chore: release 0.3.3#516
Merged
vig-os-release-app[bot] merged 38 commits intomainfrom Apr 10, 2026
Merged
Conversation
…-to-dev-4-1 Add Unreleased sectoin to CHANGELOG
Automated sync of `main` to `dev` found **merge conflicts** that required manual resolution.
gh api does not support --arg (that is a jq flag). Split the call into gh api --paginate followed by piped jq -s --arg. In the RC tag cleanup steps, distinguish API failure (skip deletion with warning) from confirmed "no release" (proceed with deletion). Refs: #507
## Description
The promote-release validate step queried `GET
/repos/{owner}/{repo}/releases/tags/{tag}`, which does not return draft
releases (404). The workflow now uses the paginated releases list API
and jq to select the release by `tag_name`, so draft releases created by
`release.yml` are found. The RC git tag cleanup step uses the same
lookup so “release exists” stays correct for drafts if they ever apply.
## Type of Change
- [ ] `feat` -- New feature
- [x] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [x] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)
### Modifiers
- [ ] Breaking change (`!`) -- This change breaks backward compatibility
## Changes Made
- `.github/workflows/promote-release.yml` — Draft release verification
and RC tag cleanup use `gh api …/releases --paginate` with `jq` to match
`tag_name` instead of the per-tag endpoint.
- `assets/workspace/.github/workflows/promote-release.yml` — Same
behavior for the downstream template.
- `CHANGELOG.md` — Unreleased **Fixed** entry for #507.
- `assets/workspace/.devcontainer/CHANGELOG.md` — Synced copy of the
changelog entry (manifest sync).
## Changelog Entry
### Fixed
- **Promote-release draft release validation**
([#507](#507))
- Use the paginated releases list API with jq instead of `GET
/releases/tags/{tag}`, which returns 404 for draft releases
- Apply the same release lookup for RC git tag cleanup in upstream and
workspace `promote-release.yml`
## Testing
- [ ] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)
### Manual Testing Details
N/A — workflow-only change; not exercised locally against GitHub.
Pre-commit (yaml/yamllint) passed on commit.
## Checklist
- [ ] My code follows the project's style guidelines
- [ ] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit
`docs/templates/`, then run `just docs`)
- [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and
pasted the entry above)
- [ ] My changes generate no new warnings or errors
- [ ] I have added tests that prove my fix is effective or that my
feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published
## Additional Notes
N/A
Refs: #507
GitHub Actions sets GITHUB_REPOSITORY for the job; subshells inherited it and short-circuited resolve_github_repository before reading git origin. Refs: #509
…ngelog (#513) ## Description Implements [#509](#509) (switch from Dependabot to Renovate for dependency updates, including template paths Dependabot could not scan) and [#506](#506) (automatic `CHANGELOG.md` updates on Renovate PRs via `pull_request_target` and `renovate-changelog-pr`). Adds `.vig-os` + `resolve-image` so `sync-issues` and `sync-main-to-dev` run in the pinned devcontainer image; `install.sh` / `init-workspace.sh` resolve `GITHUB_REPOSITORY` for templated `renovate.json`. ## Type of Change - [x] `feat` -- New feature - [ ] `fix` -- Bug fix - [x] `docs` -- Documentation only - [x] `chore` -- Maintenance task (deps, config, etc.) - [ ] `refactor` -- Code restructuring (no behavior change) - [x] `test` -- Adding or updating tests - [x] `ci` -- CI/CD pipeline changes - [ ] `build` -- Build system or dependency changes - [ ] `revert` -- Reverts a previous commit - [ ] `style` -- Code style (formatting, whitespace) ### Modifiers - [ ] Breaking change (`!