v1.10.6-rc.2

🚀 What's Changed

📋 Commits since v1.10.4:

• feat(scripts): add sync-gitignore.py for managed ignore block across repos (1e106b5)
• chore(gitignore): sync managed ignore block (64f69dc)
• fix(ci): handle missing artifacts dir in reusable-release cleanup step (aac93cb)
• fix(ci): update jdfalk/* action pins to current SHAs (fe1e308)
• feat(ci): add reusable-ci-minimal workflow with manual cache (cf20689)
• docs(config): default packages.registries to false; annotate github: true risk (e9e5ec4)
• fix(scaffold): default docker base to ubuntu:22.04 + drop --break-system-packages (ed36e5b)
• fix(release): replace secrets-in-if with env-bridge guard step (dd8fae1)
• fix(release): pass GH_TOKEN to Publish-to-GitHub-Packages step (dac2f69)
• deps(deps): bump the dependencies group with 7 updates (96c132f)
• feat(scaffold): add --with-docker, --with-reusable-workflows, --with-{changelog,todo,claudemd} (e94e3e9)
• fix(release): skip app-token mint when CI_APP_ID is unset; add migrate-loop (c46f978)
• fix(bootstrap): quote dependabot schedule.time; clear interaction-limits (d413e65)
• chore: register 26 action repos in bootstrap registry (83d2981)
• chore: register magnet-handler bootstrap; gitignore Claude local settings (4be3e97)
• fix(bootstrap-repo): replace mapfile with bash 3.2-compatible read loop (ec6ba08)
• feat(bootstrap-repo): add cli flavor and adopted-repos registry (458d4a7)
• fix(bootstrap-repo): correct sync script invocations after dry-run (4dbc211)
• feat: add bootstrap-repo skill (80f40c1)
• deps(deps-dev): bump the dependencies group with 2 updates (ef2f775)
• feat(release): mint App token in Build Go job for workflow-touching tags (9796749)
• fix(scripts): open manifest URL in private window to dodge EMU sessions (e06855e)
• fix(scripts): user-owned GitHub Apps can't be private (452f95e)
• feat(scripts): setup-ci-app.sh — one-shot GitHub App creator (c99e337)
• feat(release): keep 5 most recent RC prereleases on stable cleanup (f9633c8)
• fix(release): clean up superseded drafts/RCs on stable cuts (9719257)
• fix(release): also strip GoReleaser metadata from release assets (6b32d20)
• feat(release): add previous-version override for changelog diffing (659c291)
• fix(release): correct changelog diff base + remove frontend JS from assets (ea8b522)
• chore: update gha-release-* composite action SHAs for Node.js 24 (7d1de69)
• deps(deps): bump super-linter/super-linter in the dependencies group (492da20)
• fix: remove empty artifact files before GitHub release upload (609558c)
• fix: remove Windows builds, skip empty release assets (959c35e)
• fix(ci): remove conflicting allow-licenses from dependency-review-config (3d89ccc)
• fix(security): pin all workflow action references to SHA hashes (86e7797)
• deps(deps): bump the dependencies group across 1 directory with 15 updates (83352d4)
• fix: resolve shellcheck warnings and CI lint issues (06d833f)

🎯 Release Information

• Branch: main
• Release Type: prerelease
• Primary Language: unknown

⚠️ This is a pre-release version - use for testing purposes.

Release Assets

This release includes organized packages for easy consumption:

Binaries

Pre-built binaries for multiple platforms with SHA256 checksums:

• Linux: *-linux-amd64, *-linux-arm64
• macOS: *-darwin-amd64, *-darwin-arm64

Each binary includes a .sha256 checksum file for verification.

SDKs

• Go SDK: *-go-sdk.tar.gz / *-go-sdk.zip
• Python SDK: *-python-sdk.tar.gz / *-python-sdk.zip

Documentation

• API Documentation: *-docs.tar.gz / *-docs.zip

See MANIFEST.md in the release assets for a complete list of all files and their sizes.

