v1.7.0

1.7.0 (2026-06-18)

Features

• deps: update dependency wrangler ( 4.95.0 ➔ 4.97.0 ) [automerge] (#158) (3d14dd6)
• deps: update dependency wrangler ( 4.97.0 ➔ 4.98.0 ) [automerge] (#162) (c04ee2c)
• deps: update dependency wrangler ( 4.98.0 ➔ 4.100.0 ) [automerge] (#174) (416eecb)
• renovate: add digest-pinned container image custom manager (#172) (aa43930)
• renovate: branch-automerge dotfiles devcontainer digest updates without tests (#161) (5657813)
• renovate: merge dotfiles devcontainer digests anytime and fix dprint failure (#164) (a0618e2)

Bug Fixes

• github-release: update mise ( v2026.5.11 ➔ v2026.5.14 ) [automerge] (#153) (56550d3)
• github-release: update mise ( v2026.5.14 ➔ v2026.5.15 ) [automerge] (#159) (334758a)
• github-release: update mise ( v2026.5.15 ➔ v2026.5.16 ) [automerge] (#167) (7b793ad)
• make go-lint version optional since we don't always lint go (61a23c2)
• mise: update tool lefthook ( 2.1.6 ➔ 2.1.8 ) [automerge] (#154) (947b145)
• mise: update tool lefthook ( 2.1.8 ➔ 2.1.9 ) [automerge] (#169) (566ce48)
• mise: update tool pipx:checkov ( 3.2.529 ➔ 3.2.530 ) [automerge] (#168) (11841c5)
• prevent shellcheck/shfmt failure when no shell scripts exist (42655d5)
• renovate: add minimumReleaseAge 0 to autoMerge configuration (40ac871)
• renovate: expand CODEOWNERS bot-bump exceptions to cover manifests (df89220)
• renovate: strip leading v from mise node version pins (#176) (ec1a62a)
• temp update base.json5 to allow unsafe executions (652fcb3)

v1.6.1

1.6.1 (2026-06-01)

Bug Fixes

• workflows: restore persisted creds on caller checkout for open-pr (#147) (2ffca5f)

v1.6.0

1.6.0 (2026-06-01)

Features

• config sync nested codeowners (#146) (f296be4)
• config-sync: support nested paths and centrally manage CODEOWNERS (#144) (4683261)

v1.5.0

1.5.0 (2026-06-01)

Features

• deps: Update dependency wrangler ( 3.114.17 ➔ 4.92.0 ) (#132) (459b7b5)
• deps: update dependency wrangler ( 4.92.0 ➔ 4.95.0 ) (#135) (92f7b7a)
• mise: update tool zizmor ( 1.24.1 ➔ 1.25.0 ) (#122) (89b97e8)
• pages: support Cloudflare production deploys (a8f6fb5)
• renovate: append [automerge] suffix to auto-merge PR titles (#129) (c23a538)
• renovate: auto-merge non-major updates after soak and enforce custom-manager governance (20c696b)
• renovate: prevent lockfile refreshes not working due to minimum release age (70e9026)

