Releases: SymPress/workflows

1.0.2

brianvarskonst released this 19 Jun 02:37
Immutable release. Only release title and notes can be modified.

Workflows 1.0.2

Patch release for repository health and security maintenance on the stable v1 line.

This release does not change callable workflow behavior, inputs, permissions, security defaults, or consumer runtime behavior.

Security

  • Forced markdown-it to 14.2.0 via npm overrides to resolve the Dependabot advisory for quadratic smartquotes parsing in vulnerable markdown-it releases.
  • Forced js-yaml to 4.2.0 so the repository audit remains clean while markdownlint-cli2 keeps exact transitive dependency pins.
  • Refreshed package-lock.json with the patched dependency graph.
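
An npm override only helps if every copy in the resolved graph moved, including copies nested under a dependency that pins its own version. The following check is an added example, not code from the SymPress repository: it walks the "packages" map of a lockfile (lockfileVersion 2 or 3) and reports any installed copy below the versions named above. The sample lockfile and the 4.1.0 entry in it are constructed for illustration.

```python
import json

# Version floors taken from the release notes above.
REQUIRED = {"markdown-it": "14.2.0", "js-yaml": "4.2.0"}

def parse_version(text):
    """Turn '14.2.0' into (14, 2, 0). Pre-release and build suffixes are
    dropped, so '14.2.0-beta' compares equal to '14.2.0' (a simplification)."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))

def package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (the innermost package)."""
    return lock_path.rsplit("node_modules/", 1)[-1]

def stale_copies(lock, required=REQUIRED):
    """Return (lock path, version) for every installed copy below its floor."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        name = package_name(path)
        # The root project is stored under the empty path and is skipped.
        if path and name in required and "version" in meta:
            if parse_version(meta["version"]) < parse_version(required[name]):
                findings.append((path, meta["version"]))
    return sorted(findings)

# Constructed lockfile: the top-level copies are patched, but one nested
# copy of js-yaml is still on an older (made-up) version.
SAMPLE_LOCK = json.loads("""
{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "constructed-example"},
    "node_modules/markdown-it": {"version": "14.2.0"},
    "node_modules/js-yaml": {"version": "4.2.0"},
    "node_modules/markdownlint-cli2/node_modules/js-yaml": {"version": "4.1.0"}
  }
}
""")

if __name__ == "__main__":
    for path, version in stale_copies(SAMPLE_LOCK):
        print(f"below floor: {path} ({version})")
```

Against a real repository, load package-lock.json with json.load and fail the CI job when the returned list is not empty.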

Changes

  • Fixed the README CodeQL badge so it points at the active workflow.
  • Confirmed the repository dependency audit reports zero moderate-or-higher vulnerabilities.

Compatibility

No migration is required.

Consumers using the stable major alias can continue to use:

jobs:
  qa:
    uses: SymPress/workflows/.github/workflows/sympress-qa.yml@v1

Consumers pinned to 1.0.1 do not need to update for workflow behavior, but can move to 1.0.2 to track the latest repository security and documentation maintenance snapshot.

Maintainer Notes

The v1 tag is updated to point to 1.0.2 so consumers using the stable major release line receive the latest patch release.

Validation completed before release:

  • Repository checks passed on main.
  • CodeQL passed on main.
  • npm audit --audit-level=moderate reports zero vulnerabilities.

1.0.1

brianvarskonst released this 13 Jun 16:54
Immutable release. Only release title and notes can be modified.

Workflows 1.0.1

Documentation-only patch release for the first stable SymPress Workflows release line.

This release does not change workflow behavior, inputs, permissions, security defaults, or consumer runtime behavior.

Changes

  • Removed repository setup instructions from the README to keep the landing page focused on usage.
  • Clarified the release tag convention:
    • exact release tags use SemVer without a v prefix, for example 1.0.0
    • major aliases keep the v prefix, for example v1
  • Updated consumer documentation examples to use exact version refs such as @1.0.0.
  • Updated the bug report template placeholder to match the release tag convention.
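
The tag convention above makes it possible to tell from a uses: line alone whether a reference can move. The following audit is an added example, not code from the SymPress repository: it classifies each reference in a workflow file as a full-length commit SHA, an exact release tag, a major alias, or something else. The sample workflow, the example-org/example-action name and the SHA in it are constructed.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")     # full-length commit SHA
EXACT_TAG = re.compile(r"\d+\.\d+\.\d+")   # page convention: SemVer, no v prefix
MAJOR_ALIAS = re.compile(r"v\d+")          # page convention: v prefix, major only

def classify_ref(ref):
    """Map the part after '@' to one of four categories."""
    if FULL_SHA.fullmatch(ref):
        return "sha"
    if EXACT_TAG.fullmatch(ref):
        return "exact-tag"
    if MAJOR_ALIAS.fullmatch(ref):
        return "major-alias"   # moved by the maintainers on each patch release
    return "other"             # branch name or any other tag shape

def audit_uses(workflow_text):
    """Return (line number, target, category) for each remote uses: reference."""
    results = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES.match(line)
        if not match:
            continue
        target, sep, ref = match.group(1).partition("@")
        if target.startswith(("./", "docker://")):
            continue           # local actions and container images carry no git ref
        results.append((lineno, target, classify_ref(ref) if sep else "unpinned"))
    return results

# Constructed consumer workflow mixing all four reference styles.
SAMPLE_WORKFLOW = """\
jobs:
  qa:
    uses: SymPress/workflows/.github/workflows/sympress-qa.yml@v1
  archive:
    uses: SymPress/workflows/.github/workflows/wordpress-archive.yml@1.0.2
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: example-org/example-action@main
"""

if __name__ == "__main__":
    for lineno, target, category in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {target} -> {category}")
```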

Compatibility

No migration is required.

Consumers using the stable major alias can continue to use:

jobs:
  qa:
    uses: SymPress/workflows/.github/workflows/sympress-qa.yml@v1

Consumers pinned to 1.0.0 do not need to update unless they want the latest documentation snapshot.

Maintainer Notes

The v1 tag now points to 1.0.1 so consumers using the stable major release line receive the latest patch release.

1.0.0

brianvarskonst released this 13 Jun 16:44
Immutable release. Only release title and notes can be modified.

Workflows 1.0.0

First stable release of the SymPress Workflows repository.

This release provides enterprise-ready reusable GitHub Actions workflows for SymPress projects, including CI, security checks, Composer/PHP validation, Playwright testing, WordPress artifact packaging, semantic releases, deployments, and supply-chain hardening.

Highlights

  • Reusable workflow suite for WordPress, Composer, PHP, JavaScript, Playwright, DDEV, releases, and deployments.
  • Hardened workflow defaults with read-only permissions where possible.
  • Full-length SHA pinning for third-party GitHub Actions.
  • Repository contract tests to guard workflow behavior and security posture.
  • Workflow linting with actionlint and security auditing with zizmor.
  • Documentation for installation, usage, consumer setup, release strategy, security hardening, and troubleshooting.
  • Enterprise-ready repository metadata, issue templates, CODEOWNERS, security policy, and maintainer guidance.
  • GPL-2.0-or-later licensing.

Included Workflows

  • sympress-qa.yml
  • composer-validate.yml
  • playwright.yml
  • wordpress-archive.yml
  • build-and-distribute.yml
  • automatic-release.yml
  • deploy-deployer.yml
  • woo-qit.yml

Security

This release includes security-focused defaults and checks:

  • Pinned third-party action references.
  • Minimal default workflow permissions.
  • Explicit permission declarations for privileged jobs.
  • Artifact manifest and checksum support.
  • Secret-like artifact scanning.
  • Dependency update automation via Dependabot.
  • CodeQL and workflow security validation support.

Usage

Consumer repositories should call the stable major release line:

jobs:
  qa:
    uses: SymPress/workflows/.github/workflows/sympress-qa.yml@1.0.0

Migration Notes

This is the first stable release. There are no previous stable versions to migrate from.

Projects currently using local workflow copies can migrate by replacing duplicated workflow logic with calls to this repository's reusable workflows.

Maintainer Notes

After publishing this release, keep v1 pointing at 1.0.0 so consumers can use the stable major release line.