automated release workflow. - -**Failed Jobs:** finalize, build-and-test, publish - -**Workflow Run:** [View logs](https://github.com/vig-os/devcontainer/actions/runs/24007826951) - -**Release PR:** #486 - -**Rollback Results:** -- Branch rollback: success - -**Tag status (forward-fix policy):** -- Release tags are **not** deleted by automation (workflow choice; not the same as GitHub immutable-release lock-in). -- If the tag was pushed before the failure, it remains on the remote; use a new release candidate to validate fixes, then re-run the final release when ready. - -**Actions Taken:** -- Release branch reset to pre-finalization state (best-effort) -- This issue created for investigation - -**Manual Cleanup May Be Needed:** -- If images were pushed to GHCR before the failure, they are **not** automatically deleted. Check `ghcr.io/vig-os/devcontainer:0.3.2-*` and remove any orphaned images manually. -- If a **draft** GitHub Release exists for this tag, edit or manage it from the Releases UI (**publishing** locks the linked tag and assets when **immutable releases** are enabled). - -**Next Steps:** -1. Review the workflow logs to identify the root cause -2. Check rollback results above; fix any partial rollback manually -3. Fix the issue on the release branch -4. 
Publish a new release candidate to validate the fix; re-run the final workflow when ready - -For details, check the workflow run linked above. - ---- - -# [Comment #1]() by [c-vigo]() - -_Posted on April 7, 2026 at 06:51 AM_ - -## Root Cause Analysis - -### Summary - -The `finalize` job failed because the "Release protection" ruleset (ID `14268611`) blocked the `vig-os/commit-action` from pushing the finalization commit directly to `release/0.3.2`. - -### Failed Step - -**"Commit finalization changes via API"** in the `finalize` job. The API returned: - -> Repository rule violations found -> - Changes must be made through a pull request. -> - Required status check "Test Summary" is expected. - -### Direct Cause - -The `vig-os/commit-action@v0.2.0` pushes commits by calling [`PATCH /repos/{owner}/{repo}/git/refs/{ref}`](https://docs.github.com/rest/git/refs#update-a-reference). The "Release protection" ruleset enforces two rules on `refs/heads/release/*`: - -| Rule | Effect | -|------|--------| -| `pull_request` | Requires changes via PR (blocks direct ref updates) | -| `required_status_checks` | Requires "Test Summary" to pass | - -The ruleset grants bypass to **one** actor: - -| Actor | Type | App ID | -|-------|------|--------| -| `commit-action-bot` | Integration | 2433383 | - -However, the finalize job authenticates with a token from **`vig-os-release-app`** (app ID 2930017), generated via `actions/create-github-app-token` using `RELEASE_APP_ID` / `RELEASE_APP_PRIVATE_KEY`. This token is passed to `commit-action` as `GH_TOKEN`. Since `vig-os-release-app` is **not** in the bypass list, the API rejects the ref update. - -### Triggering Event - -The "Release protection" ruleset was **updated on 2026-04-05 at 11:26 UTC** — approximately 7 hours before the failed final release (18:34 UTC). The 0.3.1 final release on March 26 used the identical workflow and commit-action version (`v0.2.0`) with the same `GH_TOKEN` source, and succeeded. 
This confirms the April 5 ruleset update introduced the blocking condition. - -### Why It Wasn't Caught Earlier - -- The **RC run** (same day, 11:38 UTC — 12 minutes after the ruleset update) succeeded because `release-kind=candidate` **skips** the entire finalize-commit path (no changelog date set, no commit-action invocation). -- No other mechanism exercises direct pushes to `release/*` branches between RC and final. - -### Cascade - -``` -finalize FAILED - → build-and-test SKIPPED (depends on finalize) - → publish SKIPPED (depends on build-and-test) - → smoke-test SKIPPED (depends on publish) - → rollback SUCCEEDED (reset release/0.3.2 to pre-finalize SHA) -``` - -No tag was pushed, no images were published to GHCR, no GitHub Release draft was created. - -### Timeline - -| Time (UTC) | Event | -|------------|-------| -| Mar 24 | "Release protection" ruleset created | -| Mar 26 17:52 | 0.3.1 final release — `commit-action` finalize **succeeded** | -| Apr 05 11:26 | "Release protection" ruleset **updated** | -| Apr 05 11:38 | 0.3.2 RC — succeeded (skips finalize-commit path) | -| Apr 05 18:34 | 0.3.2 final — `commit-action` finalize **failed** | -| Apr 05 18:35 | Rollback job — branch reset succeeded, this issue created | - - diff --git a/docs/issues/issue-492.md b/docs/issues/issue-492.md deleted file mode 100644 index 8265e733..00000000 --- a/docs/issues/issue-492.md +++ /dev/null 
@@ -1,80 +0,0 @@ ---- -type: issue -state: closed -created: 2026-04-07T08:05:29Z -updated: 2026-04-07T09:26:36Z -author: c-vigo -author_url: https://github.com/c-vigo -url: https://github.com/vig-os/devcontainer/issues/492 -comments: 0 -labels: chore, area:ci -assignees: c-vigo -milestone: none -projects: none -parent: none -children: none -synced: 2026-04-07T09:28:10.262Z ---- - -# [Issue 492]: [[CHORE] Remove scheduled CI build+test from ci.yml](https://github.com/vig-os/devcontainer/issues/492) - -### Chore Type - -CI / Build change - -### Description - -The nightly CI schedule (`cron: '0 4 * * *'`) added in #461 rebuilds the container image from `dev` and runs all test suites daily. In practice this generates noise rather than signal. - -**Why the current approach fails** - -- Image tests assert on specific package versions and file checksums that are only valid at release time. A freshly built image pulls the latest upstream packages (e.g. `just 1.49.0` vs expected `1.48.x`), causing test failures that are not bugs — they are expected drift. -- The failing nightly run ([#482](https://github.com/vig-os/devcontainer/actions/runs/24066340992)) demonstrates this: 2 failures from version drift and CHANGELOG checksum mismatch, both non-actionable until the next release. -- Integration tests and project checks do not regress without code changes — there is nothing new to catch between PRs. -- Cost: ~7 min of CI time daily (~210 min/month) plus notification fatigue. - -**Options evaluated** - -| Option | Description | Verdict | -|--------|-------------|---------| -| **A. Status quo** (full nightly CI) | Rebuild image from `dev`, run all suites | High noise from version drift. Failures are not actionable. Not recommended. | -| **B. Nightly tests against published image** | Pull `:latest` from GHCR, run test suite | Tests already passed at release. No code changed, so functional tests will not suddenly fail. Very low value-add. Not recommended. | -| **C. 
Security-only nightly** | Remove `schedule` from `ci.yml`; keep `security-scan.yml` as-is | Catches the one thing that actually changes overnight (new CVE publications). Already implemented, green, cheap. **Recommended.** | - -**Why Option C is sufficient** - -- `security-scan.yml` already runs nightly at 05:00 UTC — pulls `:latest` from GHCR, runs Trivy, generates SBOM, uploads SARIF, auto-creates issues on fixable HIGH/CRITICAL findings. -- `codeql.yml` and `scorecard.yml` run weekly for source-level security. -- Python security (Bandit + Safety) runs on every PR — new advisories are caught when the next PR opens. -- Build breakage from upstream is caught at PR time, which is when it becomes actionable anyway. - -### Acceptance Criteria - -- [ ] Remove `schedule` trigger from `ci.yml` -- [ ] Remove the `schedule`-specific checkout ref logic (`github.event_name == 'schedule' && 'dev'`) from all jobs -- [ ] Update `ci.yml` header comments to remove nightly references -- [ ] Verify `security-scan.yml` continues running nightly unchanged -- [ ] Verify PR-triggered and manual-dispatch CI behavior is unchanged - -### Implementation Notes - -- In `ci.yml`: remove lines 39-41 (`schedule` trigger) and the ternary `ref: ${{ github.event_name == 'schedule' && 'dev' || github.ref }}` in checkout steps (lines 69, 123, 151, 188, 206, 266) — simplify to just `${{ github.ref }}` (or remove the `ref` key entirely since `github.ref` is the default). -- No changes needed to `security-scan.yml`, `codeql.yml`, or `scorecard.yml`. - -### Related Issues - -Reverses the nightly CI portion of #461. The security scan portion of #461 (`security-scan.yml` upgrade to nightly) remains unchanged and is working well. 
- -### Priority - -Medium - -### Changelog Category - -No changelog needed - -### Additional Context - -- Failing run: https://github.com/vig-os/devcontainer/actions/runs/24066340992 -- Nightly history: 2/5 recent scheduled CI runs failed from upstream drift (Apr 6-7), while `security-scan.yml` has been green for 5+ consecutive runs. - diff --git a/docs/pull-requests/pr-486.md b/docs/pull-requests/pr-486.md deleted file mode 100644 index dc493417..00000000 --- a/docs/pull-requests/pr-486.md +++ /dev/null 
@@ -1,104 +0,0 @@ ---- -type: pull_request -state: open -branch: release/0.3.2 → main -created: 2026-04-05T11:29:33Z -updated: 2026-04-07T09:27:42Z -author: vig-os-release-app[bot] -author_url: https://github.com/vig-os-release-app[bot] -url: https://github.com/vig-os/devcontainer/pull/486 -comments: 0 -labels: none -assignees: c-vigo -milestone: none -projects: none -synced: 2026-04-07T09:28:13.054Z ---- - -# [PR 486](https://github.com/vig-os/devcontainer/pull/486) chore: release 0.3.2 - -# [Release 0.3.2](https://github.com/vig-os/devcontainer/releases/tag/0.3.2) - 2026-04-07 - -This PR prepares release 0.3.2 for merge to main. - -## [0.3.2] - 2026-04-07 - -### Added - -- **Downstream `promote-release.yml` workspace template** ([#463](https://github.com/vig-os/devcontainer/issues/463)) - - Add `assets/workspace/.github/workflows/promote-release.yml` as the counter-party to root `promote-release.yml`: validate draft release and release PR, publish the release, merge to `main`, best-effort git RC tag cleanup (no GHCR/cosign/smoke-test gate) - - Document in `docs/DOWNSTREAM_RELEASE.md` and align `docs/RELEASE_CYCLE.md` Phase 5 for consumer vs upstream paths -- **Optional draft pre-release for downstream release candidates** ([#463](https://github.com/vig-os/devcontainer/issues/463)) - - Workspace `release.yml` adds `create-release` (`workflow_dispatch`, default `false`); `release-publish.yml` creates a draft GitHub pre-release only when set for `candidate` runs - - Smoke-test `repository-dispatch.yml` passes `create-release=true` when triggering downstream `release.yml` - - `just publish-candidate` forwards `create-release` in `justfile.gh` and the workspace template copy - -### Changed - -- **RELEASE_APP permissions and GHCR cleanup token model** ([#463](https://github.com/vig-os/devcontainer/issues/463)) - - Document Packages read/write on the org for `promote-release` cleanup, align the app table in `docs/RELEASE_CYCLE.md`, and explain why cleanup uses the 
GitHub App token instead of `GITHUB_TOKEN` -- **Promote-release cleans up stale RC artifacts after merge** ([#463](https://github.com/vig-os/devcontainer/issues/463)) - - Best-effort job deletes GHCR package versions for `${VERSION}-rc*` and `sha256-*`-only orphans, and deletes remote git RC tags for that base version when no GitHub Release exists; does not fail the workflow on error -- **Downstream release helper recipes via GitHub justfile import** ([#373](https://github.com/vig-os/devcontainer/issues/373)) - - Move `prepare-release`, `finalize-release`, `publish-candidate`, and `reset-changelog` into `justfile.gh` so downstream workspace templates expose these release helpers by default - - Keep root recipe availability (including `pull`) through `import 'justfile.gh'` while consolidating release helper ownership in the GitHub-focused recipe file; the workspace template copy omits the `pull` recipe -- **Split final release into publish and promote phases** ([#456](https://github.com/vig-os/devcontainer/issues/456)) - - Final `release.yml` publishes versioned GHCR tags and a draft GitHub Release but no longer updates `:latest` - - New `promote-release.yml` runs after downstream smoke-test publishes its final release: updates `:latest`, publishes the draft release, merges the release PR to `main` - - Add `just promote-release` in `justfile.gh` (and workspace template copy) -- **Smoke-test dispatch fails fast when deploy PR checks fail** ([#381](https://github.com/vig-os/devcontainer/issues/381)) - - `wait-deploy-merge` in `assets/smoke-test/.github/workflows/repository-dispatch.yml` exits as soon as all required checks have completed with failures instead of waiting for the merge poll timeout (`gh pr checks --required`) -- **Scheduled security scan pulls GHCR `:latest` instead of rebuilding** ([#461](https://github.com/vig-os/devcontainer/issues/461)) - - Runs nightly at 05:00 UTC, pulls the published image, gates on fixable HIGH/CRITICAL vulnerabilities, 
auto-creates a deduplicated GitHub issue on failure, and uploads SARIF under `container-image-latest` -- **Dependabot dependency update batch** ([#474](https://github.com/vig-os/devcontainer/pull/474)) - - Bump `github/codeql-action` from `4.34.1` to `4.35.1` - - Bump `sigstore/cosign-installer` from `4.1.0` to `4.1.1` -- **Dependabot dependency update batch** ([#488](https://github.com/vig-os/devcontainer/pull/488), [#489](https://github.com/vig-os/devcontainer/pull/489)) - - Bump `@devcontainers/cli` from `0.84.1` to `0.85.0` - - Bump `docker/login-action` from `4.0.0` to `4.1.0` -- **Simplify `just pull` in `justfile.gh`** ([#482](https://github.com/vig-os/devcontainer/issues/482)) - - Pull `ghcr.io/vig-os/devcontainer` by tag; drop redundant shell fallback, per-recipe `repo` argument, and unused `REGISTRY_TEST` TLS path (imported `justfile.gh` cannot reference root `repo`) - -### Removed - -- **One-time GHCR/git RC prune script** ([#463](https://github.com/vig-os/devcontainer/issues/463)) - - Remove `scripts/prune-ghcr-tags.sh`; RC and `sha256-*` orphan cleanup remains in root `promote-release.yml` -- **Downstream RC pre-release gate from release validate job** ([#463](https://github.com/vig-os/devcontainer/issues/463)) - - Removed dead `if: false` steps from `release.yml`; downstream final release is verified only in `promote-release.yml` before promote -- **Nightly full CI schedule from `ci.yml`** ([#492](https://github.com/vig-os/devcontainer/issues/492)) - - Remove the `schedule` trigger and schedule-only checkout overrides; CI remains on pull requests and `workflow_dispatch` only - - Nightly GHCR `:latest` scan in `security-scan.yml` is unchanged - -### Fixed - -- **Prepare-release changelog commits silently skipped due to FILE_PATHS delimiter mismatch** ([#483](https://github.com/vig-os/devcontainer/issues/483)) - - Change `FILE_PATHS` from space-separated to comma-separated in all `commit-action` steps of `prepare-release.yml` so the action correctly 
commits both `CHANGELOG.md` and `assets/workspace/.devcontainer/CHANGELOG.md` - - Join finalization changed files with commas in `release.yml` (`Collect finalization files`) so `commit-action` receives multiple paths correctly -- **`publish-candidate` recipe sends unknown `create-release` input** ([#479](https://github.com/vig-os/devcontainer/issues/479)) - - Remove `create-release` parameter and `-f` flag from upstream `justfile.gh`; the input was added to the downstream workflow only but the recipe was updated in both places -- **Image tests expect current `just` minor** ([#479](https://github.com/vig-os/devcontainer/issues/479)) - - Align `EXPECTED_VERSIONS["just"]` with the latest `just` release installed by the Containerfile (1.49.x) -- **Git commit now falls back to nano when editor config is unusable** ([#383](https://github.com/vig-os/devcontainer/issues/383)) - - `setup-git-conf.sh` now validates the effective Git editor and sets `core.editor=nano` only when the configured editor is missing or invalid in-container - - Add integration regression coverage to ensure invalid editor settings are corrected during setup -- **Release finalize no longer races sync-issues; CHANGELOG TBD verified after reset** ([#455](https://github.com/vig-os/devcontainer/issues/455)) - - Run `sync-issues` after capturing finalize SHA so downstream build/publish use the finalized commit - - Fail finalize if `CHANGELOG.md` still contains `## [version] - TBD` after `git reset --hard` -- **generate-docs pre-commit runs when CHANGELOG.md changes** ([#455](https://github.com/vig-os/devcontainer/issues/455)) - - Keeps README “Latest Version” and other generated docs aligned with the changelog -- **prepare-release tolerates GitHub API ref propagation and reliable CHANGELOG rollback** ([#453](https://github.com/vig-os/devcontainer/issues/453)) - - Poll until the new release branch ref resolves before `commit-action` commits to it - - Fetch dev `CHANGELOG.md` by resolved commit SHA during 
rollback so Contents API staleness does not skip the rollback commit -- **sync-main-to-dev sync job no longer depends on dev's setup-env** ([#459](https://github.com/vig-os/devcontainer/issues/459)) - - Inline the same `retry` shell helper used by `setup-env` so the job works when `main`'s workflow expects helpers not yet on `dev` -- **CI container build avoids shared-runner Docker Hub rate limits** ([#473](https://github.com/vig-os/devcontainer/issues/473)) - - `build-image` logs in to `docker.io` before `setup-buildx-action` when `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN` secrets are set; `ci.yml` and `release.yml` pass them - - Omitting secrets (e.g. forks) keeps prior anonymous-pull behavior -- **Release finalize commit blocked by Release protection ruleset** ([#487](https://github.com/vig-os/devcontainer/issues/487)) - - Generate a dedicated Commit App token (`COMMIT_APP_ID`) for the `commit-action` step in the `finalize` job of `release.yml`, matching the pattern used by `prepare-release.yml` and other workflows; the previous Release App token lacked ruleset bypass - -### Security - -- **Nightly vulnerability gate for published container image** ([#461](https://github.com/vig-os/devcontainer/issues/461)) - - Scheduled security scan now fails on fixable HIGH/CRITICAL CVEs and auto-files a GitHub issue, replacing the previous non-blocking weekly scan - diff --git a/docs/pull-requests/pr-488.md b/docs/pull-requests/pr-488.md deleted file mode 100644 index 294b51d1..00000000 --- a/docs/pull-requests/pr-488.md +++ /dev/null 
@@ -1,96 +0,0 @@ ---- -type: pull_request -state: closed -branch: dependabot/npm_and_yarn/dev/devcontainers/cli-0.85.0 → dev -created: 2026-04-06T02:27:36Z -updated: 2026-04-07T07:49:58Z -author: dependabot[bot] -author_url: https://github.com/dependabot[bot] -url: https://github.com/vig-os/devcontainer/pull/488 -comments: 2 -labels: dependencies, javascript -assignees: none -milestone: none -projects: none -synced: 2026-04-07T09:28:17.051Z ---- - -# [PR 488](https://github.com/vig-os/devcontainer/pull/488) build(deps): bump @devcontainers/cli from 0.84.1 to 0.85.0 - -Bumps [@devcontainers/cli](https://github.com/devcontainers/cli) from 0.84.1 to 0.85.0. -
-Changelog -

Sourced from @​devcontainers/cli's changelog.

-
-

[0.85.0]

- -
-
-
-Commits - -
-
- - -[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@devcontainers/cli&package-manager=npm_and_yarn&previous-version=0.84.1&new-version=0.85.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) - -Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. - -[//]: # (dependabot-automerge-start) -[//]: # (dependabot-automerge-end) - ---- - -
-Dependabot commands and options -
- -You can trigger Dependabot actions by commenting on this PR: -- `@dependabot rebase` will rebase this PR -- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it -- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency -- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) -- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) -- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - - -
- - ---- ---- - -# Comments (2) - -## [Comment #1](https://github.com/vig-os/devcontainer/pull/488#issuecomment-4197380881) by [@c-vigo](https://github.com/c-vigo) - -_Posted on April 7, 2026 at 07:49 AM_ - -Superseded by #491 - ---- - -## [Comment #2](https://github.com/vig-os/devcontainer/pull/488#issuecomment-4197381121) by [@dependabot[bot]](https://github.com/apps/dependabot) - -_Posted on April 7, 2026 at 07:49 AM_ - -OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting `@dependabot ignore this major version` or `@dependabot ignore this minor version`. You can also ignore all major, minor, or patch releases for a dependency by adding an [`ignore` condition](https://docs.github.com/en/code-security/supply-chain-security/configuration-options-for-dependency-updates#ignore) with the desired `update_types` to your config file. - -If you change your mind, just re-open this PR and I'll resolve any conflicts on it. - ---- ---- - -## Commits - -### Commit 1: [e61e837](https://github.com/vig-os/devcontainer/commit/e61e837ab1c0ddc3b9e2dc4d5038233c53635f43) by [dependabot[bot]](https://github.com/apps/dependabot) on April 6, 2026 at 02:27 AM -build(deps): bump @devcontainers/cli from 0.84.1 to 0.85.0, 10 files modified (package-lock.json, package.json) diff --git a/docs/pull-requests/pr-489.md b/docs/pull-requests/pr-489.md deleted file mode 100644 index 636bf4fd..00000000 --- a/docs/pull-requests/pr-489.md +++ /dev/null 
@@ -1,119 +0,0 @@ ---- -type: pull_request -state: closed -branch: dependabot/github_actions/dev/actions-minor-patch-cb5fd4910d → dev -created: 2026-04-06T02:28:47Z -updated: 2026-04-07T07:49:43Z -author: dependabot[bot] -author_url: https://github.com/dependabot[bot] -url: https://github.com/vig-os/devcontainer/pull/489 -comments: 2 -labels: dependencies, github_actions -assignees: none -milestone: none -projects: none -synced: 2026-04-07T09:28:18.450Z ---- - -# [PR 489](https://github.com/vig-os/devcontainer/pull/489) ci(deps): bump docker/login-action from 4.0.0 to 4.1.0 in the actions-minor-patch group - -Bumps the actions-minor-patch group with 1 update: [docker/login-action](https://github.com/docker/login-action). - -Updates `docker/login-action` from 4.0.0 to 4.1.0 -
-Release notes -

Sourced from docker/login-action's releases.

-
-

v4.1.0

- -

Full Changelog: https://github.com/docker/login-action/compare/v4.0.0...v4.1.0

-
-
-
-Commits - -
-
- - -[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=docker/login-action&package-manager=github_actions&previous-version=4.0.0&new-version=4.1.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) - -Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. - -[//]: # (dependabot-automerge-start) -[//]: # (dependabot-automerge-end) - ---- - -
-Dependabot commands and options -
- -You can trigger Dependabot actions by commenting on this PR: -- `@dependabot rebase` will rebase this PR -- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it -- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency -- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) -- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) -- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) -- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency -- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions - - -
- - ---- ---- - -# Comments (2) - -## [Comment #1](https://github.com/vig-os/devcontainer/pull/489#issuecomment-4197379730) by [@c-vigo](https://github.com/c-vigo) - -_Posted on April 7, 2026 at 07:49 AM_ - -Superseded by #491 - ---- - -## [Comment #2](https://github.com/vig-os/devcontainer/pull/489#issuecomment-4197379924) by [@dependabot[bot]](https://github.com/apps/dependabot) - -_Posted on April 7, 2026 at 07:49 AM_ - -This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests. - -To ignore these dependencies, configure [ignore rules](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore) in dependabot.yml - ---- ---- - -## Commits - -### Commit 1: [3ca319f](https://github.com/vig-os/devcontainer/commit/3ca319fa08adbb6476f142879c79cc2600a487dd) by [dependabot[bot]](https://github.com/apps/dependabot) on April 6, 2026 at 02:28 AM -ci(deps): bump docker/login-action in the actions-minor-patch group, 6 files modified (.github/workflows/promote-release.yml, .github/workflows/release.yml) diff --git a/docs/pull-requests/pr-490.md b/docs/pull-requests/pr-490.md deleted file mode 100644 index 4024d0f1..00000000 --- a/docs/pull-requests/pr-490.md +++ /dev/null 
@@ -1,90 +0,0 @@ ---- -type: pull_request -state: closed (merged) -branch: bugfix/487-release-0-3-2-failure → release/0.3.2 -created: 2026-04-07T07:23:10Z -updated: 2026-04-07T07:29:23Z -author: c-vigo -author_url: https://github.com/c-vigo -url: https://github.com/vig-os/devcontainer/pull/490 -comments: 0 -labels: none -assignees: c-vigo -milestone: none -projects: none -merged: 2026-04-07T07:29:22Z -synced: 2026-04-07T09:28:19.586Z ---- - -# [PR 490](https://github.com/vig-os/devcontainer/pull/490) fix(ci): use Commit App token for release finalize commit - -## Description - -The release finalize job used the Release App token for `vig-os/commit-action`, but branch protection / rulesets treat that app differently than the Commit App. The workflow now generates a dedicated token from `COMMIT_APP_ID` / `COMMIT_APP_PRIVATE_KEY` (same pattern as `prepare-release.yml`) and passes it to `commit-action` as `GH_TOKEN`. - -## Type of Change - -- [ ] `feat` -- New feature -- [x] `fix` -- Bug fix -- [ ] `docs` -- Documentation only -- [ ] `chore` -- Maintenance task (deps, config, etc.) -- [ ] `refactor` -- Code restructuring (no behavior change) -- [ ] `test` -- Adding or updating tests -- [ ] `ci` -- CI/CD pipeline changes -- [ ] `build` -- Build system or dependency changes -- [ ] `revert` -- Reverts a previous commit -- [ ] `style` -- Code style (formatting, whitespace) - -### Modifiers - -- [ ] Breaking change (`!`) -- This change breaks backward compatibility - -## Changes Made - -- `.github/workflows/release.yml` — Add `Generate Commit App Token` step in the finalize job; wire `commit-action` `GH_TOKEN` to `steps.commit-app-token.outputs.token` instead of the Release App token. -- `CHANGELOG.md` — Document the fix under Unreleased / Fixed. -- `assets/workspace/.devcontainer/CHANGELOG.md` — Same changelog entry (mirrored). 
- -## Changelog Entry - -### Fixed - -- **Release finalize commit blocked by Release protection ruleset** ([#487](https://github.com/vig-os/devcontainer/issues/487)) - - Generate a dedicated Commit App token (`COMMIT_APP_ID`) for the `commit-action` step in the `finalize` job of `release.yml`, matching the pattern used by `prepare-release.yml` and other workflows; the previous Release App token lacked ruleset bypass - -## Testing - -- [ ] Tests pass locally (`just test`) -- [ ] Manual testing performed (describe below) - -### Manual Testing Details - -N/A — workflow-only change; verify on the next release run after merge. - -## Checklist - -- [x] My code follows the project's style guidelines -- [x] I have performed a self-review of my code -- [ ] I have commented my code, particularly in hard-to-understand areas -- [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`) -- [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above) -- [x] My changes generate no new warnings or errors -- [ ] I have added tests that prove my fix is effective or that my feature works -- [ ] New and existing unit tests pass locally with my changes -- [x] Any dependent changes have been merged and published - -## Additional Notes - -Ensure repository secrets `COMMIT_APP_ID` and `COMMIT_APP_PRIVATE_KEY` are configured for the Commit App with the permissions needed to push to `release/*` per your ruleset design. - -Refs: #487 - - - ---- ---- - -## Commits - -### Commit 1: [b9ffa6a](https://github.com/vig-os/devcontainer/commit/b9ffa6a37533f9b65400c6d55d920828cb9bf5fe) by [c-vigo](https://github.com/c-vigo) on April 7, 2026 at 07:17 AM -fix(ci): use Commit App token for release finalize commit, 13 files modified (.github/workflows/release.yml, CHANGELOG.md, assets/workspace/.devcontainer/CHANGELOG.md) 
diff --git a/docs/pull-requests/pr-491.md b/docs/pull-requests/pr-491.md deleted file mode 100644 index bbc613d7..00000000 --- a/docs/pull-requests/pr-491.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -type: pull_request -state: closed (merged) -branch: chore/update-deps → release/0.3.2 -created: 2026-04-07T07:48:02Z -updated: 2026-04-07T07:54:33Z -author: c-vigo -author_url: https://github.com/c-vigo -url: https://github.com/vig-os/devcontainer/pull/491 -comments: 0 -labels: none -assignees: none -milestone: none -projects: none -merged: 2026-04-07T07:54:32Z -synced: 2026-04-07T09:28:15.434Z ---- - -# [PR 491](https://github.com/vig-os/devcontainer/pull/491) chore: cherry-pick dependency updates (#488, #489) - -## Summary - -Cherry-picks dependency updates from open Dependabot PRs targeting `dev` so `release/0.3.2` stays aligned. - -## Changes - -- **#488** — Bump `@devcontainers/cli` from `0.84.1` to `0.85.0` (`package.json`, `package-lock.json`) -- **#489** — Bump `docker/login-action` from `4.0.0` to `4.1.0` (`.github/workflows/release.yml`, `.github/workflows/promote-release.yml`) - -## Changelog - -- Added Dependabot batch entry under `## [0.3.2] - TBD` → `### Changed` in root and workspace `CHANGELOG.md`. 
- -Refs: #488, #489 - - ---- ---- - -## Commits - -### Commit 1: [6551444](https://github.com/vig-os/devcontainer/commit/65514441c03445cf1a4fd4debbbefb3510f86222) by [dependabot[bot]](https://github.com/apps/dependabot) on April 6, 2026 at 02:27 AM -build(deps): bump @devcontainers/cli from 0.84.1 to 0.85.0, 10 files modified (package-lock.json, package.json) - -### Commit 2: [643ed7e](https://github.com/vig-os/devcontainer/commit/643ed7e7cc48c2bb50e8c5061c4cb44197af48f1) by [dependabot[bot]](https://github.com/apps/dependabot) on April 6, 2026 at 02:28 AM -ci(deps): bump docker/login-action in the actions-minor-patch group, 6 files modified (.github/workflows/promote-release.yml, .github/workflows/release.yml) - -### Commit 3: [53073ee](https://github.com/vig-os/devcontainer/commit/53073ee60701595c42a43b000a214ee53786db69) by [c-vigo](https://github.com/c-vigo) on April 7, 2026 at 07:44 AM -chore: update changelog for dependency bumps (#488, #489), 6 files modified (CHANGELOG.md, assets/workspace/.devcontainer/CHANGELOG.md) diff --git a/docs/pull-requests/pr-493.md b/docs/pull-requests/pr-493.md deleted file mode 100644 index 9c8de143..00000000 --- a/docs/pull-requests/pr-493.md +++ /dev/null 
@@ -1,100 +0,0 @@ ---- -type: pull_request -state: closed (merged) -branch: chore/492-remove-scheduled-ci → release/0.3.2 -created: 2026-04-07T08:38:44Z -updated: 2026-04-07T08:46:09Z -author: c-vigo -author_url: https://github.com/c-vigo -url: https://github.com/vig-os/devcontainer/pull/493 -comments: 0 -labels: none -assignees: c-vigo -milestone: none -projects: none -merged: 2026-04-07T08:46:08Z -synced: 2026-04-07T09:28:14.273Z ---- - -# [PR 493](https://github.com/vig-os/devcontainer/pull/493) chore(ci): remove scheduled full CI from ci.yml - -## Description - -Removes the nightly `schedule` trigger from `.github/workflows/ci.yml` and all schedule-only checkout `ref` overrides, as agreed in #492. PR and `workflow_dispatch` behavior is unchanged. Updates `security-scan.yml` header comments so they no longer reference the removed 04:00 UTC CI run. Changelog for 0.3.2 is adjusted: drop the unreleased “Nightly CI schedule” (#461) bullet from **Changed** and document the removal under **Removed** (#492). - -## Type of Change - -- [ ] `feat` -- New feature -- [ ] `fix` -- Bug fix -- [ ] `docs` -- Documentation only -- [x] `chore` -- Maintenance task (deps, config, etc.) -- [ ] `refactor` -- Code restructuring (no behavior change) -- [ ] `test` -- Adding or updating tests -- [x] `ci` -- CI/CD pipeline changes -- [ ] `build` -- Build system or dependency changes -- [ ] `revert` -- Reverts a previous commit -- [ ] `style` -- Code style (formatting, whitespace) - -### Modifiers - -- [ ] Breaking change (`!`) -- This change breaks backward compatibility - -## Changes Made - -- **`.github/workflows/ci.yml`** — Remove `schedule` (`cron: '0 4 * * *'`); remove nightly trigger from file header; drop `with: ref: ${{ github.event_name == 'schedule' && 'dev' || github.ref }}` from all checkout steps (default ref for PR/dispatch). 
-- **`.github/workflows/security-scan.yml`** — Header: describe PR-based full CI + Trivy; remove “after nightly CI at 04:00 UTC”; keep nightly 05:00 UTC scan behavior unchanged. -- **`CHANGELOG.md`** / **`assets/workspace/.devcontainer/CHANGELOG.md`** — Remove **Nightly CI schedule** (#461) from **Changed**; add **Nightly full CI schedule from `ci.yml`** (#492) under **Removed** with sub-bullets. - -## Changelog Entry - -Release section `## [0.3.2] - TBD` (this branch targets `release/0.3.2`, not `## Unreleased`): - -### Removed - -- **Nightly full CI schedule from `ci.yml`** ([#492](https://github.com/vig-os/devcontainer/issues/492)) - - Remove the `schedule` trigger and schedule-only checkout overrides; CI remains on pull requests and `workflow_dispatch` only - - Nightly GHCR `:latest` scan in `security-scan.yml` is unchanged - -### Changed (edit relative to prior 0.3.2 draft) - -- Removed the **Nightly CI schedule** ([#461](https://github.com/vig-os/devcontainer/issues/461)) bullet from **Changed** so the release notes no longer claim a nightly full CI run. - -## Testing - -- [ ] Tests pass locally (`just test`) -- [ ] Manual testing performed (describe below) - -### Manual Testing Details - -N/A — workflow YAML and changelog only; validation via CI on this PR. 
- -## Checklist - -- [x] My code follows the project's style guidelines -- [x] I have performed a self-review of my code -- [ ] I have commented my code, particularly in hard-to-understand areas -- [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`) -- [x] I have updated `CHANGELOG.md` in the `[0.3.2] - TBD` section (and pasted the entry above) -- [x] My changes generate no new warnings or errors -- [ ] I have added tests that prove my fix is effective or that my feature works -- [ ] New and existing unit tests pass locally with my changes -- [x] Any dependent changes have been merged and published - -## Additional Notes - -N/A - -Refs: #492 - - - ---- ---- - -## Commits - -### Commit 1: [0092897](https://github.com/vig-os/devcontainer/commit/00928971853b275616153a8817b6ca75f5d3a6a5) by [c-vigo](https://github.com/c-vigo) on April 7, 2026 at 08:30 AM -chore(ci): remove scheduled CI from ci.yml, 22 files modified (.github/workflows/ci.yml, .github/workflows/security-scan.yml) - -### Commit 2: [037f050](https://github.com/vig-os/devcontainer/commit/037f050e4799b1771df456505a6daa6380049fe6) by [c-vigo](https://github.com/c-vigo) on April 7, 2026 at 08:32 AM -docs(ci): note removal of nightly CI schedule, 10 files modified (CHANGELOG.md, assets/workspace/.devcontainer/CHANGELOG.md) diff --git a/tests/bats/just.bats b/tests/bats/just.bats index 582bd4f4..9be54bd5 100644 --- a/tests/bats/just.bats +++ b/tests/bats/just.bats 
@@ -55,6 +55,11 @@ setup() { assert_success } +@test "release workflow finalize job does not disable just install" { + run bash -lc "awk '/^ finalize:/{flag=1} /^ build-and-test:/{flag=0} flag {print}' .github/workflows/release.yml | grep -Fq -- \"install-just: 'false'\"" + assert_failure +} + @test "prepare-release PR body omits persistent checklist and related sections" { run bash -lc "! awk '/^ - name: Create draft PR to main/{flag=1} /^ - name: Roll back prepare-release side effects on failure/{flag=0} flag {print}' .github/workflows/prepare-release.yml | grep -Fq -- '### Testing Checklist' && ! awk '/^ - name: Create draft PR to main/{flag=1} /^ - name: Roll back prepare-release side effects on failure/{flag=0} flag {print}' .github/workflows/prepare-release.yml | grep -Fq -- '### When Ready to Release' && ! awk '/^ - name: Create draft PR to main/{flag=1} /^ - name: Roll back prepare-release side effects on failure/{flag=0} flag {print}' .github/workflows/prepare-release.yml | grep -Fq -- '### Related'" assert_success diff --git a/tests/test_utils.py b/tests/test_utils.py index d0dba535..34613aa9 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -56,21 +56,26 @@ def test_returns_string(self): assert isinstance(result, str) assert len(result) > 0 - def test_fallback_when_just_not_found(self): - """Should return HTML comment fallback when 'just' binary is missing.""" - with patch("subprocess.run", side_effect=FileNotFoundError("no just")): - result = generate.get_just_help() - assert "just --list" in result - assert "
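Review bot: The new `release workflow finalize job does not disable just install` test asserts only that the final grep fails, so it also passes vacuously when the awk range extracts nothing — for instance if the `finalize:` job were renamed, the file path moved, or the leading indentation in `/^ finalize:/` no longer matched the workflow — and would then never catch the regression it exists for. Add a positive control before the negative check so the extracted section is known to be non-empty, e.g. `run bash -lc "awk '/^ finalize:/{flag=1} /^ build-and-test:/{flag=0} flag {print}' .github/workflows/release.yml | grep -q ."` followed by `assert_success`, and only then the existing `assert_failure` check. The fixed-string match on `install-just: 'false'` also misses `install-just: false` and the double-quoted form, so a pattern such as `grep -Eq -- "install-just: *['\"]?false"` would make the guard robust to YAML quoting style. The range end `/^ build-and-test:/` presumably names the job that follows `finalize:` in release.yml; if that job ever precedes it instead, the range would run to end of file and a disabled install in an unrelated later job would fail this test, which is worth a one-line comment above the `run` explaining the chosen boundary.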