Releases: netresearch/github-release-skill
Release list
v0.8.4
v0.8.3
What's Changed
- fix(templates): pin release-generic.yml actions to commit SHAs by @CybotTM in #46
- fix(release-prepare): populate and backfill CHANGELOG entries by @CybotTM in #47
- docs: bump CHANGELOG footer link-references when cutting a release by @CybotTM in #48
- docs: credit contributors inline per change (GitHub renders the row from @mentions) by @CybotTM in #49
- chore(release): v0.8.3 by @CybotTM in #50
Full Changelog: v0.8.2...v0.8.3
v0.8.2
What's Changed
- docs(skill): add no-editorializing rule for written output by @CybotTM in #44
- chore(release): v0.8.2 by @CybotTM in #45
Full Changelog: v0.8.1...v0.8.2
v0.8.1
v0.8.0
What's Changed
- ci: re-sync labeler.yml with skill template (clears drift) by @CybotTM in #35
- feat(release): harvest contributors incl. issue reporters for release notes by @CybotTM in #36
- fix(harvest-contributors): only credit PRs from the subject line, not body refs by @CybotTM in #37
- chore(deps): update actions/checkout action to v7 by @renovate[bot] in #38
- Add field-tested release-notes and retag/CI gotchas by @CybotTM in #39
- chore(release): v0.8.0 by @CybotTM in #40
Full Changelog: v0.7.0...v0.8.0
v0.7.0
Highlights
Adds a first-release path that provisions release.yml and skips registry targets that were never published, plus mandates pre-tag HEAD verification and registry-aware recovery from a mistagged release.
What's Changed
- feat: first-release path — provision release.yml and skip unpublished targets by @CybotTM in #31
- docs: mandate pre-tag HEAD verification and registry-aware mistag recovery by @CybotTM in #32
- ci: adopt canonical skill template by @CybotTM in #33
- chore(release): v0.7.0 by @CybotTM in #34
Full Changelog: v0.6.1...v0.7.0
v0.6.1
Highlights
This patch release documents a known flake in the skill-repo release pipeline: the keyless Cosign signing step can fail with a transient Sigstore/Rekor HTTP 409 when uploading the SHA256SUMS signature to the transparency log. The skill's recovery procedures now explain why this happens, why it is not a tag or workflow problem, and that a single gh run rerun --failed resolves it. New eval cases assert that agents follow this recovery path instead of deleting tags or re-running the whole release.
Documentation
- Recovery procedures: documented the transient Sigstore/Rekor 409 on checksum signing, including the rerun-failed recovery path (#28)
- Evals: added assertions covering the 409 recovery behavior and softened an over-strict check-ordering claim
Full Changelog: v0.6.0...v0.6.1
v0.6.0
What's Changed
- feat(checkpoints): assert release notes were rewritten into a narrative (GR-R4) by @CybotTM in #26
- chore(release): v0.6.0 by @CybotTM in #27
Full Changelog: v0.5.0...v0.6.0
v0.5.0
What's Changed
- feat: add .pre-commit-config.yaml mirroring CI checks by @CybotTM in #24
- chore(release): v0.5.0 by @CybotTM in #25
Full Changelog: v0.4.0...v0.5.0
v0.4.0
Highlights
npm distribution — the skill now ships as an npm package via @netresearch/agent-skill-coordinator, joining Composer and the Claude Code marketplace as a first-class install path (#19).
Release-prep PR pattern + .sigstore.json lesson, codified — the skill now documents the merge-commit tagging sequence used across all netresearch/*-skill repos: bump on a branch, open a release-prep PR, merge, then sign the tag locally on main. Both the cosign output extension (.sigstore.json, not .sig) and the release-prep PR pattern are captured in SKILL.md and the corresponding checkpoint (#21).
TER publish gotchas documented — TYPO3 Extension Repository (TER) publishing now has a documented escape hatch for version-match failures and the v-prefix trap (git tag vX.Y.Z vs ext_emconf.php bare X.Y.Z). The validation source is now explicitly ext_emconf.php, with env-block expansion gotchas clarified (#22).
Checkpoint schema standardized — checkpoints across the skill consolidated on the target / pattern schema, and the cosign-output check broadened to cover both .sig and the newer .sigstore.json format produced by recent cosign sign-blob releases (#20).
Release pipeline maintenance
- Release caller granted
id-token: writeandattestations: writeso SLSA build-provenance and cosign signatures can be emitted (#17). - Removed the deprecated
with: bump:block and theworkflow_dispatch.bumpinput — releases now happen exclusively by pushing a locally-signed tag (#18). - Repo-local
.yamllint.ymlwith a 300-char line limit so workflow files stop tripping the default 80-col cap.
The SHA256SUMS.txt shipped with this release is keyless-signed via cosign, and every archive (.zip / .tar.gz) carries a SLSA build-provenance attestation verifiable with gh attestation verify against netresearch/github-release-skill.
Verification
gh attestation verify github-release-skill-v0.4.0.zip --repo netresearch/github-release-skill
cosign verify-blob \
--bundle SHA256SUMS.txt.bundle \
--certificate-identity-regexp '^https://github\.com/netresearch/skill-repo-skill/\.github/workflows/release\.yml@' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
SHA256SUMS.txt
sha256sum --check SHA256SUMS.txtInstall
# Claude Code plugin marketplace
/plugin install github-release@netresearch
# Composer
composer require netresearch/github-release-skill
# npm (new in this release)
npm i -D @netresearch/agent-skill-coordinator github:netresearch/github-release-skillFull changelog: v0.3.0...v0.4.0