chore: release 0.3.5 #151
Closed
vig-os-release-app[bot] wants to merge 14 commits into
Syncs `dev` with `main` (sync-main-to-dev workflow).
…l (refs #568, #562)
## Description

Add explicit least-privilege workflow permissions to `release-extension.yml`. This workflow is listed in `PRESERVE_FILES` during smoke-test re-sync, so the upstream #562 fix does not auto-propagate; this PR applies the same `contents: read` default directly in the smoke-test repo (refs #568, #562).

## Type of Change

- [ ] `feat` -- New feature
- [ ] `fix` -- Bug fix
- [ ] `docs` -- Documentation only
- [ ] `chore` -- Maintenance task (deps, config, etc.)
- [ ] `refactor` -- Code restructuring (no behavior change)
- [ ] `test` -- Adding or updating tests
- [x] `ci` -- CI/CD pipeline changes
- [ ] `build` -- Build system or dependency changes
- [ ] `revert` -- Reverts a previous commit
- [ ] `style` -- Code style (formatting, whitespace)

### Modifiers

- [ ] Breaking change (`!`) -- This change breaks backward compatibility

## Changes Made

- **`.github/workflows/release-extension.yml`** - Add top-level `permissions: contents: read` so the reusable extension hook runs with least privilege instead of inheriting broader defaults

## Changelog Entry

No changelog needed — internal CI permissions tweak with no user-visible behavior change.

## Testing

- [ ] Tests pass locally (`just test`)
- [ ] Manual testing performed (describe below)

### Manual Testing Details

N/A — workflow permissions only; no runtime behavior change.

## Checklist

- [x] My code follows the project's style guidelines
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have updated the documentation accordingly (edit `docs/templates/`, then run `just docs`)
- [ ] I have updated `CHANGELOG.md` in the `[Unreleased]` section (and pasted the entry above)
- [x] My changes generate no new warnings or errors
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [x] Any dependent changes have been merged and published

## Additional Notes

`release-extension.yml` is preserved on smoke-test re-sync (`PRESERVE_FILES` in upstream `init-workspace.sh`), so this one-time direct fix is required alongside the template change tracked in upstream #562.

Refs: #568, #562
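The least-privilege default described above is a workflow-level `permissions:` key. The Python below is an illustration added here, not code from the project: it places the weak shape (no top-level `permissions:`, so jobs inherit the repository's default `GITHUB_TOKEN` scope) beside the fixed shape with `contents: read`, and runs a simplified check in the spirit of the `actions/missing-workflow-permissions` alert over both. The two workflow texts are constructed samples rather than the repository's `release-extension.yml`; the job name and reusable-workflow path in them are assumptions.

```python
"""Check GitHub Actions workflow text for a least-privilege top-level
`permissions:` block. Added illustration, not project code; the sample
workflow texts below are constructed, not taken from the repository."""
import re

# Constructed sample: the "before" shape. No top-level permissions, so the
# job inherits whatever default GITHUB_TOKEN scope the repository allows.
WEAK_WORKFLOW = """\
name: release-extension
on:
  release:
    types: [published]
jobs:
  hook:
    uses: ./.github/workflows/extension-hook.yml
"""

# Constructed sample: the "after" shape with an explicit read-only default.
FIXED_WORKFLOW = """\
name: release-extension
on:
  release:
    types: [published]
permissions:
  contents: read
jobs:
  hook:
    uses: ./.github/workflows/extension-hook.yml
"""

# A top-level key sits in column 0; indented keys belong to some mapping.
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w-]*):\s*(.*)$")


def top_level_permissions(workflow_text):
    """Return (found, value) for the workflow-wide `permissions:` key.

    `value` is the inline scalar ('read-all', 'write-all', '{}') or, for a
    mapping, a dict of scope -> access parsed from the indented block.
    Job-level permissions are deliberately ignored: they are not a
    substitute for a workflow-wide least-privilege default.
    """
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = TOP_LEVEL_KEY.match(line)
        if not m or m.group(1) != "permissions":
            continue
        inline = m.group(2).strip()
        if inline:
            return True, inline
        scopes = {}
        for sub in lines[i + 1:]:
            if not sub.startswith(" "):
                break  # back at column 0: the mapping has ended
            key, _, val = sub.strip().partition(":")
            scopes[key.strip()] = val.strip()
        return True, scopes
    return False, None


def findings(workflow_text):
    """Human-readable findings; an empty list means the workflow passes."""
    found, value = top_level_permissions(workflow_text)
    if not found:
        return ["no top-level permissions: job inherits the repository default token scope"]
    if value == "write-all":
        return ["permissions: write-all grants every scope; narrow to what the jobs need"]
    if isinstance(value, dict):
        writes = sorted(k for k, v in value.items() if v == "write")
        if writes:
            return [f"write access granted to: {', '.join(writes)}; confirm each is required"]
    return []


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(label, findings(text) or "ok")
```

`permissions: {}` and `read-all` both pass the check, since each is a narrower default than inheriting; only an absent block, `write-all`, or explicit `write` scopes produce a finding.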
Automated smoke-test deployment commit created by repository_dispatch.

- Dispatch tag: 0.3.5-rc1
- Branch: chore/deploy-0.3.5-rc1
- Target: dev
Move Unreleased content to [0.3.5] - TBD and create fresh empty Unreleased section for continued development.
Strip empty Unreleased section from release branch. Release date TBD (set during finalization).
Release 0.3.5
This PR prepares release 0.3.5 for merge to main.
## [0.3.5] - TBD

### Changed

- Consolidate Renovate dependency updates (#550)
  - `Containerfile`, `requires-python`, and lockfile)
  - `ubuntu-22.04` → `24.04` and Node.js 22 → 24
  - `setup-node` v6, `setup-uv` v8, `github-script` v9
  - `@devcontainers/cli` 0.87.0 (#538)
- Bump expected tool versions in image tests
  - `gh` 2.92 → 2.93, `just` 1.50 → 1.52, `cargo-binstall` 1.18 → 1.20 to match latest upstream releases
- Consolidate Renovate dependency updates (553–556) (#553, #554, #555, #556)
  - `pytest` to 9.0.3, bump `pytest-cov` to 7.1.0, `rich` to 15.0.0
  - `github-backup` to 0.62.1, `pre-commit` to 4.6.0, `ruff` to 0.15.16, `pip-licenses` to 5.5.5
  - `pre-commit` version in image tests to 4.6
  - `actions/dependency-review-action` to v5.0.0

### Fixed

- Renovate PR CI gates expired or broken (#550)
  - `bash` so `set -euo pipefail` works inside the container
  - GHSA-wvrr-2x4r-394v)
- Image tests red on stale cargo-binstall pin (#557)
  - `cargo-binstall` to 1.20 to match the latest upstream release the image installs
- arm64 release build failed with "exec format error" (#578)
  - `python:3.14-slim-bookworm` (sha256:a9bee155…); the previous bump pinned the amd64-only child manifest, so the arm64 build pulled an amd64 image and the first `RUN` died with `exec /bin/sh: exec format error`
  - `Containerfile` that manual base-image pins must use the index digest, never a per-platform child manifest

### Security

- Accept Debian won't-fix LOW CVEs in `.trivyignore` (#566)
  - `check-expirations` utility with pre-commit and CI enforcement so expired `.trivyignore` entries fail the pipeline
  - `:latest`
- Bump base image digest and clear fixable OS-package CVEs (#565)
  - `python:3.14-slim-bookworm` pinned to its multi-arch index digest (sha256:a9bee155…)
  - `libgnutls30=3.7.9-2+deb12u7` upgrade (base ships `deb12u6`; fixable GnuTLS CVEs require `deb12u7`)
- Patch fixable OpenSSL HIGH CVE blocking the 0.3.5 release (#580)
  - `libssl3`/`openssl` upgrade to `3.0.20-1~deb12u2` (base ships `deb12u1`); clears CVE-2026-45447 flagged by the release Trivy gate
- Refresh bundled gh and uv to clear Go and Rust CVEs (#564)
  - `gh` v2.93.0 and `uv` v0.11.19, clearing all bundled-tool HIGH findings except one awaiting upstream
  - `uv`/`uvx` Rust crate CVEs (including `rustls-webpki` GHSA-82j2-j2ch-gfr8) no longer reported after rebuild
  - `gh` Go-stdlib HIGH (CVE-2026-42504) kept in `.trivyignore` until `gh` ships a Go 1.26.4 rebuild
- Update pytest to v9.0.3 (#528)
- Remediate nightly scan gate failures on `:latest` (#549)
  - `libgnutls30` to `3.7.9-2+deb12u7` for fixable GnuTLS CVEs (retained across the 3.14 base rebase; see #565)
- Resolve repo-owned workflow security findings (#562)
  - `pull_request` build + privileged `workflow_run` commit, removing `pull_request_target` and PR-head checkout under elevated permissions (Scorecard `DangerousWorkflowID`)
  - `actions/missing-workflow-permissions` alerts auto-close on the next default-branch run
  - `permissions:` to workspace `release-extension.yml` template; downstream smoke-test updates flow through release re-sync
  - `SECURITY.md`
- Update vulnerable Python dependencies (#563)
  - `urllib3` 2.7.0, `requests` 2.34.2, `idna` 3.18, `Pygments` 2.20.0 in the repo lockfile
  - `notebook` 7.5.6, `jupyterlab` 4.5.7, `jupyter-server` 2.18.0, `mistune` 3.2.1)
- Add downstream SECURITY.md template and close smoke-test Scorecard gaps (#568)
  - `assets/workspace/SECURITY.md` so generated and smoke-test repos ship a security policy (clears Scorecard `SecurityPolicyID` on the next release re-sync)
  - `FuzzingID` and `CIIBestPracticesID` as accepted won't-fix posture in the template policy
  - `download-then-run`) in the `assets/smoke-test/` overlay, accepted because the deploy-validation repo runs fully unattended
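The Security section above records a `check-expirations` utility that makes expired `.trivyignore` entries fail the pipeline, so accepted won't-fix CVEs are re-reviewed instead of silently suppressed forever. The Python below is an illustration added here of that gate, not the project's own utility, whose file format is not shown on this page. It assumes entries carry an `exp:YYYY-MM-DD` annotation after the vulnerability ID; the sample file, its IDs and its dates are constructed placeholders.

```python
"""Fail a CI gate when accepted-risk entries in a .trivyignore file have
passed their expiry date. Added illustration, not the project's own
check-expirations utility. Assumes an `exp:YYYY-MM-DD` annotation after
each ID; the sample file below is constructed with placeholder IDs."""
import re
from datetime import date

# Constructed sample .trivyignore; IDs and dates are placeholders.
SAMPLE_TRIVYIGNORE = """\
# Debian won't-fix LOW findings, revisit quarterly
CVE-2020-00001 exp:2030-01-01  # placeholder, still within its window
CVE-2020-00002 exp:2024-01-01  # placeholder, window already closed
# Entry without an expiry: never re-reviewed unless someone remembers
CVE-2020-00003
GHSA-xxxx-yyyy-zzzz exp:2024-06-30
"""

# ID token, optionally followed by an exp:YYYY-MM-DD tag.
ENTRY = re.compile(r"^(?P<id>\S+)(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?")


def parse_trivyignore(text):
    """Yield (id, expiry_date_or_None, line_no) for each non-comment entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        exp = date.fromisoformat(m.group("exp")) if m.group("exp") else None
        yield m.group("id"), exp, line_no


def check_expirations(text, today, require_expiry=True):
    """Return a list of problems; an empty list means the gate passes.

    An entry whose exp: date is before `today` always fails. With
    require_expiry=True, entries without any exp: tag fail as well, so
    every accepted risk carries a date on which it must be looked at again.
    """
    problems = []
    for vuln_id, exp, line_no in parse_trivyignore(text):
        if exp is None:
            if require_expiry:
                problems.append(f"line {line_no}: {vuln_id} has no exp: date")
        elif exp < today:
            problems.append(f"line {line_no}: {vuln_id} expired on {exp.isoformat()}")
    return problems


if __name__ == "__main__":
    import sys

    issues = check_expirations(SAMPLE_TRIVYIGNORE, date.today())
    print("\n".join(issues) or "all .trivyignore entries are current")
    sys.exit(1 if issues else 0)  # non-zero exit is what fails the pipeline
```

Wired into pre-commit and CI as the changelog entry describes, the non-zero exit turns a stale suppression into a failing job, which is the point: the suppression list can only grow with a review date attached, and dates that lapse surface at the next run rather than at the next incident.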