chore: sync dev with main#519
Merged
vig-os-release-app[bot] merged 6 commits intodevfrom Apr 10, 2026
Merged
Conversation
Strip empty Unreleased section from release branch. Release date TBD (set during finalization).
Set release date to 2026-04-10 and regenerate release docs. Refs: #516
The GitHub API only returns draft releases to tokens with push access. The validate job had contents:read, so the draft release check always failed. Elevate to contents:write and use github.token for the workspace template variant (upstream already used github.token). TDD skipped: CI workflow YAML — only verifiable via GitHub Actions run. Refs: #517
## Description
The Promote Release workflow always fails at the "Verify draft GitHub
Release exists" step in the `validate` job. The GitHub API only returns
draft releases to tokens with push access (`contents: write`), but the
`validate` job had `contents: read` and the workspace template variant
was using the release app token which also lacked push-level
permissions.
This PR elevates the `validate` job permissions to `contents: write` in
both the upstream and workspace `promote-release.yml`, and switches the
workspace template's draft release check to use `github.token` (the
upstream already used it).
## Type of Change
- [ ] `feat` -- New feature
- [x] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [x] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)
### Modifiers
- [ ] Breaking change (`!`) -- This change breaks backward compatibility
## Changes Made
- `.github/workflows/promote-release.yml` — change `validate` job
`contents: read` to `contents: write`
- `assets/workspace/.github/workflows/promote-release.yml` — change
`validate` job `contents: read` to `contents: write`; switch `GH_TOKEN`
in the draft release check step from the release app token to `${{
github.token }}`
- `CHANGELOG.md` — add Fixed entry for #517
- `assets/workspace/.devcontainer/CHANGELOG.md` — synced by pre-commit
hook
## Changelog Entry
### Fixed
- **Promote-release validate job cannot see draft releases**
([#517](#517))
- Elevate `validate` job permissions to `contents: write` so the token
has push-level access required by the GitHub API to list draft releases
- Use `github.token` instead of the release app token for the draft
release check in workspace `promote-release.yml`
## Testing
- [ ] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)
### Manual Testing Details
TDD skipped: CI workflow YAML changes can only be verified by running
the actual GitHub Actions pipeline. Verification will occur when the
Promote Release workflow is re-run for 0.3.3.
## Checklist
- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit
`docs/templates/`, then run `just docs`)
- [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and
pasted the entry above)
- [x] My changes generate no new warnings or errors
- [ ] I have added tests that prove my fix is effective or that my
feature works
- [ ] New and existing unit tests pass locally with my changes
- [x] Any dependent changes have been merged and published
## Additional Notes
This fix affects both the upstream and workspace template
`promote-release.yml`. The upstream workflow already used `${{
github.token }}` for the draft release check but still had `contents:
read`, so only the permission needed changing. The workspace template
also needed the token source switched from the release app token to `${{
github.token }}`.
Refs: #517
# [Release 0.3.3](https://github.com/vig-os/devcontainer/releases/tag/0.3.3) - 2026-04-10 This PR prepares release 0.3.3 for merge to main. ## [0.3.3](https://github.com/vig-os/devcontainer/releases/tag/0.3.3) - 2026-04-10 ### Added - **Renovate changelog automation** ([#506](#506)) - `renovate-changelog-pr` CLI tool parses Renovate PR metadata and inserts Keep-a-Changelog entries under `## Unreleased` - `renovate-changelog` workflow runs on `pull_request_target` for `renovate[bot]` PRs in both upstream and workspace template - **Devcontainer image version pinning** ([#509](#509)) - `.vig-os` file at repo root declares `DEVCONTAINER_VERSION` as the single source of truth for CI container image tags - `resolve-image` composite action resolves the image tag and validates it exists in GHCR - **`GITHUB_REPOSITORY` resolution for workspace init** ([#509](#509)) - `parse-github-remote-lib.sh` extracts `owner/repo` from HTTPS, SSH, and `git@` GitHub URLs - `install.sh` gains `--repo` flag; `init-workspace.sh` replaces `{{GITHUB_REPOSITORY}}` in workspace template files ### Changed - **Switch from Dependabot to Renovate** ([#509](#509)) - Replace `.github/dependabot.yml` with `renovate.json` and shared `renovate-default.json` preset - Renovate covers all ecosystems previously tracked (github-actions, pip, npm, docker) plus template directories not reachable by Dependabot - **Sync workflows run in devcontainer image** ([#509](#509)) - `sync-issues` and `sync-main-to-dev` use `resolve-image` and run inside the pinned devcontainer, removing the `setup-env` composite action dependency and the inlined retry helper - `sync-main-to-dev` creates sync branches via `git push` instead of the GitHub refs API - **Smoke-test dispatch triggers promote-release for final releases** ([#511](#511)) - Final releases dispatch downstream `promote-release.yml` instead of merging the release PR directly, publishing the draft GitHub Release and satisfying the upstream promote-time downstream gate - RC releases wait for release PR required checks but no longer merge the PR to `main` ### Removed - **Dependabot configuration** ([#509](#509)) - Delete `.github/dependabot.yml` and `assets/workspace/.github/dependabot.yml` ### Fixed - **Promote-release draft release validation** ([#507](#507)) - Use the paginated releases list API with jq instead of `GET /releases/tags/{tag}`, which returns 404 for draft releases - Apply the same release lookup for RC git tag cleanup in upstream and workspace `promote-release.yml` ### Security - **Nightly Trivy gate remediation (OpenSSL, gh, typos)** ([#512](#512)) - Pin `python:3.12-slim-bookworm` to current digest and add targeted `libssl3`/`openssl` upgrade to `3.0.19-1~deb12u2` (CVE-2026-28390, CVE-2026-31790) - Refresh `.trivyignore`: drop resolved gh/docker-cli and gRPC entries; add Go stdlib and typos-related suppressions plus `jwt-token` false positive - Suppress unfixable base-image CVEs: ncurses (CVE-2025-69720), SQLite (CVE-2025-7458), systemd (CVE-2026-29111), zlib/minizip (CVE-2023-45853)
c-vigo
approved these changes
Apr 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Syncs
devwithmain(sync-main-to-dev workflow).