Skip to content

chore: release v0.24.0#2032

Merged
danielmeppiel merged 1 commit into
mainfrom
danielmeppiel-psychic-spork
Jul 5, 2026
Merged

chore: release v0.24.0#2032
danielmeppiel merged 1 commit into
mainfrom
danielmeppiel-psychic-spork

Conversation

@danielmeppiel

Copy link
Copy Markdown
Collaborator

Cut release 0.24.0.

  • Bump pyproject.toml to 0.24.0 (and uv.lock).
  • Move [Unreleased] to [0.24.0] - 2026-07-05 in CHANGELOG.md, with one short "so what?" entry per PR merged since v0.23.1.

Why MINOR (0.24.0), not PATCH (0.23.2)

Two new user-visible surfaces landed this cycle, which is a minor bump under pre-1.0 semver:

Every other PR in the cycle is a fix, security hardening, or performance improvement -- subordinate to the two new surfaces above. No BREAKING changes landed, so this stays a minor bump in the 0.x line rather than escalating toward 1.0.

25 PRs merged since v0.23.1; 24 changelog entries (one docs-only PR, #2010, dropped as internal housekeeping).

Validation

Lint mirror green locally (ruff check + format, pylint R0801, auth-signals). See .apm/instructions/linting.instructions.md for the contract this mirrors.

Post-merge

Tag v0.24.0 to trigger the release workflow:

git tag v0.24.0
git push origin v0.24.0

Bump pyproject.toml and uv.lock to 0.24.0 and move the [Unreleased]
CHANGELOG block to [0.24.0] - 2026-07-05 (one so-what entry per merged PR).
MINOR bump: new `apm config list` alias (#1991) and Antigravity `trigger: glob`
frontmatter support (#1984); no BREAKING changes. Lint mirror green locally
(ruff check + format, pylint R0801, auth-signals).

Post-merge: tag v0.24.0 to trigger the release workflow.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 5, 2026 09:15
@danielmeppiel danielmeppiel merged commit a8a2393 into main Jul 5, 2026
15 checks passed
@danielmeppiel danielmeppiel deleted the danielmeppiel-psychic-spork branch July 5, 2026 09:21

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Cuts the v0.24.0 release by bumping the project version (and lockfile) and promoting the changelog entries into a dated release section.

Changes:

  • Bump apm-cli version from 0.23.1 to 0.24.0 in pyproject.toml.
  • Update uv.lock to reflect the new project version and refreshed dependency resolution.
  • Move release notes from [Unreleased] into ## [0.24.0] - 2026-07-05 in CHANGELOG.md.
Show a summary per file
File Description
CHANGELOG.md Promotes Unreleased notes into the 0.24.0 release section (needs formatting fixes to match the repo changelog contract).
pyproject.toml Version bump to 0.24.0.
uv.lock Lockfile updated for the new version and dependency graph changes.

Review details

  • Files reviewed: 2/3 changed files
  • Comments generated: 8
  • Review effort level: Low

Comment thread CHANGELOG.md
Comment on lines +14 to +20
- `apm install` and `apm compile` now emit Antigravity-native `trigger: glob`
and `globs` frontmatter in `.agents/rules/*.md`, and `apm compile` omits
instructions from `AGENTS.md` when they already exist in `.agents/rules/`
(compile-time dedup). (by @okamiconcept, #1984)
- `apm config list` is now available as a discoverable alias for `apm config
get` with no key, listing all resolved configuration values. (by @WilliamK112,
#1991)
Comment thread CHANGELOG.md
Comment on lines +24 to +31
- Artifactory registry-proxy ZIP installs now use the shared safe-extraction
path with traversal, symlink, and zip-bomb guards instead of direct ZIP
extraction. (by @fallintoplace, #1948)
- `apm runtime setup codex` now verifies GitHub Releases SHA-256 asset digests
before extracting downloaded archives. (by @fallintoplace, #1949)
- Marketplace plugin `bin/` executables now deploy with user-only `0o700`
permissions (group/other bits cleared) and legacy `bin_deploy.deny` GitHub
forms are normalized before matching. (by @WilliamK112, #1971, #2024)
Comment thread CHANGELOG.md
Comment on lines 35 to +39
- `apm install` with a committed lockfile no longer re-resolves branch-pinned
and tagless locked dependencies over the network. The tiered ref resolver's
L0 cache is now seeded from the lockfile before resolution runs, eliminating
redundant commits-API calls on every locked install (2 calls -> 0 on a
1-direct + 1-transitive branch-pinned install). Skipped under `--update` /
`--refresh`. Verbose tier stats now also correctly track concrete-SHA refs as
`sha_passthrough` instead of inflating the `commits_api` counter. --
by @srobroek (#1973)

