Releases: vig-os/devcontainer

0.3.9

23 Jun 08:34
Immutable release. Only release title and notes can be modified.
97efb2a

Fixed

  • Stop promote-release cleanup from orphaning RC draft pre-releases (#623)
    • The cleanup step deleted RC draft pre-releases with gh release delete <tag>, which cannot resolve a draft, then deleted the git RC tag anyway — stranding the draft and making it undiscoverable on later runs (the loop was seeded from git tags)
    • Cleanup now enumerates RC draft pre-releases from the releases list, deletes them by release id, removes a git RC tag only when no release is attached, and fails loudly if any RC draft survives — also reclaiming drafts whose tag was already removed by an earlier partial run

0.3.8

22 Jun 20:45
076a0d6

Fixed

  • Prevent prepare-release from branching release/X.Y.Z at the pre-freeze dev SHA (#617)
    • The "Create release branch from dev" step now polls dev until it advances past the captured pre-freeze SHA before branching, and hard-fails if it never does, closing a read-after-write race that could create a release branch missing the ## [X.Y.Z] - TBD freeze
  • Make smoke-test dispatch idempotent across candidate→final on one base version (#612)
    • prepare-changelog finalize is now a no-op when the version heading is already dated, instead of erroring
    • prepare-changelog prepare folds an existing same-version heading back into a single ## [X.Y.Z] - TBD section instead of stacking a duplicate
    • New prepare-changelog reset-version <version> command reverts a dated heading back to - TBD (idempotent); the smoke-test dispatch template runs it at dispatch start and scopes its deploy-seed check to the Unreleased section
  • Fix release PR body truncation when changelog bullets quote a version heading (#620)
    • The "Extract CHANGELOG content for PR body" step now anchors its sed range to start-of-line headings, so an inline backtick-quoted heading inside a bullet no longer ends the range early

0.3.7

22 Jun 10:29
b02d19a

Changed

  • Consolidate Renovate dependency updates (588, 589, 606, 607) (#588, #589, #606, #607)
    • Update actions/checkout to v7.0.0, taiki-e/install-action digest to ab08a3b, astral-sh/setup-uv to 0.11.23, and the aquasecurity/trivy-action scanner to v0.71.2
    • Bump Python deps: pytest 9.1.1, ruff 0.15.18 (root); numpy 2.5.0, scipy 1.18.0 (workspace template); lockfile refreshed

Fixed

  • Prune RC draft pre-releases in promote cleanup (#600)
    • Cleanup now deletes X.Y.Z-rcN draft pre-releases (and their now-orphaned tags); guarded to never touch published releases

Security

  • Consolidate container-image vulnerability scanning to a single source of truth (#604)
    • PR CI Trivy is now a blocking gate only (fail on fixable HIGH/CRITICAL) and no longer uploads SARIF to the Security tab
    • The nightly scheduled scan of the published :latest image (container-image-latest) is now the single authoritative scan for the GitHub Security tab, ending duplicate/stale alert categories
    • Dismissed orphaned container-image-scheduled and stale container-image code-scanning alerts that could no longer auto-close

0.3.6

19 Jun 06:30
ba37fec

Changed

  • Migrate actions/create-github-app-token to client-id (#576)
    • Replace deprecated app-id input with client-id across root, workspace template, and smoke-test workflows
    • Requires org-level COMMIT_APP_CLIENT_ID and RELEASE_APP_CLIENT_ID secrets (GitHub App Client ID, not numeric App ID)
  • Consolidate Renovate dependency updates (586–589) (#586, #587, #588, #589)
    • Bump python:3.14-slim-bookworm base image to multi-arch index digest sha256:7e2f304…
    • Update taiki-e/install-action digest to bafb217, astral-sh/setup-uv to 0.11.21, and other GitHub Actions minor/patch versions
    • Bump requires-python to ==3.14.6 and Python deps: pytest 9.1.0, ruff 0.15.17, github-backup 0.63.0 (lockfile refreshed)