`) -- This change breaks backward compatibility ## Changes Made - **27 files**, ~1164 insertions / ~247 deletions vs `dev` (includes merge commit from `origin/dev`). - **Renovate / Dependabot:** Remove root and workspace `dependabot.yml`; add `renovate.json`, `assets/workspace/renovate.json`, `renovate-default.json`, smoke-test `renovate.json`; update `CODEOWNERS`. - **CI image pinning:** Add `.vig-os`, `.github/actions/resolve-image/`, `release.yml` step to bump `DEVCONTAINER_VERSION` on final release; `sync-issues.yml` / `sync-main-to-dev.yml` use resolved GHCR tag, `safe.directory`, drop `setup-env` / inlined retry; sync branch creation uses `git push`. - **Workspace init:** `parse-github-remote-lib.sh`, `Containerfile` placeholder manifest, `install.sh --repo`, `init-workspace.sh` + BATS/install/conftest updates. - **Changelog automation:** `renovate_changelog_pr.py`, tests, console script in `pyproject.toml`, root + workspace `renovate-changelog.yml`; `scripts/manifest.toml` syncs new paths. - **Docs:** `CHANGELOG.md` and synced `assets/workspace/.devcontainer/CHANGELOG.md`. ## Changelog Entry ### Added - **Renovate changelog automation** ([#506](#506)) - `renovate-changelog-pr` CLI tool parses Renovate PR metadata and inserts Keep-a-Changelog entries under `## Unreleased` - `renovate-changelog` workflow runs on `pull_request_target` for `renovate[bot]` PRs in both upstream and workspace template - **Devcontainer image version pinning** ([#509](#509)) - `.vig-os` file at repo root declares `DEVCONTAINER_VERSION` as the single source of truth for CI container image tags - `resolve-image` composite action resolves the image tag and validates it exists in GHCR - **`GITHUB_REPOSITORY` resolution for workspace init** ([#509](#509)) - `parse-github-remote-lib.sh` extracts `owner/repo` from HTTPS, SSH, and `git@` GitHub URLs - `install.sh` gains `--repo` flag; `init-workspace.sh` replaces `{{GITHUB_REPOSITORY}}` in workspace template files ### Changed - **Switch from Dependabot to Renovate** ([#509](#509)) - Replace `.github/dependabot.yml` with `renovate.json` and shared `renovate-default.json` preset - Renovate covers all ecosystems previously tracked (github-actions, pip, npm, docker) plus template directories not reachable by Dependabot - **Sync workflows run in devcontainer image** ([#509](#509)) - `sync-issues` and `sync-main-to-dev` use `resolve-image` and run inside the pinned devcontainer, removing the `setup-env` composite action dependency and the inlined retry helper - `sync-main-to-dev` creates sync branches via `git push` instead of the GitHub refs API ### Removed - **Dependabot configuration** ([#509](#509)) - Delete `.github/dependabot.yml` and `assets/workspace/.github/dependabot.yml` ## Testing - [x] Tests pass locally (`just test`) - [ ] Manual testing performed (describe below) ### Manual Testing Details N/A (CI and scripted tests cover changes; Renovate/changelog workflow validates in GitHub after merge). ## Checklist - [x] My code follows the project's style guidelines - [x] I have performed a self-review of my code - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`) - [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above) - [x] My changes generate no new warnings or errors - [x] I have added tests that prove my fix is effective or that my feature works - [x] New and existing unit tests pass locally with my changes - [x] Any dependent changes have been merged and published ## Additional Notes - Branch merged latest `origin/dev` before PR (includes unrelated doc sync under `docs/pull-requests/`). - Commit 6 subject is `docs:` (not `docs(changelog):`) due to commit-msg scope allowlist. Refs: #509, #506
- Pin python:3.12-slim-bookworm base image to latest digest - Add targeted libssl3/openssl upgrade to 3.0.19-1~deb12u2 (CVE-2026-28390, CVE-2026-31790) - Refresh .trivyignore: - Drop resolved: CVE-2025-68121, CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-15558, CVE-2026-33186 - Add gh Go stdlib: CVE-2026-32281, CVE-2026-32288, CVE-2026-32289 - Add typos dependency: CVE-2026-25727 - Add jwt-token false positive suppression Refs: #512
