v1.10.5-rc.7

🚀 What's Changed

📋 Commits since v1.10.5-rc.6:

• chore: update gha-release-* composite action SHAs for Node.js 24 (7d1de69)

🎯 Release Information

• Branch: main
• Release Type: prerelease
• Primary Language: unknown

⚠️ This is a pre-release version - use for testing purposes.

Release Assets

This release includes organized packages for easy consumption:

Binaries

Pre-built binaries for multiple platforms with SHA256 checksums:

• Linux: *-linux-amd64, *-linux-arm64
• macOS: *-darwin-amd64, *-darwin-arm64

Each binary includes a .sha256 checksum file for verification.

SDKs

• Go SDK: *-go-sdk.tar.gz / *-go-sdk.zip
• Python SDK: *-python-sdk.tar.gz / *-python-sdk.zip

Documentation

• API Documentation: *-docs.tar.gz / *-docs.zip

See MANIFEST.md in the release assets for a complete list of all files and their sizes.

---

Generated automatically from commit 7d1de69

v1.10.5-rc.6

🚀 What's Changed

📋 Commits since v1.10.5-rc.5:

• deps(deps): bump super-linter/super-linter in the dependencies group (492da20)

🎯 Release Information

• Branch: main
• Release Type: prerelease
• Primary Language: unknown

⚠️ This is a pre-release version - use for testing purposes.

Release Assets

This release includes organized packages for easy consumption:

Binaries

Pre-built binaries for multiple platforms with SHA256 checksums:

• Linux: *-linux-amd64, *-linux-arm64
• macOS: *-darwin-amd64, *-darwin-arm64

Each binary includes a .sha256 checksum file for verification.

SDKs

• Go SDK: *-go-sdk.tar.gz / *-go-sdk.zip
• Python SDK: *-python-sdk.tar.gz / *-python-sdk.zip

Documentation

• API Documentation: *-docs.tar.gz / *-docs.zip

See MANIFEST.md in the release assets for a complete list of all files and their sizes.

---

Generated automatically from commit 492da20

v1.10.5-rc.5

🚀 What's Changed

📋 Commits since v1.10.5-rc.4:

• fix: remove empty artifact files before GitHub release upload (609558c)

🎯 Release Information

• Branch: main
• Release Type: prerelease
• Primary Language: unknown

⚠️ This is a pre-release version - use for testing purposes.

Release Assets

This release includes organized packages for easy consumption:

Binaries

Pre-built binaries for multiple platforms with SHA256 checksums:

• Linux: *-linux-amd64, *-linux-arm64
• macOS: *-darwin-amd64, *-darwin-arm64

Each binary includes a .sha256 checksum file for verification.

SDKs

• Go SDK: *-go-sdk.tar.gz / *-go-sdk.zip
• Python SDK: *-python-sdk.tar.gz / *-python-sdk.zip

Documentation

• API Documentation: *-docs.tar.gz / *-docs.zip

See MANIFEST.md in the release assets for a complete list of all files and their sizes.

---

Generated automatically from commit 609558c

v1.10.5-rc.4

🚀 What's Changed

📋 Commits since v1.10.5-rc.3:

• fix: remove Windows builds, skip empty release assets (959c35e)

🎯 Release Information

• Branch: main
• Release Type: prerelease
• Primary Language: unknown

⚠️ This is a pre-release version - use for testing purposes.

Release Assets

This release includes organized packages for easy consumption:

Binaries

Pre-built binaries for multiple platforms with SHA256 checksums:

• Linux: *-linux-amd64, *-linux-arm64
• macOS: *-darwin-amd64, *-darwin-arm64

Each binary includes a .sha256 checksum file for verification.

SDKs

• Go SDK: *-go-sdk.tar.gz / *-go-sdk.zip
• Python SDK: *-python-sdk.tar.gz / *-python-sdk.zip

Documentation

• API Documentation: *-docs.tar.gz / *-docs.zip

See MANIFEST.md in the release assets for a complete list of all files and their sizes.

---

Generated automatically from commit 959c35e

v1.10.5-rc.3

🚀 What's Changed

📋 Commits since v1.10.5-rc.2:

• fix(ci): remove conflicting allow-licenses from dependency-review-config (3d89ccc)
• fix(security): pin all workflow action references to SHA hashes (86e7797)

🎯 Release Information

• Branch: main
• Release Type: prerelease
• Primary Language: unknown

⚠️ This is a pre-release version - use for testing purposes.