Fixed

  • Smoke-test prepare-release failed on empty Unreleased section (#597)
    • The smoke-test fixture has no hand-authored changelog entries, so each release freeze left ## Unreleased empty and the downstream prepare-release gate rejected it ("Unreleased section has no entries")
    • The deploy step in repository-dispatch.yml now seeds a deploy entry into ## Unreleased when it is empty, so the smoke-test release pipeline can always proceed
  • sync-main-to-dev could silently drop the fresh ## Unreleased scaffold (#590)
    • prepare-release no longer strips ## Unreleased from the release branch, so main keeps an empty ## Unreleased above the dated release (matching dev)
    • With the section present on both branches it is stable common context in the main→dev merge base, so the sync merge preserves it cleanly instead of resolving in main's favour and dropping it
    • Applied to both the canonical workflow and the workspace template so adopters (e.g. part-registry) inherit the fix
  • devcontainer-upgrade / install URL 404s (#591)
    • Replace the unhosted vig-os.github.io/devcontainer/install.sh Pages URL with the canonical raw.githubusercontent.com/vig-os/devcontainer/main/install.sh already used in README.md
    • Pipe the installer to bash instead of sh (the script has a #!/bin/bash shebang and uses bashisms), matching the canonical form
    • Fixes the actual just devcontainer-upgrade host command plus error hints, the version-check upgrade nag, smoke-test install docs, and install.sh usage/--help output
  • GHCR RC artifacts never pruned after promote-release (#583)
    • Switch GHCR package-version deletes to GITHUB_TOKEN with repo Admin on the devcontainer package (one-time Manage Actions access grant)
    • Replace blanket sha256-* deletion with digest-aware selection that prunes RC images and matching RC cosign signatures only
    • Fail the cleanup step loudly when deletes fail or RC tags remain (job still uses continue-on-error)

0.3.5

10 Jun 11:01
e330124

Changed

  • Consolidate Renovate dependency updates (#550)
    • Python 3.12 → 3.14.5 (Containerfile, requires-python, and lockfile)
    • CI runners ubuntu-22.04 → 24.04 and Node.js 22 → 24
    • GitHub Actions major bumps: setup-node v6, setup-uv v8, github-script v9
    • SHA-pinned digest updates for checkout, codeql, create-github-app-token, and taiki-e/install-action
    • Pin Python, npm, and workspace template dependencies to exact versions (#530)
    • @devcontainers/cli 0.87.0 (#538)
  • Bump expected tool versions in image tests
    • gh 2.92 → 2.93, just 1.50 → 1.52, cargo-binstall 1.18 → 1.20 to match latest upstream releases
  • Consolidate Renovate dependency updates (553–556) (#553, #554, #555, #556)
    • Pin pytest to 9.0.3, bump pytest-cov to 7.1.0, rich to 15.0.0
    • Bump github-backup to 0.62.1, pre-commit to 4.6.0, ruff to 0.15.16, pip-licenses to 5.5.5
    • Bump expected pre-commit version in image tests to 4.6
    • Bump actions/dependency-review-action to v5.0.0

Fixed

  • Renovate PR CI gates expired or broken (#550)
    • Renovate changelog workflow now runs under bash so set -euo pipefail works inside the container
    • Taplo lint hook no longer fetches remote schema catalogs (fetch started failing in taplo 0.10)
    • Renewed dependency-review allow-list exception for bats-file false positive (GHSA-wvrr-2x4r-394v)
  • Image tests red on stale cargo-binstall pin (#557)
    • Bump expected cargo-binstall to 1.20 to match the latest upstream release the image installs
  • arm64 release build failed with "exec format error" (#578)
    • Restore the multi-arch index digest for python:3.14-slim-bookworm (sha256:a9bee155…); the previous bump pinned the amd64-only child manifest, so the arm64 build pulled an amd64 image and the first RUN died with exec /bin/sh: exec format error
    • Document in Containerfile that manual base-image pins must use the index digest, never a per-platform child manifest

