Releases: Glyndor/.github
Release list
v1.10.0
What's Changed
- chore(deps): set an explicit Dependabot open-PR limit by @Jaro-c in #91
- chore: relicense from Apache-2.0 to MIT by @Jaro-c in #93
- docs: org profile says MIT, not Apache-2.0 by @Jaro-c in #94
- ci: pin every tool the reusables install by @Jaro-c in #95
- ci: harden the reusables against fork code and unverifiable merges by @Jaro-c in #96
- ci: three new reusables, ps1 contract coverage, and collision-free namespacing by @Jaro-c in #97
- ci(powershell): add an exclude-rules input for deliberate rule violations by @Jaro-c in #98
Full Changelog: v1.9.1...v1.10.0
v1.9.1
Fixes v1.9.0's toolchain pin on Windows runners.
rust-ci (#90)
- Pin
test-extra's shell to bash.
Why
v1.9.0 replaced the literal stable with "$TOOLCHAIN" read from env:. On a Windows runner the default shell is PowerShell, where $TOOLCHAIN reads a PowerShell variable rather than the environment — so it expanded to the empty string and rustup failed:
error: invalid value '' for '[TOOLCHAIN]...': invalid toolchain name: ''
The literal never depended on the shell, so the bug arrived with the pin. test-extra is the only job that can land on a non-Linux runner (it's the one driven by extra-test-os); the other seven are ubuntu-latest, where bash is already the default. Same approach podup's release.yml already takes for its cross-OS matrix.
Upgrade note: if any consumer lists a Windows runner in
extra-test-os, v1.9.0 is unusable for it — take v1.9.1 instead. Verified on podup, whose matrix covers macOS and Windows.
v1.9.0
Stop rust-ci from upgrading the Rust toolchain behind your back.
rust-ci (#89)
- New
toolchaininput, default"1.97", used by the seven jobs that installedstable:lint,test,test-extra,coverage,package,semveranddoc. - The
msrvjob is unchanged and keeps its ownmsrvinput — the floor a user needs to compile is a separate question from which toolchain CI builds with. - The input goes through
env:, not shell interpolation, matchingrust-fuzzand the existing MSRV step.
Why
stable moves on its own the day upstream ships a release. Rust 1.97.0 landed on 2026-07-07 and widened clippy's question_mark lint to reach code that had been fine for months; with -D warnings that is fatal. Every open pull request in podup went red on Format & lint regardless of what it touched — blocking a security fix and a release — for a change nobody made.
This is the same pinning v1.8.0 gave python-ci's ruff/pytest, for the reason stated there: an unpinned tool changes lint and test behaviour for every consumer the day a new release ships, with no per-repo buffer. The Rust lane just missed it.
Upgrade note — adoption is a no-op today.
1.97resolves torustc 1.97.0 (2d8144b78 2026-07-07), which is exactly what CI already ran. Consumers get the compiler they already have and simply stop drifting. To adopt a newer toolchain, bump the pin here and cut a release: each repo then takes it deliberately, sees which lints it gained, and fixes them on its own schedule. Passtoolchain:to override per repo.
v1.8.0
Give shell-ci a test lane, close a main-guard bypass, and stop python-ci from tracking latest.
shell-ci (#87)
- New
test-commandinput runs the repository's own shell test suite after the lint job;apt-packagesinstalls whatever that suite needs. - The lane is skipped entirely when
test-commandis empty, so existing callers are unaffected.
main-guard (#87)
- Require the pull request head to live in this repository, not just to be named
develop. The branch name alone is forgeable — a fork can name any branchdevelopand satisfy the old check.
python-ci (#87)
ruff-versionandpytest-versionnow default to pins (0.12.0/8.4.0) instead of the empty "use latest" value. An unpinned tool changes lint and test behaviour for every Python consumer the day a new release ships, with no per-repo buffer.- Only enable pip caching when a dependency file actually exists —
cache: pipfailed outright on repos without one.
Concurrency (#87)
bun-ci,go-audit,go-ci,go-fuzz,python-ci,rust-audit,rust-ci,rust-fuzz,rust-supply-chainandshell-cinow key their concurrency group onworking-directory. Two directories in the same repo no longer cancel each other's runs.
Repo-local (no consumer impact)
- Run the DCO gate on this repository's own pull requests (#78).
- Retire the
profile-versionsbot (#84); refresh and restructure the org profile (#83, #85, #88); trim the README (#77).
Upgrade note:
python-ciconsumers that relied on the previous "empty = latest" default now get the pins above. Passruff-version/pytest-versionexplicitly to override, and bump the pins through a new.githubrelease so the change is reviewable per repo.
v1.7.0
Harden the reusable CI gates and bootstrap the repo's own license/ownership.
Reusable CI gates (#76)
- rust-ci: build/test and clippy now run with
--locked, so a driftedCargo.lockfails the PR. - rust-audit:
cargo audit --deny warnings— unmaintained, unsound and yanked advisories now fail, not just vulnerabilities. - rust-supply-chain: collect workspace-member SBOMs with a recursive glob.
- line-limit: stop counting Rust attributes (
#[...]) as comments. - shell-ci: also lint extensionless scripts with a shell shebang.
- profile-versions: drop the unused
pull-requestsgrant, add a concurrency group. - rust-fuzz/go-fuzz: pass caller inputs through
env:instead of shell interpolation.
Repo bootstrap (#75)
- Add the Apache-2.0
LICENSEand aCODEOWNERS.
rust-debian (#74)
- Split the offline cargo args without tripping shellcheck SC2086.
Upgrade note: the stricter Rust gates (
--locked,--deny warnings) can newly fail a consumer whoseCargo.lockhas drifted or that carries warning-class advisories. Bump deliberately and fix what surfaces.
v1.6.0
Add actionlint self-CI for the reusables. Fix shellcheck findings in python-ci and rust-debian (quoting/glob robustness; no behaviour change). Consumers' Dependabot will bump the SHA pin to this release.
v1.5.0
Bump pinned actions in the reusables (setup-go v6.5.0, setup-python v6.3.0, actions/cache v6.0.0). Additive editorconfig + .gitignore hygiene. Consumers' Dependabot will bump the SHA pin to this release.
v1.4.0
v1.3.0
Added
go-audit.ymlreusable — Go security audit (govulncheck + gosec), the counterpart torust-audit.yml. Tools run viago install(no third-party actions); Go version read from the caller's go.mod.
v1.2.0
feat(line-limit): the file-size check counts code lines only — blank lines and comment-only lines (including the required public-item doc comments) no longer count toward the 300/500 limit. Backward-compatible relaxation (code lines ≤ total). Consumers: bump the pinned line-limit.yml SHA via Dependabot.