Releases: vig-os/devcontainer

0.3.4

29 Apr 14:37
Immutable release. Only release title and notes can be modified.
9ed20be

Added

  • Renovate config validation on pull requests (#520)
    • Workflow discovers tracked renovate*.json files (excluding assets/workspace/renovate.json, whose extends uses an unresolved template placeholder) and runs renovate-config-validator --strict on the rest when renovate JSON changes
    • just test-renovate recipe mirrors the workflow locally and is included in just test

Changed

  • Bump expected tool versions in image tests
    • gh 2.89 → 2.92, just 1.49 → 1.50, cargo-binstall 1.17 → 1.18 to match the latest upstream releases the image now installs

Fixed

  • Renovate preset blocked all dependency updates (#520)
    • Split Python packageRules so matchUpdateTypes and rangeStrategy are not combined in one rule; rename baseBranches to baseBranchPatterns
    • Remove invalid uv from enabledManagers (pep621 continues to handle pyproject.toml and uv.lock)

0.3.3

10 Apr 16:14
33e2720

Added

  • Renovate changelog automation (#506)
    • renovate-changelog-pr CLI tool parses Renovate PR metadata and inserts Keep-a-Changelog entries under ## Unreleased
    • renovate-changelog workflow runs on pull_request_target for renovate[bot] PRs in both upstream and workspace template
  • Devcontainer image version pinning (#509)
    • .vig-os file at repo root declares DEVCONTAINER_VERSION as the single source of truth for CI container image tags
    • resolve-image composite action resolves the image tag and validates it exists in GHCR
  • GITHUB_REPOSITORY resolution for workspace init (#509)
    • parse-github-remote-lib.sh extracts owner/repo from HTTPS, SSH, and git@ GitHub URLs
    • install.sh gains --repo flag; init-workspace.sh replaces {{GITHUB_REPOSITORY}} in workspace template files

Changed

  • Switch from Dependabot to Renovate (#509)
    • Replace .github/dependabot.yml with renovate.json and shared renovate-default.json preset
    • Renovate covers all ecosystems previously tracked (github-actions, pip, npm, docker) plus template directories not reachable by Dependabot
  • Sync workflows run in devcontainer image (#509)
    • sync-issues and sync-main-to-dev use resolve-image and run inside the pinned devcontainer, removing the setup-env composite action dependency and the inlined retry helper
    • sync-main-to-dev creates sync branches via git push instead of the GitHub refs API
  • Smoke-test dispatch triggers promote-release for final releases (#511)
    • Final releases dispatch downstream promote-release.yml instead of merging the release PR directly, publishing the draft GitHub Release and satisfying the upstream promote-time downstream gate
    • RC releases wait for release PR required checks but no longer merge the PR to main

Removed

  • Dependabot configuration (#509)
    • Delete .github/dependabot.yml and assets/workspace/.github/dependabot.yml

Fixed

  • Promote-release draft release validation (#507)
    • Use the paginated releases list API with jq instead of GET /releases/tags/{tag}, which returns 404 for draft releases
    • Apply the same release lookup for RC git tag cleanup in upstream and workspace promote-release.yml

Security

  • Nightly Trivy gate remediation (OpenSSL, gh, typos) (#512)
    • Pin python:3.12-slim-bookworm to current digest and add targeted libssl3/openssl upgrade to 3.0.19-1~deb12u2 (CVE-2026-28390, CVE-2026-31790)
    • Refresh .trivyignore: drop resolved gh/docker-cli and gRPC entries; add Go stdlib and typos-related suppressions plus jwt-token false positive
    • Suppress unfixable base-image CVEs: ncurses (CVE-2025-69720), SQLite (CVE-2025-7458), systemd (CVE-2026-29111), zlib/minizip (CVE-2023-45853)