Security

  • Accept Debian won't-fix LOW CVEs in .trivyignore (#566)
    • Document 78 unfixed LOW Debian OS-package CVEs from the next-release image with shared risk note and 2026-12-01 expiration
    • Add check-expirations utility with pre-commit and CI enforcement so expired .trivyignore entries fail the pipeline
    • Security tab LOW count drops after the next release refreshes :latest
  • Bump base image digest and clear fixable OS-package CVEs (#565)
    • Keep python:3.14-slim-bookworm pinned to its multi-arch index digest (sha256:a9bee155…)
    • Retain targeted libgnutls30=3.7.9-2+deb12u7 upgrade (base ships deb12u6; fixable GnuTLS CVEs require deb12u7)
    • CI Trivy gate passes with zero fixable HIGH/CRITICAL OS findings after rebuild
  • Patch fixable OpenSSL HIGH CVE blocking the 0.3.5 release (#580)
    • Targeted libssl3/openssl upgrade to 3.0.20-1~deb12u2 (base ships deb12u1); clears CVE-2026-45447 flagged by the release Trivy gate
  • Refresh bundled gh and uv to clear Go and Rust CVEs (#564)
    • Fresh image build pulls latest gh v2.93.0 and uv v0.11.19, clearing all bundled-tool HIGH findings except one awaiting upstream
    • uv/uvx Rust crate CVEs (including rustls-webpki GHSA-82j2-j2ch-gfr8) no longer reported after rebuild
    • Remaining gh Go-stdlib HIGH (CVE-2026-42504) kept in .trivyignore until gh ships a Go 1.26.4 rebuild
  • Update pytest to v9.0.3 (#528)
    • Security patch for pytest dependency bump
  • Remediate nightly scan gate failures on :latest (#549)
    • Patched libgnutls30 to 3.7.9-2+deb12u7 for fixable GnuTLS CVEs (retained across the 3.14 base rebase; see #565)
  • Resolve repo-owned workflow security findings (#562)
    • Split Renovate changelog automation into read-only pull_request build + privileged workflow_run commit, removing pull_request_target and PR-head checkout under elevated permissions (Scorecard DangerousWorkflowID)
    • Add GitHub Actions to CodeQL language matrix so stale actions/missing-workflow-permissions alerts auto-close on the next default-branch run
    • Add explicit permissions: to workspace release-extension.yml template; downstream smoke-test updates flow through release re-sync
    • Document accepted OpenSSF Scorecard posture (Fuzzing, CII) and verified branch-protection rulesets in SECURITY.md
  • Update vulnerable Python dependencies (#563)
    • Bump urllib3 2.7.0, requests 2.34.2, idna 3.18, Pygments 2.20.0 in the repo lockfile
    • Constrain workspace-template jupyter stack to patched versions (notebook 7.5.6, jupyterlab 4.5.7, jupyter-server 2.18.0, mistune 3.2.1)
  • Add downstream SECURITY.md template and close smoke-test Scorecard gaps (#568)
    • Add assets/workspace/SECURITY.md so generated and smoke-test repos ship a security policy (clears Scorecard SecurityPolicyID on the next release re-sync)
    • Document FuzzingID and CIIBestPracticesID as accepted won't-fix posture in the template policy
    • Document smoke-test-specific accepted findings (branch-protection, code-review, pinned download-then-run) in the assets/smoke-test/ overlay, accepted because the deploy-validation repo runs fully unattended

0.3.4

29 Apr 14:37
9ed20be

Added

  • Renovate config validation on pull requests (#520)
    • Workflow discovers tracked renovate*.json files (excluding assets/workspace/renovate.json, whose extends uses an unresolved template placeholder) and runs renovate-config-validator --strict on the rest when renovate JSON changes
    • just test-renovate recipe mirrors the workflow locally and is included in just test

Changed

  • Bump expected tool versions in image tests
    • gh 2.89 → 2.92, just 1.49 → 1.50, cargo-binstall 1.17 → 1.18 to match the latest upstream releases the image now installs

Fixed

  • Renovate preset blocked all dependency updates (#520)
    • Split Python packageRules so matchUpdateTypes and rangeStrategy are not combined in one rule; rename baseBranches to baseBranchPatterns
    • Remove invalid uv from enabledManagers (pep621 continues to handle pyproject.toml and uv.lock)

0.3.3

10 Apr 16:14
33e2720

Added

  • Renovate changelog automation (#506)
    • renovate-changelog-pr CLI tool parses Renovate PR metadata and inserts Keep-a-Changelog entries under ## Unreleased
    • renovate-changelog workflow runs on pull_request_target for renovate[bot] PRs in both upstream and workspace template
  • Devcontainer image version pinning (#509)
    • .vig-os file at repo root declares DEVCONTAINER_VERSION as the single source of truth for CI container image tags
    • resolve-image composite action resolves the image tag and validates it exists in GHCR
  • GITHUB_REPOSITORY resolution for workspace init (#509)
    • parse-github-remote-lib.sh extracts owner/repo from HTTPS, SSH, and git@ GitHub URLs
    • install.sh gains --repo flag; init-workspace.sh replaces {{GITHUB_REPOSITORY}} in workspace template files

