vig-os · vig-os-release-app · Apr 10, 2026 · Apr 10, 2026 · Apr 10, 2026 · Apr 10, 2026
@@ -39,7 +39,7 @@ jobs:
     runs-on: ubuntu-22.04
     timeout-minutes: 15
     permissions:
-      contents: read
+      contents: write
       packages: read
     outputs:
       version: ${{ steps.vars.outputs.version }}

diff --git a/.vig-os b/.vig-os
@@ -1,2 +1,2 @@
 # vig-os devcontainer configuration
-DEVCONTAINER_VERSION=0.3.2
+DEVCONTAINER_VERSION=0.3.3
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,21 +5,7 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## Unreleased
-
-### Added
-
-### Changed
-
-### Deprecated
-
-### Removed
-
-### Fixed
-
-### Security
-
-## [0.3.3] - TBD
+## [0.3.3](https://github.com/vig-os/devcontainer/releases/tag/0.3.3) - 2026-04-10
 
 ### Added
 
@@ -55,6 +41,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Promote-release draft release validation** ([#507](https://github.com/vig-os/devcontainer/issues/507))
   - Use the paginated releases list API with jq instead of `GET /releases/tags/{tag}`, which returns 404 for draft releases
   - Apply the same release lookup for RC git tag cleanup in upstream and workspace `promote-release.yml`
+- **Promote-release validate job cannot see draft releases** ([#517](https://github.com/vig-os/devcontainer/issues/517))
+  - Elevate `validate` job permissions to `contents: write` so the token has push-level access required by the GitHub API to list draft releases
+  - Use `github.token` instead of the release app token for the draft release check in workspace `promote-release.yml`
 
 ### Security
 

diff --git a/README.md b/README.md
@@ -182,7 +182,7 @@ For detailed command descriptions, run `just --list --unsorted` or `just --help`
 - **Registry**: `ghcr.io/vig-os/devcontainer`
 - **Architecture**: Multi-platform support (AMD64, ARM64)
 - **License**: Apache
-- **Latest Version**: [0.3.2](https://github.com/vig-os/devcontainer/releases/tag/0.3.2) - 2026-04-08
+- **Latest Version**: [0.3.3](https://github.com/vig-os/devcontainer/releases/tag/0.3.3) - 2026-04-10
 - **Image tags**: bare semver (`0.2.1`, `latest`) — git tags use `v` prefix (`v0.2.1`) but image tags do not
 
 ## Features

diff --git a/assets/workspace/.devcontainer/CHANGELOG.md b/assets/workspace/.devcontainer/CHANGELOG.md
@@ -5,21 +5,7 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## Unreleased
-
-### Added
-
-### Changed
-
-### Deprecated
-
-### Removed
-
-### Fixed
-
-### Security
-
-## [0.3.3] - TBD
+## [0.3.3](https://github.com/vig-os/devcontainer/releases/tag/0.3.3) - 2026-04-10
 
 ### Added
 
@@ -55,6 +41,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Promote-release draft release validation** ([#507](https://github.com/vig-os/devcontainer/issues/507))
   - Use the paginated releases list API with jq instead of `GET /releases/tags/{tag}`, which returns 404 for draft releases
   - Apply the same release lookup for RC git tag cleanup in upstream and workspace `promote-release.yml`
+- **Promote-release validate job cannot see draft releases** ([#517](https://github.com/vig-os/devcontainer/issues/517))
+  - Elevate `validate` job permissions to `contents: write` so the token has push-level access required by the GitHub API to list draft releases
+  - Use `github.token` instead of the release app token for the draft release check in workspace `promote-release.yml`
 
 ### Security
 

diff --git a/assets/workspace/.github/workflows/promote-release.yml b/assets/workspace/.github/workflows/promote-release.yml
@@ -53,7 +53,7 @@ jobs:
     outputs:
       version: ${{ steps.vars.outputs.version }}
     permissions:
-      contents: read
+      contents: write
       pull-requests: read
     defaults:
       run:
@@ -87,7 +87,7 @@ jobs:
 
       - name: Verify draft GitHub Release exists
         env:
-          GH_TOKEN: ${{ steps.release_app_token.outputs.token }}
+          GH_TOKEN: ${{ github.token }}
           VERSION: ${{ steps.vars.outputs.version }}
         run: |
           set -euo pipefail

