Releases: j7an/shared-workflows

v4.1.0

28 Jun 22:02
5997f20

What's Changed

  • deps: bump actions/checkout from 6.0.3 to 7.0.0 by @dependabot[bot] in #87
  • feat(safety): add reusable non-bot dependency gate by @j7an in #92
  • feat(security): add reusable security scan workflow by @j7an in #93
  • feat: add reusable pre-commit autoupdate workflow by @j7an in #94
  • Add caller-owned PyPI Trusted Publishing template by @j7an in #95
  • docs: make AGENTS.md canonical by @j7an in #96

Full Changelog: v4.0...v4.1.0

v4.0.0

12 Jun 01:24
dd7254c

What's Changed

  • deps: bump actions/checkout from 6.0.2 to 6.0.3 by @dependabot[bot] in #83
  • deps: bump astral-sh/setup-uv from 8.1.0 to 8.2.0 by @dependabot[bot] in #84
  • feat(safety)!: opt-in release-age policy and default-on auto-merge (#85) by @j7an in #86

Full Changelog: v3...v4.0.0

v3.0.2

06 Jun 17:14
29bcd57

What's Changed

  • deps: bump step-security/harden-runner from 2.19.3 to 2.19.4 by @dependabot[bot] in #70
  • fix: clear Zizmor 1.25 findings (github-app + online-audit 401) by @j7an in #78
  • deps: bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6 by @dependabot[bot] in #64
  • fix(safety): explicit fork-PR behavior for read-only tokens (#79) by @j7an in #80
  • chore: reliable workflow linting via lint-workflows.sh (#81) by @j7an in #82

Full Changelog: v3.0.1...v3.0.2

v3.0.1

28 May 07:28
522610f

What's Changed

  • fix(safety): make dependency-safety/gate status clickable via env vars by @j7an in #77

Full Changelog: v3.0.0...v3.0.1

v3.0.0

24 May 15:40
a8655fe

Breaking changes

The legacy workflow paths
j7an/shared-workflows/.github/workflows/dependency-cooldown.yml and
.../cooldown-rescan.yml are absent from v3. Consumers still on
those paths should remain on frozen @v2 (last cooldown-bearing release,
no further updates) or migrate their callers to dependency-safety.yml
before moving to @v3. To migrate from v2 to v3:

  1. Add native cooldown to .github/dependabot.yml:
    cooldown:
      default-days: 5
  2. Update caller uses: line:
    - uses: j7an/shared-workflows/.github/workflows/dependency-cooldown.yml@v2
    + uses: j7an/shared-workflows/.github/workflows/dependency-safety.yml@v3
  3. Rename input cooldown_days → minimum_release_age_days.
  4. Drop fail_on_cooldown; use fail_on_age_violation instead.
  5. Remove any caller using cooldown-rescan.yml — no rescan companion.
  6. Update branch protection: rename required status dependency-cooldown / gate → dependency-safety / gate.
  7. Remove stale cooldown-pending labels manually.

See README "v2 → v3 migration" for full details.


What's Changed

  • fix(safety): add pyproject.toml parser support for uv/poetry Dependabot PRs by @j7an in #67
  • chore!: remove deprecated cooldown workflows (v2 → v3) by @j7an in #69

Full Changelog: v2...v3.0.0

v2.6.0

23 May 16:20
704d0b5

What's Changed

  • docs: add agent instructions (AGENTS.md + .claude/CLAUDE.md) by @j7an in #57
  • deps: bump actions/create-github-app-token from 3.1.1 to 3.2.0 by @dependabot[bot] in #58
  • feat(safety): add dependency-safety workflow with native-cooldown verification by @j7an in #61
  • deps: bump step-security/harden-runner from 2.19.1 to 2.19.3 by @dependabot[bot] in #63
  • fix(safety): trigger guard on partial extraction by @j7an in #65

Full Changelog: v2.5...v2.6.0

v2.5.3

16 May 04:31
f599424

What's Changed

  • deps: bump step-security/harden-runner from 2.16.0 to 2.19.0 by @dependabot[bot] in #54
  • deps: bump step-security/harden-runner from 2.19.0 to 2.19.1 by @dependabot[bot] in #55
  • fix(tag-release): use Git Data API so commits and tags auto-sign by @j7an in #56

Full Changelog: v2.5.2...v2.5.3

v2.5.2

21 Apr 14:24
365119e

What's Changed

  • fix(cooldown): extract deps from TOML lockfiles + fail-loud guard by @j7an in #53

Full Changelog: v2.5.1...v2.5.2

v2.5.1

21 Apr 02:33
c092d60

What's Changed

  • deps: bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3 by @dependabot[bot] in #49
  • fix(cooldown): accept large valid diffs in extract-deps by @j7an in #51

Full Changelog: v2.5.0...v2.5.1

v2.5.0

21 Apr 01:11
8384a8e

What's Changed

  • feat(tag-release): support nested field paths in .version-bump.json by @j7an in #47
  • feat(tag-release): accept bracket-quoted keys and [] iterator in path_expr by @j7an in #48

Full Changelog: v2.4...v2.5.0