Release 2.0.28 (2026-05-21)¶
Bug fixes¶
- remove repository-type gate from vrg-release preflight
- chdir into cloned repo so git commands in later wizard steps find .git
- route wait_for_checks and watch_workflow through GitHub retry wrapper
- emit run-codeql: false for languages CodeQL does not support
- emit container-suffix and container-tag for audit and test CI jobs
- include Table of Contents section in generated README
-
add container-suffix to audit and test workflow calls The audit and test jobs omitted container-suffix, relying on the reusable workflow fallback to inputs.language. That fallback is being changed to 'base' (vergil-actions#534), so callers must pass the suffix explicitly. Ref #961
-
rationalize publish config and confirm-publish phase Remove the docs_workflow config field from PublishConfig — all repos use the same standardized CD workflow (cd.yml) so the field was unnecessary (and defaulted to "Documentation" which never existed). Rewrite the confirm-publish phase to watch a single CD workflow run instead of two separate workflows (publish.yml and Documentation). Gate release artifact verification on the publish.release boolean and add a publish.docs guard so setting docs=false actually skips the docs confirmation. Update vrg-finalize-repo to check the CD workflow instead of the non-existent Documentation workflow. Replace the per-workflow context fields (publish_run_id/url, docs_run_id/url) with a unified cd_run_id/cd_run_url pair. Update the release summary and orchestrator phase details accordingly. Ref #963
-
emit release job in render_cd_workflow when publish_release is true
-
fix validation issues from identity refactor Address lint, typecheck, coverage, and formatting issues from the single-account identity changes. Update vrg-scorecard to use get_installation_token instead of deleted _human_token. Remove dead token-injection block from compound-command path in vrg-git.
-
restore sys import dropped during rebase
- skip CI jobs not required by CI gates ruleset render_ci_workflow() unconditionally emitted audit and test jobs for all languages. Languages without command registry entries (shell, claude-plugin, none) ran these jobs even though the CI gates ruleset never required them — wasting compute and misleading maintainers.
Now consults the same language_commands() registry that desired_ci_gates_ruleset() uses: audit and test jobs are only emitted when the language has the corresponding check commands (or when integration tests are enabled for the test job).
- sync stale VERSION file with pyproject.toml and restore 100% coverage
Chores¶
- bump version to 2.0.28
-
organize plans into lifecycle subdirectories Move 16 completed plans to completed/, 7 VM/identity plans to in-progress/. Update cross-references between in-progress plans. Remove .gitkeep from in-progress/ (now has real files).
-
enumerate VM plan numbers (p1-p6) in filenames Add plan sequence numbers to VM plan filenames for easier ordering. Update cross-reference in single-account-identity plan.
-
use vrg-github-repo-init for vergil-vm bootstrap Replace the 9-step manual prerequisite sequence with the interactive vrg-github-repo-init wizard. Update file map, Task 1, and Task 5 to account for init-generated files (.gitignore extended, ci.yml replaced).
-
remove bespoke CI task from vergil-vm plan The standard CI generated by vrg-github-repo-init already runs vrg-validate, which includes shellcheck and yamllint as common checks for shell-language repos. No custom CI workflow is needed. Delete Task 5, clean up references, renumber Task 6 to Task 5.
-
correct vergil-vm plan: docs=yes, dep=v2.0, bootstrap PR workflow
Documentation¶
-
agent identity design: GitHub Apps + VM isolation Retire multi-account identity model. Per-contributor GitHub Apps replace shadow-banned user accounts as the agent identity mechanism. Fine-grained PATs remain as a simpler fallback. Design covers merge control via branch protection, App-based token exchange in vrg-gh, SSH key elimination, and two-tier credential model.
-
update VM plans and specs for GitHub App credential model Replace SSH key references with App credential provisioning across all six VM plans and the isolation spec. Drop SSH key injection, SSH config, known_hosts setup. Git authenticates via HTTPS with App installation tokens. Set ssh.forwardAgent to false in Lima templates.
-
implementation plan for vergil-tooling identity changes Covers App token exchange (openssl JWT), vrg-gh simplification, vrg-git HTTPS injection, co-author env var, and github.py cleanup. Zero new dependencies.
-
reconcile VM plans with single-account identity design Update Plan 5 to remove superseded Tasks 3-4 (wrapper simplification now in #933). Align Plan 2 identities.toml schema with Plan 3 App credential fields. Fix Plan 5 scope in decomposition tables across Plans 1-6. Add #933 supersession note to identity VM isolation spec.
-
canonical VERSION file design for issue #970 Establishes the VERSION file at repo root as the universal, canonical version source for all vergil-managed repositories, with sync enforcement against language-specific version files.
-
apply pushback findings to canonical VERSION file design
- implementation plan for canonical VERSION file (#970)
Features¶
- add structured phase logging, --verbose flag, and subprocess output capture
-
GitHub App installation token exchange Add _load_app_config, _generate_jwt, and get_installation_token. Uses openssl for RS256 JWT signing — no new dependencies.
-
HTTPS token injection for remote git operations push/pull/fetch/ls-remote inject App installation token via http.extraHeader when available. Local operations are unaffected.
-
add unrecognized-key warnings to vergil.toml parser
- show reads from canonical VERSION file with language cross-check
- bump writes both VERSION and language-specific file
- add version prompt and VERSION file to init wizard
Refactoring¶
- extract shared retry module and wire into vrg-gh
-
remove credential selection from vrg-gh Replace _get_token/account discovery with github.get_installation_token. Wrapper is now pure workflow enforcement with optional App token injection.
-
replace account-based co-author with VRG_CO_AUTHOR env var Co-author identity now comes from the AI harness via env var. Remove --agent flag and resolve_co_author_trailer dependency.
-
delete multi-account credential functions Remove _discover_accounts, resolve_co_author_trailer, _human_token. Rewrite _gh_env to use get_installation_token.
Styling¶
- apply ruff formatting to version module