Changed

  • Switch from Dependabot to Renovate (#509)
    • Replace .github/dependabot.yml with renovate.json and shared renovate-default.json preset
    • Renovate covers all ecosystems previously tracked (github-actions, pip, npm, docker) plus template directories not reachable by Dependabot
  • Sync workflows run in devcontainer image (#509)
    • sync-issues and sync-main-to-dev use resolve-image and run inside the pinned devcontainer, removing the setup-env composite action dependency and the inlined retry helper
    • sync-main-to-dev creates sync branches via git push instead of the GitHub refs API
  • Smoke-test dispatch triggers promote-release for final releases (#511)
    • Final releases dispatch downstream promote-release.yml instead of merging the release PR directly, publishing the draft GitHub Release and satisfying the upstream promote-time downstream gate
    • RC releases wait for release PR required checks but no longer merge the PR to main

Removed

  • Dependabot configuration (#509)
    • Delete .github/dependabot.yml and assets/workspace/.github/dependabot.yml

Fixed

  • Promote-release draft release validation (#507)
    • Use the paginated releases list API with jq instead of GET /releases/tags/{tag}, which returns 404 for draft releases
    • Apply the same release lookup for RC git tag cleanup in upstream and workspace promote-release.yml

Security

  • Nightly Trivy gate remediation (OpenSSL, gh, typos) (#512)
    • Pin python:3.12-slim-bookworm to current digest and add targeted libssl3/openssl upgrade to 3.0.19-1~deb12u2 (CVE-2026-28390, CVE-2026-31790)
    • Refresh .trivyignore: drop resolved gh/docker-cli and gRPC entries; add Go stdlib and typos-related suppressions plus jwt-token false positive
    • Suppress unfixable base-image CVEs: ncurses (CVE-2025-69720), SQLite (CVE-2025-7458), systemd (CVE-2026-29111), zlib/minizip (CVE-2023-45853)

0.3.2

08 Apr 13:50
1f0abbb

Added

  • Downstream promote-release.yml workspace template (#463)
    • Add assets/workspace/.github/workflows/promote-release.yml as the counter-party to root promote-release.yml: validate draft release and release PR, publish the release, merge to main, best-effort git RC tag cleanup (no GHCR/cosign/smoke-test gate)
    • Document in docs/DOWNSTREAM_RELEASE.md and align docs/RELEASE_CYCLE.md Phase 5 for consumer vs upstream paths
  • Optional draft pre-release for downstream release candidates (#463)
    • Workspace release.yml adds create-release (workflow_dispatch, default false); release-publish.yml creates a draft GitHub pre-release only when set for candidate runs
    • Smoke-test repository-dispatch.yml passes create-release=true when triggering downstream release.yml
    • just publish-candidate forwards create-release in justfile.gh and the workspace template copy

Changed

  • RELEASE_APP permissions and GHCR cleanup token model (#463)
    • Document Packages read/write on the org for promote-release cleanup, align the app table in docs/RELEASE_CYCLE.md, and explain why cleanup uses the GitHub App token instead of GITHUB_TOKEN
  • Promote-release cleans up stale RC artifacts after merge (#463)
    • Best-effort job deletes GHCR package versions for ${VERSION}-rc* and sha256-*-only orphans, and deletes remote git RC tags for that base version when no GitHub Release exists; does not fail the workflow on error
  • Downstream release helper recipes via GitHub justfile import (#373)
    • Move prepare-release, finalize-release, publish-candidate, and reset-changelog into justfile.gh so downstream workspace templates expose these release helpers by default
    • Keep root recipe availability (including pull) through import 'justfile.gh' while consolidating release helper ownership in the GitHub-focused recipe file; the workspace template copy omits the pull recipe
  • Split final release into publish and promote phases (#456)
    • Final release.yml publishes versioned GHCR tags and a draft GitHub Release but no longer updates :latest
    • New promote-release.yml runs after downstream smoke-test publishes its final release: updates :latest, publishes the draft release, merges the release PR to main
    • Add just promote-release in justfile.gh (and workspace template copy)
  • Smoke-test dispatch fails fast when deploy PR checks fail (#381)
    • wait-deploy-merge in assets/smoke-test/.github/workflows/repository-dispatch.yml exits as soon as all required checks have completed with failures instead of waiting for the merge poll timeout (gh pr checks --required)
  • Scheduled security scan pulls GHCR :latest instead of rebuilding (#461)
    • Runs nightly at 05:00 UTC, pulls the published image, gates on fixable HIGH/CRITICAL vulnerabilities, auto-creates a deduplicated GitHub issue on failure, and uploads SARIF under container-image-latest
  • Dependabot dependency update batch (#474)
    • Bump github/codeql-action from 4.34.1 to 4.35.1
    • Bump sigstore/cosign-installer from 4.1.0 to 4.1.1
  • Dependabot dependency update batch (#488, #489)
    • Bump @devcontainers/cli from 0.84.1 to 0.85.0
    • Bump docker/login-action from 4.0.0 to 4.1.0
  • Simplify just pull in justfile.gh (#482)
    • Pull ghcr.io/vig-os/devcontainer by tag; drop redundant shell fallback, per-recipe repo argument, and unused REGISTRY_TEST TLS path (imported justfile.gh cannot reference root repo)
  • prepare-changelog finalize adds GitHub release link to version headings (#496)
    • finalize_release_date writes ## [X.Y.Z](https://github.com/owner/repo/releases/tag/X.Y.Z) - date; repository slug comes from GITHUB_REPOSITORY (set in Actions) or from prepare-changelog finalize ... --github-repository owner/repo
    • unprepare recognizes linked ## [semver](url) - … headings