#514) ## Description Remediate HIGH/CRITICAL vulnerabilities found by the nightly Trivy security scan on the `:latest` image. Upgrades fixable packages (OpenSSL) and refreshes `.trivyignore` with properly documented suppressions for unfixable base-image CVEs and Go stdlib issues in vendored binaries. ## Type of Change - [ ] `feat` -- New feature - [x] `fix` -- Bug fix - [ ] `docs` -- Documentation only - [ ] `chore` -- Maintenance task (deps, config, etc.) - [ ] `refactor` -- Code restructuring (no behavior change) - [ ] `test` -- Adding or updating tests - [ ] `ci` -- CI/CD pipeline changes - [ ] `build` -- Build system or dependency changes - [ ] `revert` -- Reverts a previous commit - [ ] `style` -- Code style (formatting, whitespace) ### Modifiers - [ ] Breaking change (`!`) -- This change breaks backward compatibility ## Changes Made - **`Containerfile`** — Update `python:3.12-slim-bookworm` pinned digest; add targeted `apt-get install --only-upgrade` for `libssl3` and `openssl` to `3.0.19-1~deb12u2` (CVE-2026-28390, CVE-2026-31790). - **`.trivyignore`** — Drop resolved suppressions (gh/docker-cli CVE-2025-15558, gRPC CVE-2026-33186, older Go stdlib CVEs); add suppressions for unfixable base-image CVEs (ncurses CVE-2025-69720, SQLite CVE-2025-7458, systemd CVE-2026-29111, zlib/minizip CVE-2023-45853), new Go stdlib CVEs in gh (CVE-2026-32281, CVE-2026-32288, CVE-2026-32289), typos dependency (CVE-2026-25727), and `jwt-token` false positive. - **`CHANGELOG.md`** / **`assets/workspace/.devcontainer/CHANGELOG.md`** — Add Security entry under Unreleased. ## Changelog Entry ### Security - **Nightly Trivy gate remediation (OpenSSL, gh, typos)** ([#512](#512)) - Pin `python:3.12-slim-bookworm` to current digest and add targeted `libssl3`/`openssl` upgrade to `3.0.19-1~deb12u2` (CVE-2026-28390, CVE-2026-31790) - Refresh `.trivyignore`: drop resolved gh/docker-cli and gRPC entries; add Go stdlib and typos-related suppressions plus `jwt-token` false positive - Suppress unfixable base-image CVEs: ncurses (CVE-2025-69720), SQLite (CVE-2025-7458), systemd (CVE-2026-29111), zlib/minizip (CVE-2023-45853) ## Testing - [ ] Tests pass locally (`just test`) - [ ] Manual testing performed (describe below) ### Manual Testing Details N/A — changes are to Containerfile build directives and Trivy suppression metadata. Verification will occur via the CI image build and nightly Trivy scan. ## Checklist - [x] My code follows the project's style guidelines - [x] I have performed a self-review of my code - [x] I have commented my code, particularly in hard-to-understand areas - [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`) - [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above) - [x] My changes generate no new warnings or errors - [ ] I have added tests that prove my fix is effective or that my feature works - [ ] New and existing unit tests pass locally with my changes - [ ] Any dependent changes have been merged and published ## Additional Notes This PR addresses the automated issue opened by the nightly Trivy security scan workflow. The OpenSSL CVEs are fixable via an apt upgrade; remaining findings are unfixable in Debian bookworm stable and are suppressed with risk assessments and expiration dates in `.trivyignore`. Refs: #512
Replace merge-release-pr with wait-release-pr-ci that polls required checks on the release PR (fail/cancel fast, 30m timeout). Add a final-only job that dispatches promote-release.yml on dev with the base version and waits for success so the downstream draft GitHub Release is published, the release PR merges to main, and RC tag cleanup can run. Preflight now requires promote-release.yml alongside prepare-release and release. Summary treats trigger-promote-release as mandatory success for final dispatches and as skipped-only for candidates. notify-failure lists the new jobs. Document the workflow contract, receiver steps, and promote gate in docs/CROSS_REPO_RELEASE_GATE.md. Record the change under Unreleased in CHANGELOG.md and the workspace devcontainer changelog mirror. Refs: #511
Fail fast on closed/merged PR and on gh CLI errors instead of spinning silently until timeout. Refs: #511
