Releases: kdeldycke/repomatic

v6.14.0

20 Apr 22:37
Immutable release. Only release title and notes can be modified.

Note

6.14.0 is available on 🐍 PyPI and 🐙 GitHub.

  • Add Sphinx documentation site with Furo theme and MyST-Parser. Splits the monolithic readme.md (1139 lines) into focused pages: installation, configuration reference (auto-generated from Config dataclass docstrings), CLI parameters (auto-generated via click_extra.sphinx), reusable workflow reference, security practices, Claude Code skills, and a tool runner tutorial covering the 4-level config precedence chain, available tools, [tool.X] bridge, binary caching, and version overrides. Deployed to GitHub Pages via the existing docs.yaml workflow.
  • Add repomatic.myst_docstrings Sphinx extension and repomatic.myst_converter utility module. The extension hooks into autodoc-process-docstring to convert MyST markdown in Python docstrings to reST at Sphinx build time, so sphinx.ext.autodoc works without modification. Supports colon-fenced and backtick-fenced directives (:::{note} and ```{note}), cross-references with hyphenated names (like {eval-rst}, {code-block}), markdown links, and inline code. The converter is a standalone migration utility that rewrites Python source files from reST to MyST in place. Both are idempotent.
  • Add --sort-by option to show-config, metadata --list-keys, run --list, and cache show commands via click-extra 7.11.0's SortByOption. Each command defaults to a natural sort column and accepts any column name.
  • Add incremental mode to the brand-assets skill. When base SVGs already exist, skip the design exploration menu and proceed directly: scan existing assets, identify gaps against the four expected variants, create missing SVGs and PNGs, and wire new assets into docs/conf.py.
  • Add check_stale_gh_pages_branch lint check and setup guide instructions for deleting leftover gh-pages branches after switching to GitHub Actions deployment.
  • Fix Matrix.prune() keeping exclude directives that reference keys absent from the matrix axes. GitHub Actions rejects these with "Matrix exclude key does not match any key within the matrix". Affects downstream projects whose [tool.repomatic.test-matrix] config defines variations and exclude entries referencing those axes: the PR matrix (which omits variations) retained the stale excludes.
  • Fix setup guide Pages step: treat None (unconfigured) as incomplete for Sphinx projects so the issue reopens with the Pages setup step, and add both POST (first-time enable) and PUT (update existing) commands to the template. Previously, check_pages_deployment_source returning None was treated as passing, and the template assumed Pages was already enabled.
  • Fix sponsor-label workflow job missing actions/checkout step in labels.yaml, causing the job to fail.

Full changelog: v6.13.0...v6.14.0


🛡️ VirusTotal scans

Binary Detections Analysis
repomatic-6.14.0-linux-arm64.bin 0 / 64 View scan
repomatic-6.14.0-linux-x64.bin 0 / 65 View scan
repomatic-6.14.0-macos-arm64.bin 4 / 63 View scan
repomatic-6.14.0-macos-x64.bin 2 / 64 View scan
repomatic-6.14.0-windows-arm64.exe 2 / 67 View scan
repomatic-6.14.0-windows-x64.exe 24 / 71 View scan

v6.13.0

15 Apr 09:15
Immutable release. Only release title and notes can be modified.

Note

6.13.0 is available on 🐍 PyPI and 🐙 GitHub.

  • Add nuitka.entry-points config option to select which [project.scripts] entries produce Nuitka binaries. When unset, deduplicates by callable target: keeps the first entry point for each unique module:callable pair, so alias entry points (like both mpm and meta-package-manager pointing to the same function) don't produce duplicate binaries.
  • Add two-phase VirusTotal scanning: phase 1 uploads binaries and writes an initial table with scan links (binary names link to their GitHub release download URLs), phase 2 (--poll) polls for analysis completion and replaces the table with a Detections column showing flagged / total engine counts. The workflow uses two sequential steps so users see scan links immediately while detection stats populate asynchronously.
  • Add av-false-positive skill to scan release binaries on VirusTotal and generate per-vendor false-positive submission files for flagged artifacts. Derives project metadata (name, license, maintainer, URLs) from pyproject.toml and git config instead of hardcoding.
  • Add update-checksums.yaml workflow that triggers on Renovate pushes to renovate/** branches modifying repomatic/tool_runner.py. Downloads each binary tool at its new version, computes the SHA-256, and commits corrected checksums to the PR branch. Works around renovatebot/renovate#42263 where postUpgradeTasks silently drops changes to the same file the regex manager updated.
  • Include release notes for all intermediate versions in sync-uv-lock PR bodies. When a package jumps from 11.0.3 to 11.0.5, both 11.0.4 and 11.0.5 release notes are shown.
  • Config include entries now bypass RepoScope filtering, matching the behavior of explicit CLI component naming. include = ["skills"] in a non-awesome repository produces all skills including awesome-only ones; qualified entries like include = ["skills/awesome-triage"] implicitly select the parent component. Scope-bypassed components fall through to config-key and file-level checks instead of being unconditionally skipped.
  • Add baseline criteria for GitHub repositories in awesome list contributing guidelines: minimum 50 stars, not archived, and updated within 3 years. Includes exceptions for static resources and high-adoption archived repos.
  • Add --min-savings-bytes option to format-images (default 1024 bytes). Skips optimized files where the absolute byte savings are negligible, preventing noisy diffs for tiny images where even a high percentage represents minimal actual reduction.
  • Add cross-platform binary support for all tools in the registry. actionlint, biome, gitleaks, labelmaker, lychee, shfmt, and typos now ship binaries for macOS (arm64, x64), Linux (arm64, x64), and Windows (x64) where upstream releases are available. Add ZIP archive extraction and per-platform archive format overrides to BinarySpec. Replace hand-rolled OS/arch detection in _get_platform_key() with extra-platforms' current_platform() and current_architecture(), and replace string platform keys with PlatformKey tuples ((Platform | Group, Architecture)) for richer detection heuristics.
  • Add a progress bar during binary tool downloads when the server provides a Content-Length header. Displays on interactive terminals only; silent in CI.
  • Add two-layer integrity model for cached binaries. The archive checksum from the registry is verified at download time. After extraction, a .sha256 sidecar file is written next to the binary and checked on every subsequent cache hit, defending against local cache tampering between runs.
  • Enable [tool.actionlint] bridge support. actionlint config from pyproject.toml is now translated to YAML and written to .github/actionlint.yaml at invocation time (CWD-discovery, cleaned up after the run).
  • Cache downloaded tool binaries across CI runs with actions/cache. Each workflow job that invokes a binary tool (actionlint, biome, gitleaks, labelmaker, lychee, shfmt, typos) restores from a per-tool cache key scoped to OS, architecture, and tool registry hash.
  • Replace peaceiris/actions-gh-pages with GitHub's native actions/upload-pages-artifact + actions/deploy-pages for Sphinx documentation deployment. Add a lint-repo check and setup guide step that verify the repository's Pages source is set to "GitHub Actions" instead of branch-based deployment.
  • Add benchmark-update skill to create and maintain competitive benchmark pages (docs/benchmark.md) comparing projects against alternatives. Supports audit, init, add, and refresh-badges modes.
  • Add upstream-audit skill to create and maintain upstream contribution tracking pages (docs/upstream.md). Discovers merged PRs, reported issues, workarounds, and declined features across dependencies. Supports audit, init, refresh, and sync-git modes.
  • Restructure Config to use nested dataclasses (CacheConfig, DependencyGraphConfig, DocsConfig, GitignoreConfig, LabelsConfig, TestPlanConfig, WorkflowConfig) with click_extra.config_path metadata. Config fields are now accessed as config.cache.dir instead of config.cache_dir. The [tool.repomatic] TOML key structure is unchanged. Eliminates the _NESTED_PREFIXES mapping in favor of click-extra's schema-aware dataclass instantiation.
  • Upgrade macOS Intel runner from macos-15-intel to macos-26-intel across binary builds, test matrix, and Nuitka compilation.
  • Run lint-repo workflow job on all repositories, not just Python projects. Generic checks (funding file, stale draft releases, tag protection rules, fork PR approval policy, workflow permissions, PAT checks) were being skipped on non-Python repos like awesome lists.
  • Centralize GitHub token resolution in run_gh_command: priority is REPOMATIC_PAT > GH_TOKEN > GITHUB_TOKEN, with automatic fallback to GITHUB_TOKEN on 401 Bad Credentials (expired or revoked PAT). The --has-pat flag on setup-guide and lint-repo auto-detects from the REPOMATIC_PAT environment variable when not specified, replacing the HAS_REPOMATIC_PAT env var. Normalize all workflow token references to GH_TOKEN with github.token as the default, and fix missing GH_TOKEN in sync-dev-release, sponsor-label, setup-guide, lint-repo, check-renovate, and scan-virustotal workflow steps.
  • Fix exclude-newer-package handling in pyproject.toml: remove orphaned comments when the section is fully pruned, and fix inline table rendering to produce pyproject-fmt-compatible formatting (tomlkit's InlineTable.append() left malformed whitespace: doubled spaces after commas, missing inner-brace spaces).
  • Add pre-flight shutil.which check in run_exiftool for a clear error when exiftool is not installed, instead of a bare FileNotFoundError. Verify exiftool is on PATH after choco install in the Windows binary build step, catching silent Chocolatey CDN failures.
  • Create parent directories for --output file paths in repomatic run, fixing lychee Cannot write status output to file errors when the output directory doesn't exist.
  • Sanitize @mentions, #issue references, and github.com URLs in Lychee and Sphinx linkcheck output before embedding in the broken links GitHub issue body. Reuses the same zero-width space sanitization already applied to upstream release notes in sync-uv-lock PR bodies.
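The two-layer integrity model for cached binaries described above, as an added example (not repomatic's own code). The function names, the ZIP layout, the sample payload and the purge-and-re-download reaction to a failed cache check are assumptions.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

MEMBER = "tool-1.0/bin/tool"  # constructed archive member name


class IntegrityError(Exception):
    """Raised when a downloaded archive does not match the registry checksum."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sidecar_path(binary: Path) -> Path:
    # The sidecar sits next to the binary: tool -> tool.sha256
    return binary.with_name(binary.name + ".sha256")


def install_from_archive(archive: bytes, registry_sha256: str,
                         member: str, cache_dir: Path) -> Path:
    """Layer 1: verify the archive at download time, then extract it."""
    actual = sha256_hex(archive)
    if actual != registry_sha256.lower():
        raise IntegrityError(f"archive checksum mismatch: got {actual}")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        payload = zf.read(member)
    cache_dir.mkdir(parents=True, exist_ok=True)
    # Keep only the final path component so a hostile member name
    # cannot write outside the cache directory.
    binary = cache_dir / Path(member).name
    binary.write_bytes(payload)
    # Record the digest of the extracted binary for later cache hits.
    sidecar_path(binary).write_text(sha256_hex(payload) + "\n")
    return binary


def verify_cached(binary: Path) -> bool:
    """Layer 2: on a cache hit, re-hash the binary and compare to the sidecar."""
    sidecar = sidecar_path(binary)
    if not binary.is_file() or not sidecar.is_file():
        return False
    return sidecar.read_text().strip() == sha256_hex(binary.read_bytes())


def get_binary(fetch, registry_sha256: str, member: str, cache_dir: Path):
    """Return (path, status). `fetch` is a callable returning the archive bytes."""
    binary = cache_dir / Path(member).name
    status = "downloaded"
    if binary.exists():
        if verify_cached(binary):
            return binary, "cache-hit"
        # Assumed reaction: drop the untrusted entry and fetch again.
        binary.unlink(missing_ok=True)
        sidecar_path(binary).unlink(missing_ok=True)
        status = "re-downloaded"
    return install_from_archive(fetch(), registry_sha256, member, cache_dir), status


def build_sample_archive() -> bytes:
    """Constructed stand-in for an upstream release archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MEMBER, b"#!/bin/sh\necho constructed sample\n")
    return buf.getvalue()


def demo() -> list:
    archive = build_sample_archive()
    digest = sha256_hex(archive)  # plays the role of the registry checksum
    statuses = []
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "cache"
        for tamper in (False, False, True):
            if tamper:
                (cache / "tool").write_bytes(b"modified between runs")
            statuses.append(get_binary(lambda: archive, digest, MEMBER, cache)[1])
    return statuses


if __name__ == "__main__":
    print(demo())
```

The sidecar catches a binary that changed without its `.sha256` file changing; because both files live in the same directory, the check is only as strong as the write permissions on that directory.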

Full changelog: v6.12.0...v6.13.0


🛡️ VirusTotal scans

Binary Detections Analysis
repomatic-6.13.0-linux-arm64.bin 0 / 54 View scan
repomatic-6.13.0-linux-x64.bin 0 / 65 View scan
repomatic-6.13.0-macos-arm64.bin 3 / 63 View scan
repomatic-6.13.0-macos-x64.bin 1 / 62 View scan
repomatic-6.13.0-windows-arm64.exe 2 / 65 View scan
repomatic-6.13.0-windows-x64.exe 20 / 70 View scan

v6.12.0

13 Apr 07:45
Immutable release. Only release title and notes can be modified.

Note

6.12.0 is available on 🐍 PyPI and 🐙 GitHub.

  • Add repomatic cache subcommands (show, clean, path) and a global binary cache for downloaded tool executables under ~/Library/Caches/repomatic on macOS and ~/.cache/repomatic on Linux. Cached binaries are re-verified against their registry SHA-256 checksum on every use; stale entries are auto-purged after 30 days (configurable via REPOMATIC_CACHE_MAX_AGE). Add --no-cache to repomatic run to bypass the cache.
  • Add HTTP response cache for PyPI metadata (24h TTL) and GitHub release bodies (24h for all-releases, 7d for single-release) to avoid redundant API calls across changelog, sync-uv-lock, and sync-github-releases invocations. Add --namespace to repomatic cache clean for targeted cleanup.
  • Route generated tool configs through the cache directory (~/.cache/repomatic/config/{tool}/{filename}) instead of /tmp or the repository root. Tools with a --config flag now receive an explicit --config <cache_path> argument, making repomatic's involvement visible in logs and eliminating cleanup issues from interrupted runs. .editorconfig serialization for CWD-discovery tools like shfmt now translates [tool.X] sections from pyproject.toml and writes the result to the cache. Tools without a --config flag (mdformat, shfmt) remain CWD-discovery exceptions.
  • Add --version, --checksum, and --skip-checksum options to repomatic run to override the pinned tool version and SHA-256 verification at invocation time.
  • Add structured logging to repomatic run. --verbosity INFO reports the config precedence level, full command line, and exit code. --verbosity DEBUG adds the parsed [tool.X] content and translated config file details.
  • Add skills.location config option to override the Claude Code skills directory. Defaults to ./.claude/skills/; useful for repos where .claude/ is not at the root.
  • Add changelog.location config option to override the changelog file path. Defaults to ./changelog.md. All CLI commands (changelog, release-prep, sync-github-releases, sync-dev-release), metadata extraction, and init now read from this single source.
  • Add .claude/package-skills.sh to package each Claude Code skill as a ZIP for manual upload to Claude Desktop via Settings > Customize > Skills. Refs #2540.
  • Sanitize @mentions, #issue references, and github.com URLs in upstream release notes embedded in sync-uv-lock PR bodies. Inserts Unicode zero-width spaces to prevent GitHub from auto-linking mentions and issue references. Rewrites github.com URLs to redirect.github.com to prevent backlink cross-references. Code fences and inline code spans are preserved. Closes #2542.
  • Use REPOMATIC_PAT token in all peter-evans/create-pull-request steps across autofix.yaml, changelog.yaml, and renovate.yaml. PRs created with the default GITHUB_TOKEN do not trigger other workflows.
  • Rename shell_files metadata key to shfmt_files. Exclude Zsh files (.zsh, .zshrc, etc.) and .sh files with a Zsh shebang from shfmt processing. shfmt's Zsh support is experimental (v3.13.0+) and fails on common Zsh constructs (see mvdan/sh#1203).
  • Make the uv sync step in the lint-types job conditional on is_python_project, so repositories with Python files but no lockfile can still be type-checked.
  • Fix format-json autofix job failing with flag --config-path is not valid in this context when a [tool.biome] section exists. Biome's bpaf-based CLI scopes --config-path inside the subcommand; the flag is now spliced after the subcommand name via a new config_after_subcommand field in ToolSpec.
  • Improve file-bug-report skill to check organization-level community health files from the org's .github repo before scanning per-repo files. GitHub allows orgs to define default CONTRIBUTING.md, CODE_OF_CONDUCT.md, SECURITY.md, and issue templates that repos inherit unless they provide their own copy.
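The sanitization of upstream release notes described above (and reused for Lychee and Sphinx linkcheck output in v6.13.0), as an added example that is not repomatic's own code. The regular expressions, the placement of the zero-width space right after the `@` or `#` sigil, and the sample text are assumptions.

```python
import re

ZWSP = "\u200b"  # Unicode zero-width space

# One pass over the text: code is matched first and returned untouched,
# URLs are matched whole so a "#fragment" inside them is never split.
TOKEN = re.compile(
    # Fenced code block; an unclosed fence runs to the end of the text.
    r"(?P<fence>^[ ]{0,3}(?P<f>`{3,}|~{3,}).*?(?:^[ ]{0,3}(?P=f)[ \t]*$|\Z))"
    # Inline code span on one line, closed by a backtick run of equal length.
    r"|(?P<span>(?<!`)(?P<t>`+)(?!`)[^\n]+?(?<!`)(?P=t)(?!`))"
    # URL, excluding trailing sentence punctuation.
    r"|(?P<url>https?://[^\s<>()\[\]]*[^\s<>()\[\].,;:!?])"
    # "@name" not preceded by a word character (so e-mail addresses are kept).
    r"|(?P<mention>(?<![\w/.])@(?=[A-Za-z0-9]))"
    # "#123", but not an HTML numeric entity such as "&#123;".
    r"|(?P<issue>(?<!&)#(?=\d))",
    re.S | re.M,
)

# Only the exact github.com host is rewritten, not look-alike or sub-domains.
GITHUB_HOST = re.compile(r"^https?://(?:www\.)?github\.com(?=[/?#:]|$)", re.I)


def replace_token(match: re.Match) -> str:
    if match.group("fence") is not None or match.group("span") is not None:
        return match.group(0)  # code is preserved verbatim
    if match.group("url") is not None:
        return GITHUB_HOST.sub("https://redirect.github.com", match.group("url"))
    # "@" or "#": break the auto-link pattern without changing what is displayed.
    return match.group(0) + ZWSP


def sanitize(markdown: str) -> str:
    """Neutralize mentions, issue references and github.com backlinks."""
    return TOKEN.sub(replace_token, markdown)


# Constructed sample of upstream release notes.
SAMPLE = (
    "Thanks @alice for fixing #42, see "
    "https://github.com/acme/widget/pull/42#issuecomment-7.\n"
    "Run `pip install widget  # see #42 @alice` to upgrade.\n"
    "```console\n"
    "$ git log --author=@alice  # refs #42 https://github.com/acme/widget\n"
    "```\n"
    "Contact bob@example.com or read https://example.com/page#3.\n"
)

if __name__ == "__main__":
    # ascii() makes the inserted zero-width spaces visible as \u200b.
    for line in sanitize(SAMPLE).splitlines():
        print(ascii(line))
```

Running the function on its own output changes nothing, so it is safe to apply to text that was already sanitized.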

Full changelog: v6.11.3...v6.12.0


🛡️ VirusTotal scans

Binary Analysis
repomatic-6.12.0-linux-arm64.bin View scan
repomatic-6.12.0-linux-x64.bin View scan
repomatic-6.12.0-macos-arm64.bin View scan
repomatic-6.12.0-macos-x64.bin View scan
repomatic-6.12.0-windows-arm64.exe View scan
repomatic-6.12.0-windows-x64.exe View scan

v6.11.3

09 Apr 17:47
Immutable release. Only release title and notes can be modified.

Note

6.11.3 is available on 🐍 PyPI and 🐙 GitHub.

  • Add lint-repo check warning when the GitHub Actions fork PR workflow approval policy is weaker than first_time_contributors. Queries /repos/{repo}/actions/permissions/fork-pr-contributor-approval and flags the default first_time_contributors_new_to_github setting, which only catches brand-new GitHub accounts. The setup guide includes a new step with a pre-filled gh api one-liner to fix the policy in place.
  • Add readme.md § Supply chain security section mapping Astral's Open Source Security at Astral practices to concrete repomatic implementations, with a known-gap admonition for multi-person release approval.
  • Fix rst_to_myst conversion leaving RST backslash escapes (\_) in headings and not wrapping dotted Python module names in backticks. sphinx-apidoc uses \_ to prevent RST reference interpretation; these are meaningless in markdown and cause mdformat to strip them on every reformat pass.
  • Fix format-pyproject autofix job failing with exit code 123. xargs translates pyproject-fmt's exit code 1 (file reformatted) to 123, and the default bash -e shell aborted before the exit code guard could run.
  • Disable uv cache in the publish-pypi release job, which has no checkout step. Without a workspace, setup-uv cannot find lockfiles to hash and emits spurious cache-miss warnings on every run.

Full changelog: v6.11.2...v6.11.3


🛡️ VirusTotal scans

Binary Analysis
repomatic-6.11.3-linux-arm64.bin View scan
repomatic-6.11.3-linux-x64.bin View scan
repomatic-6.11.3-macos-arm64.bin View scan
repomatic-6.11.3-macos-x64.bin View scan
repomatic-6.11.3-windows-arm64.exe View scan
repomatic-6.11.3-windows-x64.exe View scan

v6.11.2

08 Apr 11:08
Immutable release. Only release title and notes can be modified.

Note

6.11.2 is available on 🐍 PyPI and 🐙 GitHub.

  • Add shfmt shell formatter to the tool runner (repomatic run shfmt). Downloads the binary for the current platform and invokes it with managed version pinning and .editorconfig discovery.
  • Add format-shell autofix job to auto-format shell scripts with shfmt.
  • Replace crazy-max/ghaction-virustotal GitHub Action with a native repomatic scan-virustotal CLI command using vt-py. Fixes the release body update that was silently skipped because the action required a release event but the workflow triggers on push.
  • Deduplicate release attestations: Python packages are now attested once in build-package instead of three times across build-package, publish-pypi, and create-release. The attestation bundle is forwarded as an artifact to create-release for upload to the GitHub release. Also fixes create-release accidentally attesting .gitignore via the release_artifact/* glob.

Full changelog: v6.11.1...v6.11.2


🛡️ VirusTotal scans

Binary Analysis
repomatic-6.11.2-linux-arm64.bin View scan
repomatic-6.11.2-linux-x64.bin View scan
repomatic-6.11.2-macos-arm64.bin View scan
repomatic-6.11.2-macos-x64.bin View scan
repomatic-6.11.2-windows-arm64.exe View scan
repomatic-6.11.2-windows-x64.exe View scan

v6.11.1

08 Apr 09:11
Immutable release. Only release title and notes can be modified.

Note

6.11.1 is available on 🐍 PyPI and 🐙 GitHub.

  • Parallelize release workflow: compile-binaries now starts right after metadata instead of waiting for create-release, and publish-pypi runs concurrently with create-tag and create-release. Binary and attestation uploads to the GitHub release are deferred to publish-release. The PyPI admonition in release notes is applied by publish-release after confirming PyPI publication succeeded.
  • Fall back to PyPI project_urls changelog link when no GitHub Release exists for a package. Release notes sections now render a [Changelog](url) link instead of silently omitting the package.
  • Fix release workflow uploading attestation bundle before the GitHub release draft exists. The upload step now runs after release creation.
  • Skip exclude-newer-package exemptions for packages whose fixed version already falls within the exclude-newer cooldown window. Previously, fix-vulnerable-deps persisted "0 day" overrides for all upgraded packages unconditionally.
  • Fix --delete-excluded not detecting scope-excluded BundledComponent files that still exist on disk. Component-level scope exclusion (e.g., codecov in awesome repos) skipped recording file entries, so stale files were invisible to the deletion pass.
  • Fix awesome-template sync overwriting pyproject.toml instead of merging. _copy_template_tree replaced the entire file with the bundled template, stripping user-managed [tool.*] sections (e.g., [tool.gitleaks]). The lychee config is now a ToolConfigComponent with AWESOME_ONLY scope, so it goes through the standard _init_tool_configs merge path. pyproject.toml is removed from the awesome-template bundle.
  • Fix repomatic init <component> silently ignoring explicitly-requested components in repos where their scope doesn't match. Scope exclusions now only apply during bare repomatic init, matching the existing guard on user-config exclusions. This fixes repomatic init renovate failing in awesome repos where the renovate workflow materializes renovate.json5 at runtime.
  • Fix --delete-excluded removing opt-in workflow files in the source repo. Config-key exclusions (e.g., notification.unsubscribe) now skip the source repo, matching the existing scope-exclusion guard. Previously, the sync-repomatic job would delete .github/workflows/unsubscribe.yaml from upstream, breaking the symlink in repomatic/data/ and all downstream workflow_call references.
  • Fix format-pyproject autofix step running with no input files and masking tool errors. The pyproject_files metadata key was missing, so pyproject-fmt ran against an empty file list and || true swallowed all non-zero exit codes. The key is now requested and the step tolerates only exit code 1 (file reformatted).

Full changelog: v6.11.0...v6.11.1

v6.10.0

03 Apr 07:20
Immutable release. Only release title and notes can be modified.

Note

6.10.0 is available on 🐍 PyPI and 🐙 GitHub.

  • Add brand-assets skill to create and export project logo/banner SVG assets to light/dark PNG variants.
  • Add babysit-ci skill to monitor CI test workflows, diagnose failures, fix code, and loop until all stable jobs pass.
  • Add file-bug-report skill to write upstream bug reports. Exhaustively reads contribution guidelines, issue templates, security policies, and community norms before producing a markdown file.
  • Add test-matrix.replace and test-matrix.remove configuration to modify axis values in both full and PR test matrices. replace swaps values (e.g., replace.os = { "ubuntu-slim" = "ubuntu-24.04" }), remove drops values before solve() runs. Stale exclude directives referencing removed values are pruned with a warning.
  • Add SyncMode enum and preserved_keys field to ToolConfigComponent. Tool configs can now declare sync_mode=ONGOING to opt into repeated syncing that preserves local additions. Preserve local [[tool.bumpversion.files]] entries during sync-bumpversion as the first consumer.
  • Add --output-format [markdown|github-actions] to sync-uv-lock, fix-vulnerable-deps, pr-body, and format-images. Replaces implicit $GITHUB_OUTPUT environment variable detection with an explicit flag. Remove -o short option from pr-body and format-images (prefer long-form --output).
  • Add .claude/scheduled_tasks.lock to the default .gitignore extra content.
  • Append workflow metadata block to issue lifecycle comments (Condition recurred., Superseded by #N., close comments). Each comment now includes a collapsible table with trigger, actor, commit, job, workflow, and run link.
  • Make setup-guide issue body conditional: each step is a collapsible section with a status indicator (completed steps are collapsed with a checkmark, incomplete steps are expanded with a warning). Add branch ruleset and Dependabot settings checks to the closing criteria. The issue now closes only when PAT, permissions, vulnerability alerts, and branch protection are all verified.
  • Rework sync-uv-lock CLI output: default to a terminal table via click-extra's --table-format, add --release-notes/--no-release-notes and --table/--no-table flags, move markdown formatting to --output for CI use only. Prune stale exclude-newer-package entries from pyproject.toml before relocking.
  • Change renovate component to opt-in (init_default=EXCLUDE). Exclude renovate and codecov components from awesome-list repositories.
  • Echo metadata output to stderr when --output targets a file, so computed matrices are visible in CI logs.
  • Remove Python 3.15t (free-threaded) from the default test matrix.
  • Warn instead of crashing on unknown [tool.repomatic] configuration keys. Old repomatic versions encountering config from a newer release now log a warning and continue.
  • Add repomatic update-docs CLI command consolidating sphinx-apidoc, RST-to-MyST conversion, and docs/docs_update.py execution into a single orchestrated step. Projects using MyST-Parser get RST stubs automatically converted to markdown with {eval-rst} blocks.
  • Add docs.apidoc-extra-args, docs.apidoc-exclude, and docs.update-script configuration options.
  • Add uses_myst metadata property detecting MyST-Parser in Sphinx configuration.
  • Move sync-uv-lock job from renovate.yaml to autofix.yaml. The renovate workflow's path filter prevented the job from running on most pushes to main, leaving stale PRs with merge conflicts.
  • Fix CLI crash when test-matrix.variations or test-matrix.replace contain nested keys. Click-extra's generic config flattening was converting them to invalid field names. The CLI now routes config loading through load_repomatic_config which preserves the test-matrix sub-section structure.

Full changelog: v6.9.0...v6.10.0

v6.9.0

31 Mar 18:17
Immutable release. Only release title and notes can be modified.

Note

6.9.0 is available on 🐍 PyPI and 🐙 GitHub.

  • Add per-project test matrix configuration via [tool.repomatic.test-matrix] in pyproject.toml. Supports exclude, include, and variations fields that map directly to the Matrix class API.
  • Replace audit-deps lint job with fix-vulnerable-deps autofix job. Creates PRs that upgrade affected packages using uv lock --upgrade-package with --exclude-newer-package bypass for security fixes.
  • Add codecov bundled component. Syncs .github/codecov.yaml to suppress PR comments unless coverage drops or the diff introduces uncovered lines.
  • Extend tool runner config resolution to support CWD-discovery tools (no --config flag). Bundled defaults are written to disk and cleaned up after invocation. Move mdformat number default to a bundled mdformat.toml so downstream repos can override via [tool.mdformat] or .mdformat.toml.
  • Replace dict-based config loading with click-extra's typed config resolution. [tool.repomatic] is auto-discovered from pyproject.toml and exposed as a typed Config dataclass via get_tool_config(). Rename config subcommand to show-config to resolve a naming conflict with click-extra's --config option.
  • Expand PAT validation in lint-repo and check-renovate. lint-repo gains repository scope check, tag ruleset detection, and workflows permission probe. check-renovate validates all PAT permissions (contents, issues, pull requests, vulnerability alerts, workflows) as warnings.
  • Auto-exclude changelog.md for awesome-list repositories and remove redundant [tool.repomatic] exclude entries from the awesome template. Refactor the component registry to support scope, target, and config_key fields, replacing hardcoded dispatch with a type-driven loop. init CLI help text is now auto-generated from the registry.
  • Remove prebake-version and prebake-tag-sha CLI commands. Use click-extra prebake all, click-extra prebake version, or click-extra prebake field instead. Rename __tag_sha__ to __git_tag_sha__ to align with click-extra's git_* naming convention.
  • Migrate from actions/attest-build-provenance to actions/attest.
  • Rename pr-metadata.md template to .md.noformat extension to prevent mdformat from mangling the $rerun_row table-row placeholder.
  • Skip Codecov uploads on sync-repomatic PRs.
  • Unify PAT permission validation into check_all_pat_permissions() in token.py. lint-repo, setup-guide, and check-renovate all use the same code path. setup-guide now runs granular permission checks when the PAT is present and keeps the issue open with a diagnostic table when permissions are incomplete.
  • Fix setup-guide job: add missing HAS_REPOMATIC_PAT env var and remove upstream repo carve-out so PAT detection works everywhere.
  • Fix infinite cycle between migrate-to-renovate and sync-repomatic jobs.
  • Include git stderr in git-tag CLI error messages.

Full changelog: v6.8.0...v6.9.0

v6.8.0

27 Mar 05:44
Immutable release. Only release title and notes can be modified.

Note

6.8.0 is available on 🐍 PyPI and 🐙 GitHub.

  • Move test matrix definition from inline YAML to repomatic metadata using the Matrix class. The tests job now depends on the metadata job and consumes pre-computed test_matrix / test_matrix_pr outputs. Fixes the matrix context being unavailable in job-level if:.
  • Reduce CI jobs on pull requests by skipping release builds, experimental Python versions, redundant architecture variants, and install/architecture verification tests. Full matrix still runs on push to main.
  • Make exclude config additive to default exclusions (labels, skills). User exclude entries now add to the defaults instead of replacing them. Add include config to force-include components that are excluded by default.
  • Add --delete-unmodified flag to repomatic init to automatically remove config files identical to bundled defaults instead of only reporting them. Renamed from --delete-redundant.
  • Remove deprecated WORKFLOW_UPDATE_GITHUB_PAT secret and all backward-compatibility fallbacks. Downstream repos must use REPOMATIC_PAT.
  • Auto-exclude awesome-triage skill for non-awesome repositories. The skill is only relevant to awesome-* repos and was previously installed in all downstream projects.
  • Add --delete-excluded flag to repomatic init to remove excluded files that still exist on disk. Detects component-level exclusions, file-level exclusions, auto-excluded files (e.g., awesome-triage on non-awesome repos), and disabled opt-in workflows.
  • Replace sync-workflows and clean-unmodified-configs autofix jobs with a single sync-repomatic job. Runs repomatic init --delete-unmodified --delete-excluded to sync all managed files and clean up stale ones in one PR. Renamed from clean-redundant-configs and --delete-redundant.
  • Remove PAT setup hint steps and HAS_REPOMATIC_PAT env var from autofix.yaml and changelog.yaml workflows. The setup-guide job already creates an issue when the PAT is missing.
  • Add PAT capability checks and repo configuration validation to lint-repo. Checks Renovate config exists, Dependabot security updates disabled, and vulnerability alerts enabled. When REPOMATIC_PAT is configured, validates contents, issues, pull requests, Dependabot alerts, and commit statuses permissions. Add REQUIRED_PAT_PERMISSIONS constant in token.py as the single source of truth for expected permissions.
  • Add stale draft release detection to lint-repo. Warns about draft releases whose tag does not end with .dev0, which are leftovers from abandoned or failed release attempts.
  • Relax abandoned dependency threshold from 1 year to 2 years in Renovate config.
  • Fix thin-caller generation rendering workflow_dispatch input definitions as Python dict literals instead of block-style YAML.
  • Add /sphinx-docs-sync skill for cross-project Sphinx documentation comparison and synchronization.
  • Add /translation-sync skill to detect stale translations in readme.*.md and contributing.*.md files. Compares structure and content against the English source, flags drift, and drafts updated translations. Auto-excluded for non-awesome repos.
  • Streamline Dependabot guidance in setup guide issue. Clarify that Renovate handles security PRs and that renovate.yaml auto-removes dependabot.yml. Link Actions tab directly to the autofix.yaml workflow.
  • Allow repomatic init to accept qualified component/file selectors (e.g., repomatic init skills/repomatic-topics). Uses the same syntax as the exclude config option. Rename parse_exclude to parse_component_entries and _valid_file_ids to valid_file_ids to support the shared parsing path.
  • Only auto-include awesome-template component for awesome-* repos when no explicit components are given. Previously, repomatic init skills/repomatic-topics on an awesome repo would also sync all awesome-template files.
  • Stop persisting [tool.ruff] defaults into downstream pyproject.toml. Bundled ruff config is now injected at runtime via --config when no [tool.ruff], ruff.toml, or .ruff.toml exists. Remove the repomatic init ruff step from the format-python workflow job.
  • Add package version diff table to sync-uv-lock PRs. Lists updated, added, and removed packages with their old and new versions. Package names link to PyPI. Shows release date and exclude-newer cutoff for visual verification. Includes collapsible release notes fetched from GitHub Releases.
  • Document file naming conventions in claude.md: prefer .yaml over .yml and lowercase filenames everywhere, with a table of GitHub exceptions that require .yml or uppercase.
  • Fix awesome-template URL rewriting to also process .yml files in .github/.
  • Auto-exclude changelog.yaml, debug.yaml, and release.yaml workflows for awesome-* repositories. These package-oriented workflows are irrelevant to curated lists.
  • Materialize bundled renovate.json5 at runtime in the Renovate workflow when the file is absent. Downstream repos can safely delete their renovate.json5 via clean-redundant-configs without breaking Renovate runs.
  • Remove sync-renovate CLI command, autofix job, renovate.sync config toggle, and PR body template. The sync-repomatic job (via repomatic init --delete-redundant) already handles Renovate config sync, and the Renovate workflow now materializes the bundled default at runtime when the file is absent.
  • Remove sync-bundled-config job from renovate.yaml. The bundled repomatic/data/renovate.json5 is now regenerated by repomatic init when it detects it's running in the source repository, folded into the sync-repomatic autofix job.
  • Remove upstream exclusion from sync-repomatic job. The upstream repo's [tool.repomatic] exclude = ["workflows"] prevents thin-caller generation, while repomatic init handles the bundled renovate config regeneration.
  • Pin GitHub Actions to SHA digests via Renovate's helpers:pinGitHubActionDigestsToSemver preset. Prevents supply chain attacks from mutable tags while keeping automated version updates.
  • Add top-level permissions: {} to all workflow files. Denies all GITHUB_TOKEN permissions by default, requiring each job to declare its own minimal permissions explicitly.
  • Merge /repomatic-deps-review into /repomatic-deps. The unified skill now supports two modes: graph (dependency tree visualization, previously the only mode) and review (declaration audit against version policy). Also checks for stale exclude-newer-package cooldown exceptions in [tool.uv].
  • Consolidate 12+ scattered init constants into a declarative component registry (repomatic/registry.py). Each component declares its kind, init default, file entries, and behavioral flags in one place. All derived constants (ALL_COMPONENTS, COMPONENT_FILES, REUSABLE_WORKFLOWS, SKILL_PHASES, etc.) are computed from the registry.
  • Fix sync-repomatic deleting the upstream repo's own skills. The source repo guard only covered auto-exclusions, not default exclusions (labels, skills).
  • Rename "redundant" terminology to "unmodified" across the CLI, output, and codebase. --delete-redundant becomes --delete-unmodified, clean-redundant-configs becomes clean-unmodified-configs.
  • Generalize opt_in_key into config_key/config_default on both FileEntry and Component. Replace the procedural awesome-template.sync check with a registry declaration.
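
The two workflow-hardening entries above (actions pinned to SHA digests, top-level permissions: {}) can be checked mechanically. The following is an added example, not repomatic's own lint code; the function names, the example-org actions, and the 40-character digest are constructed placeholders.

```python
import re

# Constructed sample workflows (not taken from repomatic); the action names
# and the 40-character digest are placeholders.
WEAK = """\
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/example-action@v4
      - name: Build
        uses: example-org/other-action@main
      - uses: ./.github/actions/local
"""
HARDENED = """\
on: push
permissions: {}
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v4.0.0
"""

# Step-level and job-level (reusable workflow) `uses:` references.
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([^\s'\"#]+)", re.M)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# An unindented key is a workflow-level key; only the empty mapping denies all.
DENY_ALL_RE = re.compile(r"^permissions:[ \t]*\{[ \t]*\}[ \t]*(?:#.*)?$", re.M)

def unpinned_actions(text):
    """Return `uses:` references whose ref is not a full commit SHA."""
    refs = USES_RE.findall(text)
    # Local actions and container images are out of scope for this check.
    refs = [r for r in refs if not r.startswith(("./", "docker://"))]
    return [r for r in refs if not FULL_SHA_RE.fullmatch(r.partition("@")[2])]

def audit(text):
    """List findings for one workflow file; an empty list means it passes."""
    findings = []
    if not DENY_ALL_RE.search(text):
        findings.append("missing top-level 'permissions: {}'")
    findings += [f"not pinned to a commit SHA: {r}" for r in unpinned_actions(text)]
    return findings
```

The matching is line-based, so a literal `uses:` line inside a multi-line `run:` script would also be reported; a YAML parser removes that ambiguity.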

Full changelog: v6.7.0...v6.8.0

v6.7.0

24 Mar 19:39
Immutable release. Only release title and notes can be modified.

Note

6.7.0 is available on 🐍 PyPI and 🐙 GitHub.

  • Bundle awesome-template boilerplate files in repomatic instead of cloning from kdeldycke/awesome-template at runtime.
  • Add pyproject_files metadata key listing all pyproject.toml files. The format-pyproject job now formats all of them instead of only the root file.
  • Remove sync-skills, workflow create, and workflow sync CLI commands. All three are superseded by repomatic init which handles skills, thin-caller generation, and header-only sync in a single invocation.
  • Add branch protection checklist to the setup guide issue. Links to a pre-filled ruleset creation form targeting the default branch with force-push and deletion protection.
  • Add unsubscribe.yaml reusable workflow for scheduled cleanup of closed notification threads. Opt-in via notification.unsubscribe = true in [tool.repomatic]. Requires a classic PAT with notifications scope stored as REPOMATIC_NOTIFICATIONS_PAT. Introduce OPT_IN_WORKFLOWS mechanism for workflows that are excluded from thin-caller generation unless explicitly enabled.
  • Surface actual gh CLI error messages in unsubscribe-threads warnings. Previously, RuntimeError details from failed API calls were discarded, making Phase 1 REST failures impossible to diagnose from CI logs.
  • Enable delete-branch: true on all peter-evans/create-pull-request invocations. Stale automation PRs are now auto-closed when a subsequent workflow run finds no changes to commit.
  • Add gitleaks to the tool runner registry with binary download support and [tool.gitleaks] configuration bridge. Migrate lint-secrets workflow job from gitleaks/gitleaks-action to repomatic run gitleaks.
  • Move lychee config from lychee.toml to [tool.lychee] in pyproject.toml. The tool runner's TOML bridge translates it to a native config file at runtime. Downstream repos with a standalone lychee.toml can do the same.
  • Fix format-images job failing because oxipng is not packaged in Ubuntu. Install from the GitHub release .deb instead, allowing the job to run on ubuntu-slim.

Full changelog: v6.6.0...v6.7.0