0.3.2

08 Apr 13:50
1f0abbb

Added

  • Downstream promote-release.yml workspace template (#463)
    • Add assets/workspace/.github/workflows/promote-release.yml as the counter-party to root promote-release.yml: validate draft release and release PR, publish the release, merge to main, best-effort git RC tag cleanup (no GHCR/cosign/smoke-test gate)
    • Document in docs/DOWNSTREAM_RELEASE.md and align docs/RELEASE_CYCLE.md Phase 5 for consumer vs upstream paths
  • Optional draft pre-release for downstream release candidates (#463)
    • Workspace release.yml adds create-release (workflow_dispatch, default false); release-publish.yml creates a draft GitHub pre-release only when set for candidate runs
    • Smoke-test repository-dispatch.yml passes create-release=true when triggering downstream release.yml
    • just publish-candidate forwards create-release in justfile.gh and the workspace template copy

Changed

  • RELEASE_APP permissions and GHCR cleanup token model (#463)
    • Document Packages read/write on the org for promote-release cleanup, align the app table in docs/RELEASE_CYCLE.md, and explain why cleanup uses the GitHub App token instead of GITHUB_TOKEN
  • Promote-release cleans up stale RC artifacts after merge (#463)
    • Best-effort job deletes GHCR package versions for ${VERSION}-rc* and sha256-*-only orphans, and deletes remote git RC tags for that base version when no GitHub Release exists; does not fail the workflow on error
  • Downstream release helper recipes via GitHub justfile import (#373)
    • Move prepare-release, finalize-release, publish-candidate, and reset-changelog into justfile.gh so downstream workspace templates expose these release helpers by default
    • Keep root recipe availability (including pull) through import 'justfile.gh' while consolidating release helper ownership in the GitHub-focused recipe file; the workspace template copy omits the pull recipe
  • Split final release into publish and promote phases (#456)
    • Final release.yml publishes versioned GHCR tags and a draft GitHub Release but no longer updates :latest
    • New promote-release.yml runs after downstream smoke-test publishes its final release: updates :latest, publishes the draft release, merges the release PR to main
    • Add just promote-release in justfile.gh (and workspace template copy)
  • Smoke-test dispatch fails fast when deploy PR checks fail (#381)
    • wait-deploy-merge in assets/smoke-test/.github/workflows/repository-dispatch.yml exits as soon as all required checks have completed with failures instead of waiting for the merge poll timeout (gh pr checks --required)
  • Scheduled security scan pulls GHCR :latest instead of rebuilding (#461)
    • Runs nightly at 05:00 UTC, pulls the published image, gates on fixable HIGH/CRITICAL vulnerabilities, auto-creates a deduplicated GitHub issue on failure, and uploads SARIF under container-image-latest
  • Dependabot dependency update batch (#474)
    • Bump github/codeql-action from 4.34.1 to 4.35.1
    • Bump sigstore/cosign-installer from 4.1.0 to 4.1.1
  • Dependabot dependency update batch (#488, #489)
    • Bump @devcontainers/cli from 0.84.1 to 0.85.0
    • Bump docker/login-action from 4.0.0 to 4.1.0
  • Simplify just pull in justfile.gh (#482)
    • Pull ghcr.io/vig-os/devcontainer by tag; drop redundant shell fallback, per-recipe repo argument, and unused REGISTRY_TEST TLS path (imported justfile.gh cannot reference root repo)
  • prepare-changelog finalize adds GitHub release link to version headings (#496)
    • finalize_release_date writes ## [X.Y.Z](https://github.com/owner/repo/releases/tag/X.Y.Z) - date; repository slug comes from GITHUB_REPOSITORY (set in Actions) or from prepare-changelog finalize ... --github-repository owner/repo
    • unprepare recognizes linked ## [semver](url) - … headings

