v4.0.3

4.0.3 (2026-06-29)

Bug Fixes

• make Dependabot auto-merge match modern gh and indirect deps (1e7e5d8)

v4.0.2

4.0.2 (2026-06-29)

Bug Fixes

• merge: grant statuses:read for the legacy commit-status rollup (3bbf3b3)

v4.0.1

4.0.1 (2026-06-29)

Bug Fixes

• merge: grant checks:read so ff-merge can read the check-run rollup (5a651ab)

v4.0.0

4.0.0 (2026-06-29)

⚠ BREAKING CHANGES

• callers must now grant pages: write. GitHub resolves a reusable workflow's permissions as the union of every job and ignores if:, so the docs job's pages:write is required even on repos without a zensical.toml or the run fails at startup. Add pages: write to the caller's permissions block (see examples/release.yaml). Consuming repos should also delete their inline docs job and set Settings -> Pages -> Source -> GitHub Actions.

Features

• build and publish Zensical docs to Pages on release (c619e32)

v3.2.1

3.2.1 (2026-06-29)

Bug Fixes

• ci: verify committed dist/ after build; drop redundant npm ci (aaa75ed)
• release: verify dist/ in CI, not after the release is cut (f68fb68)

v3.2.0

3.2.0 (2026-06-28)

Features

• ci: set up uv when a pyproject.toml exists (53a25ac)
• release: expose release-please outputs to callers (e0317e4)

Bug Fixes

• release: drop ${{ }} braces from a workflow_call output description (e148d2c)

v3.1.0

3.1.0 (2026-06-28)

Features

• ci: add coverage input to make Codecov upload optional (0c184d2)
• close linked issues on fast-forward merge (554c035)

v3.0.0

3.0.0 (2026-06-24)

⚠ BREAKING CHANGES

• consuming repos must update their callers. merge.yaml callers drop the pull_request(labeled) and pull_request_review triggers and add the new required merge-review-ack.yaml companion (kept in the workflow_run list) — without it, approvals no longer trigger auto-merge (only /merge or the scheduled sweep do). dependabot-merge.yaml callers drop the pull_request_target trigger. Hand-adding the auto-merge label no longer attempts a merge immediately; it arms and the merge happens on the next workflow_run or scheduled sweep.

Features

• release: author the release as a GitHub App via optional app-client-id (19e0245)
• route auto-merge through events that add no PR checks (76308d7)

v2.0.0

2.0.0 (2026-06-21)

⚠ BREAKING CHANGES

• the reusable workflow moved from .github/workflows/codeql.yaml to .github/workflows/security.yaml. Consumers must update their caller's uses: from bitwise-media-group/github-workflows/.github/workflows/codeql.yaml@ to .../security.yaml@.
• auto-merge.yaml is removed; its behaviour now lives in merge.yaml (wire the four auto-merge triggers on the caller). merge.yaml no longer accepts a pr-number input (it resolves the PR from the event), and the auto-merge arming comment input is now 'arm-command' (was 'command'). Consumers pinned @v1 are unaffected until they move to @v2.
• the per-language workflow files are removed. Consumers must repoint uses: to ci.yaml/codeql.yaml/release.yaml@v2, provide the canonical Makefile targets (stubbing N/A ones as no-ops), and set vanity-tags: true to keep the floating major tag.

Features

• add a languages override and opt-in zizmor scan to the CodeQL workflow (ba40cbc)
• fold auto-merge into the merge workflow (6497957)
• generalize ci/codeql/release into language-agnostic workflows (bf13819)
• rename reusable codeql workflow to security, standardise names (75ae004)

Bug Fixes

• harden reusable workflow security posture (7f4724a)
• merge: do not cancel pending ff-merge events (048f8c2)
• merge: request workflows scope so ff-merge can push workflow-file changes (7ac5ca8)
• release-go: re-pin release-please-action to its current v5.0.0 commit (dfa6330)

v1.1.0

1.1.0 (2026-06-16)

Features

• dependabot: add reusable auto-approve + fast-forward merge workflow (34378a4)
• merge: add reusable auto-merge workflow (a090028)

Bug Fixes

• auto-merge: gate merge-on-review to same-repo PRs (forks lack pull_request_review secrets) (00e5e3f)
• auto-merge: mint app token in arm job so callers keep permissions: {} (94f22f4)