
Release 1.5.0 (2026-05-11)

Bug fixes

  • scope standalone markdownlint step to README.md only (#197) (#13) The standalone markdownlint CI step was using markdownlint . which lints every markdown file including CLAUDE.md and other operational files. Scope it to README.md only — the security-and-standards job already runs markdown-standards for full docs/site/ coverage.

  • update trivyignore for new CVEs and pin go-test-coverage (#21) Add Go stdlib CVEs in shfmt binary (no affected code paths exercised), new kernel CVEs (containers use host kernel), and npm tar GHSA. Pin go-test-coverage to v2.18.3 for hadolint DL3062.

  • add CVE-2026-29786 (tar) to trivyignore (#30) Hardlink path traversal in npm tar package, transitive dependency of markdownlint-cli@0.47.0. No fix available without an upstream markdownlint-cli release.

  • add CVE-2025-15558 (gh docker/cli, Windows-only) to trivyignore (#40)

  • scan locally-built image with Trivy, not published :latest (#56) The Trivy step was scanning the GHCR-namespaced tag, which Trivy resolves by pulling from the registry — meaning every run scanned the already-published :latest, not the freshly-built local image. Once a HIGH/CRITICAL CVE landed in the published image, push was permanently gated on a stale artifact that could not roll forward. Result: dev-* images frozen at 2026-03-10 for 6+ weeks despite repeated rebuild triggers from standard-tooling releases.

Build with a local-only candidate tag (dev--candidate: / dev-base-candidate:latest), point Trivy at that tag, then docker tag + push to the GHCR ref. Local-only namespace cannot collide with anything published, so Trivy is forced to use the freshly-built daemon image.

  • bump pip to >=26.1 (CVE-2026-3219) (#63) CVE-2026-3219 / GHSA-58qw-9mgm-455v: pip <=26.0.1 has a TAR/ZIP polyglot bug in archive parsing. pip 26.1 (released 2026-04-26) is the fix. The python:3.14-slim upstream base image still ships 26.0.1, so dev-python and dev-base images carry the vulnerable pip until this lands.

Upgrade system pip to >=26.1 in dev-python and dev-base Dockerfile.templates, before the existing yamllint + uv install step.

Verified locally on a freshly-built dev-python:3.14:

  • pip --version → 26.1
  • In a uv-managed venv, pip-audit -r req.txt against pip==26.0.1 correctly flags CVE-2026-3219; against pip==26.1, clean.
  • uv 0.7.12 (current pin) already resolves pip to 26.1 when installing pip-audit, so no uv bump needed.

  • triage HIGH/CRITICAL CVEs blocking docker-publish (#68)

  • pin standard-tooling-pip fragment to v1.3 (#73) The pip fragment was cloning -b develop, while the parallel uv fragment pins to the rolling-minor release tag (v1.3). Net effect: non-Python images (dev-ruby/go/java/rust) carried whatever was on develop at build time, including unreleased commits, while the Python images (dev-python, dev-base) got the latest released standard-tooling. Concretely visible after PR #68: dev-python:3.14 shipped 1.3.4, dev-ruby:3.4 shipped 1.3.5 from the same publish run.

Mirror standard-tooling-uv.dockerfile shape — ARG ST_TOOLING_TAG defaulted to v1.3, identical comment block explaining the rolling-minor pin and the release-dispatch rebuild policy.

After this lands and images rebuild, all six image kinds will report the same standard-tooling version, advancing only on actual standard-tooling releases.

  • bump stale standard-actions trivy pins from @v1.1 to @v1.3 (#80)
  • triage jq CVEs blocking docker-publish (post-#78) (#82)
  • fix semgrep build and triage new Trivy CVEs (#110) Install build-essential before uv tool install semgrep to provide gcc for native extension compilation, then purge it to keep the image slim.

Triage four new HIGH CVEs blocking docker-publish:
  • CVE-2026-4878 (libcap2): TOCTOU race, requires CAP_SETFCAP
  • CVE-2026-33845 (libgnutls30t64): DTLS DoS, not used by image
  • CVE-2026-31568 (linux-libc-dev): kernel s390/mm, container FP
  • CVE-2026-35386 (openssh-client): metachar injection, known hosts only

  • add /github/home/.local/bin to PATH for GitHub Actions compatibility (#116) GitHub Actions forces HOME=/github/home in container jobs (actions/runner#863), causing uv tool install to write executables to /github/home/.local/bin instead of /root/.local/bin. Include both paths so tools installed via uv are found in CI and local Docker contexts. Closes #115

  • triage 8 new linux-libc-dev kernel CVEs blocking docker-publish (#118) All 8 CVEs are linux-libc-dev kernel header false positives in containers (containers use the host kernel, not headers in the image). Status affected, no fix version. Added to .trivyignore to unblock Ruby, Go, and Rust image publishing. Ref #117

  • triage linux-libc-dev kernel CVE blocking docker-publish (#129) Add CVE-2026-31777 (kernel ALSA ctxfi index mapping) to .trivyignore. Container false positive: containers use the host kernel, not the kernel headers in the base image. Same rationale as existing linux-libc-dev entries.

  • remove candidate tag cleanup that deletes promoted images (#134) The delete-candidate-tag step destroys the final image because imagetools create promotes by retagging the same manifest digest. Deleting the candidate version by ID removes the shared manifest, making the promoted tag (e.g. dev-base:latest) unavailable. Remove both cleanup steps. Stale candidate tags are harmless since they point to the same content as the final tag. Part of #111.

  • triage CVE-2026-33846 and fix trailing blank lines in workflow (#135) Add CVE-2026-33846 (libgnutls30t64 heap buffer overflow) to .trivyignore. Same package as existing CVE-2026-33845; curl only connects to known hosts. Also remove trailing blank lines in docker-publish.yml left by the candidate cleanup removal. Part of #111.

  • install uv in non-Python dev images (#136) The docker cache layer runs uv tool install standard-tooling inside all dev containers, but uv was only available in Python and base images. Add uv==0.7.12 to the python-support common fragment so Go, Java, Ruby, and Rust images can build the cache layer successfully. Closes #127

  • add /workspace/.venv/bin to PATH for uv sync entry points (#142)

  • revert /workspace/.venv/bin PATH addition from #141 (#144) The static /workspace path never resolves in CI (Actions overrides WORKDIR to /__w//) and is redundant locally (uv run activates the .venv automatically). The correct fix is inline PATH prepend in the workflow run blocks (standard-actions #362). Closes #143

  • suppress CVE-2026-42246 (net-imap) in Trivy ignore list (#150)

  • suppress new linux-libc-dev kernel CVEs in Trivy ignore list (#151)
  • suppress new gnutls, libssh2, and linux-libc-dev CVEs in Trivy ignore list (#158)
  • use dev-base container for hadolint instead of downloading binary (#162) Hadolint is pre-installed in the dev-base container image. Remove the curl download step from both ci.yml and docker-publish.yml hadolint jobs and run them inside the container instead.

  • pass boolean to ci-security reusable workflow inputs (#163) The security reusable workflow declares run-standards and run-security as type: boolean. The caller was passing values via the || operator which produces strings, causing the reusable workflow to fail silently. Use the != 'false' pattern to produce actual booleans. Ref wphillipmoore/standard-tooling#632

  • ensure both Trivy scans run before gating on vulnerabilities (#166) The arm64 Trivy scan was skipped when the amd64 scan found vulnerabilities, because the amd64 step failure prevented subsequent steps from running. Add continue-on-error to both scan steps so they always produce SARIF reports, then re-assert the hard gate in a dedicated step that checks step outcomes.
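The two scan-pipeline fixes above (scanning a local-only candidate tag instead of the published GHCR ref in #56, and running every platform's scan before gating in #166) fit together as one procedure. The script below is an added example, not the repository's docker-publish workflow or build.sh: it assumes one single-platform candidate is built per architecture with docker buildx build --load (QEMU set up beforehand for arm64), that the candidate tag is derived by stripping the registry/namespace and inserting -candidate before the tag, and that promotion pushes per-arch tags before docker buildx imagetools create assembles the manifest list. Trivy and docker flags are the real ones; the layout is the assumption.

```shell
#!/bin/sh
# Added example, not the repository's own publish script. Build a local-only
# candidate per platform, scan every candidate before deciding anything, then
# gate once on the combined outcome and only afterwards touch the GHCR ref.
set -eu

# Derive a local-only candidate tag from a GHCR ref, e.g.
#   ghcr.io/wphillipmoore/dev-base:latest -> dev-base-candidate:latest
# With no registry prefix the daemon can never resolve it from GHCR, so the
# scan is forced onto the freshly built image. (Naming scheme is assumed.)
candidate_tag() {
  name=${1##*/}                    # dev-base:latest
  repo=${name%%:*}                 # dev-base
  tag=latest
  [ "$repo" = "$name" ] || tag=${name#*:}
  printf '%s-candidate:%s\n' "$repo" "$tag"
}

# Build one single-platform candidate and load it into the local daemon.
build_candidate() {   # $1 = candidate tag, $2 = arch (amd64|arm64), $3 = context
  docker buildx build --platform "linux/$2" --load -t "$1-$2" "$3"
}

# Scan one candidate and report the outcome instead of aborting, so the other
# platform is still scanned (the shell equivalent of continue-on-error).
scan_candidate() {    # $1 = candidate tag, $2 = arch
  if trivy image --severity HIGH,CRITICAL --exit-code 1 \
       --format sarif --output "trivy-$2.sarif" "$1-$2"; then
    echo success
  else
    echo failure
  fi
}

# The hard gate, evaluated only after every scan has run: any non-success fails.
gate_scans() {
  rc=0
  for outcome in "$@"; do
    [ "$outcome" = success ] || rc=1
  done
  return $rc
}

# Promote the scanned candidates: retag to the GHCR ref, push per-arch tags,
# then create the multi-arch manifest. The candidate tags are left in place;
# they share content with the pushed tags, so deleting them by digest would
# remove the promoted image too (the failure described in #134).
promote() {           # $1 = GHCR ref, $2 = candidate tag, rest = archs
  ref=$1; candidate=$2; shift 2
  pushed=
  for arch in "$@"; do
    docker tag "$candidate-$arch" "$ref-$arch"
    docker push "$ref-$arch"
    pushed="$pushed $ref-$arch"
  done
  # shellcheck disable=SC2086  # word splitting of the pushed list is intended
  docker buildx imagetools create -t "$ref" $pushed
}

publish() {           # $1 = GHCR ref, $2 = build context
  candidate=$(candidate_tag "$1")
  for arch in amd64 arm64; do build_candidate "$candidate" "$arch" "$2"; done
  amd64=$(scan_candidate "$candidate" amd64)
  arm64=$(scan_candidate "$candidate" arm64)
  gate_scans "$amd64" "$arm64" || {
    echo "Trivy gate failed: amd64=$amd64 arm64=$arm64" >&2; return 1; }
  promote "$1" "$candidate" amd64 arm64
}

# Run the pipeline only when explicitly requested, e.g.
#   RUN_PUBLISH=1 sh publish.sh ghcr.io/wphillipmoore/dev-base:latest base/
if [ "${RUN_PUBLISH:-0}" = 1 ]; then
  publish "${1:-ghcr.io/wphillipmoore/dev-base:latest}" "${2:-.}"
fi
```

Both SARIF files are written whether or not a scan fails, which is what lets them be uploaded before the gate runs; the gate itself looks only at the recorded outcomes, never at whether the previous command happened to succeed.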

  • suppress new linux-libc-dev kernel CVEs in Trivy ignore list (#171)

  • suppress new linux-libc-dev kernel CVEs in Trivy ignore list (#177)
  • suppress CVE-2026-43500 linux-libc-dev kernel CVE in Trivy ignore list (#178)
  • pin go-test-coverage to v2.18.3 for hadolint DL3062

CI

  • publish dev-docs container to GHCR (#27)
  • ci: publish dev-docs container and use it for docs CI

Add standalone publish-docs job to docker-publish.yml to build, scan, and push ghcr.io/wphillipmoore/dev-docs:latest alongside the language images.

Switch docs.yml to run inside the dev-docs container, removing the manual Python setup step and updating the action ref to @develop.

  • bump docker/login-action to v4 and attest-build-provenance to v4 for Node.js 24 (#114) Both actions now run on Node.js 24, resolving the deprecation warnings. Node.js 20 will be forced off June 2, 2026 and removed September 16, 2026.

  • bump Docker actions to Node.js 24-compatible versions (#133)

  • adopt standard-actions v1.5 reusable workflows and bump to 1.5.0 (#146) Replace bespoke ci-security.yml@v1.4 call with standardized workflow suite from standard-actions v1.5: add ci-quality.yml for common/lint checks, ci-release.yml for version-bump gate, and update ci-security.yml to v1.5 with proper boolean inputs. Keep bespoke hadolint and shellcheck jobs (require template generation and repo-specific file lists). Bump VERSION from 1.0.0 to 1.5.0.

  • remove redundant bespoke shellcheck job (#148)

Chores

  • suppress four new CVEs in trivyignore Add two Linux kernel CVEs (CVE-2025-71152, CVE-2026-23226) — false positives for containers which use the host kernel, not the kernel headers in the base image.

Add two minimatch CVEs (CVE-2026-27903, CVE-2026-27904) — transitive npm dependencies of markdownlint-cli@0.47.0, no fix available without an upstream release.

  • use .markdownlintignore for lint exclusions (#190) (#9) Add .markdownlintignore and change CI and docs from markdownlint '**/*.md' to markdownlint . so exclusions are respected automatically.

  • install standard-tooling plugin via marketplace (#12)

  • ban MEMORY.md usage in CLAUDE.md (#35) MEMORY.md files are project-scoped and cause inconsistent behavior across repos. All persistent instructions belong in version-controlled documentation.

Fixes wphillipmoore/standards-and-conventions#347

  • add trivy-out.json to .gitignore (#36)
  • vendor .githooks gate + .yamllint; clean stale CLAUDE.md refs (#53) (#54)
  • migrate standard-actions refs from @develop to @v1.3 (#70) Pins ci-security.yml and docs-deploy to the @v1.3 rolling minor tag.

  • remove add-to-project.yml workflow (#76) GitHub Projects are no longer used for issue tracking. The workflow auto-added issues to a project board on creation but frequently failed (missing PROJECT_TOKEN, project drift) adding noise without value.

  • upgrade standard-actions from @v1.3 to @v1.4 (#83) Ref wphillipmoore/standard-actions#245

  • bump ST_TOOLING_TAG from v1.3 to v1.4 (#85) standard-tooling v1.4.0 released with rolling tag v1.4. Updates both fragment files so all images install from v1.4. Closes #84.

  • bootstrap st-config.toml for cache-first docker workflow (#93)

  • strip pre-baked standard-tooling from all dev container images (#94) (#95)
  • seed standard-tooling.toml (#98)
  • strip config sections from repository-standards.md (#100) Remove AI co-authors, Repository profile, and Validation policy sections. These values now live in standard-tooling.toml and are read by the TOML-based config reader in standard-tooling v1.4.6.

  • remove legacy st-config.toml (#102)

  • add [workflows.post-merge] section listing docker-publish (#120) The pr-workflow skill checks this section to verify post-merge async workflows. Without it, docker-publish failures went undetected after merges to develop. Stopgap until a dedicated st-wait-for-post-merge tool replaces the agent-interpreted check. Ref #119

  • add memory management policy (#122)

  • chore: add memory management policy

  • remove standalone markdownlint CI job (standard-tooling#476) (#124)

  • update st-validate-local reference to st-validate (#159) st-validate-local was decommissioned in standard-tooling v1.4.22/v1.4.23 in favor of the Docker-first st-validate path. Update the edge case matrix in the issue #91 plan doc accordingly. Ref #154

  • fleet-wide config and workflow cleanup (#160)

  • chore(config): fleet-wide config and workflow cleanup

Remove stale linter configs (.yamllint, .markdownlint.yaml, .markdownlintignore) superseded by st-validate bundled configs. Add canonical issue templates from standard-tooling. Ref wphillipmoore/standard-tooling#626

  • shorten issue template header comments to fit yamllint line-length (#164) Remove the word canonical from the source-pointer header to bring both template files under the 80-character yamllint line-length limit. Ref wphillipmoore/standard-tooling#626

  • migrate to reusable publish/docs workflows (#167)

  • chore: migrate to reusable publish/docs workflows

  • add [ci] section to standard-tooling.toml (#174)

  • prepare release 1.0.0
  • merge main into release/1.0.0
  • prepare release 1.0.0

Documentation

  • add MkDocs/mike documentation site (#4) Add versioned documentation site following the standard-tooling-plugin pattern.

Files added:
  • VERSION (1.0.0)
  • docs/site/mkdocs.yml with Material theme and mike versioning
  • docs/site/docs/ pages: Home, Images, Architecture, Changelog, Release Notes
  • .github/workflows/docs.yml using standard-actions/docs-deploy
  • releases/.gitkeep for future release notes

  • document GHCR package access prerequisites for publishing (#6) Add GHCR publishing prerequisites to CLAUDE.md and README.md covering per-package write access grants, GITHUB_TOKEN permissions, and the user-namespace image URL model.

  • add GHCR publishing prerequisites to MkDocs site (#8) Expand the Architecture > Publishing section with image namespace model, authentication details, and per-package GHCR access grant instructions.

  • update documentation for templating system and current tooling inventory (#43) Architecture docs now describe the Dockerfile.template + generate.sh + @include fragment system. Images docs reflect the full common layer (gh, shfmt, actionlint, git-cliff, standard-tooling). README updated with build system section and current common tooling list. Validation command updated to run generate.sh before hadolint. Fixes #31.

  • add cliff config + regenerate CHANGELOG; sanity-check docs accuracy (#58) Adds the changelog/release-notes automation that the rest of the standard-tooling ecosystem uses (verbatim copies of cliff.toml and cliff-release-notes.toml from standard-tooling), regenerates CHANGELOG.md from conventional-commit history, and corrects three factual drift items in the docs:

  • architecture: docs/Dockerfile.template → base/Dockerfile.template (renamed in #44); added python-support fragment to the common-layer description; expanded standard-tooling fragment description to cover the rolling-minor pin and release-dispatch rebuild.

  • images: standard-tooling row showed develop, now v1.3; added missing Go tools (goimports, go-test-coverage); cargo-deny 0.18.2 → 0.19.0.

Skipping releases/v*.md until v1.0.0 is actually tagged — the docs-deploy action handles the empty case by writing "No releases yet." to the staged releases/index.md.

  • remove include directives and downgrade standards-and-conventions refs (#87)
  • add versioned image tags spec and pushback review (#88) Design spec for issue #60: three-tier versioned image tags, branch-aware publishing, release coordination model, and fleet migration plan. Includes paad:pushback review with all resolutions.

  • comprehensive documentation review for consistency (#90) Fixes documentation drift after recent PRs (#73-#88). Changes: CLAUDE.md updated image layout to show templates and generate.sh, corrected Node.js install method (NodeSource not multi-stage), expanded common layer tool list (jq, shfmt, actionlint, git-cliff, gh, standard-tooling), added dev-base to GHCR package list, added generate.sh to validation commands. ci.yml bumped markdownlint-cli from 0.41.0 to 0.47.0 and expanded lint scope from README.md to all markdown. repository-standards.md corrected ShellCheck scope. CHANGELOG.md regenerated via git-cliff to include all recent work. Added docs/specs/ and paad/ to .markdownlintignore (design docs with wide tables).

  • add implementation plan and review docs for host-only tool guardrails (#96)

  • docs(guardrails): add implementation plan and review docs for host-only tool guardrails

  • add multi-arch design spec, implementation plan, and review reports (#126) Add design spec for publishing multi-arch (amd64 + arm64) dev container images. Includes pushback review (6 issues found and resolved) and alignment check (spec and plan verified consistent). Key design changes from pushback: QEMU setup step, dual-platform Trivy scans, attestation before promotion, semgrep arm64 prerequisite validation.

  • fix hadolint arch labels and add revised alignment review (#130) Correct hadolint architecture labels to canonical lowercase naming (linux-x86_64, linux-arm64) as verified against the GitHub Releases API. Add revised implementation plan (2026-05-04) and alignment review confirming plan-spec alignment. Part of #111.

  • update documentation to reflect current image contents and multi-arch publishing (#138) Remove references to standard-tooling being baked into images (stripped in 2d08ed8). Add hadolint, uv, and yamllint to common layer documentation. Document multi-arch (amd64 + arm64) publishing pipeline including candidate tag staging, dual-platform Trivy scanning, and SLSA attestation. Update architecture page fragment tree to match current state. Fix CI gates section to reflect consolidated security-and-standards workflow.

  • replace stale repository-standards.md references with standard-tooling.toml (#168)

  • review and update repository documentation (#169)
  • docs(images): add license_finder to Ruby image documentation

Features

  • initial repository with Docker dev container images Migrate Docker dev container images from standard-tooling into this dedicated repository. Includes Dockerfiles for Python, Java, Go, Ruby, and Rust, plus build script, GHCR publish workflow, CI workflow, and standard ecosystem documentation files.

Adds Rust images (1.92, 1.93) to the CI publish matrix and removes the paths filter from docker-publish.yml since the entire repo is Docker content.

  • add cross-language validation tools to all dev containers (#15)
  • feat: add shfmt, actionlint, taplo, and yamllint to all dev containers (#14)

Add cross-language validation tools to all 5 Dockerfiles (python, ruby, go, java, rust) to support PostToolUse hooks that validate files immediately on Write/Edit. Also adds goimports to the Go container.

  • add go-test-coverage to Go dev image (#17) Required for container-first validation where coverage threshold enforcement runs inside the dev container via scripts/dev/test.sh.

  • update cargo-deny to 0.19.0 for CVSS 4.0 support (#24)

  • add dev-docs image for containerised MkDocs preview (#26) Adds a dedicated dev-docs Docker image (python:3.14-slim + mkdocs-material + mike + uv) so documentation preview and build runs inside a container, closing the last gap in the docker-first tooling strategy.

Resolves vergil-docker#10

  • install standard-tooling in all dev container images (#29)
  • feat: install standard-tooling in all dev container images

Clone standard-tooling into /opt/standard-tooling and install it in an isolated venv using uv sync. All st-* entry points are now available on PATH in every dev container.

Non-Python images (java, rust, go, ruby) use uv python install 3.14 to get a controlled Python rather than depending on system python3. Dev deps are excluded with --no-group dev to keep images lean.

  • add Node.js and markdownlint-cli to dev-docs image (#32)
  • feat: add Node.js and markdownlint-cli to dev-docs image

The standards-compliance action now runs inside the dev-docs container and requires markdownlint on PATH. Add Node.js (multi-stage copy from node-donor, matching the language images) and markdownlint-cli@0.47.0.

  • install gh CLI in all dev container images (#33) Add gh CLI v2.67.0 to all six Dockerfiles so st-submit-pr can create pull requests from inside containers. The docs image also gains curl as an apt dependency (already present in the other images).

Ref wphillipmoore/mq-rest-admin-common#222

  • modernize tool installation and remove taplo from dev containers (#38)
  • feat: refactor dev containers to use dev-python:3.14 as base image

  • Install standard-tooling into system Python (no venv) to avoid .venv corruption when volume-mounting workspaces

  • Use dev-python:3.14 as BASE_IMAGE for go, rust, ruby, java, and docs images, eliminating duplicated tool installations
  • Replace Node.js multi-stage COPY with NodeSource apt repo
  • Replace gh CLI binary download with official apt repo
  • Install shellcheck and shfmt via apt instead of binary downloads
  • Install uv via pip instead of Docker image COPY
  • Remove taplo from all images
  • Add build-essential to rust image for cargo compilation
  • Update build.sh to build Python 3.14 first, then pass as BASE_IMAGE
  • Split docker-publish.yml into phased builds: Python 3.14 first, then all other images in parallel

  • replace Dockerfiles with templated fragments and add git-cliff (#41)

  • feat: replace Dockerfiles with templated fragments and add git-cliff

Extract common Dockerfile blocks into docker/common/ fragments. Each language image now has a Dockerfile.template with @include markers. build.sh generates final Dockerfiles at build time. Adds git-cliff to validation-tools fragment.

  • add openssh-client to all container images (#46)
  • feat: add openssh-client to all container images

Install openssh-client in every Dockerfile template so git can perform SSH remote operations (push, fetch) inside containers.

  • adopt git worktree convention for parallel AI agent development (#49) Applies Phase 3 of the worktree-convention rollout from wphillipmoore/standard-tooling#258.

Adds .worktrees/ to .gitignore and a Parallel AI agent development section to CLAUDE.md describing the structure, rules, and canonical Agent prompt contract. Links to the canonical spec in standard-tooling.

  • pin standard-tooling to rolling minor tag; rebuild on release (#51) (#52)
  • prune dangling images and stale build cache after local build (#74) Prevents local Docker disk bloat by cleaning up after docker/build.sh completes. Only removes dangling (untagged) images and build cache older than 30 days — tagged images and volumes are never touched. Closes #66.

  • add jq to all dev container images (#78) The docs-deploy composite action requires jq for version-command parsing. Adding it to the common system package set across all six image templates. Closes #77.

  • add ~/.local/bin to default PATH in all dev container images (#103) (#104)

  • bake pyyaml, semgrep, and hadolint into dev container images (#109)
  • feat(images): bake pyyaml, semgrep, and hadolint into dev container images

Add pyyaml to the MkDocs pip install block in dev-base, making the direct dependency explicit for docs-deploy nav-patching.

Add semgrep via uv tool install in dev-base so the security/semgrep action can use it without runtime installation.

Add hadolint v2.14.0 to the common validation-tools fragment so all images include it for local Dockerfile linting.

  • publish multi-arch (amd64 + arm64) dev container images (#131)
  • feat(images): parameterize binary tool downloads by TARGETARCH

Rewrite validation-tools.dockerfile to use a case block that maps Docker buildx's TARGETARCH (amd64/arm64) to each tool's release artifact naming convention. All 5 binary tools (shellcheck, shfmt, actionlint, git-cliff, hadolint) are consolidated into a single RUN layer. Part of #111.
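The mapping a consolidated RUN layer of that kind has to get right is TARGETARCH to each tool's own architecture token, and the safe failure mode is to refuse unknown combinations rather than fetch something else. The shell below is an added example, not the project's validation-tools.dockerfile fragment: the per-tool asset naming patterns are assumptions taken from the upstream release pages and should be re-checked whenever a version is bumped (the hadolint lowercase linux-x86_64 / linux-arm64 form is the one #130 verified). The SHA-256 check is an addition a practitioner would want in front of any binary download; the digests would be pinned ARG values in the Dockerfile and are not on this page.

```shell
#!/bin/sh
# Added example, not the project's validation-tools.dockerfile: the
# TARGETARCH-to-release-asset mapping, written as plain shell so it can be
# exercised outside a build. Naming patterns are assumptions; verify upstream.
set -eu

# Map buildx's TARGETARCH (amd64|arm64) to the architecture token each tool's
# release asset uses. Unknown combinations fail loudly instead of producing a
# URL that 404s or, worse, quietly fetching the wrong binary.
arch_token() {   # $1 = tool, $2 = TARGETARCH
  case "$1/$2" in
    shellcheck/amd64)              echo x86_64 ;;
    shellcheck/arm64)              echo aarch64 ;;
    shfmt/amd64|actionlint/amd64)  echo amd64 ;;
    shfmt/arm64|actionlint/arm64)  echo arm64 ;;
    git-cliff/amd64)               echo x86_64-unknown-linux-gnu ;;
    git-cliff/arm64)               echo aarch64-unknown-linux-gnu ;;
    hadolint/amd64)                echo x86_64 ;;
    hadolint/arm64)                echo arm64 ;;
    *) echo "unsupported tool/arch: $1/$2" >&2; return 1 ;;
  esac
}

# Compose the release asset file name for a tool, version (no leading v) and
# TARGETARCH. Each tool follows its own convention, which is the whole reason
# the case block exists.
asset_name() {   # $1 = tool, $2 = version, $3 = TARGETARCH
  tok=$(arch_token "$1" "$3") || return 1
  case "$1" in
    shellcheck) echo "shellcheck-v$2.linux.$tok.tar.xz" ;;
    shfmt)      echo "shfmt_v$2_linux_$tok" ;;
    actionlint) echo "actionlint_$2_linux_$tok.tar.gz" ;;
    git-cliff)  echo "git-cliff-$2-$tok.tar.gz" ;;
    hadolint)   echo "hadolint-linux-$tok" ;;
  esac
}

# Verify a downloaded asset against an expected SHA-256 before installing it.
# Expected digests come from the tool's release checksums file and would be
# pinned per tool and architecture in the Dockerfile (placeholders here).
verify_sha256() {   # $1 = file, $2 = expected hex digest
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ] || { echo "checksum mismatch for $1" >&2; return 1; }
}

# Example use inside a RUN layer (TARGETARCH is set by buildx):
#   curl -fsSLo hadolint "$BASE_URL/$(asset_name hadolint 2.14.0 "$TARGETARCH")"
#   verify_sha256 hadolint "$HADOLINT_SHA256" && install -m 0755 hadolint /usr/local/bin/
```

Because asset_name fails for an unmapped architecture, a build for a platform nobody has added to the table stops at the download step with a clear message, rather than at runtime with an "exec format error".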

  • add license_finder to dev-ruby image (#156)
  • adopt CI/CD workflow convention (#383) (#172)
  • add reusable docker-publish workflow with dev/prod naming and nightly rebuilds (#175)
  • docs(design): add design spec for release workflow, image naming, and nightly rebuilds

Refactoring

  • rename dev-docs to dev-base with full common tooling (#44) Rename the dev-docs image to dev-base to reflect its role as the base layer with all common tooling. The Dockerfile.template now includes validation-tools, yamllint, and uv fragments that were previously only in language-specific images.

Update docker-publish.yml, build.sh, generate.sh, docs, and README to reference dev-base throughout.

Styling

  • fix table alignment and code fence language for markdownlint (#5)
  • style: fix table alignment and code fence language for markdownlint