chore: sync dev with main#155
Merged
Strip empty Unreleased section from release branch. Release date TBD (set during finalization).
Set release date to 2026-06-10 in CHANGELOG.md Refs: #154
# Release 0.3.5

This PR prepares release 0.3.5 for merge to main.

## [0.3.5] - TBD

### Changed

- **Consolidate Renovate dependency updates** ([#550](vig-os/devcontainer#550))
  - Python 3.12 → 3.14.5 (`Containerfile`, `requires-python`, and lockfile)
  - CI runners `ubuntu-22.04` → `24.04` and Node.js 22 → 24
  - GitHub Actions major bumps: `setup-node` v6, `setup-uv` v8, `github-script` v9
  - SHA-pinned digest updates for checkout, codeql, create-github-app-token, and taiki-e/install-action
  - Pin Python, npm, and workspace template dependencies to exact versions ([#530](vig-os/devcontainer#530))
  - `@devcontainers/cli` 0.87.0 ([#538](vig-os/devcontainer#538))
- **Bump expected tool versions in image tests**
  - `gh` 2.92 → 2.93, `just` 1.50 → 1.52, `cargo-binstall` 1.18 → 1.20 to match latest upstream releases
- **Consolidate Renovate dependency updates (553–556)** ([#553](vig-os/devcontainer#553), [#554](vig-os/devcontainer#554), [#555](vig-os/devcontainer#555), [#556](vig-os/devcontainer#556))
  - Pin `pytest` to 9.0.3, bump `pytest-cov` to 7.1.0, `rich` to 15.0.0
  - Bump `github-backup` to 0.62.1, `pre-commit` to 4.6.0, `ruff` to 0.15.16, `pip-licenses` to 5.5.5
  - Bump expected `pre-commit` version in image tests to 4.6
  - Bump `actions/dependency-review-action` to v5.0.0

### Fixed

- **Renovate PR CI gates expired or broken** ([#550](vig-os/devcontainer#550))
  - Renovate changelog workflow now runs under `bash` so `set -euo pipefail` works inside the container
  - Taplo lint hook no longer fetches remote schema catalogs (fetch started failing in taplo 0.10)
  - Renewed dependency-review allow-list exception for bats-file false positive (`GHSA-wvrr-2x4r-394v`)
- **Image tests red on stale cargo-binstall pin** ([#557](vig-os/devcontainer#557))
  - Bump expected `cargo-binstall` to 1.20 to match the latest upstream release the image installs
- **arm64 release build failed with "exec format error"** ([#578](vig-os/devcontainer#578))
  - Restore the multi-arch index digest for `python:3.14-slim-bookworm` (`sha256:a9bee155…`); the previous bump pinned the amd64-only child manifest, so the arm64 build pulled an amd64 image and the first `RUN` died with `exec /bin/sh: exec format error`
  - Document in `Containerfile` that manual base-image pins must use the index digest, never a per-platform child manifest

### Security

- **Accept Debian won't-fix LOW CVEs in .trivyignore** ([#566](vig-os/devcontainer#566))
  - Document 78 unfixed LOW Debian OS-package CVEs from the next-release image with shared risk note and 2026-12-01 expiration
  - Add `check-expirations` utility with pre-commit and CI enforcement so expired `.trivyignore` entries fail the pipeline
  - Security tab LOW count drops after the next release refreshes `:latest`
- **Bump base image digest and clear fixable OS-package CVEs** ([#565](vig-os/devcontainer#565))
  - Keep `python:3.14-slim-bookworm` pinned to its multi-arch index digest (`sha256:a9bee155…`)
  - Retain targeted `libgnutls30=3.7.9-2+deb12u7` upgrade (base ships `deb12u6`; fixable GnuTLS CVEs require `deb12u7`)
  - CI Trivy gate passes with zero fixable HIGH/CRITICAL OS findings after rebuild
- **Patch fixable OpenSSL HIGH CVE blocking the 0.3.5 release** ([#580](vig-os/devcontainer#580))
  - Targeted `libssl3`/`openssl` upgrade to `3.0.20-1~deb12u2` (base ships `deb12u1`); clears `CVE-2026-45447` flagged by the release Trivy gate
- **Refresh bundled gh and uv to clear Go and Rust CVEs** ([#564](vig-os/devcontainer#564))
  - Fresh image build pulls latest `gh` v2.93.0 and `uv` v0.11.19, clearing all bundled-tool HIGH findings except one awaiting upstream
  - `uv`/`uvx` Rust crate CVEs (including `rustls-webpki` GHSA-82j2-j2ch-gfr8) no longer reported after rebuild
  - Remaining `gh` Go-stdlib HIGH (CVE-2026-42504) kept in `.trivyignore` until `gh` ships a Go 1.26.4 rebuild
- **Update pytest to v9.0.3** ([#528](vig-os/devcontainer#528))
  - Security patch for pytest dependency bump
- **Remediate nightly scan gate failures on :latest** ([#549](vig-os/devcontainer#549))
  - Patched `libgnutls30` to `3.7.9-2+deb12u7` for fixable GnuTLS CVEs (retained across the 3.14 base rebase; see #565)
- **Resolve repo-owned workflow security findings** ([#562](vig-os/devcontainer#562))
  - Split Renovate changelog automation into read-only `pull_request` build + privileged `workflow_run` commit, removing `pull_request_target` and PR-head checkout under elevated permissions (Scorecard `DangerousWorkflowID`)
  - Add GitHub Actions to CodeQL language matrix so stale `actions/missing-workflow-permissions` alerts auto-close on the next default-branch run
  - Add explicit `permissions:` to workspace `release-extension.yml` template; downstream smoke-test updates flow through release re-sync
  - Document accepted OpenSSF Scorecard posture (Fuzzing, CII) and verified branch-protection rulesets in `SECURITY.md`
- **Update vulnerable Python dependencies** ([#563](vig-os/devcontainer#563))
  - Bump `urllib3` 2.7.0, `requests` 2.34.2, `idna` 3.18, `Pygments` 2.20.0 in the repo lockfile
  - Constrain workspace-template jupyter stack to patched versions (`notebook` 7.5.6, `jupyterlab` 4.5.7, `jupyter-server` 2.18.0, `mistune` 3.2.1)
- **Add downstream SECURITY.md template and close smoke-test Scorecard gaps** ([#568](vig-os/devcontainer#568))
  - Add `assets/workspace/SECURITY.md` so generated and smoke-test repos ship a security policy (clears Scorecard `SecurityPolicyID` on the next release re-sync)
  - Document `FuzzingID` and `CIIBestPracticesID` as accepted won't-fix posture in the template policy
  - Document smoke-test-specific accepted findings (branch-protection, code-review, pinned `download-then-run`) in the `assets/smoke-test/` overlay, accepted because the deploy-validation repo runs fully unattended
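The `check-expirations` gate described under Security, as an added example that is not the project's own utility: it parses a `.trivyignore` whose entries carry Trivy's `exp:YYYY-MM-DD` suffix (assumed entry format; the sample file is constructed with placeholder IDs, not real CVEs) and returns a failing exit code once any entry's date has passed, so an accepted finding cannot silently outlive its review window.

```python
"""Fail when any .trivyignore entry has passed its expiration date.
Added example, not the project's `check-expirations`. Assumes Trivy's
`<ID> exp:YYYY-MM-DD` entry form (assumption); sample IDs are placeholders."""
from __future__ import annotations

import re
from datetime import date

# ID, then an optional `exp:YYYY-MM-DD` marker (assumed Trivy syntax).
_ENTRY = re.compile(r"^(?P<id>\S+)(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?")

def parse_ignore(text: str) -> list[tuple[str, date | None]]:
    """Return (id, expiration) pairs; entries without `exp:` never expire."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _ENTRY.match(line)
        exp = date.fromisoformat(m["exp"]) if m["exp"] else None
        entries.append((m["id"], exp))
    return entries

def expired_entries(text: str, today: str) -> list[str]:
    """IDs whose `exp:` date is before `today` (ISO); exp == today is still valid."""
    cutoff = date.fromisoformat(today)
    return [vid for vid, exp in parse_ignore(text) if exp and exp < cutoff]

def check(text: str, today: str | None = None) -> int:
    """Exit-code style result: 0 when clean, 1 when any entry has expired."""
    stale = expired_entries(text, today or date.today().isoformat())
    for vid in stale:
        print(f"expired .trivyignore entry: {vid}")
    return 1 if stale else 0

# Constructed sample mirroring the shared-risk-note-plus-expiration layout.
SAMPLE = """\
# Debian won't-fix LOW OS-package CVEs (shared risk note); re-review by expiry
CVE-0000-0001 exp:2026-12-01
CVE-0000-0002 exp:2026-12-01
# awaiting an upstream rebuild, so a shorter window
CVE-0000-0003 exp:2026-07-01
CVE-0000-0004
"""

if __name__ == "__main__":
    raise SystemExit(check(SAMPLE))
```

Wiring it as a pre-commit hook and a CI step, as the changelog describes, turns the expiration date into a hard deadline rather than a comment.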
Syncs dev with main (sync-main-to-dev workflow).