
25.11.0

Latest


@jezdez jezdez released this 12 Nov 23:15
25eb362

Release Notes - v25.11.0

🎉 Major Features

GitHub Team Management & Security Enhancement

A comprehensive overhaul of GitHub team permissions to improve organization security while maintaining developer access.

New Leads Team Management

  • Automatic leads sub-teams: Each project now gets a dedicated -leads sub-team with maintain permissions
  • Dynamic membership: Leads are automatically added/removed from leads teams when their status changes
  • Retroactive setup: Command to set up leads teams for all existing projects

Team Structure Optimization

  • Flattened team hierarchy: Project teams are now siblings (not children) of the Members team to prevent unintended permission inheritance
  • Explicit permissions: All 71 active project repositories explicitly assigned to Members team with write access
  • Read-only capability: Organization default can now be safely changed from write to read, with write access controlled via team membership

New CLI Commands

flask sync project_leads_team # Setup leads team for a project
flask sync setup_all_projects_leads_teams # Bulk setup for all projects
flask sync add_repo_to_members_team # Add repo to members team
flask sync update_all_projects_members_team # Bulk update all repos
flask sync flatten_project_teams # Flatten active project teams
flask sync flatten_stale_teams # Flatten stale child teams

All commands support --dry-run for safe testing.

Team Permission Audit Tool

  • New check_teams.py script for auditing GitHub team structure
  • Identifies permission mismatches, stale teams, and inheritance issues
  • Reports on all 136 teams across the organization
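The three problem classes listed above, sketched as an added example; this is not the project's check_teams.py. The Team record, the "members" slug, the project names and the sample data are constructed assumptions, and permission names follow the wording of these notes.

```python
from dataclasses import dataclass, field
from typing import Optional

MEMBERS = "members"  # assumed slug of the organization-wide Members team


@dataclass
class Team:
    slug: str
    parent: Optional[str] = None  # slug of the parent team when nested
    repos: dict = field(default_factory=dict)  # repo name -> permission


def audit(teams, active_projects):
    """Return (team, finding, detail) tuples for the three problem classes."""
    findings = []
    for team in teams:
        if team.slug == MEMBERS:
            continue
        is_leads = team.slug.endswith("-leads")
        project = team.slug[:-len("-leads")] if is_leads else team.slug
        # Inheritance: a child of Members picks up the parent's repo access.
        if team.parent == MEMBERS:
            findings.append((team.slug, "inheritance", "child of members"))
        # Stale: the team no longer maps to an active project.
        if project not in active_projects:
            findings.append((team.slug, "stale", "no active project"))
            continue
        # Mismatch: a leads team should hold maintain on its project repo.
        granted = team.repos.get(project)
        if is_leads and granted != "maintain":
            findings.append((team.slug, "mismatch", f"{project}: {granted}"))
    # Mismatch: every active project repo should be on Members with write.
    members = next((t for t in teams if t.slug == MEMBERS), Team(MEMBERS))
    for project in sorted(active_projects):
        if members.repos.get(project) != "write":
            findings.append((MEMBERS, "mismatch", f"{project}: not write"))
    return findings

# Constructed sample data; project names are placeholders.
SAMPLE = [
    Team(MEMBERS, repos={"proj-a": "write", "proj-b": "read"}),
    Team("proj-a"),
    Team("proj-a-leads", "proj-a", {"proj-a": "maintain"}),
    Team("proj-b", MEMBERS),
    Team("proj-b-leads", "proj-b", {"proj-b": "write"}),
    Team("old-proj", MEMBERS),
]
ACTIVE = {"proj-a", "proj-b"}
```
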

API Optimization

  • Smart caching: Checks existing permissions before updating to minimize GitHub API calls
  • Example: 50 projects with 40 already configured = 11 API calls instead of 50
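A check-before-update sync, as an added example rather than the project's own code. It assumes one listing request plus one update per repository that still needs it, which gives 11 requests for the case above; FakeGitHub, set_team_repo and the get_team_repos signature are hypothetical stand-ins.

```python
class FakeGitHub:
    """In-memory stand-in for the GitHub API that counts requests (constructed)."""

    def __init__(self, team_repos):
        self.team_repos = dict(team_repos)  # repo name -> permission granted
        self.calls = 0

    def get_team_repos(self, team):
        self.calls += 1  # one listing request (pagination ignored here)
        return [{"name": n, "permission": p} for n, p in self.team_repos.items()]

    def set_team_repo(self, team, repo, permission):
        self.calls += 1  # one update request per repository
        self.team_repos[repo] = permission


def sync_members_team(api, projects, team="members", wanted="write", dry_run=False):
    """Grant `wanted` on every project repo, skipping repos already correct."""
    current = {r["name"]: r["permission"] for r in api.get_team_repos(team)}
    todo = [p for p in projects if current.get(p) != wanted]
    if not dry_run:  # a dry run reports the plan and changes nothing
        for repo in todo:
            api.set_team_repo(team, repo, wanted)
    return todo


def demo():
    projects = [f"proj-{i:02d}" for i in range(50)]        # constructed names
    api = FakeGitHub({p: "write" for p in projects[:40]})  # 40 already configured
    planned = sync_members_team(api, projects, dry_run=True)
    dry_calls = api.calls
    applied = sync_members_team(api, projects)
    return len(planned), dry_calls, len(applied), api.calls - dry_calls
```
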

Database Changes

  • Added leads_team_slug field to projects table for tracking leads teams
  • Migration: d69ef951e45_add_leads_team_slug.py

Automated Workflows

  • New repositories automatically added to members team via webhooks
  • Leads team membership syncs automatically with database changes

🐛 Bug Fixes

Docker & CI/CD

  • Critical: Updated base image from Debian Buster (EOL) to Debian Bookworm
    • Fixes: apt-get update failures in CI/CD
    • Debian Bookworm supported until ~2028

GitHub API

  • Fixed get_team_repos() return type handling (returns list, not response object)
  • Resolved migration conflict in leads_team_slug migration

Testing

  • Removed unnecessary with context manager usage in pytest-mock
  • Fixed mock object returns to be synchronous instead of coroutines
  • Added side_effect to properly simulate leads_team_slug updates in tests

✨ Improvements

Testing

  • 19 new tests for leads team management features
  • Test coverage increased:
    • Overall: 46% → 64%
    • projects/tasks.py: 54% → 65%
    • account/blueprint.py: 43% → 72%
  • All 214 tests passing
  • Reduced warnings from 336 → 334

Code Quality

  • Applied pre-commit formatting fixes
  • Removed deprecated pytest-mock patterns
  • Refactored mock setups for consistency

📦 Dependency Updates

Python Dependencies

  • pytest: 8.3.5 → 8.4.2
  • pytest-datadir: 1.7.0 → 1.8.0
  • cryptography: 45.0.3 → 46.0.3
  • requests[security]: 2.32.3 → 2.32.5
  • setuptools: 80.8.0 → 80.9.0
  • urllib3: 2.4.0 → 2.5.0
  • brotli: 1.1.0 → 1.2.0 (includes security fix)
  • pip: 25.1.1 → 25.3

JavaScript Dependencies

  • parcel: 2.12.0 → 2.16.1
  • @parcel/transformer-sass: 2.12.0 → 2.16.1
  • sass: 1.89.0 → 1.94.0
  • Fixed micromatch ReDoS vulnerability (moderate severity)

GitHub Actions

  • actions/checkout: v4 → v5
  • actions/setup-node: v4 → v6
  • docker/build-push-action: v5 → v6
  • getsentry/action-release: v1 → v3

🔒 Security

  • 0 vulnerabilities in npm dependencies (was 1)
  • Updated Debian base image to supported version
  • Fixed ReDoS vulnerability in micromatch
  • Security updates for brotli, requests, and cryptography

📝 Documentation

  • Added comprehensive testing patterns guide (AGENTS.md)
  • Documented GitHub team permission structure
  • Added usage examples for all new CLI commands

🎯 Migration Path

If upgrading from 25.6.2:

  1. Deploy the update: git pull && dokku ps:restart jazzband

  2. Run migrations: Automatic on deployment

  3. Set up teams (one-time):

    1. Flatten any remaining child teams

    dokku run jazzband flask sync flatten_stale_teams --dry-run
    dokku run jazzband flask sync flatten_stale_teams

    2. Ensure all repos in members team

    dokku run jazzband flask sync update_all_projects_members_team --dry-run
    dokku run jazzband flask sync update_all_projects_members_team

    3. Set up leads teams for all projects

    dokku run jazzband flask sync setup_all_projects_leads_teams --dry-run
    dokku run jazzband flask sync setup_all_projects_leads_teams

    4. Verify with audit script

    dokku run jazzband python check_teams.py

  4. Update GitHub org settings (optional):

    • Change organization default permission from write to read
    • Members will retain write access via explicit team membership

⚠️ Breaking Changes

None - all changes are backward compatible.

🙏 Contributors


Full Changelog: 25.6.2...25.11.0