---

Generated automatically from commit 1e106b5

v1.10.6-rc.1

🚀 What's Changed

📋 Commits since v1.10.4:

• chore(gitignore): sync managed ignore block (64f69dc)
• fix(ci): handle missing artifacts dir in reusable-release cleanup step (aac93cb)
• fix(ci): update jdfalk/* action pins to current SHAs (fe1e308)
• feat(ci): add reusable-ci-minimal workflow with manual cache (cf20689)
• docs(config): default packages.registries to false; annotate github: true risk (e9e5ec4)
• fix(scaffold): default docker base to ubuntu:22.04 + drop --break-system-packages (ed36e5b)
• fix(release): replace secrets-in-if with env-bridge guard step (dd8fae1)
• fix(release): pass GH_TOKEN to Publish-to-GitHub-Packages step (dac2f69)
• deps(deps): bump the dependencies group with 7 updates (96c132f)
• feat(scaffold): add --with-docker, --with-reusable-workflows, --with-{changelog,todo,claudemd} (e94e3e9)
• fix(release): skip app-token mint when CI_APP_ID is unset; add migrate-loop (c46f978)
• fix(bootstrap): quote dependabot schedule.time; clear interaction-limits (d413e65)
• chore: register 26 action repos in bootstrap registry (83d2981)
• chore: register magnet-handler bootstrap; gitignore Claude local settings (4be3e97)
• fix(bootstrap-repo): replace mapfile with bash 3.2-compatible read loop (ec6ba08)
• feat(bootstrap-repo): add cli flavor and adopted-repos registry (458d4a7)
• fix(bootstrap-repo): correct sync script invocations after dry-run (4dbc211)
• feat: add bootstrap-repo skill (80f40c1)
• deps(deps-dev): bump the dependencies group with 2 updates (ef2f775)
• feat(release): mint App token in Build Go job for workflow-touching tags (9796749)
• fix(scripts): open manifest URL in private window to dodge EMU sessions (e06855e)
• fix(scripts): user-owned GitHub Apps can't be private (452f95e)
• feat(scripts): setup-ci-app.sh — one-shot GitHub App creator (c99e337)
• feat(release): keep 5 most recent RC prereleases on stable cleanup (f9633c8)
• fix(release): clean up superseded drafts/RCs on stable cuts (9719257)
• fix(release): also strip GoReleaser metadata from release assets (6b32d20)
• feat(release): add previous-version override for changelog diffing (659c291)
• fix(release): correct changelog diff base + remove frontend JS from assets (ea8b522)
• chore: update gha-release-* composite action SHAs for Node.js 24 (7d1de69)
• deps(deps): bump super-linter/super-linter in the dependencies group (492da20)
• fix: remove empty artifact files before GitHub release upload (609558c)
• fix: remove Windows builds, skip empty release assets (959c35e)
• fix(ci): remove conflicting allow-licenses from dependency-review-config (3d89ccc)
• fix(security): pin all workflow action references to SHA hashes (86e7797)
• deps(deps): bump the dependencies group across 1 directory with 15 updates (83352d4)
• fix: resolve shellcheck warnings and CI lint issues (06d833f)

🎯 Release Information

• Branch: main
• Release Type: prerelease
• Primary Language: unknown

⚠️ This is a pre-release version - use for testing purposes.

Release Assets

This release includes organized packages for easy consumption:

Binaries

Pre-built binaries for multiple platforms with SHA256 checksums:

• Linux: *-linux-amd64, *-linux-arm64
• macOS: *-darwin-amd64, *-darwin-arm64

Each binary includes a .sha256 checksum file for verification.

SDKs

• Go SDK: *-go-sdk.tar.gz / *-go-sdk.zip
• Python SDK: *-python-sdk.tar.gz / *-python-sdk.zip

Documentation

• API Documentation: *-docs.tar.gz / *-docs.zip

See MANIFEST.md in the release assets for a complete list of all files and their sizes.

---

Generated automatically from commit 64f69dc

v1.10.5

Draft release for v1.10.5 — will be published when ready.

Latest RC: v1.10.5-rc.7

🚀 What's Changed

📋 Commits since v1.10.5-rc.6:

• chore: update gha-release-* composite action SHAs for Node.js 24 (7d1de69)

🎯 Release Information

• Branch: main
• Release Type: prerelease
• Primary Language: unknown

⚠️ This is a pre-release version - use for testing purposes.

v1.10.5-rc.7

🚀 What's Changed

📋 Commits since v1.10.5-rc.6:

• chore: update gha-release-* composite action SHAs for Node.js 24 (7d1de69)

🎯 Release Information

• Branch: main
• Release Type: prerelease
• Primary Language: unknown

⚠️ This is a pre-release version - use for testing purposes.

