
Release 1.2.1 (2026-02-26)

Bug fixes

  • resolve commit-msg hook fallback relative to hook directory, not consuming repo (#90) The fallback path used git rev-parse --show-toplevel which resolves to the consuming repo root. Repos without scripts/bin/commit-message (e.g., standard-actions) would fail. Now resolves relative to the hook script's own directory.
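
The two fallbacks side by side, as an added shell example rather than the hook this project ships. The layout it assumes (a hook at <tooling>/hooks/commit-msg, its helper at <tooling>/scripts/bin/commit-message) and the fixture directories it builds are constructed for the demonstration:

```shell
#!/usr/bin/env bash
# Added example, not the hook shipped by this project. The layout is an
# assumption: the hook lives at <tooling>/hooks/commit-msg and its helper at
# <tooling>/scripts/bin/commit-message.
set -u

# Physical directory holding a script. "cd && pwd -P" resolves a symlinked
# parent directory; it does not follow a symlink of the script file itself.
script_dir() {
  (cd -- "$(dirname -- "$1")" && pwd -P)
}

# Old fallback: anchored on the toplevel of the repo being committed to,
# which is what `git rev-parse --show-toplevel` returns inside a hook.
helper_from_toplevel() {
  printf '%s/scripts/bin/commit-message\n' "$1"
}

# New fallback: anchored on the hook script's own directory, so the helper is
# found wherever the hook was installed from, whatever the consuming repo holds.
helper_from_hook_dir() {
  local hook_dir
  hook_dir="$(script_dir "$1")" || return 1
  printf '%s/../scripts/bin/commit-message\n' "$hook_dir"
}

# 0 if the resolved helper exists and is executable, 1 otherwise.
helper_usable() {
  [ -x "$1" ]
}

# Constructed fixture: a tooling checkout that ships the helper, and a
# consuming repo with no scripts/bin at all. Prints the fixture root.
make_fixture() {
  local root
  root="$(mktemp -d)" || return 1
  mkdir -p "$root/tooling/hooks" "$root/tooling/scripts/bin" "$root/consumer"
  printf '#!/bin/sh\nexit 0\n' > "$root/tooling/scripts/bin/commit-message"
  chmod +x "$root/tooling/scripts/bin/commit-message"
  : > "$root/tooling/hooks/commit-msg"
  printf '%s\n' "$root"
}

# Demonstration: the toplevel-based path is missing for the consumer, the
# hook-relative path resolves.
demo() {
  local root
  root="$(make_fixture)" || return 1
  if helper_usable "$(helper_from_toplevel "$root/consumer")"; then
    echo "toplevel fallback: found"; else echo "toplevel fallback: missing"; fi
  if helper_usable "$(helper_from_hook_dir "$root/tooling/hooks/commit-msg")"; then
    echo "hook-dir fallback: found"; else echo "hook-dir fallback: missing"; fi
  rm -rf "$root"
}
demo
```

Two practitioner notes on this pattern: a fallback that resolves into the consuming repo executes whatever that repo places at scripts/bin/commit-message, whereas the hook-relative form only ever runs the file that was installed next to the hook. And if a hook is installed as a symlink, `dirname "$0"` gives the link's location, not its target, so a layout that symlinks hooks needs `readlink -f` (GNU) or Git's core.hooksPath pointing at the tooling directory.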

  • disable fail-fast in docker-publish matrix (#100)

  • bump Go dev images from 1.23 to 1.25 and 1.26 (#105) golangci-lint v2.10.1 requires Go >= 1.25, breaking the Go 1.23 image build. Replace the single Go 1.23 image with Go 1.25 and 1.26 to match consuming repo test matrices.

  • use v2 module path for go-licenses (#107) go-licenses v2.0.1 moved to github.com/google/go-licenses/v2 per Go module conventions. The old import path fails on Go 1.26.

  • use hadolint binary instead of container to avoid musl/node24 incompatibility (#122) The hadolint Alpine container uses musl libc which is incompatible with the Node 24 binary that actions/checkout@v6 requires. Download the static binary directly instead.

  • suppress DL3028 hadolint warning for gem version pinning (#123) Dev images install bundler without version pinning, same rationale as DL3008 for apt packages.

  • exclude auto-generated markdown from markdownlint (#125) Remove markdownlint validation of CHANGELOG.md and releases/*.md from both markdown-standards and st-prepare-release. These files are auto-generated by git-cliff and should not be held to handwritten markdown standards. Fixes #124.

  • add SHELL pipefail directive to all Dockerfiles (#127) Hadolint DL4006 requires SHELL with -o pipefail before RUN commands that use pipes. This ensures pipe failures are properly caught.
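
What DL4006 guards against, as an added shell example that is not taken from the project's Dockerfiles: the same RUN body is executed the way Docker's default SHELL runs it and the way the pipefail SHELL runs it. The failing download is a constructed stub.

```shell
#!/usr/bin/env bash
# Added example, not taken from the project's Dockerfiles. Shows what a RUN
# line that pipes a failing download into an installer reports under the
# default shell versus the SHELL hadolint DL4006 asks for:
#   SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# The download is a constructed stub: it emits part of an install script and
# then fails with 22, the exit code `curl -f` uses for an HTTP error.

# Body of the RUN instruction, exactly as Docker hands it to the SHELL.
RUN_BODY='fetch() { printf "echo installed\n"; return 22; }
fetch | sh >/dev/null'

# Default Docker SHELL semantics (/bin/sh -c, mimicked here with bash -c): a
# pipeline's status is the status of its last command, so the truncated
# script ran and the layer reports success.
run_default_shell() {
  bash -c "$RUN_BODY"
}

# Same body under the DL4006 SHELL: the status is the rightmost non-zero
# status in the pipeline, 22 here, so the build stops at this layer.
run_pipefail_shell() {
  bash -o pipefail -c "$RUN_BODY"
}

for mode in run_default_shell run_pipefail_shell; do
  st=0; "$mode" || st=$?
  printf '%-18s exit status %d\n' "$mode" "$st"
done
```

SHELL only affects the RUN lines that follow it within the same build stage, so a multi-stage Dockerfile needs the directive in each stage that pipes; the image also has to contain bash. On Alpine, where bash is absent, hadolint's own guidance is `SHELL ["/bin/ash", "-eo", "pipefail", "-c"]`, since busybox ash supports pipefail.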

  • expand trivyignore with upstream-unfixable CVEs (#128) Add cpython, glibc, GnuPG, and npm transitive dependency CVEs that have no fix available in Debian bookworm or markdownlint-cli@0.47.0. Also add Node.js CVEs as safety net pending scan verification after Node 22.22.0 upgrade.

CI

  • migrate CI to three-tier model (#112) Rewrite ci.yml as reusable workflow_call workflow with run-security and run-release-gates inputs. Add ci-push.yml thin wrapper for push CI. Add scripts/dev/test.sh, lint.sh, audit.sh for Docker-first local testing. Update CLAUDE.md with three-tier CI and Docker-First Testing sections.

Documentation

  • add three-tier CI architecture guide (#109) Documents the three-tier CI model (local pre-commit, push CI, PR CI), the reusable workflow pattern, shared security workflow, dev container images, CI gate naming, and implementation steps.

Features

  • add Ruby ecosystem detection to st-prepare-release (#88) Detect Ruby projects via Gemfile marker and **/version.rb glob, matching the VERSION constant pattern. Registered between Go and VERSION-file detectors.
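
The detection logic as an added shell example, not the detector inside st-prepare-release. It assumes a Gemfile at the project root as the Ruby marker, takes the version from the first `VERSION = "x.y.z"` constant in any **/version.rb, and runs a plain VERSION-file detector after it, matching the registration order the entry describes; the Go detector is left out because the page does not describe it. The gem layout it scans is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not the detector inside st-prepare-release. Assumptions: a
# project counts as Ruby when a Gemfile sits at its root, the version comes
# from the first `VERSION = "x.y.z"` constant found in any **/version.rb, and
# a plain VERSION file is the fallback detector that runs after it (the Go
# detector the page mentions is omitted; the page does not describe it).

# Prints the value of the first VERSION constant in a Ruby file, nothing if
# there is none. Accepts double or single quotes and a trailing `.freeze`.
# The quoting below builds the sed class ["'] inside a single-quoted string.
extract_version_constant() {
  sed -n -E 's/^[[:space:]]*VERSION[[:space:]]*=[[:space:]]*["'"'"']([^"'"'"']+)["'"'"'].*/\1/p' "$1" | head -n 1
}

# Ruby detector: Gemfile marker plus a **/version.rb carrying a VERSION
# constant. Prints the version and returns 0, else returns 1.
detect_ruby_version() {
  local root="$1" file ver
  [ -f "$root/Gemfile" ] || return 1
  # find instead of a shell glob, so nested lib/<gem>/version.rb matches
  # without bash's globstar; IFS is newline so paths with spaces survive.
  local IFS='
'
  for file in $(find "$root" -type f -name version.rb | sort); do
    ver="$(extract_version_constant "$file")"
    if [ -n "$ver" ]; then
      printf '%s\n' "$ver"
      return 0
    fi
  done
  return 1
}

# VERSION-file detector: first line of <root>/VERSION, whitespace stripped.
detect_version_file() {
  local ver
  [ -f "$1/VERSION" ] || return 1
  ver="$(head -n 1 "$1/VERSION" | tr -d '[:space:]')"
  [ -n "$ver" ] || return 1
  printf '%s\n' "$ver"
}

# Detector chain in registration order; prints "<ecosystem> <version>".
detect_project() {
  local ver
  if ver="$(detect_ruby_version "$1")"; then
    printf 'ruby %s\n' "$ver"
  elif ver="$(detect_version_file "$1")"; then
    printf 'version-file %s\n' "$ver"
  else
    return 1
  fi
}

# Constructed fixture: a minimal gem layout with a frozen VERSION constant.
make_ruby_fixture() {
  local root
  root="$(mktemp -d)" || return 1
  mkdir -p "$root/lib/my_gem"
  : > "$root/Gemfile"
  printf 'module MyGem\n  VERSION = "1.2.1".freeze\nend\n' > "$root/lib/my_gem/version.rb"
  printf '%s\n' "$root"
}

root="$(make_ruby_fixture)"
detect_project "$root"   # prints: ruby 1.2.1
rm -rf "$root"
```

The Gemfile check runs before the glob walk on purpose: a vendored or fixture version.rb in a non-Ruby tree would otherwise be taken as the project's own version, and the ordering of detectors decides which file wins when several markers are present.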

  • add st-observatory CLI for cross-repo health reports (#91)

  • allow dots in branch name validation (#93)

  • add Docker dev images and docker-test script (#96) Add Dockerfiles for Ruby, Python, Java, and Go dev containers. Add docker/build.sh to build all images locally. Add scripts/bin/docker-test for auto-detecting language and running tests inside containers. Update CLAUDE.md with Docker Dev Images documentation.

  • publish dev container images to GHCR (#98) Pin Go tool versions, add gocyclo, create docker-publish.yml workflow, expand build.sh to cover full version matrix, and document GHCR publishing in CLAUDE.md.

  • add shellcheck and markdownlint to all dev images (#110) Install shellcheck, Node.js, npm, and markdownlint-cli@0.47.0 in all four language dev images (ruby, python, java, go). This closes the gap where st-validate-local required these tools on the host PATH, breaking the Docker-is-the-only-prerequisite contract.

  • generate per-release verbose release notes files (#114) When cliff-release-notes.toml exists in the repo root, st-prepare-release now generates a per-release notes file at releases/v{version}.md alongside the compact CHANGELOG.md. The release notes use a separate git-cliff config that can include full commit bodies. Skipped silently when the config file is absent.

  • add CI quality gates for dev container images (#121) Add hadolint linting, Trivy image scanning (blocking on CRITICAL/HIGH), and build provenance attestation to the docker-publish workflow. Images are now scanned between build and push so vulnerable images never reach GHCR.

  • harden dev images with patched base packages, Node 22 LTS, shellcheck 0.11.0 (#126)

      • Add apt-get upgrade to all images to pick up base image security patches
      • Replace Debian-packaged Node.js (18.x, CVE-2025-55130 critical) with Node 22.22.0 LTS via multi-stage COPY from official node image
      • Install shellcheck 0.11.0 from GitHub release binary (Debian ships 0.9.0)
      • Pin gocyclo to v0.6.0 (was @latest)
      • Add .trivyignore for Linux kernel CVEs (irrelevant in containers)
      • Pass trivyignores to Trivy scan step in docker-publish workflow

Refactoring

  • remove --docs-only flag from st-submit-pr (#117) Remove the --docs-only argument, its implementation block, and two associated test cases from submit_pr. Update repository-standards, submit-pr reference docs, and CLAUDE.md to remove all --docs-only references.