diff --git a/docs/issues/issue-511.md b/docs/issues/issue-511.md
@@ -0,0 +1,66 @@
+---
+type: issue
+state: closed
+created: 2026-04-10T06:32:05Z
+updated: 2026-04-10T13:19:49Z
+author: c-vigo
+author_url: https://github.com/c-vigo
+url: https://github.com/vig-os/devcontainer/issues/511
+comments: 0
+labels: feature, area:ci
+assignees: c-vigo
+milestone: none
+projects: none
+parent: none
+children: none
+synced: 2026-04-10T13:54:27.274Z
+---
+
+# [Issue 511]: [[FEATURE] Smoke-test dispatch: trigger promote-release for final; wait on CI for RC](https://github.com/vig-os/devcontainer/issues/511)
+
+## Description
+
+Update the smoke-test `repository-dispatch` workflow so **final** releases dispatch downstream `promote-release.yml` (publish release, merge PR, cleanup RC tags) instead of only merging the release PR; and so **RC** triggers verify release-PR CI but **do not** merge to `main`.
+
+## Problem statement
+
+- Issue #507 / PR #510 fixed draft-release handling in `promote-release.yml`.
+- Today `assets/smoke-test/.github/workflows/repository-dispatch.yml` runs `merge-release-pr` for **both** RC and final: it enables auto-merge and polls.
+- Downstream `release.yml` creates a **draft** final release; nobody publishes it, so the release stays draft.
+- Upstream `.github/workflows/promote-release.yml` requires a **published** (non-draft, non-prerelease) downstream final release before it proceeds — so automation fails unless someone publishes manually.
+- For RC, merging the release PR to `main` on every candidate is unnecessary; the branch is recreated on the next dispatch.
+
+## Proposed solution
+
+Behavior split by `release_kind`:
+
+**Common path (RC + final):** existing steps through `trigger-release` unchanged in intent; then replace terminal merge behavior as below.
+
+1. **Remove** the `merge-release-pr` job.
+2. **Add** `wait-release-pr-ci` (RC + final): after `trigger-release`, poll required checks on the release PR (`gh pr checks`); succeed when green; fail on failure or timeout (e.g. 30 min). For RC this is terminal — PR stays open.
+3. **Add** `trigger-promote-release` (**final only**): `if: needs.validate.outputs.release_kind == 'final'`; repository-dispatch `promote-release.yml` on `dev` with `version=$BASE_VERSION`; same dispatch-and-poll pattern as `trigger-release` / `trigger-prepare-release`. Downstream `promote-release` validates draft + PR, publishes release, merges PR, cleans RC tags.
+4. **Update** `summary` and `notify-failure`: depend on `wait-release-pr-ci` and `trigger-promote-release`; treat skipped `trigger-promote-release` on RC as success, not failure.
+
+**Docs:** Update `docs/CROSS_REPO_RELEASE_GATE.md` — receiver triggers `promote-release` for final; RC path no longer merges.
+
+**Scope:** `assets/smoke-test/.github/workflows/repository-dispatch.yml` + `docs/CROSS_REPO_RELEASE_GATE.md`. Do **not** change upstream or workspace-template `promote-release.yml` in this issue.
+
+## Alternatives considered
+
+- Duplicate publish/merge/cleanup logic in `repository-dispatch.yml` — rejected (DRY; dogfood `promote-release` template).
+
+## Additional context
+
+- Workspace template already ships `assets/workspace/.github/workflows/promote-release.yml` via `init-workspace.sh`.
+- **Prerequisite:** PR #510 merged and deployed to the smoke-test repo before exercising this change end-to-end.
+- Related: #507 (draft release API), #510 (fix).
+
+## Impact
+
+- Unblocks upstream `promote-release` by publishing the downstream final release automatically.
+- RC flow stops merging prematurely; aligns with cross-repo gate contract for pre-releases.
+
+**Changelog category:** Changed
+
+- [ ] TDD compliance (see `.cursor/rules/tdd.mdc`)
+
diff --git a/docs/issues/issue-512.md b/docs/issues/issue-512.md
@@ -0,0 +1,29 @@
+---
+type: issue
+state: closed
+created: 2026-04-10T06:54:22Z
+updated: 2026-04-10T13:20:01Z
+author: github-actions[bot]
+author_url: https://github.com/github-actions[bot]
+url: https://github.com/vig-os/devcontainer/issues/512
+comments: 0
+labels: security, security-scan
+assignees: c-vigo
+milestone: none
+projects: none
+parent: none
+children: none
+synced: 2026-04-10T13:54:26.944Z
+---
+
+# [Issue 512]: [Nightly security scan: HIGH/CRITICAL vulnerabilities in :latest](https://github.com/vig-os/devcontainer/issues/512)
+
+Nightly scan found **fixable HIGH/CRITICAL** vulnerabilities in the resolved image below (after `.trivyignore`).
+
+- **Image (resolved):** `ghcr.io/vig-os/devcontainer@sha256:b59c4b5ee13f06729400516309255f011b456e1e2001ca11fabb0ebefa4e2416`
+- **Tag pulled:** `ghcr.io/vig-os/devcontainer:latest`
+- **Scan date (UTC):** 2026-04-10T06:54:20Z
+- **Workflow run:** https://github.com/vig-os/devcontainer/actions/runs/24230540059
+- **Security tab:** https://github.com/vig-os/devcontainer/security
+
+Close this issue after the image is remediated and the next scheduled run passes the gate.