## Description Updates the smoke-test `repository-dispatch` workflow so **final** releases dispatch downstream `promote-release.yml` (publish draft release, merge release PR, RC tag cleanup) instead of merging the release PR from the listener alone. **RC** dispatches wait for required checks on the release PR and stop with the PR left open. Preflight now requires `promote-release.yml` on the `dev` ref. Cross-repo gate docs describe the split behavior and that the canonical flow no longer needs a manual publish on smoke-test before upstream promote. ## Type of Change - [ ] `feat` -- New feature - [ ] `fix` -- Bug fix - [ ] `docs` -- Documentation only - [ ] `chore` -- Maintenance task (deps, config, etc.) - [ ] `refactor` -- Code restructuring (no behavior change) - [ ] `test` -- Adding or updating tests - [x] `ci` -- CI/CD pipeline changes - [ ] `build` -- Build system or dependency changes - [ ] `revert` -- Reverts a previous commit - [ ] `style` -- Code style (formatting, whitespace) ### Modifiers - [ ] Breaking change (`!`) -- This change breaks backward compatibility ## Changes Made - `assets/smoke-test/.github/workflows/repository-dispatch.yml` - Add `promote-release.yml` to preflight `REQUIRED_WORKFLOWS`. - Replace `merge-release-pr` with `wait-release-pr-ci` (`gh pr checks --required`, fail/cancel handling, 30m timeout). - Add `trigger-promote-release` for `release_kind == final` only: dispatch and poll `promote-release.yml` on `dev` with `version` = base semver. - Update `summary` / `notify-failure` dependencies and result checks (final requires promote success; candidate requires promote skipped). - `docs/CROSS_REPO_RELEASE_GATE.md` — contract, receiver steps, promote gate wording for automated downstream publish. - `CHANGELOG.md` and `assets/workspace/.devcontainer/CHANGELOG.md` — Unreleased **Changed** entry for #511. ## Changelog Entry ```diff @@ -27,6 +27,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - **Sync workflows run in devcontainer image** ([#509](#509)) - `sync-issues` and `sync-main-to-dev` use `resolve-image` and run inside the pinned devcontainer, removing the `setup-env` composite action dependency and the inlined retry helper - `sync-main-to-dev` creates sync branches via `git push` instead of the GitHub refs API +- **Smoke-test dispatch triggers promote-release for final releases** ([#511](#511)) + - Final releases dispatch downstream `promote-release.yml` instead of merging the release PR directly, publishing the draft GitHub Release and satisfying the upstream promote-time downstream gate + - RC releases wait for release PR required checks but no longer merge the PR to `main` ### Deprecated ``` ## Testing - [ ] Tests pass locally (`just test`) - [ ] Manual testing performed (describe below) ### Manual Testing Details N/A — GitHub Actions workflow and documentation only; end-to-end validation happens after the template is deployed to `vig-os/devcontainer-smoke-test` (see issue prerequisite: PR #510 merged there). ## Checklist - [x] My code follows the project's style guidelines - [x] I have performed a self-review of my code - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`) - [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above) - [x] My changes generate no new warnings or errors - [ ] I have added tests that prove my fix is effective or that my feature works - [ ] New and existing unit tests pass locally with my changes - [ ] Any dependent changes have been merged and published ## Additional Notes N/A Refs: #511
Move Unreleased content to [0.3.3] - TBD and create fresh empty Unreleased section for continued development.
Strip empty Unreleased section from release branch. Release date TBD (set during finalization).
c-vigo
approved these changes
Apr 10, 2026
Set release date to 2026-04-10 and regenerate release docs. Refs: #516
The GitHub API only returns draft releases to tokens with push access. The validate job had contents:read, so the draft release check always failed. Elevate to contents:write and use github.token for the workspace template variant (upstream already used github.token). TDD skipped: CI workflow YAML — only verifiable via GitHub Actions run. Refs: #517
## Description
The Promote Release workflow always fails at the "Verify draft GitHub
Release exists" step in the `validate` job. The GitHub API only returns
draft releases to tokens with push access (`contents: write`), but the
`validate` job had `contents: read` and the workspace template variant
was using the release app token which also lacked push-level
permissions.