Release Assets

This release includes organized packages for easy consumption:

Binaries

Pre-built binaries for multiple platforms with SHA256 checksums:

• Linux: *-linux-amd64, *-linux-arm64
• macOS: *-darwin-amd64, *-darwin-arm64

Each binary includes a .sha256 checksum file for verification.

SDKs

• Go SDK: *-go-sdk.tar.gz / *-go-sdk.zip
• Python SDK: *-python-sdk.tar.gz / *-python-sdk.zip

Documentation

• API Documentation: *-docs.tar.gz / *-docs.zip

See MANIFEST.md in the release assets for a complete list of all files and their sizes.

---

Generated automatically from commit 7d1de69

v1.10.5-rc.6

🚀 What's Changed

📋 Commits since v1.10.5-rc.5:

• deps(deps): bump super-linter/super-linter in the dependencies group (492da20)

🎯 Release Information

• Branch: main
• Release Type: prerelease
• Primary Language: unknown

⚠️ This is a pre-release version - use for testing purposes.

Release Assets

This release includes organized packages for easy consumption:

Binaries

Pre-built binaries for multiple platforms with SHA256 checksums:

• Linux: *-linux-amd64, *-linux-arm64
• macOS: *-darwin-amd64, *-darwin-arm64

Each binary includes a .sha256 checksum file for verification.

SDKs

• Go SDK: *-go-sdk.tar.gz / *-go-sdk.zip
• Python SDK: *-python-sdk.tar.gz / *-python-sdk.zip

Documentation

• API Documentation: *-docs.tar.gz / *-docs.zip

See MANIFEST.md in the release assets for a complete list of all files and their sizes.

---

Generated automatically from commit 492da20

v1.10.5-rc.5

🚀 What's Changed

📋 Commits since v1.10.5-rc.4:

• fix: remove empty artifact files before GitHub release upload (609558c)

🎯 Release Information

• Branch: main
• Release Type: prerelease
• Primary Language: unknown

⚠️ This is a pre-release version - use for testing purposes.

Release Assets

This release includes organized packages for easy consumption:

Binaries

Pre-built binaries for multiple platforms with SHA256 checksums:

• Linux: *-linux-amd64, *-linux-arm64
• macOS: *-darwin-amd64, *-darwin-arm64

Each binary includes a .sha256 checksum file for verification.

SDKs

• Go SDK: *-go-sdk.tar.gz / *-go-sdk.zip
• Python SDK: *-python-sdk.tar.gz / *-python-sdk.zip

Documentation

• API Documentation: *-docs.tar.gz / *-docs.zip

See MANIFEST.md in the release assets for a complete list of all files and their sizes.

---

Generated automatically from commit 609558c

v1.10.5-rc.4

🚀 What's Changed

📋 Commits since v1.10.5-rc.3:

• fix: remove Windows builds, skip empty release assets (959c35e)

🎯 Release Information

• Branch: main
• Release Type: prerelease
• Primary Language: unknown

⚠️ This is a pre-release version - use for testing purposes.

Release Assets

This release includes organized packages for easy consumption:

Binaries

Pre-built binaries for multiple platforms with SHA256 checksums:

• Linux: *-linux-amd64, *-linux-arm64
• macOS: *-darwin-amd64, *-darwin-arm64

Each binary includes a .sha256 checksum file for verification.

SDKs

• Go SDK: *-go-sdk.tar.gz / *-go-sdk.zip
• Python SDK: *-python-sdk.tar.gz / *-python-sdk.zip

Documentation

• API Documentation: *-docs.tar.gz / *-docs.zip

See MANIFEST.md in the release assets for a complete list of all files and their sizes.

---

Generated automatically from commit 959c35e

v1.10.5-rc.3

🚀 What's Changed

📋 Commits since v1.10.5-rc.2:

• fix(ci): remove conflicting allow-licenses from dependency-review-config (3d89ccc)
• fix(security): pin all workflow action references to SHA hashes (86e7797)

🎯 Release Information

• Branch: main
• Release Type: prerelease
• Primary Language: unknown

⚠️ This is a pre-release version - use for testing purposes.

