Skip to content

Release 2.1.12 (2026-06-06)

Bug fixes

  • grant actions: read to the security job (#1473) ci-security.yml@v2.1.3 requests actions: read from its caller (codeql-action/upload-sarif needs it on private repositories). GitHub validates the request against the calling job's permissions at startup, so the security job must grant it before v2.1 is re-promoted to v2.1.3. The grant is backward-compatible with v2.1.2.

  • stream vrg-finalize-pr output through the progress session (#1471)

  • fix(release): stream vrg-finalize-pr output through the progress session

The close-finalize stage ran vrg-finalize-pr --cleanup-only with inherited stdout, a design that predates the progress framework. Under the RichRenderer, every raw line the child writes to the TTY advances the cursor beneath the rich.Live display, stranding stale copies of the completed-stage list on screen (the staircase of duplicated stage lines observed in the vergil-actions 2.1.3 release). The raw output also bypassed the run log entirely.

Route the child through progress.run so its output streams into the live display's rolling window and the run log. progress.run gains a stdin passthrough so the call site can keep the subprocess.DEVNULL guarantee from issue #1448 (the child can never block on a terminal read). Failure handling is preserved: CalledProcessError carries the captured stderr into ReleaseError.detail.