This PR elevates the `validate` job permissions to `contents: write` in
both the upstream and workspace `promote-release.yml`, and switches the
workspace template's draft release check to use `github.token` (the
upstream already used it).
## Type of Change
- [ ] `feat` -- New feature
- [x] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [x] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)
### Modifiers
- [ ] Breaking change (`!`) -- This change breaks backward compatibility
## Changes Made
- `.github/workflows/promote-release.yml` — change `validate` job
`contents: read` to `contents: write`
- `assets/workspace/.github/workflows/promote-release.yml` — change
`validate` job `contents: read` to `contents: write`; switch `GH_TOKEN`
in the draft release check step from the release app token to `${{
github.token }}`
- `CHANGELOG.md` — add Fixed entry for #517
- `assets/workspace/.devcontainer/CHANGELOG.md` — synced by pre-commit
hook
## Changelog Entry
### Fixed
- **Promote-release validate job cannot see draft releases**
([#517](#517))
- Elevate `validate` job permissions to `contents: write` so the token
has push-level access required by the GitHub API to list draft releases
- Use `github.token` instead of the release app token for the draft
release check in workspace `promote-release.yml`
## Testing
- [ ] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)
### Manual Testing Details
TDD skipped: CI workflow YAML changes can only be verified by running
the actual GitHub Actions pipeline. Verification will occur when the
Promote Release workflow is re-run for 0.3.3.
## Checklist
- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit
`docs/templates/`, then run `just docs`)
- [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and
pasted the entry above)
- [x] My changes generate no new warnings or errors
- [ ] I have added tests that prove my fix is effective or that my
feature works
- [ ] New and existing unit tests pass locally with my changes
- [x] Any dependent changes have been merged and published
## Additional Notes
This fix affects both the upstream and workspace template
`promote-release.yml`. The upstream workflow already used `${{
github.token }}` for the draft release check but still had `contents:
read`, so only the permission needed changing. The workspace template
also needed the token source switched from the release app token to `${{
github.token }}`.
Refs: #517
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release 0.3.3 - 2026-04-10
This PR prepares release 0.3.3 for merge to main.
0.3.3 - 2026-04-10
Added
renovate-changelog-prCLI tool parses Renovate PR metadata and inserts Keep-a-Changelog entries under## Unreleasedrenovate-changelogworkflow runs onpull_request_targetforrenovate[bot]PRs in both upstream and workspace template.vig-osfile at repo root declaresDEVCONTAINER_VERSIONas the single source of truth for CI container image tagsresolve-imagecomposite action resolves the image tag and validates it exists in GHCRGITHUB_REPOSITORYresolution for workspace init (#509)parse-github-remote-lib.shextractsowner/repofrom HTTPS, SSH, andgit@GitHub URLsinstall.shgains--repoflag;init-workspace.shreplaces{{GITHUB_REPOSITORY}}in workspace template filesChanged
.github/dependabot.ymlwithrenovate.jsonand sharedrenovate-default.jsonpresetsync-issuesandsync-main-to-devuseresolve-imageand run inside the pinned devcontainer, removing thesetup-envcomposite action dependency and the inlined retry helpersync-main-to-devcreates sync branches viagit pushinstead of the GitHub refs APIpromote-release.ymlinstead of merging the release PR directly, publishing the draft GitHub Release and satisfying the upstream promote-time downstream gatemainRemoved
.github/dependabot.ymlandassets/workspace/.github/dependabot.ymlFixed
GET /releases/tags/{tag}, which returns 404 for draft releasespromote-release.ymlSecurity
python:3.12-slim-bookwormto current digest and add targetedlibssl3/opensslupgrade to3.0.19-1~deb12u2(CVE-2026-28390, CVE-2026-31790).trivyignore: drop resolved gh/docker-cli and gRPC entries; add Go stdlib and typos-related suppressions plusjwt-tokenfalse positive