chore: deploy 0.3.1-rc24

.devcontainer/CHANGELOG.md

@@ -75,6 +75,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **cursor-agent install is now resilient to CDN failures** ([#434](https://github.com/vig-os/devcontainer/issues/434))
   - Retries 3 times with backoff before giving up
   - Build succeeds without cursor-agent when Cursor's CDN is unavailable
+- **Immutable GitHub releases, tag rulesets, and forward-fix policy** ([#446](https://github.com/vig-os/devcontainer/issues/446))
+  - Final releases create a **draft** GitHub Release for human review before publishing; rollback no longer deletes remote tags
+  - Release workflows skip redundant tag push when the tag already matches the finalized commit; workspace `release-core` / `release-publish` and smoke-test failure guidance updated accordingly
+  - Document tag rulesets, immutable releases, and recovery in `docs/RELEASE_CYCLE.md`, `docs/DOWNSTREAM_RELEASE.md`, and `docs/CROSS_REPO_RELEASE_GATE.md`
+
+### Removed
+
+- **PR Title Check GitHub Actions workflow** ([#444](https://github.com/vig-os/devcontainer/issues/444))
+  - Remove `.github/workflows/pr-title-check.yml`; commit message rules remain enforced via local hooks and `validate-commit-msg`
+  - Remove `--subject-only` from `validate-commit-msg` (it existed only for PR title CI)
 
 ### Fixed
 
@@ -190,6 +200,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Downstream candidate RC tag can match upstream dispatch** ([#441](https://github.com/vig-os/devcontainer/issues/441))
   - Workspace `release.yml` / `release-core.yml` accept optional `rc-number` so candidate tags are not always recomputed from local tags only
   - Smoke-test `repository-dispatch.yml` exposes `base_version` and `rc_number` job outputs for orchestration that calls workspace `release.yml`
+- **Release validate fails early when GitHub Release already exists** ([#443](https://github.com/vig-os/devcontainer/issues/443))
+  - Validate job in `.github/workflows/release.yml` queries `GET /repos/.../releases/tags/<PUBLISH_VERSION>` with retries and classifies errors like the downstream RC gate; only a documented not-found response is treated as “no release,” and ambiguous API failures fail closed before build/sign/publish
+  - Publish job uses the same existence checks before and after `gh release create` instead of `gh release view` with discarded stderr
+- **Release tag resolution and GitHub Release view retries** ([#446](https://github.com/vig-os/devcontainer/issues/446))
+  - Fall back to plain `refs/tags/<tag>` when the peeled ref is empty (lightweight remote tags) in `.github/workflows/release.yml`, `release-core.yml`, and `release-publish.yml`
+  - Use one retried `gh release view` in workspace `release-publish.yml` so draft/prerelease skip paths parse JSON from the same successful response
 
 ### Security
 

.github/agent-blocklist.toml

@@ -1,5 +1,5 @@
 # Canonical blocklist for AI agent identity fingerprints.
-# Referenced by: validate-commit-msg, pre-commit hooks, pr-title-check CI.
+# Referenced by: validate-commit-msg, pre-commit hooks.
 # Refs: #163
 
 [patterns]

.github/workflows/prepare-release.yml

@@ -286,12 +286,10 @@ jobs:
           CHANGELOG_CONTENT: ${{ steps.changelog.outputs.changelog }}
         run: |
           set -euo pipefail
-          PR_BODY="## Release $VERSION
+          PR_BODY="# Release $VERSION
 
           This PR prepares release $VERSION for merge to main.
 
-          ### Release Content
-
           $CHANGELOG_CONTENT
           "
 

.vig-os

@@ -1,2 +1,2 @@
 # vig-os devcontainer configuration
-DEVCONTAINER_VERSION=0.3.1-rc23
+DEVCONTAINER_VERSION=0.3.1-rc24

CHANGELOG.md

@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [0.3.1] - TBD
+## Unreleased
 
 ### Added
 
@@ -75,6 +75,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **cursor-agent install is now resilient to CDN failures** ([#434](https://github.com/vig-os/devcontainer/issues/434))
   - Retries 3 times with backoff before giving up
   - Build succeeds without cursor-agent when Cursor's CDN is unavailable
+- **Immutable GitHub releases, tag rulesets, and forward-fix policy** ([#446](https://github.com/vig-os/devcontainer/issues/446))
+  - Final releases create a **draft** GitHub Release for human review before publishing; rollback no longer deletes remote tags
+  - Release workflows skip redundant tag push when the tag already matches the finalized commit; workspace `release-core` / `release-publish` and smoke-test failure guidance updated accordingly
+  - Document tag rulesets, immutable releases, and recovery in `docs/RELEASE_CYCLE.md`, `docs/DOWNSTREAM_RELEASE.md`, and `docs/CROSS_REPO_RELEASE_GATE.md`
+
+### Removed
+
+- **PR Title Check GitHub Actions workflow** ([#444](https://github.com/vig-os/devcontainer/issues/444))
+  - Remove `.github/workflows/pr-title-check.yml`; commit message rules remain enforced via local hooks and `validate-commit-msg`
+  - Remove `--subject-only` from `validate-commit-msg` (it existed only for PR title CI)
 
 ### Fixed
 
@@ -190,6 +200,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Downstream candidate RC tag can match upstream dispatch** ([#441](https://github.com/vig-os/devcontainer/issues/441))
   - Workspace `release.yml` / `release-core.yml` accept optional `rc-number` so candidate tags are not always recomputed from local tags only
   - Smoke-test `repository-dispatch.yml` exposes `base_version` and `rc_number` job outputs for orchestration that calls workspace `release.yml`
+- **Release validate fails early when GitHub Release already exists** ([#443](https://github.com/vig-os/devcontainer/issues/443))
+  - Validate job in `.github/workflows/release.yml` queries `GET /repos/.../releases/tags/<PUBLISH_VERSION>` with retries and classifies errors like the downstream RC gate; only a documented not-found response is treated as “no release,” and ambiguous API failures fail closed before build/sign/publish
+  - Publish job uses the same existence checks before and after `gh release create` instead of `gh release view` with discarded stderr
+- **Release tag resolution and GitHub Release view retries** ([#446](https://github.com/vig-os/devcontainer/issues/446))
+  - Fall back to plain `refs/tags/<tag>` when the peeled ref is empty (lightweight remote tags) in `.github/workflows/release.yml`, `release-core.yml`, and `release-publish.yml`
+  - Use one retried `gh release view` in workspace `release-publish.yml` so draft/prerelease skip paths parse JSON from the same successful response
 
 ### Security