Release Assets

This release includes organized packages for easy consumption:

Binaries

Pre-built binaries for multiple platforms with SHA256 checksums:

• Windows: *-windows-amd64.exe, *-windows-arm64.exe
• Linux: *-linux-amd64, *-linux-arm64
• macOS: *-darwin-amd64, *-darwin-arm64

Each binary includes a .sha256 checksum file for verification.

SDKs

• Go SDK: *-go-sdk.tar.gz / *-go-sdk.zip
• Python SDK: *-python-sdk.tar.gz / *-python-sdk.zip

Documentation

• API Documentation: *-docs.tar.gz / *-docs.zip

See MANIFEST.md in the release assets for a complete list of all files and their sizes.

---

Generated automatically from commit 3d89ccc

v1.10.5-rc.2

🚀 What's Changed

📋 Commits since v1.10.5-rc.1:

• deps(deps): bump the dependencies group across 1 directory with 15 updates (83352d4)

🎯 Release Information

• Branch: main
• Release Type: prerelease
• Primary Language: unknown

⚠️ This is a pre-release version - use for testing purposes.

Release Assets

This release includes organized packages for easy consumption:

Binaries

Pre-built binaries for multiple platforms with SHA256 checksums:

• Windows: *-windows-amd64.exe, *-windows-arm64.exe
• Linux: *-linux-amd64, *-linux-arm64
• macOS: *-darwin-amd64, *-darwin-arm64

Each binary includes a .sha256 checksum file for verification.

SDKs

• Go SDK: *-go-sdk.tar.gz / *-go-sdk.zip
• Python SDK: *-python-sdk.tar.gz / *-python-sdk.zip

Documentation

• API Documentation: *-docs.tar.gz / *-docs.zip

See MANIFEST.md in the release assets for a complete list of all files and their sizes.

---

Generated automatically from commit 83352d4

v1.10.5-rc.1

🚀 What's Changed

📋 Commits since v1:

• fix: resolve shellcheck warnings and CI lint issues (06d833f)

🎯 Release Information

• Branch: main
• Release Type: prerelease
• Primary Language: unknown

⚠️ This is a pre-release version - use for testing purposes.

Release Assets

This release includes organized packages for easy consumption:

Binaries

Pre-built binaries for multiple platforms with SHA256 checksums:

• Windows: *-windows-amd64.exe, *-windows-arm64.exe
• Linux: *-linux-amd64, *-linux-arm64
• macOS: *-darwin-amd64, *-darwin-arm64

Each binary includes a .sha256 checksum file for verification.

SDKs

• Go SDK: *-go-sdk.tar.gz / *-go-sdk.zip
• Python SDK: *-python-sdk.tar.gz / *-python-sdk.zip

Documentation

• API Documentation: *-docs.tar.gz / *-docs.zip

See MANIFEST.md in the release assets for a complete list of all files and their sizes.

---

Generated automatically from commit 06d833f

v1.10.4

v1.10.4

Breaking Changes

• Release sub-workflows removed — release-go.yml, release-python.yml, release-rust.yml, release-frontend.yml, release-docker.yml, release-protobuf.yml, and reusable-protobuf.yml have been replaced by external composite actions. If your repo references these workflows directly, update to the new actions (see migration guide below).

New Versioning Strategy

Every commit to main now creates a pre-release RC tag (e.g. v1.10.4-rc.1) instead of a full stable release. This prevents infinite update loops between ghcommon and consumer repos.

How it works:

• Push to main → v1.10.4-rc.N pre-release + draft v1.10.4 release
• Dependabot ignores pre-releases, breaking the update loop
• When ready, publish the draft → on-release-published.yml updates floating tags (v1, v1.10)
• Manual workflow_dispatch with stable: true creates a full release directly

Trivy Removal

All Trivy references have been removed from workflows, scripts, agent definitions, and configuration files following the Trivy supply chain compromise. Security scanning now relies on CodeQL, dependency review, gosec, bandit, and npm audit.