Release Assets

This release includes organized packages for easy consumption:

Binaries

Pre-built binaries for multiple platforms with SHA256 checksums:

• Windows: *-windows-amd64.exe, *-windows-arm64.exe
• Linux: *-linux-amd64, *-linux-arm64
• macOS: *-darwin-amd64, *-darwin-arm64

Each binary includes a .sha256 checksum file for verification.

SDKs

• Go SDK: *-go-sdk.tar.gz / *-go-sdk.zip
• Python SDK: *-python-sdk.tar.gz / *-python-sdk.zip

Documentation

• API Documentation: *-docs.tar.gz / *-docs.zip

See MANIFEST.md in the release assets for a complete list of all files and their sizes.

---

Generated automatically from commit 3d89ccc

v1.10.4

v1.10.4

Breaking Changes

• Release sub-workflows removed — release-go.yml, release-python.yml, release-rust.yml, release-frontend.yml, release-docker.yml, release-protobuf.yml, and reusable-protobuf.yml have been replaced by external composite actions. If your repo references these workflows directly, update to the new actions (see migration guide below).

New Versioning Strategy

Every commit to main now creates a pre-release RC tag (e.g. v1.10.4-rc.1) instead of a full stable release. This prevents infinite update loops between ghcommon and consumer repos.

How it works:

• Push to main → v1.10.4-rc.N pre-release + draft v1.10.4 release
• Dependabot ignores pre-releases, breaking the update loop
• When ready, publish the draft → on-release-published.yml updates floating tags (v1, v1.10)
• Manual workflow_dispatch with stable: true creates a full release directly

Trivy Removal

All Trivy references have been removed from workflows, scripts, agent definitions, and configuration files following the Trivy supply chain compromise. Security scanning now relies on CodeQL, dependency review, gosec, bandit, and npm audit.

Composite Action Migration

Release sub-workflows have been replaced with standalone composite actions in separate repos. This eliminates reusable workflow nesting limits and the self-referencing SHA problem.

Old workflow	New action	Version
release-go.yml	jdfalk/gha-release-go	v1.0.1
release-python.yml	jdfalk/gha-release-python	v1.0.1
release-rust.yml	jdfalk/gha-release-rust	v1.0.1
release-frontend.yml	jdfalk/gha-release-frontend	v1.0.1
release-docker.yml	jdfalk/gha-release-docker	v1.0.1
release-protobuf.yml + reusable-protobuf.yml	jdfalk/gha-release-protobuf	v1.0.2

Language Detection Improvements

Updated detect-languages-action to v1.1.5 with more accurate detection:

• Protobuf: Requires buf.gen.yaml to exist, not just .proto files
• Python: Requires setup.py or pyproject.toml, not just requirements.txt
• Frontend: Requires actual source files (src/index.js, etc.), not just package.json for tooling
• Go: Removed false positive from bare cmd/ directory
• Matrix versions: Go 1.24, Python 3.13, Rust stable

SHA Pinning

• All action references across ghcommon and downstream action repos are now pinned to full commit SHAs
• actions/setup-python@v6 pinned in security-summary composite action
• All ghcommon script checkout ref: values use commit SHAs instead of main or v1 tags

All Changes

• feat: switch to RC pre-release versioning strategy
• refactor: replace release sub-workflows with composite actions
• fix: add permissions to release.yml, replace all tag refs with SHAs
• fix: update gha-release-* actions to v1.0.1 with SHA-pinned deps
• fix: update detect-languages-action to v1.1.5
• fix: call reusable-protobuf directly to avoid 4-level nesting limit
• fix: use external ref for nested reusable workflow in release-protobuf
• Remove Trivy - compromised supply chain
• fix: update self-referencing pins to latest main

For Consumer Repos

If your repo calls jdfalk/ghcommon/.github/workflows/reusable-release.yml, update your SHA pin to this release:

uses: jdfalk/ghcommon/.github/workflows/reusable-release.yml@378e23a  # v1.10.4

The release.yml caller now supports a stable input for manual stable releases:

workflow_dispatch:
  inputs:
    stable:
      description: 'Publish a stable (non-RC) release directly'
      type: boolean
      default: false