softprops/action-gh-release@v2 has a long-standing intermittent bug
where it creates the release as a draft and silently fails to flip the
draft→published step, even though it logs "🎉 Release ready" and the
job exits successfully. v1.4.0, v1.4.1, and v1.4.2 all shipped as
drafts because of this — meaning the GitHub `releases/latest` API
returned v1.3.0, the documented install snippets and the new install.sh
would both download v1.3.0, and admins running the upgrade flow would
never actually get the storage-type-code fix.
Two changes:
1. Pass `make_latest: 'true'` to the action so a successful create
also explicitly marks the release as latest (when the action is
working correctly).
2. Add an unconditional follow-up step `gh release edit --draft=false
--latest` that runs whenever the create step ran. If the action
already published correctly, this is a no-op. If it failed to
flip, we recover.
Token + variables go through `env:` blocks (not interpolated inline
into `run:`) to match the workflow injection guidance the rest of the
file already follows.
v1.4.0/1/2 were manually re-published with `gh release edit` as a
one-off cleanup; this fix prevents the same situation from recurring.
Previous workflow dumped every commit subject since the last tag as raw
bullets — no grouping, no structure, and it overwrote hand-edited release
bodies on every re-push.
New strategy, in order of preference:
1. Extract the "## [X.Y.Z]" section from CHANGELOG.md and use it as the
release body. Maintainers already write structured notes there
(Features / Bug Fixes / Documentation per Keep-a-Changelog); this
flows them to GitHub with zero re-typing.
2. If CHANGELOG.md has no matching section, fall back to grouping the
commit range by conventional-commit prefix:
feat: → Features
fix: → Bug Fixes
refactor: → Changes
docs: → Documentation
other → Other
Automated "chore(release):" bumps are filtered out (they're noise in
a release the reader is already viewing).
3. Append a "Full Changelog" compare link at the bottom when a previous
tag exists.
Retag safety: the workflow now checks the current release body before
regenerating. If a body is already present (manual edit), it's preserved
instead of being clobbered by a force-pushed tag. To intentionally
regenerate: `gh release edit vX.Y.Z --notes ""` then re-push the tag.
Security: all ${{ ... }} interpolation flows through `env:` blocks rather
than inline into `run:` commands. Shell scripts reference those env vars
with $VAR, which is immune to the command-injection pattern documented at
https://github.blog/security/vulnerability-research/how-to-catch-github-actions-workflow-injections-before-attackers-do/
Also switched to fetch-depth: 0 on checkout so `git describe --tags` can
find the previous tag (default fetch-depth: 1 has no tag history).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Remove client IP removal capability (keep backend methods removed too)
- Add copy-to-clipboard buttons for IP addresses with tooltip feedback
- Replace OS dropdown with tile gallery (grouped, searchable, brand colors, EOL badges) in rebuild panel and checkout page
- Add inline server rename with friendly name generator and RFC 1123 validation
- Add traffic statistics canvas chart with responsive resize in resources panel
- Add backup listing timeline in manage panel with show-all expansion
- Add VNC enable/disable toggle with connection details and password copy
- Add server root password reset with auto-clipboard copy (never displayed)
- Add skeleton loading placeholders, action cooldowns (power 3s, rebuild 30s), progress indicator with elapsed timer
- Sanitize all client-facing error messages (no raw API errors exposed)
- Convert all state-mutating AJAX calls from GET to POST
- Add explicit break after all output() calls in client.php
- Add Redis-backed API response caching (Cache.php): OS templates 10min, traffic/backups 2min, currencies 30min, packages 10min
- Add GitHub Actions workflow for weekly VirtFusion API change detection
- Move cache busting step after semantic-release in publish workflow
- Add endpoint doc generator script and OpenAPI baseline placeholder
- Improve hostname generation entropy (bin2hex random_bytes)
- Add .superpowers/ to .gitignore
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Escape $serverObject and $systemUrl in AdminHTML.php heredocs to prevent XSS
- Add null guard in Database::getSystemUrl() to prevent fatal error
- Guard primaryNetwork access in module.js to prevent null dereference
- Reset badge/traffic-bar CSS classes on refresh to prevent accumulation
- Add VNC popup-blocked check with user-facing message
- Add BS3 input-group-btn dual class for theme compatibility
- Escape billing template variables with |escape:'htmlall'
- Add cache-busting to admin CSS/JS includes
- Switch cache-busting format from version to date-based (20260207)
- Create .releaserc.json for automated CHANGELOG.md management
- Add changelog/git plugins to semantic-release workflow
- Remove manual [Unreleased] section from CHANGELOG.md
- Update README: install/upgrade with rsync, accuracy fixes, add keygen.js
- Update CLAUDE.md: add keygen.js, document removed features
- Fix SECURITY.md grammar and version operator
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
