Skip to content

Release 1.4.1 (2026-04-24)

Bug fixes

  • pass version-replacement to version-bump-pr composite; bump 1.4.1 Hit live during the v1.4.0 dogfood: publish.yml's version-bump-pr step exploded with a bash syntax error because the composite's required version-replacement input was never passed from this workflow. The generated Python re.sub had an empty replacement string, which broke the runner's bash heredoc.

Latent since v1.3.0. Prior releases died earlier at the CHANGELOG add/add conflict (standard-actions#186), masking this. That earlier bug is now fixed on v1.2.0 of standard-actions; we reached step 2 of the composite for the first time and it blew up.

Fix

Pass version-replacement: '\g<1>{version}\g<2>' to the composite. The existing regex (\s*"version":\s*").*("\s*) has two capture groups around the version value; this preserves the surrounding quote+whitespace.

Release hygiene

  • Back-merges origin/main (with -X theirs) into develop to pick up CHANGELOG v1.4.0 and releases/v1.4.0.md — the step publish.yml would have done automatically if it had not crashed.
  • Bumps plugin.json 1.4.0 -> 1.4.1.

Same manual-bump pattern as plugin#63 and plugin#68.

Documentation

  • reorder publish skill phases so bump PR merge runs in parallel with slow publish Swap Phases 3 and 4 in library-release mode of the publish skill.

Previous order serialized the fastest step (bump PR merge, ~60-90s) behind the slowest (publish.yml external work — registry publication, docs deploy, etc., multi-minute). Reordered:

  • Phase 2: Merge release PR (triggers publish.yml async)
  • Phase 3 (was 4): Merge bump PR — fast, runs in parallel with publish.yml
  • Phase 4 (was 3): Confirm publish — blocks on the slow async work last

Also rewrote Phase 4's body to frame it as "block until publish.yml succeeds, then verify artifacts" — explicitly state that a failed publish after merges leaves the repo half-released and stop.

Updated cross-references (Policy section, TOC) to match the new order.

Caught live during the v1.4.0 dogfood cycle today.

Release

  • 1.3.0 (#62)
  • feat(hooks): add 5 core PreToolUse guardrail hooks (#1)

Implements P1 from issue standard-tooling#177: mechanical enforcement of workflow rules via PreToolUse hooks delivered through the plugin.

Hooks added: - block-raw-git-commit: forces use of st-commit - block-raw-gh-pr-create: forces use of st-submit-pr - block-protected-branch-work: prevents commits on main/develop - block-heredoc: prevents shell escaping failures from heredoc syntax - block-memory-writes: enforces auto-memory policy (no MEMORY.md writes)

All hooks use the permissionDecision deny mechanism with actionable error messages explaining the correct alternative.

  • 1.3.1 (#67)
  • feat(hooks): add 5 core PreToolUse guardrail hooks (#1)

Implements P1 from issue standard-tooling#177: mechanical enforcement of workflow rules via PreToolUse hooks delivered through the plugin.

Hooks added: - block-raw-git-commit: forces use of st-commit - block-raw-gh-pr-create: forces use of st-submit-pr - block-protected-branch-work: prevents commits on main/develop - block-heredoc: prevents shell escaping failures from heredoc syntax - block-memory-writes: enforces auto-memory policy (no MEMORY.md writes)

All hooks use the permissionDecision deny mechanism with actionable error messages explaining the correct alternative.