Bug Fixes

• ci: disable setup-node caching by default in Pages workflow (#139) (40674e1)
• ci: scope release-please App token to least privilege (#137) (f992e18)
• github-release: update release golangci/golangci-lint ( v2.12.1 ➔ v2.12.2 ) (#110) (7af578a)
• github-release: update release jdx/mise ( v2026.5.0 ➔ v2026.5.2 ) (#112) (429d8e2)
• github-release: update release jdx/mise ( v2026.5.10 ➔ v2026.5.11 ) [automerge] (#143) (b184c9d)
• github-release: update release jdx/mise ( v2026.5.2 ➔ v2026.5.3 ) (#114) (21453b2)
• github-release: update release jdx/mise ( v2026.5.3 ➔ v2026.5.4 ) (#115) (8e503a5)
• github-release: update release jdx/mise ( v2026.5.4 ➔ v2026.5.5 ) (#116) (d4a7feb)
• github-release: update release jdx/mise ( v2026.5.5 ➔ v2026.5.9 ) (#119) (ef9510d)
• github-release: update release jdx/mise ( v2026.5.9 ➔ v2026.5.10 ) [automerge] (#134) (7900749)
• mise: update tool pipx:checkov ( 3.2.526 ➔ 3.2.527 ) (#113) (276901b)
• mise: update tool pipx:checkov ( 3.2.527 ➔ 3.2.528 ) (#117) (644da14)
• mise: update tool pipx:checkov ( 3.2.528 ➔ 3.2.529 ) (#120) (1fe6ea3)
• mise: update tool zizmor ( 1.25.0 ➔ 1.25.2 ) [automerge] (#127) (f786192)
• move automerge label closer to the automerge setting (9d9d9d5)
• pages: require Cloudflare credentials for production (827f771)
• renovate: automerge github action pin prs (897927e)
• renovate: expand custom-managed dependencies to full version (#141) (1c0531e)
• renovate: support non-github-releases datasources in workflow custom manager (#131) (82e0381)
• Update wrangler version to 4.92.0 (bf64a09)

Reverts

• renovate: reverse ineffective custom.regex pin rule from #141 (#142) (40aa05b)

v1.4.0

1.4.0 (2026-05-18)

Features

• ci: add Go linting to reusable lint workflow (#100) (52ead33)
• github-release: update release golangci/golangci-lint ( v2.11.4 ➔ v2.12.0 ) (#104) (6af6652)
• github-release: update release jdx/mise ( v2026.4.28 ➔ v2026.5.0 ) (#106) (b369ce2)
• mise: update tool git-cliff ( 2.12.0 ➔ 2.13.1 ) (#93) (425478e)
• renovate: Add auto-merge label for DevSecNinja devcontainer digest updates (ce1beeb)
• renovate: auto-merge DevSecNinja devcontainer digest updates (#96) (a99ea13)
• renovate: don't assign code owners as reviewers (094aefe)
• renovate: skip release-age delay for DevSecNinja packages (#90) (5d465c7)

Bug Fixes

• github-release: update release golangci/golangci-lint ( v2.12.0 ➔ v2.12.1 ) (#105) (e3a3962)
• github-release: update release jdx/mise ( v2026.4.17 ➔ v2026.4.18 ) (#79) (24aae60)
• github-release: update release jdx/mise ( v2026.4.18 ➔ v2026.4.20 ) (#86) (82dce5e)
• github-release: update release jdx/mise ( v2026.4.20 ➔ v2026.4.22 ) (#92) (e63517c)
• github-release: update release jdx/mise ( v2026.4.22 ➔ v2026.4.28 ) (#102) (e0f2d98)
• lint: exclude generated release notes from dprint (#77) (24015c4)
• mise: update tool pipx:checkov ( 3.2.522 ➔ 3.2.524 ) (#87) (a9feb95)
• mise: update tool pipx:checkov ( 3.2.524 ➔ 3.2.525 ) (#94) (839a1c8)
• mise: update tool pipx:checkov ( 3.2.525 ➔ 3.2.526 ) (#103) (e6bee2a)
• renovate: apply wait time to all dependency updates (#98) (17f0e3d)
• renovate: centralize devcontainer lookup rules (8ea6360)
• renovate: scope devcontainer feature suppression (c73ec21)

v1.3.0

1.3.0 (2026-05-03)

⚠ BREAKING CHANGES

• mise: Update tool cocogitto ( 6.4.0 ➔ 7.0.0 ) (#43)

Features

• lint: add self lint and auto-fix callers with shared config support (#66) (02a3e49)
• mise: Update tool cocogitto ( 6.4.0 ➔ 7.0.0 ) (#43) (b6a0cad)
• mise: update tool git-cliff ( 2.8.0 ➔ 2.12.0 ) (#38) (085b778)
• mise: update tool trivy ( 0.69.3 ➔ 0.70.0 ) (#48) (81a5c41)