Removed

  • One-time GHCR/git RC prune script (#463)
    • Remove scripts/prune-ghcr-tags.sh; RC and sha256-* orphan cleanup remains in root promote-release.yml
  • Downstream RC pre-release gate from release validate job (#463)
    • Removed dead if: false steps from release.yml; downstream final release is verified only in promote-release.yml before promote
  • Nightly full CI schedule from ci.yml (#492)
    • Remove the schedule trigger and schedule-only checkout overrides; CI remains on pull requests and workflow_dispatch only
    • Nightly GHCR :latest scan in security-scan.yml is unchanged

Fixed

  • Prepare-release changelog commits silently skipped due to FILE_PATHS delimiter mismatch (#483)
    • Change FILE_PATHS from space-separated to comma-separated in all commit-action steps of prepare-release.yml so the action correctly commits both CHANGELOG.md and assets/workspace/.devcontainer/CHANGELOG.md
    • Join finalization changed files with commas in release.yml (Collect finalization files) so commit-action receives multiple paths correctly
  • publish-candidate recipe sends unknown create-release input (#479)
    • Remove create-release parameter and -f flag from upstream justfile.gh; the input was added to the downstream workflow only but the recipe was updated in both places
  • Image tests expect current just minor (#479)
    • Align EXPECTED_VERSIONS["just"] with the latest just release installed by the Containerfile (1.49.x)
  • Git commit now falls back to nano when editor config is unusable (#383)
    • setup-git-conf.sh now validates the effective Git editor and sets core.editor=nano only when the configured editor is missing or invalid in-container
    • Add integration regression coverage to ensure invalid editor settings are corrected during setup
  • Release finalize no longer races sync-issues; CHANGELOG TBD verified after reset (#455)
    • Run sync-issues after capturing finalize SHA so downstream build/publish use the finalized commit
    • Fail finalize if CHANGELOG.md still contains ## [version] - TBD after git reset --hard
  • generate-docs pre-commit runs when CHANGELOG.md changes (#455)
    • Keeps README “Latest Version” and other generated docs aligned with the changelog
  • prepare-release tolerates GitHub API ref propagation and reliable CHANGELOG rollback (#453)
    • Poll until the new release branch ref resolves before commit-action commits to it
    • Fetch dev CHANGELOG.md by resolved commit SHA during rollback so Contents API staleness does not skip the rollback commit
  • sync-main-to-dev sync job no longer depends on dev's setup-env (#459)
    • Inline the same retry shell helper used by setup-env so the job works when main's workflow expects helpers not yet on dev
  • CI container build avoids shared-runner Docker Hub rate limits (#473)
    • build-image logs in to docker.io before setup-buildx-action when DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets are set; ci.yml and release.yml pass them
    • Omitting secrets (e.g. forks) keeps prior anonymous-pull behavior
  • Release finalize commit blocked by Release protection ruleset (#487)
    • Generate a dedicated Commit App token (COMMIT_APP_ID) for the commit-action step in the finalize job of release.yml, matching the pattern used by prepare-release.yml and other workflows; the previous Release App token lacked ruleset bypass
  • Release finalize installs just for doc generation (#494)
    • Remove install-just: 'false' from the finalize job setup-env step so docs/generate.py can run just --list
    • get_just_help() exits non-zero on failure instead of writing placeholder content into generated docs
  • Release rollback and CI retry exit codes (#500)
    • retry shell helper now propagates the command's non-zero exit code when all attempts fail
    • Release rollback creates a fast-forward revert commit via the Git API instead of force-pushing, compatible with branch protection on release/*
    • Rollback Git Data API steps authenticate with the Commit app token (same as finalize) so protected release/* ref updates are not blocked
    • Canonical retry() implementation lives in .github/scripts/retry.sh; setup-env and BATS source it so CI and tests stay aligned (sync-main-to-dev.yml keeps an inline copy documented as in sync)
  • Release rollback restores release PR body after finalize (#502)
    • rollback job in ...

