From 51c746168e672f4e94e810b289b31db54b0b958b Mon Sep 17 00:00:00 2001 From: ArkForge Date: Wed, 11 Mar 2026 01:13:49 +0000 Subject: [PATCH] fix(changelog): clean up v1.2.2 entry + fix update_changelog.py insertion logic The v1.2.2 CI release failed because branch protection blocked the CHANGELOG commit via GitHub API (HTTP 409). The deploy script was already fixed (674bfad) but the tag used the old workflow. This commit: - Moves v1.2.2 entry to correct position (after header, before v1.2.1) - Removes duplicate v1.2.1 entries and stale [Unreleased] block - Fixes update_changelog.py to insert after first --- separator instead of relying on [Unreleased] marker --- CHANGELOG.md | 37 ++++++++----------------------------- scripts/update_changelog.py | 27 +++++++++------------------ 2 files changed, 17 insertions(+), 47 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fc19c55..ff1c6dc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,14 @@ Versions follow [Semantic Versioning](https://semver.org/). --- +## [1.2.2] — 2026-03-11 + +### Fixed +- CI release: CHANGELOG commit moved to deploy script (pre-tag) — avoids branch protection conflict during CI. +- CI fallback PR path for CHANGELOG commit when API commit is blocked. + +--- + ## [1.2.1] — 2026-03-11 ### Security 
@@ -185,32 +193,3 @@ _(initial 1.1.x series — internal stabilisation)_ ### Added - Stripe webhooks: `invoice.paid` and `invoice.payment_failed` handlers. - ---- - -## [Unreleased] - -## [1.2.1] — 2026-03-10 - -### Fixed -- cryptography 43.0.0 → 46.0.5 — 3 Dependabot CVEs - -### Documentation -- CHANGELOG.md + auto-update on release - -### Tests -- branch chain_hash by algorithm field (legacy vs canonical_json) - ---- -_Next changes will appear here automatically._ - ---- - -## [1.2.1] — 2026-03-10 - -### Security -- **cryptography 43.0.0 → 46.0.5** — closes 3 Dependabot alerts: - - HIGH: subgroup attack via missing validation on SECT curves (fixed in 46.0.5) - - MEDIUM: vulnerable OpenSSL bundled in wheels (fixed in 43.0.1) - - LOW: vulnerable OpenSSL bundled in wheels (fixed in 44.0.1) - `cryptography` is not directly used by Trust Layer code (Fernet key derivation only) — no API change. diff --git a/scripts/update_changelog.py b/scripts/update_changelog.py index 75b5041..9d4f0b4 100644 --- a/scripts/update_changelog.py +++ b/scripts/update_changelog.py 
@@ -106,32 +106,23 @@ def build_entry(tag: str, commits: list[str]) -> str:
 def update_changelog(entry: str) -> None:
 content = CHANGELOG.read_text(encoding="utf-8")
- marker = "## [Unreleased]"
- if marker not in content:
- # Append at end if marker missing
- CHANGELOG.write_text(content.rstrip() + "\n\n" + entry, encoding="utf-8")
- return
-
- # Insert after the [Unreleased] block (first blank line after it)
 lines = content.splitlines(keepends=True)
 insert_at = None
- in_unreleased = False
+
+ # Insert after the first "---" separator (end of file header block).
+ # This places new entries right after the header, before existing versions.
 for i, line in enumerate(lines):
- if line.strip() == marker:
- in_unreleased = True
- continue
- if in_unreleased and line.strip() == "":
+ if line.strip() == "---":
 insert_at = i + 1
 break
 if insert_at is None:
- # Fallback: insert right after the marker line
- for i, line in enumerate(lines):
- if line.strip() == marker:
- insert_at = i + 1
- break
+ # No separator found — append after header
+ CHANGELOG.write_text(content.rstrip() + "\n\n" + entry, encoding="utf-8")
+ return
- lines.insert(insert_at, entry)
+ entry_block = "\n" + entry
+ lines.insert(insert_at, entry_block)
 CHANGELOG.write_text("".join(lines), encoding="utf-8")
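Review bot: update_changelog() still has no guard against inserting a release that is already in the file, so duplicate blocks like the v1.2.1 ones this commit removes by hand can reappear if the script runs twice for one tag. Before the scan, something like `if entry.strip() in content: return` would make a retry harmless; matching on the version heading alone would be sturdier if build_entry stamps the current date into it (build_entry's body is not visible here). The fallback comment also misstates the behaviour: `content.rstrip() + "\n\n" + entry` appends at the end of the file, so `# No separator found — append at end of file` is the accurate wording. The scan also takes the first line whose stripped text is `---`, so it depends on the header block never containing such a line; a short docstring stating that assumption would help. The function appears to start and end inside the hunk.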