Bug Fixes

• github-release: update release jdx/mise ( v2026.4.9 ➔ v2026.4.17 ) (#28) (1937cb6)
• mise: update tool lefthook ( 2.1.4 ➔ 2.1.6 ) (#21) (ae88aec)
• mise: update tool pipx:checkov ( 3.2.521 ➔ 3.2.522 ) (#73) (2b1bf6c)
• notify-irm: remove ${{ }} templates from description blocks (#53) (b250963)
• renovate: pin Renovate version ranges by default (#70) (1cf2a9c)
• update title in bug_report.md (a3db2f9)
• update title in feature_request.md (acdef53)
• workflows: exclude Renovate issues from codeowner assignment (2ad05e7)

Miscellaneous Chores

• release 1.2.0 (7c98ece)
• release 1.3.0 (2e2c691)

v1.2.0

1.2.0 (2026-05-01)

Features

• actions: add notify-irm composite action (#51) (a877d35)
• labels: rename automerge to merge: auto and add release-please labels (#45) (fa92001)
• mise: update tool zizmor ( 1.23.1 ➔ 1.24.1 ) (9e3203f)
• mise: update tool zizmor ( 1.23.1 ➔ 1.24.1 ) (#39) (e3291b1)
• open-pr: add composite action to open or update PRs from working tree (#49) (6764c0f)
• renovate: add merge: manual label rules (#46) (f447e9e)

v1.1.0

1.1.0 (2026-05-01)

Features

• add custom manager for Ansible inventory YAML files (46eb1be)
• add host rules and registry aliases for dhi.io (641aa02)
• add labels and vulnerability alerts to Renovate configuration (b9273f0)
• config-sync: ensure label exists before opening a PR (1cc371b)
• labeler: add issue labeling via github/issue-labeler (794bec0)
• lint: add auto-fix mode reusable workflow and template (f163ca1)
• lint: add shellcheck/shfmt exclude inputs (17aa697)
• lint: add shellcheck/shfmt exclude inputs to reusable lint workflow (0c4551a)
• mise: update tool dprint ( 0.53.2 ➔ 0.54.0 ) (963e1d1)
• release-please: wire GitHub App token + onboarding doc (217074e)
• release-please: wire GitHub App token + onboarding doc (e29c6a9)
• release: add release-please reusable workflow (4890fa8)
• release: add release-please reusable workflow (7ed381a)
• release: add release-publish composite action (ee0804b)
• release: add release-publish composite action (1f5bcf2)
• release: onboard .github repo to release-please (7d8ca17)
• release: onboard .github repo to release-please (0e0be6d)
• renovate: add custom manager for dotfiles log.sh release pin (aab92ba)
• renovate: expand auto-merge to all minor/patch updates (78be78d)
• todo-to-issue: add auto_assign and label inputs, fix todo-to-issue label (f830665)
• update Renovate configuration to extend best practices and remove deprecated settings (632d58e)
• workflow-templates: pin all template refs to v1.0.0 and add changelog category (8b63cf9)

Bug Fixes

• checkov: filter skipped checks from SARIF before upload (36b12c2)
• config-sync: replace stash with force-checkout and restore from tmp (26b001e)
• config-sync: stash untracked files before branch checkout and auto-create label (b9b199e)
• github-release: update release jdx/mise ( v2026.4.5 ➔ v2026.4.9 ) (bb51292)
• mise: update tool pipx:checkov ( 3.2.513 ➔ 3.2.521 ) (48fd48b)
• mise: update tool shfmt ( 3.13.0 ➔ 3.13.1 ) (f268d08)
• renovate: auto-merge github-actions pinDigest updates (5979dc3)
• workflow-templates: update event types format in assign-issue-to-codeowners.yml (edb5985)
• workflows: quote IDENTIFIERS expression in todo-to-issue workflow (27869fe)