0.3.1

26 Mar 18:12
ef7eb6e

Added

  • Split downstream release workflow with project-owned extension hook (#326)
    • Add local workflow_call release phases (release-core.yml, release-publish.yml) and a lightweight release.yml orchestrator in assets/workspace/.github/workflows/
    • Add release_kind support with candidate mode (X.Y.Z-rcN) and final mode (X.Y.Z) in downstream release workflows
    • Candidate mode now auto-computes the next RC tag, skips CHANGELOG finalization/sync-issues, and publishes a GitHub pre-release
    • Add project-owned release-extension.yml stub and preserve it during init-workspace.sh --force upgrades
    • Add validate-contract composite action for single-source contract version validation
    • Add downstream release contract documentation and GHCR extension example in docs/DOWNSTREAM_RELEASE.md
  • jq in devcontainer image (#425)
    • Install the jq CLI in the GHCR image so containerized workflows (e.g. release-core validate / downstream Release Core) can pipe JSON through jq

Changed

  • Dependabot dependency update batch (#302, #303, #305, #306, #307, #308, #309)
    • Bump @devcontainers/cli from 0.81.1 to 0.84.0 and bats-assert from v2.2.0 to v2.2.4
    • Bump GitHub Actions: actions/download-artifact (4.3.0 -> 8.0.1), actions/github-script (7.1.0 -> 8.0.0), actions/attest-build-provenance (3.0.0 -> 4.1.0), actions/checkout (4.3.1 -> 6.0.2)
    • Bump release workflow action pins: sigstore/cosign-installer (4.0.0 -> 4.1.0) and anchore/sbom-action (0.22.2 -> 0.23.1)
  • Dependabot dependency update batch (#314, #315, #316, #317)
    • Bump GitHub Actions: actions/attest-sbom (3.0.0 -> 4.0.0), actions/upload-artifact (4.6.2 -> 7.0.0), actions/create-github-app-token (2.2.1 -> 3.0.0)
    • Bump docker/login-action from 3.7.0 to 4.0.0
    • Bump just minor version from 1.46 to 1.47
  • Node24-ready GitHub Actions pin refresh for shared composite actions (#321)
    • Update Docker build path pins in build-image (docker/setup-buildx-action, docker/metadata-action, docker/build-push-action) to Node24-compatible releases
    • Set setup-env default Node runtime to 24 and upgrade actions/setup-node
    • Align test composite actions with newer pins (actions/checkout, actions/cache, actions/upload-artifact)
  • Smoke-test dispatch payload now carries source run traceability metadata (#289)
    • Candidate release dispatches now include source repo/workflow/run/SHA metadata plus a deterministic correlation_id
    • Smoke-test dispatch receiver logs normalized source context, derives source run URL when possible, and writes it to workflow summary output
    • Release-cycle docs now define required vs optional dispatch payload keys and the future callback contract path for publish-candidate
  • Smoke-test repository dispatch now runs for final releases too (#173)
    • release.yml now triggers the existing smoke-test dispatch contract for both candidate and final release kinds
    • Final release summaries and release-cycle documentation now reflect dispatch behavior for both release modes
  • Workspace CI templates now use a single container-based workflow (#327)
    • Consolidate assets/workspace/.github/workflows/ci.yml as the canonical CI workflow and remove the obsolete ci-container.yml template
    • Extract reusable assets/workspace/.github/actions/resolve-image and run workspace release tests in the same containerized workflow model
    • Update smoke-test and release-cycle documentation to reference the single CI workflow contract
  • Final release now requires downstream RC pre-release gate (#331)
    • Add upstream final-release validation that requires a downstream GitHub pre-release for the latest published RC tag
    • Move smoke-test dispatch to a dedicated release job and include release_kind in the dispatch payload
    • Add downstream repository-dispatch.yml template that runs smoke tests and creates pre-release/final release artifacts
  • Ship changelog into workspace payload and smoke-test deploy root (#333)
