Release 1.1.1 (2026-02-26)

Bug fixes

  • bootstrap standards documentation

Add AGENTS.md and repository standards overlay. Normalize docs formatting for markdownlint and make docs validation bash-compatible.

  • add autobuild step for compiled language support

CodeQL requires a build step between init and analyze for compiled languages (Java, Go, C++). The autobuild action handles this automatically and is a no-op for interpreted languages.

  • sync shared tooling to v1.0.2

Update sync-tooling.sh from standard-tooling v1.0.2:

  • Fix --actions-compat flag leaking during self-update re-exec
  • Add canonical source comment to repo-profile.sh

  • sync lint scripts from standards-and-conventions (#28) Accept git-generated Revert commit messages in the CI commit message validator and support cross-repo owner/repo#123 issue linkage in the PR issue linkage validator.

Ref wphillipmoore/mq-rest-admin-common#62

  • pass release notes via env var to prevent shell injection (#44)
  • fix(publish): pass release notes via env var to prevent shell injection

Backticks in markdown code fences within release-notes were interpreted as bash command substitution when directly interpolated via ${{ }}. This caused go get commands in installation examples to be executed during the release step.

Pass release-notes through an environment variable ($RELEASE_NOTES) instead, which is not subject to shell interpretation.
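The failure mode described above, reproduced safely as an added example (not code from this repository). The release notes are constructed, an echo stands in for the go get command, and the step bodies and function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: simulates a runner pasting ${{ ... }} text into a run: script
# before bash parses it, versus handing the same text over in the environment.
# Workflow shape being simulated (hypothetical step, not the project's file):
#   unsafe: run: gh release create "$TAG" --notes "${{ inputs.release-notes }}"
#   fixed:  env: { RELEASE_NOTES: "${{ inputs.release-notes }}" }
#           run: gh release create "$TAG" --notes "$RELEASE_NOTES"

bt=$(printf '\140')      # one backtick, built indirectly so this fence stays intact
fence="$bt$bt$bt"

# Constructed release notes: a fenced install snippet. The echo line stands in
# for the page's "go get" command and leaves a canary file only if it executes.
make_notes() {
  printf 'Install:\n%s\necho ran >> $CANARY\n%s\n' "$fence" "$fence"
}

# Prints "executed" if the command inside the notes ran, otherwise "literal".
verdict() { if [ -s "$1/canary" ]; then echo executed; else echo literal; fi; }

# Unsafe: the notes become part of the script text, as ${{ }} expansion does.
run_unsafe() (
  dir=$(mktemp -d); export CANARY="$dir/canary" OUT="$dir/out"
  script=$(printf 'body="%s"; printf "%%s" "$body" > "$OUT"' "$(make_notes)")
  bash -c "$script"
  verdict "$dir"; rm -rf "$dir"
)

# Fixed: the script text is constant; bash never parses the notes as code.
run_safe() (
  dir=$(mktemp -d); export CANARY="$dir/canary" OUT="$dir/out"
  RELEASE_NOTES=$(make_notes) bash -c 'printf "%s" "$RELEASE_NOTES" > "$OUT"'
  # The notes must also arrive unmodified, fences included.
  [ "$(cat "$OUT")" = "$(make_notes)" ] && verdict "$dir"
  rm -rf "$dir"
)

echo "interpolated into script: $(run_unsafe)"
echo "passed via environment:   $(run_safe)"
```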

  • replace mapfile with bash 3.2-compatible alternative (#49) macOS ships bash 3.2 which lacks mapfile. Replace with a simple variable capture and xargs pipe.

  • set dev as default version when no default exists (#57) The root GitHub Pages URL returns 404 because mike only sets a default version when deploying from main (latest alias). For pre-release repos deploying only from develop, set dev as the default so the root URL redirects to dev/.

  • remove redundant close/reopen cycle (#66)

  • update add-to-project action to v1.0.2 (#69)
  • resolve event-payload race in version-bump-pr issue linkage (#73) The action previously created the PR with a simple body then edited it to add issue linkage. The CI standards-compliance check reads the PR body from the event payload, which is frozen at PR creation time, so the linkage was never seen. This fix adds a tracking-issue input with auto-discovery fallback and constructs the complete body before PR creation, eliminating the race condition.

  • add diagnostics to version-bump-pr tracking issue resolution (#81) Remove silent error suppression (2>/dev/null || true) from gh issue list so failures are visible in CI logs. Add echo statements showing what was searched, what was found, and when no issue is found. Document the tracking-issue input in the published action docs.

  • handle missing version on main in version-divergence check (#87) When main has no version file (no prior release), the check now passes gracefully instead of failing. The divergence gate is only meaningful after the first release.

  • search all issue states when resolving bump PR tracking issue (#95) The release PR to main closes the tracking issue before the bump PR step runs. Searching with --state open finds nothing, so the bump PR body has no issue linkage and fails the pr-issue-linkage CI gate. Change to --state all.

  • add semgrep-language input for Go compatibility (#101) Semgrep uses p/golang but CodeQL uses go. Add a separate semgrep-language input that defaults to the language input but can be overridden.

  • preserve severity filter in SARIF output for Trivy scans (#123) Add limit-severities-for-sarif to both fs and image scan steps. Without this, aquasecurity/trivy-action unsets TRIVY_SEVERITY when format is sarif, causing the exit code to reflect all severities rather than the configured CRITICAL,HIGH filter.

  • install pyyaml when mike-command is not mike (#128)

  • correct corrupted VERSION file to 1.1.1 (#133)

CI

  • add publish workflow for tag, release, and version bump (#131) Adapted from standard-tooling publish workflow. Uses VERSION file instead of pyproject.toml. Includes workflow_dispatch trigger to process the existing v1.1.0 merge on main.

Documentation

  • align standards entrypoint with repo type

Reorganize the standards entrypoint to list core and library references.

  • add repository bootstrap guide

Document the standards-based repository bootstrap steps. Link the guide from development overview.

  • ban MEMORY.md usage in CLAUDE.md (#48) Add auto-memory policy requiring agents to discuss behavioral rules with the human rather than storing them in unmanaged MEMORY.md files.

  • ban heredocs in shell commands (#50) Add explicit ban on heredocs for multi-line CLI arguments. Always use temp files instead.

  • update CI gate docs to reflect actual state (#56) Update CI gate documentation to match the now-consistent CI configuration across all repos: add Java Library column, add dependency-audit and release gates rows, update docs-only pattern to per-step guards, remove push triggers from examples, remove non-PR events section.

  • add repository rulesets documentation (#58) Add new Repository Rulesets page documenting the three-ruleset pattern (Branch protection, CI gates, Tag protection) used across all managed repos. Update required-checks and index pages to reference rulesets instead of legacy branch protection.

  • add branch targeting guidance to rulesets page (#59) Document that ~DEFAULT_BRANCH must not be used in ruleset conditions because it resolves to develop (not main), silently leaving main unprotected.

  • add branch targeting guidance to rulesets page (#60)

  • docs: add repository rulesets documentation

Add new Repository Rulesets page documenting the three-ruleset pattern (Branch protection, CI gates, Tag protection) used across all managed repos. Update required-checks and index pages to reference rulesets instead of legacy branch protection.

  • add repository configuration documentation (#76) Covers secrets (PROJECT_TOKEN, APP_ID, APP_PRIVATE_KEY), GitHub App setup, project integration, workflow permissions, auto-merge, and new repository onboarding checklist.

  • update SonarCloud documentation with lessons learned and beta status (#83) Reflects advisory-only gate status, Go source/test separation requirement, post-merge workflow pattern, SonarCloud configuration steps, and free tier limitations.

  • document version matrix for unit and integration tests, add Ruby column, explain duplicate security checks (#88)

  • replace stale script references with st-* commands (#94)
  • add publish workflow ordering guide (#117)
  • docs: add publish workflow ordering guide

Documents the canonical step ordering for publish.yml workflows across consuming repositories. Covers why tagging must happen before registry publish, how to gate the publish step on credentials, idempotency gates, and the Go exception. Fixes #116.

  • fix secret gate example in publish workflow guide (#118) The secrets context cannot be used bare in step-level if conditions. Updated the example to use a job-level env var pattern. Ref #116.

  • add version bump PR guidance to publish workflow guide (#121) Document regex quoting gotcha (use \x27 for single quotes) and lock file update requirements (post-bump-command and extra-files). Ref #116.

Features

  • add initial composite actions for docs-only detection, standards compliance, and Python setup (#10) Build the first batch of reusable composite actions extracted from pymqrest CI workflows:

  • docs-only-detect: detects documentation-only PRs via gh api

  • standards-compliance: validates markdown, commit messages, PR linkage, and repository profile with bundled lint scripts
  • python/setup: sets up Python, installs uv, and configures caching

The standards-compliance action accepts a commit-cutoff-sha input so consuming repos can pass their own cutoff instead of hardcoding it.

  • exempt docs/site from structural markdown checks (#11) Documentation site generators (MkDocs, Hugo, etc.) use docs/site/ the same way Sphinx uses docs/sphinx/. These pages have integrated navigation so structural checks (Table of Contents, single H1) do not apply. Markdownlint still runs on these files.

Consolidates the Sphinx-only exemption into a generic doc-site loop that covers both docs/sphinx and docs/site directories.

  • add CodeQL SAST composite action

Wraps github/codeql-action init and analyze steps into a reusable composite action with language and queries inputs.

Ref wphillipmoore/mq-rest-admin-common#20

  • add Trivy and Semgrep composite actions for Tier 2 security tooling

Trivy action supports filesystem vulnerability scanning (SARIF), CycloneDX SBOM generation, and container image scanning. Semgrep action runs language-specific rulesets plus cross-cutting p/security-audit and p/secrets rules with SARIF upload to the GitHub Security tab.

Ref mq-rest-admin-common#11, #24, #25

  • add shared tooling staleness gate and sync scripts

Add sync-tooling.sh and synced canonical scripts from standard-tooling v1.0.0. Add staleness gate step to standards-compliance action that checks shared scripts are up to date on develop-targeted PRs.

Reconciles pr-issue-linkage.sh to accept all GitHub closing keywords (Fixes/Closes/Resolves/Ref).

  • add CI workflow, CLAUDE.md, and repository infrastructure (#24) Add self-referencing CI with docs-only, standards-compliance, actionlint, and shellcheck jobs. Add skip-sync-check input to standards-compliance action for repos that are the canonical tooling source. Create CLAUDE.md and update PR template with validation commands.

  • add add-to-project workflow for standards project

Adds a GitHub Actions workflow that automatically adds new issues to the standards GitHub Project (#4).

  • add ci and build to allowed conventional commit types (#32) The commit-messages validator now accepts ci: and build: prefixes, aligning with the broader Conventional Commits specification.

  • add composite action for MkDocs/mike deployment (#33)

  • feat(docs-deploy): add composite action for MkDocs/mike deployment

Centralizes the shared docs deployment logic used across all mq-rest-admin repos into a reusable composite action. Handles git config, version detection, conditional common checkout, and mike deploy/set-default.

  • add VERSION file for release automation (#37) Adds VERSION file with 1.1.0 for prepare_release.py detection.

  • add reusable composite actions for tag-and-release, version-bump-pr, and version-divergence (#41) Three new composite actions to eliminate duplicated CI logic across mq-rest-admin-go, mq-rest-admin-java, and mq-rest-admin-python:

  • actions/publish/tag-and-release: annotated git tag, develop boundary tag, GitHub Release

  • actions/publish/version-bump-pr: next patch version, branch from develop merging main, regex version update, auto-merge PR
  • actions/release-gates/version-divergence: verifies PR version differs from main

  • add category prefixes to CI job names (#45) Standardize job display names with ci: category prefix so checks cluster naturally in the GitHub status list. Also add commit/PR wrapper warnings to CLAUDE.md.

  • adopt validate_local.sh dispatch architecture (#51)

  • feat(validate): adopt validate_local.sh dispatch architecture

Replace validate_actions.sh and validate_docs.sh with synced validate_local.sh driver from standard-tooling. Adds primary_language: shell to repo profile. Creates validate_local_custom.sh for actionlint. Updates synced managed files: repo-profile.sh, sync-tooling.sh.

  • add MkDocs documentation site with action reference and CI gate specs (#53) Implements MkDocs Material + mike documentation site with 10 action reference pages, CI gate requirements specification, development guides, and docs.yml workflow for automated deployment.

  • migrate to PATH-based standard-tooling consumption (#77) Re-architect standards-compliance action to checkout standard-tooling and consume validators via PATH instead of embedding synced script copies. Delete all 24 synced/embedded scripts (actions/standards-compliance/scripts/, scripts/lint/, scripts/git-hooks/, scripts/dev/*). Move validate_local_custom.sh to scripts/bin/validate-local-custom. Update CI shellcheck paths and CLAUDE.md for new workflow.

  • add SonarCloud composite action (#82) Thin composite wrapper around SonarSource/sonarqube-scan-action@v5 for unified code quality analysis across Go, Python, Java, Ruby, and Rust projects.

  • add Code Climate (Qlty) coverage upload action (#84) Thin composite wrapper around qltysh/qlty-action/coverage@v2 with OIDC authentication. Includes action definition, documentation with language-specific examples (Python, Go, Java), and action index update.

  • add reusable security and standards workflow (#99) Shared workflow_call workflow providing standards-compliance, CodeQL, Trivy, and Semgrep jobs. Parameterized by language, with string-based gates for disabling standards or security jobs.

  • add sarif-category input for unique SARIF uploads (#115) When multiple matrix entries upload SARIF results, hardcoded categories cause overwrites. The new sarif-category input lets callers set unique values per matrix entry while defaulting to existing trivy-fs/trivy-image categories when empty.

  • add trivyignores input for suppressing known-acceptable CVEs (#120)

Refactoring

  • remove commit message validation from CI (#78) Remove the commit-messages step from the standards-compliance action and the commit-cutoff-sha input. Commit message format is enforced by the git commit-msg hook at commit time; re-validating the full range in CI adds friction without meaningful value. Also removes fetch-depth: 0 from CI since full history was only needed for commit range validation.

  • remove docs-only-detect action and CI special-casing (#111) Delete the docs-only-detect composite action and remove the ci: docs-only job from CI. All per-step docs-only guards in actionlint and shellcheck jobs are removed so they run unconditionally. Update all documentation: required-checks matrix, CI gates index, repository-rulesets, mkdocs nav, getting-started, action reference, contributing guide, repository-bootstrap, and CLAUDE.md.