All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
2.3.0 - 2026-02-19
- deploy action: New
path-suffixinput to append a path to the deployment URL (e.g./docs/)- The suffix is included in the
urloutput, PR comment, and QR code - Handles leading/trailing slashes gracefully
- The suffix is included in the
2.2.1 - 2026-02-19
- scheduled-cleanup: Allow
$regex anchor inenvironment-patternandpr-number-patterninputs (was incorrectly blocked as a dangerous shell character)
2.2.0 - 2026-02-19
- deploy, cleanup, and scheduled-cleanup actions: Retry with exponential backoff for transient ZAD API errors
- New inputs:
max-retries(default:3),retry-delay(default:2) - Retries on network errors (HTTP 000), rate limits (429), and server errors (500-504)
- Does not retry on auth errors (401, 403) or not found (404)
- Backoff: 2s → 4s → 8s (worst-case 14s extra)
- Retry logic extracted into shared
curl_with_retrybash function - Note: only ZAD API calls are retried; GitHub API calls use best-effort error handling
- New inputs:
- scheduled-cleanup action: Periodically find and clean up stale PR environments
- Scans GitHub environments matching a configurable regex pattern
- Checks PR state and marks closed/merged PRs as stale
- Optional age-based cleanup via
max-age-days - Dry-run mode for safe testing
- Cleans up ZAD deployments, GitHub deployments/environments, and container images
- Smart rate limiting: reads
X-RateLimit-Remainingheader and only pauses when approaching the limit (replaces blind 0.5s delay) - Input validation for
environment-patternandpr-number-pattern(including sedeflag injection protection) cleaned-countoutput defaults to0when no cleanup is needed- Compact JSON output for
stale-environmentsto prevent GITHUB_OUTPUT corruption - Safe date parsing: warns and skips age check instead of falling back to epoch 0
- Container deletion uses
2>/dev/nullinstead of2>&1to prevent stderr leaking into captured output
- deploy, cleanup: ZAD API calls now retry 3 times by default on transient errors (was 0).
This adds up to 14s extra delay on persistent failures. Set
max-retries: '0'to restore previous fail-fast behavior. - deploy, cleanup:
github-tokendefault now consistently quoted as'${{ github.token }}'
- scheduled-cleanup:
cleaned-countno longer counts 404 (already deleted) as successfully cleaned - scheduled-cleanup: Admin token no longer leaks into subsequent operations if environment deletion fails (uses subshell)
- scheduled-cleanup:
pr-number-patternis now validated in both find-stale and cleanup steps (defense-in-depth)
2.1.0 - 2026-02-18
- deploy and cleanup actions: Skip bot PR deployments by default
- New input:
skip-bot-prs(default:true) - New output:
skipped - Detects bots via GitHub user type and known bot list (dependabot, renovate, pre-commit-ci, github-actions)
- Set
skip-bot-prs: 'false'to restore previous behavior - Supports both
pull_requestandpull_request_targetevents
- New input:
- CI workflow: Add explicit
permissions: contents: readto all jobs to comply with GitHub security best practices
2.0.1 - 2026-02-06
- deploy QR code not displaying in PR comments (switched from base64 PNG to text-based UTF8 format)
- cleanup action: Handle deletion of last tagged package version by deleting entire package when needed
- Update all documentation examples to use
@v2instead of@v1 - SECURITY.md: Mark v1.x.x as end of life, v2.x.x as supported
2.0.0 - 2026-02-02
- cleanup action: PR comment delete feature
- Delete the deploy PR comment when PR is closed (default: enabled)
- New inputs:
delete-pr-comment,comment-header - New output:
pr-comment-deleted
- BREAKING
cleanupaction:update-pr-commentinput (usedelete-pr-commentinstead) - BREAKING
cleanupaction:pr-comment-updatedoutput (usepr-comment-deletedinstead)
If you use the cleanup action with update-pr-comment, update your workflow:
- Replace
update-pr-comment: truewithdelete-pr-comment: true - The output
pr-comment-updatedis nowpr-comment-deleted - Note:
delete-pr-commentdefaults totrue, so you can remove it if you want the comment deleted
1.3.0 - 2026-02-02
- deploy action: Wait for ready feature
- Wait for deployment to be reachable before continuing
- New inputs:
wait-for-ready,health-endpoint,wait-timeout,wait-interval - Polls deployment URL until HTTP 2xx/3xx or timeout
- PR comment only appears after deployment is healthy (when combined with
comment-on-pr)
- deploy action: QR code in PR comment
- New input:
qr-code(default:false) - QR code for easy mobile testing of preview deployments
- Generated locally using
qrencode(no external API calls, privacy-friendly)
- New input:
.editorconfigfor consistent editor formatting.github/dependabot.ymlfor automated GitHub Actions updates.gitignorefor local settings and Claude plans.claude/configuration for AI assistant (coding rules, skills, workflow)
.pre-commit-config.yaml: require minimum version 4.5.0CONTRIBUTING.md: simplify setup withuvinstead ofpiprelease.yml: verify CHANGELOG entry exists, rollback tag on failure- deploy and cleanup actions:
github-tokennow defaults togithub.token- No longer necessary to explicitly pass
github-token: ${{ secrets.GITHUB_TOKEN }} - Only needed when using a custom PAT for cross-repository operations
- No longer necessary to explicitly pass
- Bump
actions/checkoutfrom v4 to v6
- Added justfile for common development tasks
- Added pre-commit.ci configuration (weekly autoupdates, skip duplicates with CI)
1.2.0 - 2026-01-22
- cleanup action: PR comment update feature
- Update the deploy PR comment to show cleanup status when PR is closed
- New inputs:
update-pr-comment,comment-header - New output:
pr-comment-updated
1.1.0 - 2026-01-22
- deploy action: PR commenting feature
- Automatically post/update a comment on PRs with the deployment URL
- New inputs:
comment-on-pr,github-token,comment-header - Upsert behavior: updates existing comment instead of creating duplicates
- CI/CD pipeline with ShellCheck, actionlint, and yamllint
- Branch protection and governance files (CODEOWNERS, issue templates, PR template)
- CONTRIBUTING.md with development guidelines
- SECURITY.md with security policy
- Pre-commit hooks configuration
- ShellCheck warnings: properly quoted GITHUB_OUTPUT
- Actionlint configuration to only lint workflow files
1.0.0 - 2026-01-22
- Initial release of ZAD Actions
- deploy action: Deploy container images to ZAD Operations Manager
- Support for cloning configuration from existing deployments
force-cloneparameter to re-clone even if deployment exists- Input validation for security (alphanumeric, hyphens, underscores, dots only)
- 60-second curl timeout to prevent hanging
- cleanup action: Remove ZAD deployments and GitHub resources
- Delete ZAD deployments via Operations Manager API
- Delete GitHub deployments (mark inactive, then delete)
- Delete GitHub environments (requires admin token)
- Delete container images from GHCR
- Best-effort cleanup (continues even if individual steps fail)
- Comprehensive documentation with examples
- EUPL-1.2 license
- Input validation before logging to prevent injection attacks
- Secure handling of API keys via environment variables
- Dangerous character detection for container inputs