    • Sync canonical CHANGELOG.md into both workspace root and .devcontainer/ template paths
    • Smoke-test dispatch now copies .devcontainer/CHANGELOG.md to repository root so deploy output keeps a root changelog
  • Final release now publishes a GitHub Release with finalized notes (#310)
    • Add a final-only publish step in .github/workflows/release.yml that creates a GitHub Release for X.Y.Z
    • Source GitHub Release notes from the finalized CHANGELOG.md section and fail the run if notes extraction or release publishing fails
  • Release dispatch and publish ordering hardened for 0.3.1 (#336)
    • Make smoke-test dispatch fire-and-forget in .github/workflows/release.yml and decouple rollback from downstream completion timing
    • Add bounded retries to the final-release downstream RC pre-release gate API check
    • Move final GitHub Release creation to the end of publish so artifact publication/signing completes before release object creation
    • Add concurrency control to assets/smoke-test/.github/workflows/repository-dispatch.yml to prevent overlapping dispatch races
    • Handle smoke-test dispatch failures with a targeted issue while avoiding destructive rollback after publish artifacts are already released
  • Redesigned smoke-test dispatch release orchestration (#358)
    • Replace premature publish-release behavior with full downstream orchestration: deploy-to-dev merge gate, prepare-release.yml, release PR readiness/approval, and release.yml dispatch polling
    • Add upstream failure issue reporting with job-phase results and cleanup guidance when dispatch orchestration fails
  • Smoke-test release orchestration now runs as two phases (#402)
    • Keep repository-dispatch.yml focused on deploy/prepare/release-PR readiness and move release dispatch to a dedicated merged-PR workflow (on-release-pr-merge.yml)
    • Add release-kind labeling and auto-merge enablement for release PRs, and keep upstream failure notifications in both phases
    • Remove release-branch upstream CHANGELOG.md sync from repository-dispatch.yml (previously added in #358)
  • Dependabot dependency update batch (#414)
    • Bump github/codeql-action from 4.32.6 to 4.34.1 and anchore/sbom-action from 0.23.1 to 0.24.0
    • Bump actions/cache restore/save pins from 5.0.3 to 5.0.4 in sync-issues.yml
  • Dependabot dependency update batch (#413)
    • Bump @devcontainers/cli from 0.84.0 to 0.84.1
  • cursor-agent install is now resilient to CDN failures (#434)
    • Retries 3 times with backoff before giving up
    • Build succeeds without cursor-agent when Cursor's CDN is unavailable
  • Immutable GitHub releases, tag rulesets, and forward-fix policy (#446)
    • Final releases create a draft GitHub Release for human review before publishing; rollback no longer deletes remote tags
    • Release workflows skip redundant tag push when the tag already matches the finalized commit; workspace release-core / release-publish and smoke-test failure guidance updated accordingly
    • Document tag rulesets, immutable releases, and recovery in docs/RELEASE_CYCLE.md, docs/DOWNSTREAM_RELEASE.md, and docs/CROSS_REPO_RELEASE_GATE.md
  • Container image tests expect current GitHub CLI minor line
    • Update tests/test_image.py EXPECTED_VERSIONS["gh"] to 2.89 to match the CLI shipped in the image

Removed

  • PR Title Check GitHub Actions workflow (#444)
    • Remove .github/workflows/pr-title-check.yml; commit message rules remain enforced via local hooks and validate-commit-msg
    • Remove --subject-only from validate-commit-msg (it existed only for PR title CI)

Fixed

  • Smoke-test deploy restores workspace CHANGELOG for prepare-release (#417)
    • Add prepare-changelog unprepare to rename the top ## [semver] - … heading to ## Unreleased
    • init-workspace.sh --smoke-test copies .devcontainer/CHANGELOG.md into workspace CHANGELOG.md and runs unprepare; remove duplicate remap from smoke-test dispatch workflow
  • Release app permission docs now include downstream workflow dispatch requirements (#397)
    • Update docs/RELEASE_CYCLE.md...