Removed

  • One-time GHCR/git RC prune script (#463)
    • Remove scripts/prune-ghcr-tags.sh; RC and sha256-* orphan cleanup remains in root promote-release.yml
  • Downstream RC pre-release gate from release validate job (#463)
    • Removed dead if: false steps from release.yml; downstream final release is verified only in promote-release.yml before promote
  • Nightly full CI schedule from ci.yml (#492)
    • Remove the schedule trigger and schedule-only checkout overrides; CI remains on pull requests and workflow_dispatch only
    • Nightly GHCR :latest scan in security-scan.yml is unchanged

Fixed

  • Prepare-release changelog commits silently skipped due to FILE_PATHS delimiter mismatch (#483)
    • Change FILE_PATHS from space-separated to comma-separated in all commit-action steps of prepare-release.yml so the action correctly commits both CHANGELOG.md and assets/workspace/.devcontainer/CHANGELOG.md
    • Join finalization changed files with commas in release.yml (Collect finalization files) so commit-action receives multiple paths correctly
  • publish-candidate recipe sends unknown create-release input (#479)
    • Remove create-release parameter and -f flag from upstream justfile.gh; the input was added to the downstream workflow only but the recipe was updated in both places
  • Image tests expect current just minor (#479)
    • Align EXPECTED_VERSIONS["just"] with the latest just release installed by the Containerfile (1.49.x)
  • Git commit now falls back to nano when editor config is unusable (#383)
    • setup-git-conf.sh now validates the effective Git editor and sets core.editor=nano only when the configured editor is missing or invalid in-container
    • Add integration regression coverage to ensure invalid editor settings are corrected during setup
  • Release finalize no longer races sync-issues; CHANGELOG TBD verified after reset (#455)
    • Run sync-issues after capturing finalize SHA so downstream build/publish use the finalized commit
    • Fail finalize if CHANGELOG.md still contains ## [version] - TBD after git reset --hard
  • generate-docs pre-commit runs when CHANGELOG.md changes (#455)
    • Keeps README “Latest Version” and other generated docs aligned with the changelog
  • prepare-release tolerates GitHub API ref propagation and reliable CHANGELOG rollback (#453)
    • Poll until the new release branch ref resolves before commit-action commits to it
    • Fetch dev CHANGELOG.md by resolved commit SHA during rollback so Contents API staleness does not skip the rollback commit
  • sync-main-to-dev sync job no longer depends on dev's setup-env (#459)
    • Inline the same retry shell helper used by setup-env so the job works when main's workflow expects helpers not yet on dev
  • CI container build avoids shared-runner Docker Hub rate limits (#473)
    • build-image logs in to docker.io before setup-buildx-action when DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets are set; ci.yml and release.yml pass them
    • Omitting secrets (e.g. forks) keeps prior anonymous-pull behavior
  • Release finalize commit blocked by Release protection ruleset (#487)
    • Generate a dedicated Commit App token (COMMIT_APP_ID) for the commit-action step in the finalize job of release.yml, matching the pattern used by prepare-release.yml and other workflows; the previous Release App token lacked ruleset bypass
  • Release finalize installs just for doc generation (#494)
    • Remove install-just: 'false' from the finalize job setup-env step so docs/generate.py can run just --list
    • get_just_help() exits non-zero on failure instead of writing placeholder content into generated docs
  • Release rollback and CI retry exit codes (#500)
    • retry shell helper now propagates the command's non-zero exit code when all attempts fail
    • Release rollback creates a fast-forward revert commit via the Git API instead of force-pushing, compatible with branch protection on release/*
    • Rollback Git Data API steps authenticate with the Commit app token (same as finalize) so protected release/* ref updates are not blocked
    • Canonical retry() implementation lives in .github/scripts/retry.sh; setup-env and BATS source it so CI and tests stay aligned (sync-main-to-dev.yml keeps an inline copy documented as in sync)
  • Release rollback restores release PR body after finalize (#502)
    • rollback job in ...

