v3.0.1

What's Changed

• fix(safety): make dependency-safety/gate status clickable via env vars by @j7an in #77

Full Changelog: v3.0.0...v3.0.1

v3.0.0

Breaking changes

The legacy workflow paths
j7an/shared-workflows/.github/workflows/dependency-cooldown.yml and
.../cooldown-rescan.yml are absent from v3. Consumers still on
those paths should remain on frozen @v2 (last cooldown-bearing release,
no further updates) or migrate their callers to dependency-safety.yml
before moving to @v3. To migrate from v2 to v3:

1. Add native cooldown to .github/dependabot.yml:

   cooldown:
     default-days: 5

2. Update caller uses: line:

   - uses: j7an/shared-workflows/.github/workflows/dependency-cooldown.yml@v2
   + uses: j7an/shared-workflows/.github/workflows/dependency-safety.yml@v3

3. Rename input cooldown_days → minimum_release_age_days.
4. Drop fail_on_cooldown; use fail_on_age_violation instead.
5. Remove any caller using cooldown-rescan.yml — no rescan companion.
6. Update branch protection: rename required status dependency-cooldown / gate → dependency-safety / gate.
7. Remove stale cooldown-pending labels manually.

See README "v2 → v3 migration" for full details.

---

What's Changed

• fix(safety): add pyproject.toml parser support for uv/poetry Dependabot PRs by @j7an in #67
• chore!: remove deprecated cooldown workflows (v2 → v3) by @j7an in #69

Full Changelog: v2...v3.0.0

v2.6.0

What's Changed

• docs: add agent instructions (AGENTS.md + .claude/CLAUDE.md) by @j7an in #57
• deps: bump actions/create-github-app-token from 3.1.1 to 3.2.0 by @dependabot[bot] in #58
• feat(safety): add dependency-safety workflow with native-cooldown verification by @j7an in #61
• deps: bump step-security/harden-runner from 2.19.1 to 2.19.3 by @dependabot[bot] in #63
• fix(safety): trigger guard on partial extraction by @j7an in #65

Full Changelog: v2.5...v2.6.0

v2.5.3

What's Changed

• deps: bump step-security/harden-runner from 2.16.0 to 2.19.0 by @dependabot[bot] in #54
• deps: bump step-security/harden-runner from 2.19.0 to 2.19.1 by @dependabot[bot] in #55
• fix(tag-release): use Git Data API so commits and tags auto-sign by @j7an in #56

Full Changelog: v2.5.2...v2.5.3

v2.5.2

What's Changed

• fix(cooldown): extract deps from TOML lockfiles + fail-loud guard by @j7an in #53

Full Changelog: v2.5.1...v2.5.2

v2.5.1

What's Changed

• deps: bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3 by @dependabot[bot] in #49
• fix(cooldown): accept large valid diffs in extract-deps by @j7an in #51

Full Changelog: v2.5.0...v2.5.1

v2.5.0

What's Changed

• feat(tag-release): support nested field paths in .version-bump.json by @j7an in #47
• feat(tag-release): accept bracket-quoted keys and [] iterator in path_expr by @j7an in #48

Full Changelog: v2.4...v2.5.0

v2.4.0

What's Changed

• feat(cooldown): add cooldown-rescan scheduled rescan workflow by @j7an in #43

Full Changelog: v2.3...v2.4.0

v2.3.0

What's Changed

• feat: add tag-prefix to tag-release.yml and new publish-pypi.yml (v2.3) by @j7an in #41

Full Changelog: v2.2...v2.3.0

v2.2.0

What's Changed

• fix(cooldown): harden reusable workflows against caller-context bugs by @j7an in #37
• chore(tag-release): replace deprecated app-id input with client-id by @j7an in #38
• feat(tag-release): auto-bump version files before tagging by @j7an in #39

Full Changelog: v2.1...v2.2.0