
chore: sync dev with main (conflicts)#508

Merged
c-vigo merged 46 commits into dev from chore/sync-main-to-dev-4-1
Apr 8, 2026

Conversation

@vig-os-release-app
Contributor

Automated sync of main to dev found merge conflicts that require manual resolution.

How to resolve

```sh
git fetch origin chore/sync-main-to-dev-4-1:chore/sync-main-to-dev-4-1
git checkout chore/sync-main-to-dev-4-1
git merge origin/dev
# resolve conflicts
git commit -S
git push origin chore/sync-main-to-dev-4-1
```

Once pushed, this PR will update and become mergeable.

commit-action-bot Bot and others added 30 commits April 5, 2026 11:29
Strip empty Unreleased section from release branch.
Release date TBD (set during finalization).
## Description

The release finalize job used the Release App token for
`vig-os/commit-action`, but branch protection / rulesets treat that app
differently than the Commit App. The workflow now generates a dedicated
token from `COMMIT_APP_ID` / `COMMIT_APP_PRIVATE_KEY` (same pattern as
`prepare-release.yml`) and passes it to `commit-action` as `GH_TOKEN`.

## Type of Change

- [ ] `feat` -- New feature
- [x] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [ ] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers

- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made

- `.github/workflows/release.yml` — Add `Generate Commit App Token` step
in the finalize job; wire `commit-action` `GH_TOKEN` to
`steps.commit-app-token.outputs.token` instead of the Release App token.
- `CHANGELOG.md` — Document the fix under Unreleased / Fixed.
- `assets/workspace/.devcontainer/CHANGELOG.md` — Same changelog entry
(mirrored).

## Changelog Entry

### Fixed

- **Release finalize commit blocked by Release protection ruleset** ([#487](#487))
  - Generate a dedicated Commit App token (`COMMIT_APP_ID`) for the `commit-action` step in the `finalize` job of `release.yml`, matching the pattern used by `prepare-release.yml` and other workflows; the previous Release App token lacked ruleset bypass

## Testing

- [ ] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)

### Manual Testing Details

N/A — workflow-only change; verify on the next release run after merge.

## Checklist

- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit
`docs/templates/`, then run `just docs`)
- [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and
pasted the entry above)
- [x] My changes generate no new warnings or errors
- [ ] I have added tests that prove my fix is effective or that my
feature works
- [ ] New and existing unit tests pass locally with my changes
- [x] Any dependent changes have been merged and published

## Additional Notes

Ensure repository secrets `COMMIT_APP_ID` and `COMMIT_APP_PRIVATE_KEY`
are configured for the Commit App with the permissions needed to push to
`release/*` per your ruleset design.

Refs: #487
Bumps [@devcontainers/cli](https://github.com/devcontainers/cli) from 0.84.1 to 0.85.0.
- [Changelog](https://github.com/devcontainers/cli/blob/main/CHANGELOG.md)
- [Commits](devcontainers/cli@v0.84.1...v0.85.0)

---
updated-dependencies:
- dependency-name: "@devcontainers/cli"
  dependency-version: 0.85.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the actions-minor-patch group with 1 update: [docker/login-action](https://github.com/docker/login-action).


Updates `docker/login-action` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@b45d80f...4907a6d)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
## Summary

Cherry-picks dependency updates from open Dependabot PRs targeting `dev`
so `release/0.3.2` stays aligned.

## Changes

- **#488** — Bump `@devcontainers/cli` from `0.84.1` to `0.85.0`
(`package.json`, `package-lock.json`)
- **#489** — Bump `docker/login-action` from `4.0.0` to `4.1.0`
(`.github/workflows/release.yml`,
`.github/workflows/promote-release.yml`)

## Changelog

- Added Dependabot batch entry under `## [0.3.2] - TBD` → `### Changed`
in root and workspace `CHANGELOG.md`.

Refs: #488, #489
## Description

Removes the nightly `schedule` trigger from `.github/workflows/ci.yml`
and all schedule-only checkout `ref` overrides, as agreed in #492. PR
and `workflow_dispatch` behavior is unchanged. Updates
`security-scan.yml` header comments so they no longer reference the
removed 04:00 UTC CI run. Changelog for 0.3.2 is adjusted: drop the
unreleased “Nightly CI schedule” (#461) bullet from **Changed** and
document the removal under **Removed** (#492).

## Type of Change

- [ ] `feat` -- New feature
- [ ] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [x] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [x] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers

- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made

- **`.github/workflows/ci.yml`** — Remove `schedule` (`cron: '0 4 * * *'`); remove nightly trigger from file header; drop `with: ref: ${{ github.event_name == 'schedule' && 'dev' || github.ref }}` from all checkout steps (default ref for PR/dispatch).
- **`.github/workflows/security-scan.yml`** — Header: describe PR-based full CI + Trivy; remove “after nightly CI at 04:00 UTC”; keep nightly 05:00 UTC scan behavior unchanged.
- **`CHANGELOG.md`** / **`assets/workspace/.devcontainer/CHANGELOG.md`** — Remove **Nightly CI schedule** (#461) from **Changed**; add **Nightly full CI schedule from `ci.yml`** (#492) under **Removed** with sub-bullets.

## Changelog Entry

Release section `## [0.3.2] - TBD` (this branch targets `release/0.3.2`,
not `## Unreleased`):

### Removed

- **Nightly full CI schedule from `ci.yml`** ([#492](#492))
  - Remove the `schedule` trigger and schedule-only checkout overrides; CI remains on pull requests and `workflow_dispatch` only
  - Nightly GHCR `:latest` scan in `security-scan.yml` is unchanged

### Changed (edit relative to prior 0.3.2 draft)

- Removed the **Nightly CI schedule**
([#461](#461)) bullet from
**Changed** so the release notes no longer claim a nightly full CI run.

## Testing

- [ ] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)

### Manual Testing Details

N/A — workflow YAML and changelog only; validation via CI on this PR.

## Checklist

- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit
`docs/templates/`, then run `just docs`)
- [x] I have updated `CHANGELOG.md` in the `[0.3.2] - TBD` section (and
pasted the entry above)
- [x] My changes generate no new warnings or errors
- [ ] I have added tests that prove my fix is effective or that my
feature works
- [ ] New and existing unit tests pass locally with my changes
- [x] Any dependent changes have been merged and published

## Additional Notes

N/A

Refs: #492
Set release date to 2026-04-07 and regenerate release docs.

Refs: #486
## Summary
Reverts the corrupted finalize + sync commits, fixes finalize job so
`just` is installed before `docs/generate.py`, and makes
`get_just_help()` exit non-zero on failure.

## Remote cleanup (done)

**vig-os/devcontainer**
- Draft GitHub Release `0.3.2` deleted
- Git tag `0.3.2` deleted
- GHCR final images `0.3.2`, `0.3.2-arm64`, `0.3.2-amd64` deleted (RC
tags kept)

**vig-os/devcontainer-smoke-test** (so re-dispatch does not fail on tag
SHA mismatch in downstream `release-core.yml`)
- Draft GitHub Release `0.3.2` deleted
- Git tag `0.3.2` deleted
- Kept: `0.3.2-rc1` tag and draft pre-release; merged deploy/release PRs
are historical only

## After merge
Run `just finalize-release 0.3.2` to complete the release.

Refs: #494
## Description

`prepare-changelog finalize` now writes version headings with a markdown
link to the GitHub release tag
(`https://github.com/owner/repo/releases/tag/X.Y.Z`). The repository
slug is taken from `GITHUB_REPOSITORY` (as in GitHub Actions) or from a
new `--github-repository` CLI flag. `unprepare` accepts linked `##
[semver](url) - …` headings so release rollback still works.

## Type of Change

- [x] `feat` -- New feature
- [ ] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [ ] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers

- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made

- **`packages/vig-utils/src/vig_utils/prepare_changelog.py`**
  - Add `_validate_github_repository_slug` and `_resolve_github_repository`; `finalize_release_date` accepts optional `github_repository` and emits linked headings; `unprepare_changelog` regex allows optional `(url)` after the version; `finalize` subcommand adds `--github-repository`; help text updated.
- **`packages/vig-utils/tests/test_prepare_changelog.py`**
  - Coverage for linked headings, env vs flag slug, validation errors, and subprocess/CLI behavior.
- **`docs/RELEASE_CYCLE.md`**, **`packages/vig-utils/README.md`**
  - Document `finalize` signature, `GITHUB_REPOSITORY`, and `--github-repository` example.
- **`CHANGELOG.md`**, **`assets/workspace/.devcontainer/CHANGELOG.md`**
  - Unreleased entry for #496.

**Commits (vs `release/0.3.2`):** `test: …`, `feat(vigutils): …`, `docs:
…` (Refs: #496).

## Changelog Entry

### Changed

- **prepare-changelog finalize adds GitHub release link to version headings** ([#496](#496))
  - `finalize_release_date` writes `## [X.Y.Z](https://github.com/owner/repo/releases/tag/X.Y.Z) - date`; repository slug comes from `GITHUB_REPOSITORY` (set in Actions) or from `prepare-changelog finalize ... --github-repository owner/repo`
  - `unprepare` recognizes linked `## [semver](url) - …` headings

## Testing

- [ ] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)

Full `just test` was not run. **vig-utils only:** `uv run pytest
packages/vig-utils/tests/test_prepare_changelog.py` — 121 passed.

### Manual Testing Details

N/A (CLI and library behavior covered by unit and subprocess tests in
`packages/vig-utils/tests/test_prepare_changelog.py`).

## Checklist

- [x] My code follows the project's style guidelines
- [ ] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [x] I have updated the documentation accordingly (edit
`docs/templates/`, then run `just docs`)
- [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and
pasted the entry above)
- [x] My changes generate no new warnings or errors
- [x] I have added tests that prove my fix is effective or that my
feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published

## Additional Notes

N/A

Refs: #496
Set release date to 2026-04-07 and regenerate release docs.

Refs: #486
The `if "$@"; then return 0; fi; rc=$?` pattern always set rc=0 because bash's `if` compound command exits 0 when the condition fails and there is no `else` clause. Replace with `"$@" && return 0`.

Refs: #500
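The exit-code bug described in this commit, as an added example rather than the project's own `retry.sh`: a constructed minimal retry helper in the broken `if ... fi; rc=$?` form beside the fixed `"$@" && return 0` form, plus a small probe that reports what each returns. The function names, the attempt-count argument and the failing probe command are assumptions.

```shell
# Added example, not the project's retry.sh. Two minimal retry helpers
# that try a command up to N times; they differ only in how the
# command's exit status is observed.

# Broken form: `if CMD; then return 0; fi` exits 0 when CMD fails (no
# `else` branch), so the `rc=$?` that follows always captures 0 and the
# caller, e.g. a CI job, sees success after every attempt failed.
retry_broken() {
  attempts=$1; shift
  i=0; rc=0
  while [ "$i" -lt "$attempts" ]; do
    i=$((i + 1))
    if "$@"; then return 0; fi; rc=$?
  done
  return "$rc"   # always 0
}

# Fixed form: `CMD && return 0` leaves CMD's own status in $? when the
# `&&` short-circuits, so the last non-zero status is what gets returned.
retry_fixed() {
  attempts=$1; shift
  i=0; rc=0
  while [ "$i" -lt "$attempts" ]; do
    i=$((i + 1))
    "$@" && return 0
    rc=$?
  done
  return "$rc"   # the command's last non-zero exit code
}

# Probe: run a retry function and print the status it returned. Safe
# under `set -e` because the call sits on the left of `||`.
observed_rc() {
  status=0
  "$@" || status=$?
  printf '%s\n' "$status"
}

# Usage (constructed failing command with exit status 3):
#   observed_rc retry_broken 2 sh -c 'exit 3'   # prints 0 (the bug)
#   observed_rc retry_fixed  2 sh -c 'exit 3'   # prints 3
```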
Branch protection rulesets reject force-push on release/* branches, causing silent rollback failures. Create a revert commit via the Git Data API (fast-forward update) instead.

Refs: #500
Reverts 10e2ff3 ("chore: finalize release 0.3.2"), the orphaned finalize commit left on release/0.3.2 by the broken rollback (#499). The release workflow will re-finalize when re-run.

Refs: #500
c-vigo and others added 15 commits April 7, 2026 23:20
## Description

Fixes [#500](#500): the CI
`retry` helper now returns the failed command’s non-zero exit status
after exhausting retries (so jobs fail correctly). Release workflow
rollback no longer force-pushes; it creates a revert commit via the Git
API so it works with branch protection on `release/*`. Includes BATS
coverage for `retry` exit-code behavior. The branch also contains
`revert: undo finalize release 0.3.2` so the release line can be
corrected before re-finalizing.

## Type of Change

- [x] `fix` -- Bug fix
- [ ] `feat` -- New feature
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [ ] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers

- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made

- `.github/actions/setup-env/action.yml` — `retry` propagates the last
non-zero exit code when all attempts fail.
- `.github/workflows/release.yml` — Rollback uses a GitHub API revert
commit instead of force-push; aligns with protected `release/*`
branches.
- `.github/workflows/sync-main-to-dev.yml` — Inline `retry` helper
matches `setup-env`: run `"$@" && return 0` so the command’s exit code
is observed (same pattern as the fixed `retry` in `setup-env`).
- `CHANGELOG.md` — `## Unreleased` / **Fixed** entry for
[#500](#500).
- `assets/workspace/.devcontainer/CHANGELOG.md` — Same entry mirrored
for the workspace template changelog.
- `README.md` — “Latest Version” rolled back to 0.3.1 with the revert of
finalize 0.3.2 (will move forward again when the release is
re-finalized).
- `tests/bats/fixtures/retry_helper.bash` — Fixture shell `retry`
matching CI behavior for tests.
- `tests/bats/retry.bats` — BATS tests asserting exit-code propagation
from `retry`.

**Commits (vs `origin/release/0.3.2`):** `57789cc` test: BATS for retry
exit codes; `fcad7ef` fix(ci): propagate retry exit code; `4c7a4a4`
fix(ci): revert-commit rollback; `e033833` revert: undo finalize release
0.3.2; `e307f57` docs: changelog for retry and rollback fixes.

## Changelog Entry

```markdown
## Unreleased

### Fixed

- **Release rollback and CI `retry` exit codes** ([#500](#500))
  - `retry` shell helper now propagates the command's non-zero exit code when all attempts fail
  - Release rollback creates a fast-forward revert commit via the Git API instead of force-pushing, compatible with branch protection on `release/*`
```

(Same **Fixed** block appears under `## Unreleased` in
`assets/workspace/.devcontainer/CHANGELOG.md`.)

## Testing

- [ ] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)

### Manual Testing Details

N/A — workflow and shell-helper behavior; rely on CI and BATS. Re-run
`just test` locally before merge if the full suite was not green in your
environment.

## Checklist

- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit
`docs/templates/`, then run `just docs`)
- [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and
pasted the entry above)
- [x] My changes generate no new warnings or errors
- [x] I have added tests that prove my fix is effective or that my
feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published

## Additional Notes

- **Base branch:** `release/0.3.2` (hotfix PR), not `dev`. Remote
`release/0.3.2` may already show a dated `## [0.3.2](…)` heading; this
branch includes a revert of finalize so the corrected changelog and
workflows can land before a new finalize.
- **Changelog convention:** On `release/*`, some teams fold fixes into
`## [0.3.2] - TBD` instead of `## Unreleased`. Confirm with release
owners whether to move the
[#500](#500) bullets under
the version section before merge.

Refs: #500
## Description

When finalize fails and the release workflow rolls back the release
branch, the release PR description could be left out of sync. This
change extends the `rollback` job in `release.yml` so that, for final
releases, it restores the PR body from the pre-finalization
`CHANGELOG.md` (TBD / prepare-release format) using `RELEASE_APP`, and
surfaces the outcome in the failure issue and job summary.

## Type of Change

- [ ] `feat` -- New feature
- [x] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [ ] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers

- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made

- `.github/workflows/release.yml`
  - Add rollback step(s) to restore release PR body after branch rollback when `release_kind` is final, using changelog-derived description and `RELEASE_APP`.
- `CHANGELOG.md` / `assets/workspace/.devcontainer/CHANGELOG.md`
  - Document the fix under `## [0.3.2] - TBD` → Fixed.

## Changelog Entry

```diff
@@ -91,6 +91,8 @@
   - Release rollback creates a fast-forward revert commit via the Git API instead of force-pushing, compatible with branch protection on `release/*`
   - Rollback Git Data API steps authenticate with the Commit app token (same as finalize) so protected `release/*` ref updates are not blocked
   - Canonical `retry()` implementation lives in `.github/scripts/retry.sh`; `setup-env` and BATS source it so CI and tests stay aligned (`sync-main-to-dev.yml` keeps an inline copy documented as in sync)
+- **Release rollback restores release PR body after finalize** ([#502](#502))
+  - `rollback` job in `release.yml` restores the PR description from pre-finalization `CHANGELOG.md` (TBD / prepare-release format) using RELEASE_APP when `release_kind` is final, after branch rollback; failure issue and job summary report the step outcome
 
 ### Security
```
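Review bot: the hunk header `@@ -91,6 +91,8 @@` carries no section context, so the diff alone does not show that the two added bullets land under `## [0.3.2] - TBD` / `### Fixed`, which is what the Changes Made list and the checklist state; the only visible neighbours are the #500 sub-bullets above and `### Security` below. Consider regenerating the snippet with wider context (for example `git diff -U12`) so the version and section headings appear in the hunk. Also, `RELEASE_APP` in the new sub-bullet is left unquoted while the sibling bullets backtick-quote names such as `release_kind` and `release.yml`; quoting it the same way keeps the entry consistent.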

## Testing

- [ ] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)

### Manual Testing Details

N/A (CI workflow change; tests not run for this submission.)

## Checklist

- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit
`docs/templates/`, then run `just docs`)
- [x] I have updated `CHANGELOG.md` under `## [0.3.2] - TBD` (and pasted
the entry above)
- [x] My changes generate no new warnings or errors
- [ ] I have added tests that prove my fix is effective or that my
feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published

## Additional Notes

N/A

Refs: #502
Set release date to 2026-04-08 and regenerate release docs.

Refs: #486
## Description

Fix release notes extraction in the `publish` job of `release.yml`.
After #496 added GitHub release links to finalized changelog headings,
the `awk` command that extracts version-specific notes stopped matching
because it expected `## [X.Y.Z] - date` but got `## [X.Y.Z](url) -
date`. This changes the match to use the `## [VERSION]` prefix only.

## Type of Change

- [ ] `feat` -- New feature
- [x] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [ ] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers

- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made

- **`.github/workflows/release.yml`** -- Changed the `awk` command in the publish job to match on `## [VERSION]` prefix instead of `## [VERSION] - `, so that linked headings (`## [X.Y.Z](url) - date`) are correctly matched for GitHub Release notes extraction.
- **`CHANGELOG.md`** / **`assets/workspace/.devcontainer/CHANGELOG.md`** -- Added changelog entry under Fixed for #504.

## Changelog Entry

### Fixed

- **Final release notes extraction after linked changelog headings** ([#504](#504))
  - Publish job `awk` matches `## [VERSION]` prefix so finalized `## [X.Y.Z](url) - date` headings produce GitHub Release notes (regression after prepare-changelog linked headings in #496)

## Testing

- [ ] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)

### Manual Testing Details

N/A

## Checklist

- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit
`docs/templates/`, then run `just docs`)
- [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and
pasted the entry above)
- [x] My changes generate no new warnings or errors
- [ ] I have added tests that prove my fix is effective or that my
feature works
- [x] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published

## Additional Notes

N/A

Refs: #504
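The heading-matching regression described above, as an added example (not the project's `release.yml` `awk`): a constructed changelog with one linked and one plain version heading, the old `## [VERSION] - ` match that misses the linked form, and the prefix-only match that handles both. The function names and the sample changelog are assumptions.

```shell
# Added example, not the project's release.yml. Extract the notes for
# one version from a Keep-a-Changelog style file read on stdin.

# Constructed changelog: one finalized heading with a release link (the
# form `prepare-changelog finalize` now writes) and one older plain one.
sample_changelog() {
  cat <<'EOF'
# Changelog

## Unreleased

### Fixed

- pending entry

## [0.3.2](https://github.com/owner/repo/releases/tag/0.3.2) - 2026-04-08

### Fixed

- entry under a linked heading

## [0.3.1] - 2026-03-01

### Added

- entry under a plain heading
EOF
}

# Old match: requires the literal `## [VERSION] - ` prefix, so the linked
# heading `## [0.3.2](url) - date` never starts a capture and the
# release notes come out empty.
extract_notes_old() {
  awk -v ver="$1" '
    index($0, "## [" ver "] - ") == 1 { capture = 1; next }
    capture && /^## /                 { exit }
    capture                           { print }
  '
}

# Fixed match: only the `## [VERSION]` prefix must be present, which both
# heading forms satisfy; index() is a plain substring test, so brackets
# and dots in the version need no regex escaping. Leading blank lines of
# the section are dropped so the output is ready for the release body.
extract_notes() {
  awk -v ver="$1" '
    index($0, "## [" ver "]") == 1   { capture = 1; next }
    capture && /^## /                { exit }
    capture && !body && /^[ \t]*$/   { next }
    capture                          { body = 1; print }
  '
}

# Usage:
#   sample_changelog | extract_notes_old 0.3.2   # prints nothing
#   sample_changelog | extract_notes 0.3.2       # prints the 0.3.2 section
```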
Set release date to 2026-04-08 and regenerate release docs.

Refs: #486
# [Release 0.3.2](https://github.com/vig-os/devcontainer/releases/tag/0.3.2) - 2026-04-08

This PR prepares release 0.3.2 for merge to main.

## [0.3.2](https://github.com/vig-os/devcontainer/releases/tag/0.3.2) - 2026-04-08

### Added

- **Downstream `promote-release.yml` workspace template** ([#463](#463))
  - Add `assets/workspace/.github/workflows/promote-release.yml` as the counter-party to root `promote-release.yml`: validate draft release and release PR, publish the release, merge to `main`, best-effort git RC tag cleanup (no GHCR/cosign/smoke-test gate)
  - Document in `docs/DOWNSTREAM_RELEASE.md` and align `docs/RELEASE_CYCLE.md` Phase 5 for consumer vs upstream paths
- **Optional draft pre-release for downstream release candidates** ([#463](#463))
  - Workspace `release.yml` adds `create-release` (`workflow_dispatch`, default `false`); `release-publish.yml` creates a draft GitHub pre-release only when set for `candidate` runs
  - Smoke-test `repository-dispatch.yml` passes `create-release=true` when triggering downstream `release.yml`
  - `just publish-candidate` forwards `create-release` in `justfile.gh` and the workspace template copy

### Changed

- **RELEASE_APP permissions and GHCR cleanup token model** ([#463](#463))
  - Document Packages read/write on the org for `promote-release` cleanup, align the app table in `docs/RELEASE_CYCLE.md`, and explain why cleanup uses the GitHub App token instead of `GITHUB_TOKEN`
- **Promote-release cleans up stale RC artifacts after merge** ([#463](#463))
  - Best-effort job deletes GHCR package versions for `${VERSION}-rc*` and `sha256-*`-only orphans, and deletes remote git RC tags for that base version when no GitHub Release exists; does not fail the workflow on error
- **Downstream release helper recipes via GitHub justfile import** ([#373](#373))
  - Move `prepare-release`, `finalize-release`, `publish-candidate`, and `reset-changelog` into `justfile.gh` so downstream workspace templates expose these release helpers by default
  - Keep root recipe availability (including `pull`) through `import 'justfile.gh'` while consolidating release helper ownership in the GitHub-focused recipe file; the workspace template copy omits the `pull` recipe
- **Split final release into publish and promote phases** ([#456](#456))
  - Final `release.yml` publishes versioned GHCR tags and a draft GitHub Release but no longer updates `:latest`
  - New `promote-release.yml` runs after downstream smoke-test publishes its final release: updates `:latest`, publishes the draft release, merges the release PR to `main`
  - Add `just promote-release` in `justfile.gh` (and workspace template copy)
- **Smoke-test dispatch fails fast when deploy PR checks fail** ([#381](#381))
  - `wait-deploy-merge` in `assets/smoke-test/.github/workflows/repository-dispatch.yml` exits as soon as all required checks have completed with failures instead of waiting for the merge poll timeout (`gh pr checks --required`)
- **Scheduled security scan pulls GHCR `:latest` instead of rebuilding** ([#461](#461))
  - Runs nightly at 05:00 UTC, pulls the published image, gates on fixable HIGH/CRITICAL vulnerabilities, auto-creates a deduplicated GitHub issue on failure, and uploads SARIF under `container-image-latest`
- **Dependabot dependency update batch** ([#474](#474))
  - Bump `github/codeql-action` from `4.34.1` to `4.35.1`
  - Bump `sigstore/cosign-installer` from `4.1.0` to `4.1.1`
- **Dependabot dependency update batch** ([#488](#488), [#489](#489))
  - Bump `@devcontainers/cli` from `0.84.1` to `0.85.0`
  - Bump `docker/login-action` from `4.0.0` to `4.1.0`
- **Simplify `just pull` in `justfile.gh`** ([#482](#482))
  - Pull `ghcr.io/vig-os/devcontainer` by tag; drop redundant shell fallback, per-recipe `repo` argument, and unused `REGISTRY_TEST` TLS path (imported `justfile.gh` cannot reference root `repo`)
- **prepare-changelog finalize adds GitHub release link to version headings** ([#496](#496))
  - `finalize_release_date` writes `## [X.Y.Z](https://github.com/owner/repo/releases/tag/X.Y.Z) - date`; repository slug comes from `GITHUB_REPOSITORY` (set in Actions) or from `prepare-changelog finalize ... --github-repository owner/repo`
  - `unprepare` recognizes linked `## [semver](url) - …` headings

### Removed

- **One-time GHCR/git RC prune script** ([#463](#463))
  - Remove `scripts/prune-ghcr-tags.sh`; RC and `sha256-*` orphan cleanup remains in root `promote-release.yml`
- **Downstream RC pre-release gate from release validate job** ([#463](#463))
  - Removed dead `if: false` steps from `release.yml`; downstream final release is verified only in `promote-release.yml` before promote
- **Nightly full CI schedule from `ci.yml`** ([#492](#492))
  - Remove the `schedule` trigger and schedule-only checkout overrides; CI remains on pull requests and `workflow_dispatch` only
  - Nightly GHCR `:latest` scan in `security-scan.yml` is unchanged

### Fixed

- **Prepare-release changelog commits silently skipped due to FILE_PATHS delimiter mismatch** ([#483](#483))
  - Change `FILE_PATHS` from space-separated to comma-separated in all `commit-action` steps of `prepare-release.yml` so the action correctly commits both `CHANGELOG.md` and `assets/workspace/.devcontainer/CHANGELOG.md`
  - Join finalization changed files with commas in `release.yml` (`Collect finalization files`) so `commit-action` receives multiple paths correctly
- **`publish-candidate` recipe sends unknown `create-release` input** ([#479](#479))
  - Remove `create-release` parameter and `-f` flag from upstream `justfile.gh`; the input was added to the downstream workflow only but the recipe was updated in both places
- **Image tests expect current `just` minor** ([#479](#479))
  - Align `EXPECTED_VERSIONS["just"]` with the latest `just` release installed by the Containerfile (1.49.x)
- **Git commit now falls back to nano when editor config is unusable** ([#383](#383))
  - `setup-git-conf.sh` now validates the effective Git editor and sets `core.editor=nano` only when the configured editor is missing or invalid in-container
  - Add integration regression coverage to ensure invalid editor settings are corrected during setup
- **Release finalize no longer races sync-issues; CHANGELOG TBD verified after reset** ([#455](#455))
  - Run `sync-issues` after capturing finalize SHA so downstream build/publish use the finalized commit
  - Fail finalize if `CHANGELOG.md` still contains `## [version] - TBD` after `git reset --hard`
- **generate-docs pre-commit runs when CHANGELOG.md changes** ([#455](#455))
  - Keeps README “Latest Version” and other generated docs aligned with the changelog
- **prepare-release tolerates GitHub API ref propagation and reliable CHANGELOG rollback** ([#453](#453))
  - Poll until the new release branch ref resolves before `commit-action` commits to it
  - Fetch dev `CHANGELOG.md` by resolved commit SHA during rollback so Contents API staleness does not skip the rollback commit
- **sync-main-to-dev sync job no longer depends on dev's setup-env** ([#459](#459))
  - Inline the same `retry` shell helper used by `setup-env` so the job works when `main`'s workflow expects helpers not yet on `dev`
- **CI container build avoids shared-runner Docker Hub rate limits** ([#473](#473))
  - `build-image` logs in to `docker.io` before `setup-buildx-action` when `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN` secrets are set; `ci.yml` and `release.yml` pass them
  - Omitting secrets (e.g. forks) keeps prior anonymous-pull behavior
- **Release finalize commit blocked by Release protection ruleset** ([#487](#487))
  - Generate a dedicated Commit App token (`COMMIT_APP_ID`) for the `commit-action` step in the `finalize` job of `release.yml`, matching the pattern used by `prepare-release.yml` and other workflows; the previous Release App token lacked ruleset bypass
- **Release finalize installs just for doc generation** ([#494](#494))
  - Remove `install-just: 'false'` from the finalize job `setup-env` step so `docs/generate.py` can run `just --list`
  - `get_just_help()` exits non-zero on failure instead of writing placeholder content into generated docs
- **Release rollback and CI `retry` exit codes** ([#500](#500))
  - `retry` shell helper now propagates the command's non-zero exit code when all attempts fail
  - Release rollback creates a fast-forward revert commit via the Git API instead of force-pushing, compatible with branch protection on `release/*`
  - Rollback Git Data API steps authenticate with the Commit app token (same as finalize) so protected `release/*` ref updates are not blocked
  - Canonical `retry()` implementation lives in `.github/scripts/retry.sh`; `setup-env` and BATS source it so CI and tests stay aligned (`sync-main-to-dev.yml` keeps an inline copy documented as in sync)
- **Release rollback restores release PR body after finalize** ([#502](#502))
  - `rollback` job in `release.yml` restores the PR description from pre-finalization `CHANGELOG.md` (TBD / prepare-release format) using RELEASE_APP when `release_kind` is final, after branch rollback; failure issue and job summary report the step outcome
- **Final release notes extraction after linked changelog headings** ([#504](#504))
  - Publish job `awk` matches `## [VERSION]` prefix so finalized `## [X.Y.Z](url) - date` headings produce GitHub Release notes (regression after prepare-changelog linked headings in #496)

### Security

- **Nightly vulnerability gate for published container image** ([#461](#461))
  - Scheduled security scan now fails on fixable HIGH/CRITICAL CVEs and auto-files a GitHub issue, replacing the previous non-blocking weekly scan
@vig-os-release-app vig-os-release-app Bot requested a review from c-vigo as a code owner April 8, 2026 13:51
@c-vigo c-vigo self-assigned this Apr 8, 2026
…-to-dev-4-1

Add Unreleased section to CHANGELOG
@c-vigo c-vigo enabled auto-merge April 8, 2026 14:49
@c-vigo c-vigo merged commit c8498da into dev Apr 8, 2026
23 of 27 checks passed
@c-vigo c-vigo deleted the chore/sync-main-to-dev-4-1 branch April 8, 2026 17:28