0.3.1

26 Mar 18:12
ef7eb6e

Added

  • Split downstream release workflow with project-owned extension hook (#326)
    • Add local workflow_call release phases (release-core.yml, release-publish.yml) and a lightweight release.yml orchestrator in assets/workspace/.github/workflows/
    • Add release_kind support with candidate mode (X.Y.Z-rcN) and final mode (X.Y.Z) in downstream release workflows
    • Candidate mode now auto-computes the next RC tag, skips CHANGELOG finalization/sync-issues, and publishes a GitHub pre-release
    • Add project-owned release-extension.yml stub and preserve it during init-workspace.sh --force upgrades
    • Add validate-contract composite action for single-source contract version validation
    • Add downstream release contract documentation and GHCR extension example in docs/DOWNSTREAM_RELEASE.md
  • jq in devcontainer image (#425)
    • Install the jq CLI in the GHCR image so containerized workflows (e.g. release-core validate / downstream Release Core) can pipe JSON through jq

Changed

  • Dependabot dependency update batch (#302, #303, #305, #306, #307, #308, #309)
    • Bump @devcontainers/cli from 0.81.1 to 0.84.0 and bats-assert from v2.2.0 to v2.2.4
    • Bump GitHub Actions: actions/download-artifact (4.3.0 -> 8.0.1), actions/github-script (7.1.0 -> 8.0.0), actions/attest-build-provenance (3.0.0 -> 4.1.0), actions/checkout (4.3.1 -> 6.0.2)
    • Bump release workflow action pins: sigstore/cosign-installer (4.0.0 -> 4.1.0) and anchore/sbom-action (0.22.2 -> 0.23.1)
  • Dependabot dependency update batch (#314, #315, #316, #317)
    • Bump GitHub Actions: actions/attest-sbom (3.0.0 -> 4.0.0), actions/upload-artifact (4.6.2 -> 7.0.0), actions/create-github-app-token (2.2.1 -> 3.0.0)
    • Bump docker/login-action from 3.7.0 to 4.0.0
    • Bump just minor version from 1.46 to 1.47
  • Node24-ready GitHub Actions pin refresh for shared composite actions (#321)
    • Update Docker build path pins in build-image (docker/setup-buildx-action, docker/metadata-action, docker/build-push-action) to Node24-compatible releases
    • Set setup-env default Node runtime to 24 and upgrade actions/setup-node
    • Align test composite actions with newer pins (actions/checkout, actions/cache, actions/upload-artifact)
  • Smoke-test dispatch payload now carries source run traceability metadata (#289)
    • Candidate release dispatches now include source repo/workflow/run/SHA metadata plus a deterministic correlation_id
    • Smoke-test dispatch receiver logs normalized source context, derives source run URL when possible, and writes it to workflow summary output
    • Release-cycle docs now define required vs optional dispatch payload keys and the future callback contract path for publish-candidate
  • Smoke-test repository dispatch now runs for final releases too (#173)
    • release.yml now triggers the existing smoke-test dispatch contract for both candidate and final release kinds
    • Final release summaries and release-cycle documentation now reflect dispatch behavior for both release modes
  • Workspace CI templates now use a single container-based workflow (#327)
    • Consolidate assets/workspace/.github/workflows/ci.yml as the canonical CI workflow and remove the obsolete ci-container.yml template
    • Extract reusable assets/workspace/.github/actions/resolve-image and run workspace release tests in the same containerized workflow model
    • Update smoke-test and release-cycle documentation to reference the single CI workflow contract
  • Final release now requires downstream RC pre-release gate (#331)
    • Add upstream final-release validation that requires a downstream GitHub pre-release for the latest published RC tag
    • Move smoke-test dispatch to a dedicated release job and include release_kind in the dispatch payload
    • Add downstream repository-dispatch.yml template that runs smoke tests and creates pre-release/final release artifacts
  • Ship changelog into workspace payload and smoke-test deploy root (#333)
    • Sync canonical CHANGELOG.md into both workspace root and .devcontainer/ template paths
    • Smoke-test dispatch now copies .devcontainer/CHANGELOG.md to repository root so deploy output keeps a root changelog
  • Final release now publishes a GitHub Release with finalized notes (#310)
    • Add a final-only publish step in .github/workflows/release.yml that creates a GitHub Release for X.Y.Z
    • Source GitHub Release notes from the finalized CHANGELOG.md section and fail the run if notes extraction or release publishing fails
  • Release dispatch and publish ordering hardened for 0.3.1 (#336)
    • Make smoke-test dispatch fire-and-forget in .github/workflows/release.yml and decouple rollback from downstream completion timing
    • Add bounded retries to the final-release downstream RC pre-release gate API check
    • Move final GitHub Release creation to the end of publish so artifact publication/signing completes before release object creation
    • Add concurrency control to assets/smoke-test/.github/workflows/repository-dispatch.yml to prevent overlapping dispatch races
    • Handle smoke-test dispatch failures with a targeted issue while avoiding destructive rollback after publish artifacts are already released
  • Redesigned smoke-test dispatch release orchestration (#358)
    • Replace premature publish-release behavior with full downstream orchestration: deploy-to-dev merge gate, prepare-release.yml, release PR readiness/approval, and release.yml dispatch polling
    • Add upstream failure issue reporting with job-phase results and cleanup guidance when dispatch orchestration fails
  • Smoke-test release orchestration now runs as two phases (#402)
    • Keep repository-dispatch.yml focused on deploy/prepare/release-PR readiness and move release dispatch to a dedicated merged-PR workflow (on-release-pr-merge.yml)
    • Add release-kind labeling and auto-merge enablement for release PRs, and keep upstream failure notifications in both phases
    • Remove release-branch upstream CHANGELOG.md sync from repository-dispatch.yml (previously added in #358)
  • Dependabot dependency update batch (#414)
    • Bump github/codeql-action from 4.32.6 to 4.34.1 and anchore/sbom-action from 0.23.1 to 0.24.0
    • Bump actions/cache restore/save pins from 5.0.3 to 5.0.4 in sync-issues.yml
  • Dependabot dependency update batch (#413)
    • Bump @devcontainers/cli from 0.84.0 to 0.84.1
  • cursor-agent install is now resilient to CDN failures (#434)
    • Retries 3 times with backoff before giving up
    • Build succeeds without cursor-agent when Cursor's CDN is unavailable
  • Immutable GitHub releases, tag rulesets, and forward-fix policy (#446)
    • Final releases create a draft GitHub Release for human review before publishing; rollback no longer deletes remote tags
    • Release workflows skip redundant tag push when the tag already matches the finalized commit; workspace release-core / release-publish and smoke-test failure guidance updated accordingly
    • Document tag rulesets, immutable releases, and recovery in docs/RELEASE_CYCLE.md, docs/DOWNSTREAM_RELEASE.md, and docs/CROSS_REPO_RELEASE_GATE.md
  • Container image tests expect current GitHub CLI minor line
    • Update tests/test_image.py EXPECTED_VERSIONS["gh"] to 2.89. to match the CLI shipped in the image

Removed

  • PR Title Check GitHub Actions workflow (#444)
    • Remove .github/workflows/pr-title-check.yml; commit message rules remain enforced via local hooks and validate-commit-msg
    • Remove --subject-only from validate-commit-msg (it existed only for PR title CI)

Fixed

  • Smoke-test deploy restores workspace CHANGELOG for prepare-release (#417)
    • Add prepare-changelog unprepare to rename the top ## [semver] - … heading to ## Unreleased
    • init-workspace.sh --smoke-test copies .devcontainer/CHANGELOG.md into workspace CHANGELOG.md and runs unprepare; remove duplicate remap from smoke-test dispatch workflow
  • Release app permission docs now include downstream workflow dispatch requirements (#397)
    • Update docs/RELEASE_CYCLE.md...