Skip to content

Release 2.0.70 (2026-05-29)

Bug fixes

  • filter tracking issue search by exact title match GitHub search tokenizes on punctuation, so 'release: 2.0.9 in:title' matches any issue containing both tokens independently. This caused false positives when non-tracking issues like 'chore(release): bump version to 2.0.9' existed.

Switch from read_output with jq to read_json, fetch both url and title, and filter client-side for the exact title format 'release: '.

  • retry transient UNKNOWN mergeable state GitHub's API occasionally returns UNKNOWN for the PR mergeable state even after all checks pass. Instead of failing immediately, retry up to 3 times with a 5-second delay — the state typically resolves within one poll cycle.

  • skip bypass_actors audit with GitHub App credentials GitHub App tokens cannot see ruleset bypass_actors — the API returns an empty list regardless of actual configuration. Detect App mode and skip bypass_actors comparison to avoid false non-compliance reports.

  • symlink VM ~/.claude subdirs to path-preserved host mounts (#1296) The .claude/{projects,sessions,skills} mounts are path-preserved (mountPoint == host location), but the VM's HOME differs from the host's, so Claude inside the VM read its own VM-local ~/.claude/... instead of the mounted host path. Session history was therefore lost on every rebuild and never shared with the host.

Add link_claude_dirs() to point the VM's ~/.claude subdirs at the mounted host paths via symlinks, created inside the VM where $HOME resolves correctly. Idempotent; a non-empty real directory is left in place with a warning. Wired into the create, start, rebuild, and session flows alongside copy_claude_config.

Documentation

  • add AI contribution compliance review Map CPython's AI contribution guidelines to Vergil's enforcement mechanisms across seven principles. Identifies two areas for follow-up: explainability attestation (P3) and test integrity guardrails against assertion weakening (P6).

  • fix P4 evidence to match actual vrg-commit mechanism The co-author trailer comes from VRG_CO_AUTHOR env var, not a --agent flag. Corrected the compliance matrix evidence for P4.

  • agent permission model and identity architecture design spec

  • incorporate pushback review findings into design spec Adds three-layer security model (soft gates, hard gates, auditing), AI compliance cross-reference, migration strategy, identity-aware enforcement, push failure handling, shared filesystem documentation, and provisional flagging of audit identity.

  • add implementation plan for agent permission model (Track A tooling changes)

  • apply alignment resolutions to spec and plan

Features

  • add --allow-empty flag to vrg-commit
  • add --base flag to override auto-detected target branch When a branch tracks a different upstream than the intended PR target (e.g. release/post-* branches created from origin/main that need to PR into develop), the auto-detected target branch is wrong. The --base flag lets the caller specify the correct target explicitly.

  • print CD workflow run URL before watching Prints the GitHub Actions run URL immediately after the CD workflow run is found, before watch_workflow blocks. This lets the operator click through to follow long-running workflows (e.g. Docker image builds) in real time instead of staring at a silent terminal.

  • add --skip-audit flag to bypass repo config audit in preflight When the repo config audit cannot be fixed immediately, the operator can re-run vrg-release with --skip-audit to proceed without running vrg-github-repo-config audit during preflight.

The flag is explicit and opt-in — default behavior (run audit, abort on failure) is preserved.