Bumps [@devcontainers/cli](https://github.com/devcontainers/cli) from 0.81.1 to 0.84.0.
- [Changelog](https://github.com/devcontainers/cli/blob/main/CHANGELOG.md)
- [Commits](devcontainers/cli@v0.81.1...v0.84.0)

---
updated-dependencies:
- dependency-name: "@devcontainers/cli"
  dependency-version: 0.84.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [bats-assert](https://github.com/bats-core/bats-assert) from v2.2.0 to v2.2.4.
- [Release notes](https://github.com/bats-core/bats-assert/releases)
- [Commits](bats-core/bats-assert@d396ee3...f1e9280)

---
updated-dependencies:
- dependency-name: bats-assert
  dependency-version: f1e9280eaae8f86cbe278a687e6ba755bc802c1a
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [actions/github-script](https://github.com/actions/github-script) from 7.1.0 to 8.0.0.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@f28e40c...ed59741)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 3.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@977bb37...a2bbfa2)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Automated sync of `main` to `dev` found **merge conflicts** that require manual resolution.
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.3.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@d3f86a1...3e5f45b)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4.3.1...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
…2 updates

Bumps the actions-minor-patch group with 2 updates in the / directory: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) and [anchore/sbom-action](https://github.com/anchore/sbom-action).

Updates `sigstore/cosign-installer` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@faadad0...ba7bc0a)

Updates `anchore/sbom-action` from 0.22.2 to 0.23.1
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@28d7154...57aae52)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: anchore/sbom-action
  dependency-version: 0.23.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Merging from `main` removed the `## Unreleased` section.
## Summary
- Consolidate Dependabot dependency updates from open PRs #302, #303, #305, #306, #307, #308, and #309 into a single branch based on `dev`
- Update `CHANGELOG.md` (`## Unreleased` -> `### Changed`) with one grouped entry referencing all merged Dependabot PRs
- Keep closed PR #304 out of scope because its actionable updates are already covered by #309/current `dev` state

## Validation
- Ran `just build no_cache && just test`
- Result: success (command exited 0)

## Includes
- #302
- #303
- #305
- #306
- #307
- #308
- #309
Bumps [actions/attest-sbom](https://github.com/actions/attest-sbom) from 3.0.0 to 4.0.0.
- [Release notes](https://github.com/actions/attest-sbom/releases)
- [Changelog](https://github.com/actions/attest-sbom/blob/main/RELEASE.md)
- [Commits](actions/attest-sbom@4651f80...07e74fc)

---
updated-dependencies:
- dependency-name: actions/attest-sbom
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@ea165f8...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 2.2.1 to 3.0.0.
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](actions/create-github-app-token@29824e6...f8d387b)

---
updated-dependencies:
- dependency-name: actions/create-github-app-token
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@c94ce9f...b45d80f)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
…on (#396)

## Description
Fix smoke-test dispatch failures caused by GitHub CLI `--ref` argument validation changes and downstream release workflow issues in containerized jobs. The preflight check now uses `--yaml` with `--ref` for workflow validation, release workflows are hardened with proper image resolution and permissions, and containerized jobs explicitly pin bash to avoid POSIX `sh` incompatibilities.

## Type of Change
- [ ] `feat` -- New feature
- [x] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [x] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers
- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made
- **`assets/workspace/.github/workflows/repository-dispatch.yml`** — Update preflight to use `gh workflow view --yaml --ref` instead of bare `--ref`, preventing false failures from newer gh CLI argument validation
- **`assets/workspace/.github/workflows/release.yml`** — Decouple rollback container startup from `needs.core.outputs.image_tag` by adding a dedicated `resolve-image` job; add dispatch header comments
- **`assets/workspace/.github/workflows/release-core.yml`** — Add `safe.directory` config and explicit `actions`/`pull-requests` permissions for containerized release jobs
- **`assets/workspace/.github/workflows/release-publish.yml`** — Add `safe.directory` config in containerized publish steps
- **`assets/workspace/.github/workflows/prepare-release.yml`** — Add `defaults.run.shell: bash` for containerized prepare jobs
- **`assets/workspace/.github/workflows/sync-main-to-dev.yml`** — Add `safe.directory` config and explicit shell in containerized sync jobs
- **`tests/bats/just.bats`** — Assert preflight uses `--yaml` with `--ref`; cover rollback image resolution and workflow hardening
- **`CHANGELOG.md`** / **`assets/workspace/.devcontainer/CHANGELOG.md`** — Document fixes under Unreleased

## Changelog Entry
### Fixed
- **Smoke-test preflight now uses gh CLI ref-compatible workflow validation** ([#392](#392))
  - Update `assets/smoke-test/.github/workflows/repository-dispatch.yml` preflight checks to call `gh workflow view` with `--yaml` when `--ref` is set
  - Prevent false preflight failures caused by newer GitHub CLI argument validation before `prepare-release` dispatch
- **Downstream release workflow templates hardened for smoke-test orchestration** ([#394](#394))
  - Add missing `git config --global --add safe.directory "$GITHUB_WORKSPACE"` in containerized release and sync jobs that run git after checkout
  - Decouple `release.yml` rollback container startup from `needs.core.outputs.image_tag` by resolving the image in a dedicated `resolve-image` job
  - Add explicit release caller/reusable workflow permissions for `actions` and `pull-requests` operations, and update dispatch header comments to reference only current CI workflows
- **Workspace containerized workflows now pin bash for run steps** ([#395](#395))
  - Set `defaults.run.shell: bash` in containerized workspace release and prepare jobs so `set -euo pipefail` scripts do not execute under POSIX `sh`
  - Prevent downstream smoke-test failures caused by `set: Illegal option -o pipefail` in container jobs

## Testing
- [x] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)

### Manual Testing Details
N/A

## Checklist
- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`)
- [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above)
- [x] My changes generate no new warnings or errors
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published

## Additional Notes
This PR bundles three closely related smoke-test orchestration fixes discovered during the 0.3.1 release candidate cycle. Each fix addresses a different failure point in the dispatch-to-rollback pipeline.

Refs: #392, #394, #395
…atch (#399)

## Description
Document the missing `RELEASE_APP` permission needed by downstream smoke-test orchestration after issue `#397` RCA. This updates release-cycle documentation and changelog entries so the required `Actions` write scope is explicit for workflow dispatch operations.

## Type of Change
- [ ] `feat` -- New feature
- [ ] `fix` -- Bug fix
- [x] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [ ] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers
- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made
- `docs/RELEASE_CYCLE.md`
  - Added `Actions read/write` to `RELEASE_APP` permission requirements
  - Clarified downstream validation repository requirements for `repository_dispatch` and workflow dispatch orchestration
- `CHANGELOG.md`
  - Added a `Fixed` entry for issue `#397` documenting the permission requirement correction
- `assets/workspace/.devcontainer/CHANGELOG.md`
  - Synced changelog mirror via manifest hook to keep workspace template aligned

## Changelog Entry
### Fixed
- **Release app permission docs now include downstream workflow dispatch requirements** ([#397](#397))
  - Update `docs/RELEASE_CYCLE.md` to require `Actions` read/write for `RELEASE_APP` on the validation repository
  - Clarify this is required so downstream `repository-dispatch.yml` can trigger release orchestration workflows via `workflow_dispatch`

## Testing
- [ ] Tests pass locally (`just test`)
- [x] Manual testing performed (describe below)

### Manual Testing Details
- Confirmed issue RCA evidence in failing run `23339858643` (`HTTP 403: Resource not accessible by integration` on workflow dispatch)
- Verified docs update and changelog updates committed cleanly with pre-commit hooks passing

## Checklist
- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [x] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`)
- [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above)
- [x] My changes generate no new warnings or errors
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published

## Additional Notes
N/A

Refs: #397
## Description
Hardens downstream release workflow templates to avoid protected-branch failures by requiring explicit Commit/Release app tokens instead of falling back to `github.token` on write paths.

## Type of Change
- [x] `fix` -- Bug fix
- [ ] `feat` -- New feature
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [ ] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers
- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made
- Updated `assets/workspace/.github/workflows/prepare-release.yml`
  - Generate Commit App and Release App tokens
  - Route protected branch/ref writes to Commit App token
  - Route PR operations to Release App token
- Updated `assets/workspace/.github/workflows/release-core.yml`
  - Remove `github.token` fallback in auth resolution
  - Generate explicit app tokens and use Commit App token for `commit-action` writes
- Updated `assets/workspace/.github/workflows/release-publish.yml`
  - Remove `github.token` fallback in auth resolution
  - Resolve fallback to explicit Release App token
- Updated `assets/workspace/.github/workflows/release.yml`
  - Use explicit Release App token for rollback issue creation
- Updated `assets/workspace/.github/workflows/sync-issues.yml`
  - Remove `github.token` fallback from cache deletion and commit-action steps
- Updated docs:
  - `docs/DOWNSTREAM_RELEASE.md`
  - `docs/CROSS_REPO_RELEASE_GATE.md`
  - Added required token/secrets model for downstream projects
- Updated changelog:
  - `CHANGELOG.md`
  - `assets/workspace/.devcontainer/CHANGELOG.md`

## Changelog Entry
### Changed
- **Downstream release templates now require explicit app tokens for write paths** ([#400](#400))
  - Update `assets/workspace/.github/workflows/prepare-release.yml`, `release-core.yml`, `release-publish.yml`, `release.yml`, and `sync-issues.yml` to remove `github.token` fallback from protected write operations
  - Route protected branch/ref writes through Commit App tokens and release orchestration/issue operations through Release App tokens
  - Document downstream token requirements in `docs/DOWNSTREAM_RELEASE.md` and `docs/CROSS_REPO_RELEASE_GATE.md`

## Testing
- [ ] Tests pass locally (`just test`)
- [x] Manual testing performed (describe below)

### Manual Testing Details
- Ran repository hooks via commit flow (YAML lint/checks, commit message validation, manifest sync checks) and all passed.
- Verified no `github.token` usages remain in `assets/workspace/.github/workflows/*.yml`.
- Verified branch is rebased/merged with `origin/release/0.3.1` and has no merge conflicts.

## Checklist
- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [x] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`)
- [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above)
- [x] My changes generate no new warnings or errors
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published

## Additional Notes
Assumes downstream repositories provide both `COMMIT_APP_*` and `RELEASE_APP_*` secrets, matching the documented gate contract.

Refs: #400
Replace GitHub Refs API branch creation with git push in sync-main-to-dev.yml so the push event triggers CI on the resulting PR. API-created branches do not emit push events, leaving sync PRs blocked by required status checks. Refs: #398
## Description
Split smoke-test dispatch into two phases to remove release PR self-approval and long in-job merge polling, while preserving automated upstream failure reporting. Also fix sync-to-dev branch creation so downstream CI is triggered reliably on sync PRs.

## Type of Change
- [ ] `feat` -- New feature
- [x] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [ ] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers
- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made
- `assets/smoke-test/.github/workflows/repository-dispatch.yml`
  - Remove release-branch CHANGELOG sync, PR self-approval, release PR merge polling, and in-workflow `trigger-release` job
  - Keep phase 1 focused on release PR readiness; add release-kind labeling and auto-merge enablement
  - Update summary/failure reporting to the new phase 1 scope
- `assets/smoke-test/.github/workflows/on-release-pr-merge.yml` (new)
  - Add phase 2 workflow triggered by merged `release/*` PRs into `main`
  - Extract version + release kind, dispatch `release.yml`, wait for completion, and report failures upstream
- `assets/workspace/.github/workflows/sync-main-to-dev.yml`
  - Replace API ref creation with `git checkout -b ...` + `git push` so push/pull_request CI checks are emitted
- `CHANGELOG.md` and `assets/workspace/.devcontainer/CHANGELOG.md`
  - Add Unreleased entries for #402 and #398

## Changelog Entry
### Changed
- **Smoke-test release orchestration now runs as two phases** ([#402](#402))
  - Keep `repository-dispatch.yml` focused on deploy/prepare/release-PR readiness and move release dispatch to a dedicated merged-PR workflow (`on-release-pr-merge.yml`)
  - Add release-kind labeling and auto-merge enablement for release PRs, and keep upstream failure notifications in both phases

### Fixed
- **Smoke-test dispatch no longer fails on release PR self-approval** ([#402](#402))
  - Remove bot self-approval from `repository-dispatch.yml` and replace with release-kind labeling plus auto-merge enablement
  - Remove in-job polling for release PR merge and downstream release execution from phase 1 orchestration
- **Sync-main-to-dev PRs now trigger CI reliably in downstream repos** ([#398](#398))
  - Replace API-based sync branch creation with `git push` in `assets/workspace/.github/workflows/sync-main-to-dev.yml` so PR-related CI checks are emitted

## Testing
- [ ] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)

### Manual Testing Details
N/A

## Checklist
- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`)
- [x] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above)
- [x] My changes generate no new warnings or errors
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published

## Additional Notes
- Base branch for this PR is `release/0.3.1`.
- The new workflow under `assets/smoke-test/` requires manual deploy/promotion in `vig-os/devcontainer-smoke-test` to become effective on downstream `main`.

Refs: #402, #398
## Description
Removes the post–sync-PR `workflow_dispatch` step from `sync-main-to-dev` in this repo and in the workspace template. That dispatch did not appear in the PR status check rollup, so it could not satisfy branch protection ([issue #405](#405) analysis). Also drops `actions: write` from the sync job, which was only needed to run workflows via the API.

## Type of Change
- [ ] `feat` -- New feature
- [x] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [x] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers
- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made
- `.github/workflows/sync-main-to-dev.yml`
  - Remove "Trigger CI on sync branch" step (`gh workflow run ci.yml`)
  - Remove `actions: write` from the sync job
  - Update header pipeline comment
- `assets/workspace/.github/workflows/sync-main-to-dev.yml` — same workflow changes for downstream copies
- `CHANGELOG.md` — replace the prior #405 entry describing the dispatch workaround with one documenting its removal
- `assets/workspace/.devcontainer/CHANGELOG.md` — manifest sync of root changelog

`git diff --stat origin/release/0.3.1...HEAD`: 4 files, +12 / −6 lines.

## Changelog Entry
Target branch is `release/0.3.1`; entry is under `## [0.3.1] - TBD` (not `## Unreleased`).

### Fixed
- **Sync-main-to-dev no longer dispatches CI via workflow_dispatch** ([#405](#405))
  - `workflow_dispatch` runs are omitted from the PR status check rollup, so they do not satisfy branch protection on the sync PR
  - Remove the post-PR `gh workflow run ci.yml` step and drop `actions: write` from the sync job in `.github/workflows/sync-main-to-dev.yml` and `assets/workspace/.github/workflows/sync-main-to-dev.yml`

## Testing
- [ ] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)

### Manual Testing Details
N/A — workflow YAML and changelog only; behavior verified via analysis on #405.

## Checklist
- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`)
- [ ] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above)
- [x] My changes generate no new warnings or errors
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published

## Additional Notes
- Changelog updated under `## [0.3.1] - TBD` per release-branch convention (see `.cursor/rules/changelog.mdc`).
- Branch history vs `release/0.3.1` includes earlier commits that introduced then adjusted the dispatch; net result matches the final commit message.

Refs: #405
## Description
Hardens `.github/actions/setup-env` so a transient failure while `astral-sh/setup-uv` downloads `uv` from GitHub Releases (e.g. HTTP 404 from CDN) does not immediately fail the job. The first attempt uses `continue-on-error`; on failure we wait 15s and run a second identical install step. The composite action output `uv-version` prefers the retry step output when present.

Addresses the **Publish Release** failure described in #407 (RCA posted on the issue).

## Type of Change
- [ ] `feat` -- New feature
- [x] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [ ] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers
- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made
- **`.github/actions/setup-env/action.yml`**
  - First `Install uv` step: `continue-on-error: true`
  - New `Wait before retrying uv install` (`sleep 15`) when first attempt fails
  - New `Install uv (retry)` step (same `astral-sh/setup-uv` inputs), id `setup-uv-retry`
  - `outputs.uv-version`: `steps.setup-uv-retry.outputs.uv-version || steps.setup-uv.outputs.uv-version`
- **`CHANGELOG.md`**
  - `### Fixed` entry under `## [0.3.1] - TBD` for #407
- **`assets/workspace/.devcontainer/CHANGELOG.md`**
  - Synced from root `CHANGELOG.md` via pre-commit manifest sync

## Changelog Entry
This branch targets `release/0.3.1`; per project changelog rules, the entry is under **`## [0.3.1] - TBD`** (not `## Unreleased`).

### Fixed
- **setup-env retries uv install on transient GitHub Releases download failures** ([#407](#407))
  - Add `continue-on-error` plus a delayed second attempt for `astral-sh/setup-uv` in `.github/actions/setup-env/action.yml`
  - Reduce flaky release publish failures when GitHub CDN returns transient HTTP errors for uv release assets

## Testing
- [ ] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)

### Manual Testing Details
N/A — workflow behavior is validated on GitHub Actions after merge; change mirrors existing retry patterns in `release.yml` (SBOM / attestation).

## Checklist
- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`)
- [x] I have updated `CHANGELOG.md` in the active release section (`## [0.3.1] - TBD`; see entry above)
- [x] My changes generate no new warnings or errors
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published

## Additional Notes
N/A

Refs: #407
## Description
Fixes false-positive merge conflict detection in `sync-main-to-dev`: the workflow used a working-tree `git merge` with stderr discarded, so any non-zero exit was treated as conflicts. Sync PRs were mislabeled `merge-conflict`, titles got `(conflicts)`, and auto-merge was skipped even when GitHub reported a clean merge. Replaces that with `git merge-tree --write-tree origin/dev origin/main` (in-memory, same merge semantics as `git merge`), distinguishes exit 1 (real conflicts) from other failures, and fails the step on unexpected errors instead of mislabeling.

## Type of Change
- [ ] `feat` -- New feature
- [x] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [x] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers
- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made
- **`.github/workflows/sync-main-to-dev.yml`**
  - Document pipeline as merge-tree-based conflict detection
  - Replace trial `git merge` + `merge --abort` with `git fetch origin main dev` and `git merge-tree --write-tree`; set `conflict` output from exit code; log/warn/error accordingly
- **`assets/workspace/.github/workflows/sync-main-to-dev.yml`**
  - Same conflict-detection logic for the workspace/downstream template
- **`CHANGELOG.md`**
  - Add Fixed entry for #410 under `## [0.3.1] - TBD`
- **`assets/workspace/.devcontainer/CHANGELOG.md`**
  - Synced from root `CHANGELOG.md` via manifest (pre-commit)

## Changelog Entry
This PR targets `release/0.3.1`; the entry is under **`## [0.3.1] - TBD` → `### Fixed`** (not `## Unreleased`):

```markdown
- **Sync-main-to-dev conflict detection uses merge-tree** ([#410](#410))
  - Replace working-tree trial merge with `git merge-tree --write-tree` so clean merges are not mislabeled as conflicts
  - Enable auto-merge when dev merges cleanly with main; print merge-tree output on conflicts; fail the step on unexpected errors
```

## Testing
- [ ] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)

### Manual Testing Details
N/A — workflow-only change; verify on next `sync-main-to-dev` run (clean merge → auto-merge enabled, no false `merge-conflict` label).

## Checklist
- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`)
- [ ] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above)
- [x] My changes generate no new warnings or errors
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published

## Additional Notes
Release branch: changelog entry is under `## [0.3.1] - TBD` → `### Fixed` (not `## Unreleased`), per project changelog rules. Downstream `devcontainer-smoke-test` keeps a decoupled copy of this workflow; align it on the next template sync or a follow-up PR there.

Refs: #410
Extend NEEDS_CHOWN when root CHANGELOG.md exists but is unreadable. Inject deploy line only after the first ### Changed via GNU sed range. Update BATS regression for workspace changelog scaffold. Refs: #403
Smoke-test deploy keeps the workspace scaffold only; remap top version header when needed for prepare-release. Sync changelog copy and BATS. Refs: #403
## Description
Smoke-test `repository-dispatch` deploy job no longer replaces root `CHANGELOG.md` with a minimal stub. It keeps the scaffold produced by `init-workspace`, injects the deploy bullet under the first `### Changed`, and remaps a leading `## [X.Y.Z] - …` (TBD or release date) to `## Unreleased` when needed so downstream `prepare-release` validation succeeds across RC and final cycles.
## Type of Change
- [ ] `feat` -- New feature
- [x] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [ ] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)
### Modifiers
- [ ] Breaking change (`!`) -- This change breaks backward compatibility
## Changes Made
- **`assets/smoke-test/.github/workflows/repository-dispatch.yml`**
  - Require existing readable `CHANGELOG.md` after install (workspace scaffold).
  - Detect first `##` section: if `## Unreleased`, leave as-is; if `## [version] - …`, rewrite first such line to `## Unreleased` via GNU `sed`.
  - Append `- Deploy devcontainer ${TAG}` after the first `### Changed` line.
- **`CHANGELOG.md`** and **`assets/workspace/.devcontainer/CHANGELOG.md`**
  - Document fix under `## [0.3.1] - TBD` → **Fixed** (issue #403).
## Changelog Entry
This branch uses the active release section `## [0.3.1] - TBD` (not `## Unreleased`). Entry added under **Fixed**:
### Fixed
- **Smoke-test deploy keeps workspace scaffold as root CHANGELOG** ([#403](#403))
  - Stop overwriting `CHANGELOG.md` with a minimal stub in `assets/smoke-test/.github/workflows/repository-dispatch.yml`
  - Inject the deploy line into the `## Unreleased` scaffold from `init-workspace` so downstream `prepare-release` validation matches shipped workspace layout
  - When the first changelog section is `## [X.Y.Z] - …` (TBD or a release date), remap that top version header to `## Unreleased` before injecting the deploy entry so downstream `prepare-release` can run
## Testing
- [ ] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)
### Manual Testing Details
N/A — workflow shell logic only; validated `sed` remap behavior locally for dated and TBD headers.
## Checklist
- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`)
- [ ] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above)
- [ ] My changes generate no new warnings or errors
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published
## Additional Notes
- Downstream `prepare-release` expects `## Unreleased` with at least one `-` entry; remapping supports post-release `CHANGELOG` layouts where the top section is still a version header.
- **Base `release/0.3.1`:** Changelog entry is under `## [0.3.1] - TBD` → **Fixed**, matching the release branch.
Refs: #403
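The remap-then-inject flow this PR describes, written out as an added example that is not the project's workflow code: it uses awk in place of the workflow's GNU `sed` range so it runs with any POSIX awk, and adds a check mirroring the `prepare-release` expectation stated in Additional Notes. The function names and the sample scaffold are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow code: reproduces the deploy-job
# changelog handling described in the PR. awk stands in for the workflow's
# GNU sed range so the logic is portable; header names are the ones the PR cites.
set -e

# Rewrite the FIRST "## [X.Y.Z] - ..." header (TBD or dated) to "## Unreleased".
# A scaffold whose first "##" section already is "## Unreleased" passes unchanged,
# and older version headers further down are never touched. stdin -> stdout.
remap_top_header() {
  awk '!seen && /^## / { seen = 1; if ($0 ~ /^## \[[0-9].*\] - /) { print "## Unreleased"; next } }
       { print }'
}

# Insert "- Deploy devcontainer <tag>" directly after the FIRST "### Changed"
# line only, leaving the "### Changed" of older releases alone. stdin -> stdout.
inject_deploy_line() {  # $1 = tag
  awk -v line="- Deploy devcontainer $1" '{ print }
       !done && /^### Changed$/ { print line; done = 1 }'
}

# Mirror the downstream prepare-release expectation: a "## Unreleased" section
# with at least one "- " entry before the next "## " header. Exit 0 if satisfied.
check_unreleased_has_entry() {
  awk '/^## Unreleased$/ { inside = 1; next }
       inside && /^## /  { exit }
       inside && /^- /   { found = 1; exit }
       END { exit found ? 0 : 1 }'
}

# Deploy-job flow: require a readable root CHANGELOG.md, then remap and inject.
process_changelog() {  # $1 = changelog path, $2 = tag; prints the result
  [ -r "$1" ] || { echo "CHANGELOG.md missing or unreadable: $1" >&2; return 1; }
  remap_top_header < "$1" | inject_deploy_line "$2"
}

# Constructed scaffold (not a real project file) showing the TBD-header case.
demo() {
  tmp=$(mktemp)
  printf '%s\n' '# Changelog' '' '## [0.3.1] - TBD' '' '### Changed' '' \
    '- Existing entry' '' '## [0.3.0] - 2025-01-01' '' '### Changed' '' '- Old' > "$tmp"
  process_changelog "$tmp" v0.3.1-rc1 | tee "$tmp.out"
  check_unreleased_has_entry < "$tmp.out" && echo "prepare-release check: OK"
  rm -f "$tmp" "$tmp.out"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see the remapped header and the single injected bullet; in a workflow step, `process_changelog CHANGELOG.md "$TAG" > CHANGELOG.new` followed by the check is the equivalent of the job logic.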
Bumps [@devcontainers/cli](https://github.com/devcontainers/cli) from 0.84.0 to 0.84.1. - [Changelog](https://github.com/devcontainers/cli/blob/main/CHANGELOG.md) - [Commits](devcontainers/cli@v0.84.0...v0.84.1) --- updated-dependencies: - dependency-name: "@devcontainers/cli" dependency-version: 0.84.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
## Summary
Cherry-picks onto `release/0.3.1` (via `chore/dependabot-updates`):
- **#414** — GitHub Actions minor/patch group (codeql-action, anchore/sbom-action, actions/cache in sync-issues); `release.yml` keeps SBOM retry steps and `actions/attest` for SBOM attestation.
- **#413** — `@devcontainers/cli` `0.84.0` → `0.84.1` (`package.json` / `package-lock.json`).
## Changelog
- `CHANGELOG.md` + synced `assets/workspace/.devcontainer/CHANGELOG.md`
## After merge
Close superseded dependabot PRs **#413** and **#414** (delete branches). `dev` will catch up via `sync-main-to-dev.yml` when this release reaches `main`.
Refs: #413, #414
Release 0.3.1
This PR prepares release 0.3.1 for merge to main.
Release Content
## [0.3.1] - TBD
### Added
- `workflow_call` release phases (`release-core.yml`, `release-publish.yml`) and a lightweight `release.yml` orchestrator in `assets/workspace/.github/workflows/`
- `release_kind` support with candidate mode (`X.Y.Z-rcN`) and final mode (`X.Y.Z`) in downstream release workflows
- `release-extension.yml` stub and preserve it during `init-workspace.sh --force` upgrades
- `validate-contract` composite action for single-source contract version validation
- `docs/DOWNSTREAM_RELEASE.md`
### Changed
- `@devcontainers/cli` from `0.81.1` to `0.84.0` and `bats-assert` from `v2.2.0` to `v2.2.4`
- `actions/download-artifact` (4.3.0 -> 8.0.1), `actions/github-script` (7.1.0 -> 8.0.0), `actions/attest-build-provenance` (3.0.0 -> 4.1.0), `actions/checkout` (4.3.1 -> 6.0.2)
- `sigstore/cosign-installer` (4.0.0 -> 4.1.0) and `anchore/sbom-action` (0.22.2 -> 0.23.1)
- `actions/attest-sbom` (3.0.0 -> 4.0.0), `actions/upload-artifact` (4.6.2 -> 7.0.0), `actions/create-github-app-token` (2.2.1 -> 3.0.0)
- `docker/login-action` from `3.7.0` to `4.0.0`
- `just` minor version from `1.46` to `1.47`
- `build-image` (`docker/setup-buildx-action`, `docker/metadata-action`, `docker/build-push-action`) to Node 24-compatible releases
- `setup-env` default Node runtime to `24` and upgrade `actions/setup-node`
- (`actions/checkout`, `actions/cache`, `actions/upload-artifact`)
- `correlation_id`
- `publish-candidate`
- `release.yml` now triggers the existing smoke-test dispatch contract for both `candidate` and `final` release kinds
- `assets/workspace/.github/workflows/ci.yml` as the canonical CI workflow and remove the obsolete `ci-container.yml` template
- `assets/workspace/.github/actions/resolve-image` and run workspace release tests in the same containerized workflow model
- `release_kind` in the dispatch payload
- `repository-dispatch.yml` template that runs smoke tests and creates pre-release/final release artifacts
- `CHANGELOG.md` into both workspace root and `.devcontainer/` template paths
- `.devcontainer/CHANGELOG.md` to repository root so deploy output keeps a root changelog
- `.github/workflows/release.yml` that creates a GitHub Release for `X.Y.Z`
- `CHANGELOG.md` section and fail the run if notes extraction or release publishing fails
- `.github/workflows/release.yml` and decouple rollback from downstream completion timing
- `assets/smoke-test/.github/workflows/repository-dispatch.yml` to prevent overlapping dispatch races
### Fixed
- `generate-docs` does not fail CI with tracked file diffs
- `CHANGELOG.md`
### Security
- `assets/smoke-test/.github/workflows/repository-dispatch.yml` workflow token permissions from write to read by default
- `contents: write` only to `publish-release`, the single job that creates or edits GitHub Releases