From 7316e199ef1ff90ce7999dda3351290e6f5f63fb Mon Sep 17 00:00:00 2001 From: "ubot-7274[bot]" <217212047+ubot-7274[bot]@users.noreply.github.com> Date: Tue, 10 Mar 2026 11:39:58 +0000 Subject: [PATCH 01/18] chore(deps): update cgr.dev/chainguard/wolfi-base:latest docker digest to 00f9662 (#1156) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | cgr.dev/chainguard/wolfi-base | container | digest | `786c4d1` → `00f9662` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [x] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com> --- .github/workflows/reusable-build-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-build-image.yml b/.github/workflows/reusable-build-image.yml index 520b1dcd..39227dbb 100644 --- a/.github/workflows/reusable-build-image.yml +++ b/.github/workflows/reusable-build-image.yml @@ -324,7 +324,7 @@ jobs: - generate_matrix - build_push container: - image: cgr.dev/chainguard/wolfi-base:latest@sha256:786c4d16fa02447c89409d4c0a0c0d3ff48f6886ab5e6350e95af62d876e2373 + image: cgr.dev/chainguard/wolfi-base:latest@sha256:00f9662b838432de5f24eabe5dc86f20d1510d158eda1bcaf68bbba8412544cc options: --privileged --security-opt seccomp=unconfined permissions: contents: read 
From 13f9b46d18e6e8bdc9d60b918a983e4334893234 Mon Sep 17 00:00:00 2001 From: "ubot-7274[bot]" <217212047+ubot-7274[bot]@users.noreply.github.com> Date: Wed, 11 Mar 2026 13:48:44 +0000 Subject: [PATCH 02/18] chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to c2dba5f (#1182) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | quay.io/centos-bootc/centos-bootc | digest | `226b06f` → `c2dba5f` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com> --- image-versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/image-versions.yaml b/image-versions.yaml index ec9144a9..109b844a 100644 --- a/image-versions.yaml +++ b/image-versions.yaml @@ -2,7 +2,7 @@ images: - name: centos-bootc image: quay.io/centos-bootc/centos-bootc tag: c10s - digest: sha256:226b06fa4104bed3547897f41d2a934bcc1ba8a5c587eab5c39d4a758c2d1c61 + digest: sha256:c2dba5fede2a0e5f89363ec84f576fe709a82f06deb6774d00344e3ccf503d5d - name: common image: ghcr.io/projectbluefin/common tag: latest From b23f8097e04c0167c8e0aaed181fdd783f435d7e Mon Sep 17 00:00:00 2001 
From: "ubot-7274[bot]" <217212047+ubot-7274[bot]@users.noreply.github.com> Date: Wed, 11 Mar 2026 16:44:04 +0000 Subject: [PATCH 03/18] chore(deps): update actions/download-artifact digest to 3e5f45b (#1183) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/download-artifact](https://redirect.github.com/actions/download-artifact) ([changelog](https://redirect.github.com/actions/download-artifact/compare/70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3..3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c)) | action | digest | `70fc10c` → `3e5f45b` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com> --- .github/workflows/reusable-build-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-build-image.yml b/.github/workflows/reusable-build-image.yml index 39227dbb..589004c1 100644 --- a/.github/workflows/reusable-build-image.yml +++ b/.github/workflows/reusable-build-image.yml @@ -428,7 +428,7 @@ jobs: - name: Fetch Build Outputs if: ${{ inputs.publish }} - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: ${{ env.IMAGE_NAME }}-* merge-multiple: true 
From 90132e86db6b72d2885bf5a59f3cc4a7679949a3 Mon Sep 17 00:00:00 2001
From: "ubot-7274[bot]" <217212047+ubot-7274[bot]@users.noreply.github.com>
Date: Thu, 12 Mar 2026 15:10:22 -0400
Subject: [PATCH 04/18] chore(deps): update cgr.dev/chainguard/wolfi-base:latest docker digest to 08420c1 (#1181)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | cgr.dev/chainguard/wolfi-base | container | digest | `00f9662` → `08420c1` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled because a matching PR was automerged previously. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
---
.github/workflows/reusable-build-image.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/reusable-build-image.yml b/.github/workflows/reusable-build-image.yml
index 589004c1..e42d562d 100644
--- a/.github/workflows/reusable-build-image.yml
+++ b/.github/workflows/reusable-build-image.yml
@@ -324,7 +324,7 @@ jobs: - generate_matrix - build_push container: - image: cgr.dev/chainguard/wolfi-base:latest@sha256:00f9662b838432de5f24eabe5dc86f20d1510d158eda1bcaf68bbba8412544cc + image: cgr.dev/chainguard/wolfi-base:latest@sha256:08420c1a0f2995c677fa91982155c8d7da2ebd2e832a9f0070f633dae97d9099 options: --privileged --security-opt seccomp=unconfined permissions: contents: read From 8e1c75ffa7a54ed53d4f426aa16bd537d4176d24 Mon Sep 17 00:00:00 2001 From: "ubot-7274[bot]" <217212047+ubot-7274[bot]@users.noreply.github.com> Date: Thu, 12 Mar 2026 15:10:30 -0400 Subject: [PATCH 05/18] chore(deps): update ghcr.io/projectbluefin/common:latest docker digest to 69e0d5c (#1174) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | ghcr.io/projectbluefin/common | digest | `b9a75b6` → `69e0d5c` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com> --- image-versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/image-versions.yaml b/image-versions.yaml index 109b844a..ca324fa3 100644 --- a/image-versions.yaml +++ b/image-versions.yaml 
@@ -6,7 +6,7 @@ images: - name: common image: ghcr.io/projectbluefin/common tag: latest - digest: sha256:b9a75b68a14211b36389402564a2cf2f9369290027ecf5f05df2d5f9cf36450a + digest: sha256:69e0d5c9ec9fe3766dc82453d96b098874ca3469a8d7b1a272677eb75e9c24e4 - name: brew image: ghcr.io/ublue-os/brew tag: latest From 6a0ad875a78f4172353e012cd48514e55b8316b1 Mon Sep 17 00:00:00 2001 From: "ubot-7274[bot]" <217212047+ubot-7274[bot]@users.noreply.github.com> Date: Thu, 12 Mar 2026 20:03:28 +0000 Subject: [PATCH 06/18] chore(deps): update cgr.dev/chainguard/wolfi-base:latest docker digest to a9a3a0c (#1184) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | cgr.dev/chainguard/wolfi-base | container | digest | `08420c1` → `a9a3a0c` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com> --- .github/workflows/reusable-build-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-build-image.yml b/.github/workflows/reusable-build-image.yml index e42d562d..faf6e99b 100644 --- a/.github/workflows/reusable-build-image.yml +++ b/.github/workflows/reusable-build-image.yml 
@@ -324,7 +324,7 @@ jobs: - generate_matrix - build_push container: - image: cgr.dev/chainguard/wolfi-base:latest@sha256:08420c1a0f2995c677fa91982155c8d7da2ebd2e832a9f0070f633dae97d9099 + image: cgr.dev/chainguard/wolfi-base:latest@sha256:a9a3a0c9fb954fd70b398afdd055d74a4f196095b9fdfbcfb13495aefeefd075 options: --privileged --security-opt seccomp=unconfined permissions: contents: read From 4e1343103b170454c1f3dd571c670110450b2fc5 Mon Sep 17 00:00:00 2001 From: "ubot-7274[bot]" <217212047+ubot-7274[bot]@users.noreply.github.com> Date: Fri, 13 Mar 2026 23:26:33 +0000 Subject: [PATCH 07/18] chore(deps): update ghcr.io/projectbluefin/common:latest docker digest to 9409d0c (#1186) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | ghcr.io/projectbluefin/common | digest | `69e0d5c` → `9409d0c` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com> --- image-versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/image-versions.yaml b/image-versions.yaml index ca324fa3..2508226e 100644 --- a/image-versions.yaml +++ b/image-versions.yaml 
@@ -6,7 +6,7 @@ images: - name: common image: ghcr.io/projectbluefin/common tag: latest - digest: sha256:69e0d5c9ec9fe3766dc82453d96b098874ca3469a8d7b1a272677eb75e9c24e4 + digest: sha256:9409d0c08bf76bdfef52812db61a68453b20b23b52042e810a447ada3c72c9c1 - name: brew image: ghcr.io/ublue-os/brew tag: latest From 1339bc442d36cc1b2c854c629188e4a52382bed1 Mon Sep 17 00:00:00 2001 From: "ubot-7274[bot]" <217212047+ubot-7274[bot]@users.noreply.github.com> Date: Sun, 15 Mar 2026 01:16:07 +0000 Subject: [PATCH 08/18] chore(deps): update cgr.dev/chainguard/wolfi-base:latest docker digest to 2a43204 (#1188) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | cgr.dev/chainguard/wolfi-base | container | digest | `a9a3a0c` → `2a43204` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com> --- .github/workflows/reusable-build-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-build-image.yml b/.github/workflows/reusable-build-image.yml index faf6e99b..27d4e349 100644 --- a/.github/workflows/reusable-build-image.yml +++ b/.github/workflows/reusable-build-image.yml 
@@ -324,7 +324,7 @@ jobs: - generate_matrix - build_push container: - image: cgr.dev/chainguard/wolfi-base:latest@sha256:a9a3a0c9fb954fd70b398afdd055d74a4f196095b9fdfbcfb13495aefeefd075 + image: cgr.dev/chainguard/wolfi-base:latest@sha256:2a43204178a08b8c7f5e881c550bb52733364beff904ed36eeabe33cc656c749 options: --privileged --security-opt seccomp=unconfined permissions: contents: read From 914432df79d423bd9f8aab045e088380343068e5 Mon Sep 17 00:00:00 2001 From: "ubot-7274[bot]" <217212047+ubot-7274[bot]@users.noreply.github.com> Date: Sun, 15 Mar 2026 01:53:56 +0000 Subject: [PATCH 09/18] chore(deps): update ghcr.io/ublue-os/brew:latest docker digest to fef8b47 (#1189) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | ghcr.io/ublue-os/brew | digest | `2eca44f` → `fef8b47` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com> --- image-versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/image-versions.yaml b/image-versions.yaml index 2508226e..c21237f9 100644 --- a/image-versions.yaml +++ b/image-versions.yaml 
@@ -10,4 +10,4 @@ images: - name: brew image: ghcr.io/ublue-os/brew tag: latest - digest: sha256:2eca44f5b4b58b8271a625d61c2c063b7c8776f68d004ae67563e2a79450be9c \ No newline at end of file + digest: sha256:fef8b4728cb042f6b69ad9be90a43095261703103fe6c0735c9d6f035065c052 \ No newline at end of file From bc65f2ab9ebd57b4ebfee56b253b3164d48884ab Mon Sep 17 00:00:00 2001 From: "ubot-7274[bot]" <217212047+ubot-7274[bot]@users.noreply.github.com> Date: Sun, 15 Mar 2026 06:12:31 +0000 Subject: [PATCH 10/18] chore(deps): update system_files/usr/share/gnome-shell/extensions/search-light@icedman.github.com digest to e4ad180 (#1190) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [system_files/usr/share/gnome-shell/extensions/search-light@icedman.github.com](https://redirect.github.com/icedman/search-light.git) ([changelog](https://redirect.github.com/icedman/search-light.git/compare/2070cd42271eae5aebe64045ec9cbbe8a10b74e6..e4ad180171c146f851da72ae13b7e5d1f1d056b1)) | digest | `2070cd4` → `e4ad180` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com> --- .../gnome-shell/extensions/search-light@icedman.github.com | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/system_files/usr/share/gnome-shell/extensions/search-light@icedman.github.com b/system_files/usr/share/gnome-shell/extensions/search-light@icedman.github.com index 2070cd42..e4ad1801 160000 --- a/system_files/usr/share/gnome-shell/extensions/search-light@icedman.github.com +++ b/system_files/usr/share/gnome-shell/extensions/search-light@icedman.github.com @@ -1 +1 @@ -Subproject commit 2070cd42271eae5aebe64045ec9cbbe8a10b74e6 +Subproject commit e4ad180171c146f851da72ae13b7e5d1f1d056b1 From 24765e45d6035de1682b861ec1d17001d26625f9 Mon Sep 17 00:00:00 2001 From: James Reilly Date: Sun, 15 Mar 2026 12:43:59 -0400 Subject: [PATCH 11/18] feat(GNOME) : gnome 49 backport (#1187) --- build_scripts/20-packages.sh | 6 ++---- build_scripts/overrides/base/10-packages-image-base.sh | 4 ++-- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/build_scripts/20-packages.sh b/build_scripts/20-packages.sh index 962521a3..8c1cf40b 100755 --- a/build_scripts/20-packages.sh +++ b/build_scripts/20-packages.sh @@ -66,9 +66,7 @@ dnf -y --enablerepo "copr:copr.fedorainfracloud.org:che:nerd-fonts" install \ # We could get some kind of static binary for GCC but this is the cleanest and most tested alternative. This Sucks. dnf -y --setopt=install_weak_deps=False install gcc -# Downgrade to GNOME 48 from jreilly1821/c10s-gnome COPR (enabled in 10-packages-image-base.sh) -# This pins us to gnome-shell 48.x instead of the upstream 49.x -dnf -y swap gnome-shell gnome-shell-48.3 --allowerasing -# Versionlock GNOME components to prevent upgrades back to 49 + +# Versionlock GNOME components to prevent upgrades dnf -y install python3-dnf-plugin-versionlock dnf versionlock add gnome-shell gdm gnome-session-wayland-session diff --git a/build_scripts/overrides/base/10-packages-image-base.sh b/build_scripts/overrides/base/10-packages-image-base.sh index 9c590c7f..c19fc64c 100755 --- a/build_scripts/overrides/base/10-packages-image-base.sh 
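Review bot: With the `dnf -y swap gnome-shell gnome-shell-48.3 --allowerasing` line removed from build_scripts/20-packages.sh, nothing in this hunk names a GNOME version any more, so `dnf versionlock add gnome-shell gdm gnome-session-wayland-session` freezes whatever the enabled repositories resolved to at build time. If the COPR is unreachable or its packages lose on repository priority, the image would be locked to a different gnome-shell without the build failing. I would state the expectation next to the lock, for example `# Locks the gnome-shell/gdm builds installed above; expected to be the 49.x packages from the COPR enabled in 10-packages-image-base.sh`, and consider failing the build when the installed major version is not the expected one. The script starts before and may continue after the lines shown in the hunk.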
+++ b/build_scripts/overrides/base/10-packages-image-base.sh @@ -13,9 +13,9 @@ dnf -y install 'dnf-command(versionlock)' /run/context/build_scripts/scripts/kernel-swap.sh # GNOME 48 backport COPR -dnf copr enable -y "jreilly1821/c10s-gnome" +dnf copr enable -y "jreilly1821/c10s-gnome-49" dnf -y install glib2 -dnf -y upgrade glib2 +dnf -y upgrade glib2 selinux-policy # Please, dont remove this as it will break everything GNOME related dnf versionlock add glib2 From 18bb989ee2610437badda256788770e0c96062c7 Mon Sep 17 00:00:00 2001 From: "ubot-7274[bot]" <217212047+ubot-7274[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 14:05:55 +0000 Subject: [PATCH 12/18] chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to ff6f31c (#1185) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | quay.io/centos-bootc/centos-bootc | digest | `c2dba5f` → `ff6f31c` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com> --- image-versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/image-versions.yaml b/image-versions.yaml index c21237f9..0f75c0fe 100644 --- a/image-versions.yaml +++ b/image-versions.yaml 
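Review bot: The comment above the changed line still reads `# GNOME 48 backport COPR` although the repository enabled is now `jreilly1821/c10s-gnome-49`; it should become `# GNOME 49 backport COPR`. The same hunk adds `selinux-policy` to the `dnf -y upgrade` line without a reason, and with the COPR enabled that upgrade may be satisfied from a personal repository rather than the distribution, which deserves a one-line comment because the package defines the image's SELinux policy. If the COPR is meant to supply only GNOME and glib2, restricting what it may provide (for instance an `includepkgs=` list in its repo file) would keep `selinux-policy` on the distribution build. The script continues outside the hunk.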
@@ -2,7 +2,7 @@ images: - name: centos-bootc image: quay.io/centos-bootc/centos-bootc tag: c10s - digest: sha256:c2dba5fede2a0e5f89363ec84f576fe709a82f06deb6774d00344e3ccf503d5d + digest: sha256:ff6f31cc5055db68e617e098b731d7191ef2e73595cfc735c4c301f0d45adf7b - name: common image: ghcr.io/projectbluefin/common tag: latest From 1ff0c7ea3fc8f26ddb3125c14fb3a5f36c71efe0 Mon Sep 17 00:00:00 2001 From: James Reilly Date: Mon, 16 Mar 2026 10:49:04 -0400 Subject: [PATCH 13/18] Revert "feat(GNOME) : gnome 49 backport" (#1192) Reverts ublue-os/bluefin-lts#1187 --- build_scripts/20-packages.sh | 6 ++++-- build_scripts/overrides/base/10-packages-image-base.sh | 4 ++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/build_scripts/20-packages.sh b/build_scripts/20-packages.sh index 8c1cf40b..962521a3 100755 --- a/build_scripts/20-packages.sh +++ b/build_scripts/20-packages.sh @@ -66,7 +66,9 @@ dnf -y --enablerepo "copr:copr.fedorainfracloud.org:che:nerd-fonts" install \ # We could get some kind of static binary for GCC but this is the cleanest and most tested alternative. This Sucks. dnf -y --setopt=install_weak_deps=False install gcc - -# Versionlock GNOME components to prevent upgrades +# Downgrade to GNOME 48 from jreilly1821/c10s-gnome COPR (enabled in 10-packages-image-base.sh) +# This pins us to gnome-shell 48.x instead of the upstream 49.x +dnf -y swap gnome-shell gnome-shell-48.3 --allowerasing +# Versionlock GNOME components to prevent upgrades back to 49 dnf -y install python3-dnf-plugin-versionlock dnf versionlock add gnome-shell gdm gnome-session-wayland-session diff --git a/build_scripts/overrides/base/10-packages-image-base.sh b/build_scripts/overrides/base/10-packages-image-base.sh index c19fc64c..9c590c7f 100755 --- a/build_scripts/overrides/base/10-packages-image-base.sh +++ b/build_scripts/overrides/base/10-packages-image-base.sh 
@@ -13,9 +13,9 @@ dnf -y install 'dnf-command(versionlock)' /run/context/build_scripts/scripts/kernel-swap.sh # GNOME 48 backport COPR -dnf copr enable -y "jreilly1821/c10s-gnome-49" +dnf copr enable -y "jreilly1821/c10s-gnome" dnf -y install glib2 -dnf -y upgrade glib2 selinux-policy +dnf -y upgrade glib2 # Please, dont remove this as it will break everything GNOME related dnf versionlock add glib2 From aa14da41b07b3078182dcd516234cc8eb6d9e89a Mon Sep 17 00:00:00 2001 From: "ubot-7274[bot]" <217212047+ubot-7274[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 14:50:12 +0000 Subject: [PATCH 14/18] chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to b10c380 (#1191) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | quay.io/centos-bootc/centos-bootc | digest | `ff6f31c` → `b10c380` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com> --- image-versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/image-versions.yaml b/image-versions.yaml index 0f75c0fe..96e392d0 100644 --- a/image-versions.yaml +++ b/image-versions.yaml 
@@ -2,7 +2,7 @@ images: - name: centos-bootc image: quay.io/centos-bootc/centos-bootc tag: c10s - digest: sha256:ff6f31cc5055db68e617e098b731d7191ef2e73595cfc735c4c301f0d45adf7b + digest: sha256:b10c380afa6362d5015c5392f7c1c7dc4f23e4aec582dce1a6192ff244ee0479 - name: common image: ghcr.io/projectbluefin/common tag: latest From 1658526119be17cc02cfc66c505ac6ad01e219dd Mon Sep 17 00:00:00 2001 From: "ubot-7274[bot]" <217212047+ubot-7274[bot]@users.noreply.github.com> Date: Tue, 17 Mar 2026 06:09:55 +0000 Subject: [PATCH 15/18] chore(deps): update system_files/usr/share/gnome-shell/extensions/search-light@icedman.github.com digest to 4e93e0e (#1193) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [system_files/usr/share/gnome-shell/extensions/search-light@icedman.github.com](https://redirect.github.com/icedman/search-light.git) ([changelog](https://redirect.github.com/icedman/search-light.git/compare/e4ad180171c146f851da72ae13b7e5d1f1d056b1..4e93e0e3e2fba8512dfd588177b7a6a2a71c9f1e)) | digest | `e4ad180` → `4e93e0e` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com> --- .../gnome-shell/extensions/search-light@icedman.github.com | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/system_files/usr/share/gnome-shell/extensions/search-light@icedman.github.com b/system_files/usr/share/gnome-shell/extensions/search-light@icedman.github.com
index e4ad1801..4e93e0e3 160000
--- a/system_files/usr/share/gnome-shell/extensions/search-light@icedman.github.com
+++ b/system_files/usr/share/gnome-shell/extensions/search-light@icedman.github.com
@@ -1 +1 @@
-Subproject commit e4ad180171c146f851da72ae13b7e5d1f1d056b1
+Subproject commit 4e93e0e3e2fba8512dfd588177b7a6a2a71c9f1e
From dd4152ffbe6e696c89d8bad0422f1d03607996c9 Mon Sep 17 00:00:00 2001
From: "ubot-7274[bot]" <217212047+ubot-7274[bot]@users.noreply.github.com>
Date: Tue, 17 Mar 2026 08:38:43 +0000
Subject: [PATCH 16/18] chore(deps): update quay.io/centos-bootc/centos-bootc:c10s docker digest to 7b1e3d1 (#1194)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This PR contains the following updates: | Package | Update | Change | |---|---|---| | quay.io/centos-bootc/centos-bootc | digest | `b10c380` → `7b1e3d1` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/549) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). Co-authored-by: ubot-7274[bot] <217212047+ubot-7274[bot]@users.noreply.github.com>
---
image-versions.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/image-versions.yaml b/image-versions.yaml
index 96e392d0..069c5c1f 100644
--- a/image-versions.yaml
+++ b/image-versions.yaml
@@ -2,7 +2,7 @@ images: - name: centos-bootc image: quay.io/centos-bootc/centos-bootc tag: c10s - digest: sha256:b10c380afa6362d5015c5392f7c1c7dc4f23e4aec582dce1a6192ff244ee0479 + digest: sha256:7b1e3d109d928b296c39b9dd2c73ae337bb569537ce97eed8adb55c14c90c5a0 - name: common image: ghcr.io/projectbluefin/common tag: latest From 6462f99b78865a746695f0a586ef57ec02c63cda Mon Sep 17 00:00:00 2001 
From: "Jorge O. Castro" Date: Tue, 17 Mar 2026 15:13:37 -0700 Subject: [PATCH 17/18] ci(promote): replace push-based promotion with PR gate (#1195) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ok I think I got it this time, I can confirm this works via testing in my personal repo. I am likely going to force this because we need the action in the LTS branch anyway. ## Agent Notes follow: ## Solution Replace `promote-to-lts.yml` with `create-lts-pr.yml`, a PR-gate workflow: - Fires on every push to `main` (and `workflow_dispatch`) - Uses `git diff --quiet` (content diff, not commit graph) to detect new content — survives squash-merges without false positives - Passes the commit list as a `COMMIT_LIST` env var and uses `printf` to build the PR body, safely handling commit messages containing double quotes (e.g. `Revert "..."`) - Auto-creates a draft PR from `main` → `lts`, or updates the existing one - Maintainer squash-merges the PR as the human approval gate - No pre-flight check: branch protection is the guard against direct `lts` commits Also fixes `AGENTS.md`: corrects the release schedule (cron `0 6 * * 2` = Tuesday 6am UTC, not Sunday 2am UTC) and updates all references to the old workflow. 
## Testing Tested on the `castrojo/bluefin-lts` fork: - ✅ Workflow fires on push and creates draft PR correctly - ✅ PR body auto-updates on subsequent pushes without creating duplicate PRs - ✅ Commit messages with double quotes handled safely (the `Revert "..."` case) - ✅ Force-push after squash: workflow correctly updates existing PR Assisted-by: Claude Sonnet 4.6 via GitHub Copilot Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/create-lts-pr.yml | 78 ++++++++++++++++++++++++++++ .github/workflows/promote-to-lts.yml | 71 ------------------------- AGENTS.md | 27 +++++----- 3 files changed, 92 insertions(+), 84 deletions(-) create mode 100644 .github/workflows/create-lts-pr.yml delete mode 100644 .github/workflows/promote-to-lts.yml diff --git a/.github/workflows/create-lts-pr.yml b/.github/workflows/create-lts-pr.yml new file mode 100644 index 00000000..9daf5d4a --- /dev/null +++ b/.github/workflows/create-lts-pr.yml 
@@ -0,0 +1,78 @@ +name: Create LTS Promotion PR + +on: + push: + branches: [main] + workflow_dispatch: + +concurrency: + group: create-lts-pr + cancel-in-progress: true + +permissions: + contents: read + pull-requests: write + +jobs: + create-pr: + runs-on: ubuntu-latest + steps: + - name: Checkout main + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + ref: main + fetch-depth: 0 + + - name: Fetch lts + run: git fetch origin lts + + - name: Check content diff + id: diff + run: | + if git diff --quiet origin/lts origin/main; then + echo "No content difference between lts and main. Nothing to promote." + echo "has_diff=false" >> "$GITHUB_OUTPUT" + else + echo "has_diff=true" >> "$GITHUB_OUTPUT" + fi + + - name: Build commit list + if: steps.diff.outputs.has_diff == 'true' + id: commits + run: | + LIST=$(git log origin/lts..origin/main --oneline) + { + echo "list<> "$GITHUB_OUTPUT" + + - name: Create or update promote PR + if: steps.diff.outputs.has_diff == 'true' + env: + GH_TOKEN: ${{ github.token }} + COMMIT_LIST: ${{ steps.commits.outputs.list }} + run: | + # Build body with printf so commit messages containing quotes are safe + BODY=$(printf '## Commits pending promotion to `lts`\n\n%s\n\n---\n_Squash-merge this PR to promote. The PR body updates automatically as `main` advances._\n' "${COMMIT_LIST}") + + EXISTING=$(gh pr list \ + --base lts \ + --head main \ + --state open \ + --json number \ + --jq '.[0].number' \ + 2>/dev/null || echo "") + + if [ -n "$EXISTING" ]; then + echo "Updating existing promote PR #${EXISTING}" + printf '%s\n' "${BODY}" | gh pr edit "$EXISTING" --body-file - || true + else + echo "Creating new draft promote PR" + printf '%s\n' "${BODY}" | gh pr create \ + --draft \ + --base lts \ + --head main \ + --title "promote: main → lts" \ + --body-file - + fi diff --git a/.github/workflows/promote-to-lts.yml b/.github/workflows/promote-to-lts.yml deleted file mode 100644 index 8fb2c503..00000000 
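Review bot: In the "Create or update promote PR" step, the `gh pr list` lookup ends in `2>/dev/null || echo ""`, so an API, token or permission failure looks the same as "no open PR" and the script falls through to `gh pr create`. The real error is discarded, and whatever `gh pr create` then reports is the only trace left in the job log. I would drop the suppression and end the command at `--jq '.[0].number')`, so the step fails on the lookup itself with gh's own message. If an empty result ever needs special handling, test `$EXISTING` explicitly, as the following `if [ -n "$EXISTING" ]` already does.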
--- a/.github/workflows/promote-to-lts.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-name: Promote Main to LTS
-
-on:
- workflow_dispatch:
- inputs:
- commit_title:
- description: 'Commit title for the squash promotion commit'
- required: false
- default: 'promote: main to lts'
- commit_body:
- description: 'Commit body (optional)'
- required: false
- default: |
- Squash promotion of tested changes from `main` to `lts`.
-
-permissions:
- contents: write
-
-jobs:
- promote:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout lts
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- with:
- ref: lts
- fetch-depth: 0
- token: ${{ github.token }}
-
- - name: Fetch main
- run: git fetch origin main
-
- - name: Pre-flight check
- run: |
- UNIQUE=$(git rev-list origin/lts ^origin/main --count)
- if [ "$UNIQUE" -gt 0 ]; then
- echo "ERROR: lts has $UNIQUE commit(s) that are not in main:"
- git log --oneline origin/lts ^origin/main
- echo ""
- echo "All changes must land in main before promoting to lts."
- echo "Land the above commits in main first, then re-run this workflow."
- exit 1
- fi
- echo "Pre-flight passed: lts has no commits outside of main."
-
- - name: Configure Git
- run: |
- git config user.name "github-actions[bot]"
- git config user.email "github-actions[bot]@users.noreply.github.com"
-
- - name: Squash merge main into lts
- id: squash
- run: |
- git merge --squash origin/main
- if git diff --cached --quiet; then
- echo "No changes to promote: origin/main is already fully merged into lts."
- echo "has_changes=false" >> "$GITHUB_OUTPUT"
- else
- echo "has_changes=true" >> "$GITHUB_OUTPUT"
- fi
-
- - name: Commit promotion
- if: steps.squash.outputs.has_changes == 'true'
- run: |
- git commit \
- -m "${{ inputs.commit_title }}" \
- -m "${{ inputs.commit_body }}"
-
- - name: Push to lts
- if: steps.squash.outputs.has_changes == 'true'
- run: git push origin lts
diff --git a/AGENTS.md b/AGENTS.md
index 58207ff0..e0e718b0 100644
--- a/AGENTS.md
+++ b/AGENTS.md @@ -120,8 +120,8 @@ This section is the authoritative reference for all CI/CD behavior. Read it comp | `build-regular-hwe.yml` | Caller — builds `bluefin` with HWE kernel | | `build-dx-hwe.yml` | Caller — builds `bluefin-dx` with HWE kernel | | `reusable-build-image.yml` | Reusable workflow — all 5 callers invoke this | -| `scheduled-lts-release.yml` | Dispatcher — owns the weekly Sunday production release | -| `promote-to-lts.yml` | Squash-pushes `main` → `lts` with pre-flight divergence check (see below) | +| `scheduled-lts-release.yml` | Dispatcher — owns the weekly Tuesday production release | +| `create-lts-pr.yml` | Opens a draft PR from `main` → `lts` when content differs; maintainer squash-merges as approval gate | | `generate-release.yml` | Creates a GitHub Release when `build-gdx.yml` completes on `lts` | ### Two Branches, Two Tag Namespaces 
@@ -137,23 +137,24 @@ This section is the authoritative reference for all CI/CD behavior. Read it comp Promotion and production release are **intentionally decoupled**. There are two separate phases: -**Phase 1 — Promotion (manual, no publishing):** -1. A maintainer triggers `promote-to-lts.yml` via `workflow_dispatch` -2. The workflow runs a **pre-flight check**: fails immediately if `lts` has any commits not reachable from `main`, printing those commits with instructions to land them in `main` first. -3. The workflow performs a **squash merge** (`git merge --squash origin/main`) and pushes one clean commit to `lts`. There is no PR. Triggering `workflow_dispatch` is the human approval step. -4. The push triggers a `push` event on `lts` — all 5 build workflows run as **validation builds** (`publish=false`). No images are published. This confirms the promoted code builds cleanly on `lts` before the next production release. +**Phase 1 — Promotion (human-gated via PR):** +1. Every push to `main` triggers `create-lts-pr.yml` +2. The workflow checks `git diff --quiet origin/lts origin/main` (content diff, not commit graph — survives squash-merges) +3. If content differs: a draft PR from `main` → `lts` is created (or the existing one is updated with the latest commit list) +4. A maintainer reviews and **squash-merges** the PR — this is the human approval gate +5. The squash-merge triggers a `push` event on `lts` — all 5 build workflows run as **validation builds** (`publish=false`). No images are published. **Phase 2 — Production release (automated or manual publishing):** -1. `scheduled-lts-release.yml` fires at `0 2 * * 0` (Sunday 2am UTC), OR a maintainer manually triggers it +1. `scheduled-lts-release.yml` fires at `0 6 * * 2` (Tuesday 6am UTC), OR a maintainer manually triggers it 2. It dispatches all 5 build workflows via `gh workflow run --ref lts` 3. Those are `workflow_dispatch` events on `lts` → `publish=true` → production tags pushed 4. 
After `build-gdx.yml` completes on `lts`, `generate-release.yml` creates a GitHub Release -**Why `promote-to-lts.yml` exists:** Automated tools (the old Pull app, AI agents) cannot distinguish merge direction — when they see `lts` is behind `main`, they attempt to "sync" and sometimes merge `lts` → `main`, polluting `main` with old production commits. The workflow enforces the correct direction by always targeting `lts` as the base. +**Why `create-lts-pr.yml` exists:** Automated tools (the old Pull app, AI agents) cannot distinguish merge direction — when they see `lts` is behind `main`, they attempt to "sync" and sometimes merge `lts` → `main`, polluting `main` with old production commits. The PR-gate workflow enforces the correct direction: `main` → `lts` only, with a human squash-merge as the approval step. **NEVER merge `lts` into `main`.** The flow is always one-way: `main` → `lts`. -**NEVER commit directly to `lts`.** All changes — including CI hotfixes — must land in `main` first. Direct commits to `lts` create divergence that causes the pre-flight check to fail and blocks future promotions. +**NEVER commit directly to `lts`.** All changes — including CI hotfixes — must land in `main` first. Direct commits to `lts` will appear as phantom content in the PR diff and confuse reviewers. ### `publish` Input — How It Is Evaluated @@ -252,7 +253,7 @@ When touching any condition in `reusable-build-image.yml`, use this reference: ### `schedule:` Triggers — Ownership Rule -**`scheduled-lts-release.yml` is the sole owner of Sunday 2am UTC production builds.** +**`scheduled-lts-release.yml` is the sole owner of Tuesday 6am UTC production builds.** The 5 build caller workflows (`build-regular.yml`, `build-dx.yml`, `build-gdx.yml`, `build-regular-hwe.yml`, `build-dx-hwe.yml`) must NOT have `schedule:` triggers. Any `schedule:` event on those workflows fires on `main` (the default branch), evaluates `publish=false`, publishes nothing, and wastes runner time. 
@@ -264,8 +265,8 @@ If you see `schedule:` in any of the 5 build callers, remove it entirely. Do not - `build-gdx.yml` — GPU/AI Developer Experience (`bluefin-gdx` image) - `build-regular-hwe.yml` — HWE kernel variant of `bluefin` - `build-dx-hwe.yml` — HWE kernel variant of `bluefin-dx` -- `scheduled-lts-release.yml` — Weekly production release dispatcher (sole owner of Sunday builds) -- `promote-to-lts.yml` — Squash-pushes `main` into `lts` (with pre-flight divergence check) +- `scheduled-lts-release.yml` — Weekly production release dispatcher (sole owner of Tuesday builds) +- `create-lts-pr.yml` — Opens a draft PR from `main` → `lts` when content differs; maintainer squash-merges as approval gate - `generate-release.yml` — Creates GitHub Release after successful GDX build on `lts` ## Validation Scenarios From a764cfc023136819c3b3e614dbc09268557490b4 Mon Sep 17 00:00:00 2001 
From: "Jorge O. Castro" Date: Tue, 17 Mar 2026 15:37:08 -0700 Subject: [PATCH 18/18] fix(ci): use tree-hash anchor for accurate promotion commit list (#1197) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ... and of course I messed it up, one more. :) ## Solution Find the most-recent commit on `main` whose tree hash matches the current `lts` tree. Since squash-merges preserve content exactly, this is always the `main` commit that was squash-merged into `lts`. `git log` is anchored from that point, showing only genuinely new commits regardless of squash-merge history. If no match is found within 500 commits (first-ever promotion), falls back to `git diff --name-status`. ## Also fixed - Removed `|| true` from `gh pr edit` — failures now surface visibly instead of silently leaving the PR body stale - Added guard: if `git diff` detects a difference but `origin/lts..origin/main` is empty (lts is ahead/diverged), skip rather than open a misleading empty PR Addresses Copilot review comments from #1195. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Assisted-by: Claude Sonnet 4.6 via GitHub Copilot Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/create-lts-pr.yml | 20 ++++++++++++++++++-- AGENTS.md | 2 +- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/.github/workflows/create-lts-pr.yml b/.github/workflows/create-lts-pr.yml index 9daf5d4a..1bc753fe 100644 --- a/.github/workflows/create-lts-pr.yml +++ b/.github/workflows/create-lts-pr.yml 
@@ -32,6 +32,9 @@ jobs: if git diff --quiet origin/lts origin/main; then echo "No content difference between lts and main. Nothing to promote." echo "has_diff=false" >> "$GITHUB_OUTPUT" + elif [ -z "$(git log origin/lts..origin/main --oneline)" ]; then + echo "lts is ahead of or diverged from main with no commits to promote. Nothing to promote." + echo "has_diff=false" >> "$GITHUB_OUTPUT" else echo "has_diff=true" >> "$GITHUB_OUTPUT" fi @@ -40,7 +43,20 @@ jobs: if: steps.diff.outputs.has_diff == 'true' id: commits run: | - LIST=$(git log origin/lts..origin/main --oneline) + # Find the most-recent commit on main whose tree hash matches the current lts tree. + # This is the anchor point from which we show only genuinely new commits, even after + # squash-merge promotions (which lose individual commit provenance in lts history). + LTS_TREE=$(git rev-parse origin/lts^{tree}) + ANCHOR=$(git log origin/main --format="%H %T" --max-count=500 \ + | awk -v t="$LTS_TREE" '$2==t{print $1; exit}') + + if [ -n "$ANCHOR" ]; then + LIST=$(git log "${ANCHOR}..origin/main" --oneline) + else + # Fallback when the tree match isn't in recent history (e.g., first ever promotion). + LIST=$(git diff --name-status origin/lts origin/main) + fi + { echo "list<
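Review bot: The added `elif` is true only when `git log origin/lts..origin/main` prints nothing, that is when `main` has no commit that `lts` lacks, so it covers "ahead" but not the "diverged" case its message names. If `lts` has received a direct commit and `main` has also advanced, the log is non-empty, `has_diff=true` is written and the promotion PR is opened as before. Since the previous patch in this series removed the pre-flight step, nothing visible here tells the reviewer that `lts` carries content that did not come from `main`. I would narrow the message to `echo "main has no commits that lts lacks. Nothing to promote."` and add a comment above the `elif` stating that divergence is left to branch protection on `lts`. The `run:` block this condition belongs to starts above the hunk.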