0.3.1

Added

• Split downstream release workflow with project-owned extension hook (#326)
  • Add local workflow_call release phases (release-core.yml, release-publish.yml) and a lightweight release.yml orchestrator in assets/workspace/.github/workflows/
  • Add release_kind support with candidate mode (X.Y.Z-rcN) and final mode (X.Y.Z) in downstream release workflows
  • Candidate mode now auto-computes the next RC tag, skips CHANGELOG finalization/sync-issues, and publishes a GitHub pre-release
  • Add project-owned release-extension.yml stub and preserve it during init-workspace.sh --force upgrades
  • Add validate-contract composite action for single-source contract version validation
  • Add downstream release contract documentation and GHCR extension example in docs/DOWNSTREAM_RELEASE.md
• jq in devcontainer image (#425)
  • Install the jq CLI in the GHCR image so containerized workflows (e.g. release-core validate / downstream Release Core) can pipe JSON through jq

Changed

• Dependabot dependency update batch (#302, #303, #305, #306, #307, #308, #309)
  • Bump @devcontainers/cli from 0.81.1 to 0.84.0 and bats-assert from v2.2.0 to v2.2.4
  • Bump GitHub Actions: actions/download-artifact (4.3.0 -> 8.0.1), actions/github-script (7.1.0 -> 8.0.0), actions/attest-build-provenance (3.0.0 -> 4.1.0), actions/checkout (4.3.1 -> 6.0.2)
  • Bump release workflow action pins: sigstore/cosign-installer (4.0.0 -> 4.1.0) and anchore/sbom-action (0.22.2 -> 0.23.1)
• Dependabot dependency update batch (#314, #315, #316, #317)
  • Bump GitHub Actions: actions/attest-sbom (3.0.0 -> 4.0.0), actions/upload-artifact (4.6.2 -> 7.0.0), actions/create-github-app-token (2.2.1 -> 3.0.0)
  • Bump docker/login-action from 3.7.0 to 4.0.0
  • Bump just minor version from 1.46 to 1.47
• Node24-ready GitHub Actions pin refresh for shared composite actions (#321)
  • Update Docker build path pins in build-image (docker/setup-buildx-action, docker/metadata-action, docker/build-push-action) to Node24-compatible releases
  • Set setup-env default Node runtime to 24 and upgrade actions/setup-node
  • Align test composite actions with newer pins (actions/checkout, actions/cache, actions/upload-artifact)
• Smoke-test dispatch payload now carries source run traceability metadata (#289)
  • Candidate release dispatches now include source repo/workflow/run/SHA metadata plus a deterministic correlation_id
  • Smoke-test dispatch receiver logs normalized source context, derives source run URL when possible, and writes it to workflow summary output
  • Release-cycle docs now define required vs optional dispatch payload keys and the future callback contract path for publish-candidate
• Smoke-test repository dispatch now runs for final releases too (#173)
  • release.yml now triggers the existing smoke-test dispatch contract for both candidate and final release kinds
  • Final release summaries and release-cycle documentation now reflect dispatch behavior for both release modes
• Workspace CI templates now use a single container-based workflow (#327)
  • Consolidate assets/workspace/.github/workflows/ci.yml as the canonical CI workflow and remove the obsolete ci-container.yml template
  • Extract reusable assets/workspace/.github/actions/resolve-image and run workspace release tests in the same containerized workflow model
  • Update smoke-test and release-cycle documentation to reference the single CI workflow contract
• Final release now requires downstream RC pre-release gate (#331)
  • Add upstream final-release validation that requires a downstream GitHub pre-release for the latest published RC tag
  • Move smoke-test dispatch to a dedicated release job and include release_kind in the dispatch payload
  • Add downstream repository-dispatch.yml template that runs smoke tests and creates pre-release/final release artifacts
• Ship changelog into workspace payload and smoke-test deploy root (#333)
  • Sync canonical CHANGELOG.md into both workspace root and .devcontainer/ template paths
  • Smoke-test dispatch now copies .devcontainer/CHANGELOG.md to repository root so deploy output keeps a root changelog
• Final release now publishes a GitHub Release with finalized notes (#310)
  • Add a final-only publish step in .github/workflows/release.yml that creates a GitHub Release for X.Y.Z
  • Source GitHub Release notes from the finalized CHANGELOG.md section and fail the run if notes extraction or release publishing fails
• Release dispatch and publish ordering hardened for 0.3.1 (#336)
  • Make smoke-test dispatch fire-and-forget in .github/workflows/release.yml and decouple rollback from downstream completion timing
  • Add bounded retries to the final-release downstream RC pre-release gate API check
  • Move final GitHub Release creation to the end of publish so artifact publication/signing completes before release object creation
  • Add concurrency control to assets/smoke-test/.github/workflows/repository-dispatch.yml to prevent overlapping dispatch races
  • Handle smoke-test dispatch failures with a targeted issue while avoiding destructive rollback after publish artifacts are already released
• Redesigned smoke-test dispatch release orchestration (#358)
  • Replace premature publish-release behavior with full downstream orchestration: deploy-to-dev merge gate, prepare-release.yml, release PR readiness/approval, and release.yml dispatch polling
  • Add upstream failure issue reporting with job-phase results and cleanup guidance when dispatch orchestration fails
• Smoke-test release orchestration now runs as two phases (#402)
  • Keep repository-dispatch.yml focused on deploy/prepare/release-PR readiness and move release dispatch to a dedicated merged-PR workflow (on-release-pr-merge.yml)
  • Add release-kind labeling and auto-merge enablement for release PRs, and keep upstream failure notifications in both phases
  • Remove release-branch upstream CHANGELOG.md sync from repository-dispatch.yml (previously added in #358)
• Dependabot dependency update batch (#414)
  • Bump github/codeql-action from 4.32.6 to 4.34.1 and anchore/sbom-action from 0.23.1 to 0.24.0
  • Bump actions/cache restore/save pins from 5.0.3 to 5.0.4 in sync-issues.yml
• Dependabot dependency update batch (#413)
  • Bump @devcontainers/cli from 0.84.0 to 0.84.1
• cursor-agent install is now resilient to CDN failures (#434)
  • Retries 3 times with backoff before giving up
  • Build succeeds without cursor-agent when Cursor's CDN is unavailable
• Immutable GitHub releases, tag rulesets, and forward-fix policy (#446)
  • Final releases create a draft GitHub Release for human review before publishing; rollback no longer deletes remote tags
  • Release workflows skip redundant tag push when the tag already matches the finalized commit; workspace release-core / release-publish and smoke-test failure guidance updated accordingly
  • Document tag rulesets, immutable releases, and recovery in docs/RELEASE_CYCLE.md, docs/DOWNSTREAM_RELEASE.md, and docs/CROSS_REPO_RELEASE_GATE.md
• Container image tests expect current GitHub CLI minor line
  • Update tests/test_image.py EXPECTED_VERSIONS["gh"] to 2.89. to match the CLI shipped in the image

Removed

• PR Title Check GitHub Actions workflow (#444)
  • Remove .github/workflows/pr-title-check.yml; commit message rules remain enforced via local hooks and validate-commit-msg
  • Remove --subject-only from validate-commit-msg (it existed only for PR title CI)

Fixed

• Smoke-test deploy restores workspace CHANGELOG for prepare-release (#417)
  • Add prepare-changelog unprepare to rename the top ## [semver] - … heading to ## Unreleased
  • init-workspace.sh --smoke-test copies .devcontainer/CHANGELOG.md into workspace CHANGELOG.md and runs unprepare; remove duplicate remap from smoke-test dispatch workflow
• Release app permission docs now include downstream workflow dispatch requirements (#397)
  • Update docs/RELEASE_CYCLE.md...