Composite Action Migration

Release sub-workflows have been replaced with standalone composite actions in separate repos. This eliminates reusable workflow nesting limits and the self-referencing SHA problem.

Old workflow	New action	Version
release-go.yml	jdfalk/gha-release-go	v1.0.1
release-python.yml	jdfalk/gha-release-python	v1.0.1
release-rust.yml	jdfalk/gha-release-rust	v1.0.1
release-frontend.yml	jdfalk/gha-release-frontend	v1.0.1
release-docker.yml	jdfalk/gha-release-docker	v1.0.1
release-protobuf.yml + reusable-protobuf.yml	jdfalk/gha-release-protobuf	v1.0.2

Language Detection Improvements

Updated detect-languages-action to v1.1.5 with more accurate detection:

• Protobuf: Requires buf.gen.yaml to exist, not just .proto files
• Python: Requires setup.py or pyproject.toml, not just requirements.txt
• Frontend: Requires actual source files (src/index.js, etc.), not just package.json for tooling
• Go: Removed false positive from bare cmd/ directory
• Matrix versions: Go 1.24, Python 3.13, Rust stable

SHA Pinning

• All action references across ghcommon and downstream action repos are now pinned to full commit SHAs
• actions/setup-python@v6 pinned in security-summary composite action
• All ghcommon script checkout ref: values use commit SHAs instead of main or v1 tags

All Changes

• feat: switch to RC pre-release versioning strategy
• refactor: replace release sub-workflows with composite actions
• fix: add permissions to release.yml, replace all tag refs with SHAs
• fix: update gha-release-* actions to v1.0.1 with SHA-pinned deps
• fix: update detect-languages-action to v1.1.5
• fix: call reusable-protobuf directly to avoid 4-level nesting limit
• fix: use external ref for nested reusable workflow in release-protobuf
• Remove Trivy - compromised supply chain
• fix: update self-referencing pins to latest main

For Consumer Repos

If your repo calls jdfalk/ghcommon/.github/workflows/reusable-release.yml, update your SHA pin to this release:

uses: jdfalk/ghcommon/.github/workflows/reusable-release.yml@378e23a  # v1.10.4

The release.yml caller now supports a stable input for manual stable releases:

workflow_dispatch:
  inputs:
    stable:
      description: 'Publish a stable (non-RC) release directly'
      type: boolean
      default: false

v1.10.4-rc.1

🚀 What's Changed

📋 Commits since v1:

• fix: update detect-languages-action to v1.1.5 (378e23a)
• fix: update detect-languages-action to v1.1.4 (62a3316)
• fix: update gha-release-* actions to v1.0.1 with SHA-pinned deps (2bd0b40)
• fix: add permissions to release.yml, replace all tag refs with SHAs (04d8d9a)
• refactor: replace release sub-workflows with composite actions (e04c222)

🎯 Release Information

• Branch: main
• Release Type: prerelease
• Primary Language: unknown

⚠️ This is a pre-release version - use for testing purposes.

Release Assets

This release includes organized packages for easy consumption:

Binaries

Pre-built binaries for multiple platforms with SHA256 checksums:

• Windows: *-windows-amd64.exe, *-windows-arm64.exe
• Linux: *-linux-amd64, *-linux-arm64
• macOS: *-darwin-amd64, *-darwin-arm64

Each binary includes a .sha256 checksum file for verification.

SDKs

• Go SDK: *-go-sdk.tar.gz / *-go-sdk.zip
• Python SDK: *-python-sdk.tar.gz / *-python-sdk.zip

Documentation

• API Documentation: *-docs.tar.gz / *-docs.zip

See MANIFEST.md in the release assets for a complete list of all files and their sizes.

---

Generated automatically from commit 378e23a

v1.0.0-rc.9

🐛 Bug Fixes

• release: enable automatic release on push to main
• release: use github.event.inputs for push event compatibility
• release: correct boolean input handling for workflow triggers

📝 Commits Since v1.0.0-rc.8

• fix(release): correct boolean input handling for workflow triggers (e85cd2d)
• fix(release): use github.event.inputs for push event compatibility (7ebc4fc)
• fix(release): enable automatic release on push to main (a9c9b81)
• chore(reusable-ci): update version to 1.9.0 and adjust permissions to read (9a28c40)