### Changed

- Collapsed repeated `git config` subprocess calls from 3 to 1 per repository
during cache operations, cutting process-spawn overhead on `apm install` and
`apm update`. (#1974)
and tagless locked dependencies over the network -- the tiered ref resolver's
L0 cache is seeded from the lockfile before resolution runs (2 commits-API
calls -> 0 on a 1-direct + 1-transitive branch-pinned install), skipped under
`--update`/`--refresh`. (by @srobroek, #1973)
Comment thread CHANGELOG.md
Comment on lines +54 to +58
- Generated `CLAUDE.md` now uses a single H1 title with nested H2/H3 sections,
fixing duplicate top-level headings in Claude Code. (by @WilliamK112, #2016)
- `apm install` now deploys hook script directories as self-contained bundles
for Claude-family targets, Copilot, and Kiro so sibling helper modules resolve
at runtime, and JS/TS hook bundles get a minimal module-type `package.json`
Comment thread CHANGELOG.md
Comment on lines +68 to +73
- `apm audit --help` now describes the command's full scope -- hidden-Unicode
scanning, drift detection, and lockfile/policy checks -- instead of naming
only Unicode scanning. (by @WilliamK112, #2017)
- `apm mcp install --help` now surfaces the forwarded `apm install` options
inside the command description under a clearer "Forwarded install options"
heading. (by @WilliamK112, #2018)
Comment thread CHANGELOG.md
Comment on lines +74 to +80
- `apm pack` now packs dependency content exclusively from lockfile-attested
`deployed_files`, verifying each against its recorded SHA-256 before bundling,
so tampered or unattested content fails the pack instead of shipping silently.
This closes a supply-chain provenance hole in both `--format apm` and `--format
plugin`; unattested dependency hooks/MCP config is no longer packed and
directory entries are walked with per-child symlink containment. (closes #1999,
#2013)
Comment thread CHANGELOG.md
Comment on lines +81 to +90
- `apm install --frozen` no longer spuriously rejects private Git dependencies
on non-default hosts (Bitbucket Server, GitLab, GitHub Enterprise); lockfile
matching now uses the same host-qualified identity as `apm install`. (closes
#1996, #2011)
- Self-hosted Git hosts such as GitBucket that serve smart-HTTP only at the
`.git` path now install over anonymous HTTPS -- `apm install` no longer drops
the `.git` suffix. (by @mia106dev, closes #1995, #1997)
- `apm install` and `apm uninstall` no longer strip comments from `apm.yml` when
updating dependency entries, so inline annotations and section notes survive.
(closes #2000, #2012)
Comment thread CHANGELOG.md
Comment on lines +91 to +102
- `apm pack` now emits a `marketplace.json` the Copilot App accepts when the
manifest `name` contains dots or underscores: the `name` is normalized to
kebab-case with a warning naming the original and emitted values, while
internal resolution keeps the original name. (by @sergio-sisternes-epam, #2008)
- `targets:`, `skills:`, and `alias:` on a `path:` dependency entry are no longer
silently ignored during `apm install`, and now round-trip on serialization.
(by @sergio-sisternes-epam, closes #1982, #1987)
- Self-defined stdio MCP env `${VAR}` placeholders now resolve from the
install-process environment for Claude Code and Codex instead of being written
verbatim. (closes #1963, #1966)
- `apm audit --ci` no longer reports phantom drift for root-local hook files when
audit replay writes into a scratch project root. (closes #1978, #1980)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants