Releases: kethalia/workflows

v3.2.0

25 May 08:18
0cc6d22

Minor Changes

  • 368e3a5: helm-lint.yml: add two opt-in inputs.

    • chart-discovery-command: optional bash command that prints newline-separated chart paths (or Chart.yaml paths, which are normalized to their parent directory). Use when the chart layout is dynamic (e.g. find infrastructure -name Chart.yaml -not -path '*/charts/*'). Either charts or chart-discovery-command must be provided; when both are set, charts wins.
    • kubeconform-schema-locations: newline-separated list of -schema-location values passed to kubeconform when validate-templates: true. Defaults preserve the prior behavior (default + datreeio CRDs catalog). Override to point at internal CRD schema bundles.

    The charts input is now optional but mutually exclusive with discovery. Existing callers that pass charts: keep working unchanged.
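    A caller-side sketch of the two inputs above, added here as an example rather than taken from kethalia/workflows: normalize_chart_paths mirrors the normalization the release describes for chart-discovery-command output, and schema_location_args turns the kubeconform-schema-locations value into repeated kubeconform flags. The sample paths and function names are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not kethalia/workflows code. Function names and sample paths
# are constructed; the datreeio catalog URL is the one kubeconform documents.

# Chart.yaml paths become their parent directory; blank lines and trailing
# slashes are dropped; duplicates keep their first occurrence.
normalize_chart_paths() {
  seen='|'
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    case "$p" in
      */Chart.yaml) p=${p%/Chart.yaml} ;;
      Chart.yaml)   p=. ;;
    esac
    p=${p%/}
    case "$seen" in *"|$p|"*) continue ;; esac
    seen="$seen$p|"
    printf '%s\n' "$p"
  done
}

# One "-schema-location <value>" pair per line; kubeconform accepts the flag
# repeatedly, so the caller can splat the output unquoted into the command.
schema_location_args() {
  printf '%s\n' "$1" | while IFS= read -r loc; do
    [ -n "$loc" ] || continue
    printf -- '-schema-location %s\n' "$loc"
  done
}

# The release's stated default: kubeconform's built-in "default" location
# plus the datreeio CRDs catalog.
default_schema_locations='default
https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json'

# Render one chart and validate it; assumes helm and kubeconform are on PATH.
# $1 = chart dir, $2 = newline-separated schema locations, $3 = k8s version.
validate_chart() {
  helm template "$1" |
    kubeconform -strict -summary -kubernetes-version "$3" $(schema_location_args "$2")
}

# Constructed discovery output, as e.g.
#   find infrastructure -name Chart.yaml -not -path '*/charts/*'
# might print it (with a blank line, a duplicate and a trailing slash).
sample_discovery='infrastructure/api/Chart.yaml
infrastructure/web/Chart.yaml

infrastructure/api/Chart.yaml
infrastructure/jobs/'
```

Running `printf '%s\n' "$sample_discovery" | normalize_chart_paths` yields the three unique chart directories, which a loop can hand to validate_chart one by one.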

v3.1.0

25 May 08:00
cd1d1ae

Minor Changes

  • 555bd91: feat(ci-quality): add opt-in shellcheck-command and cspell-command inputs

    feat(helm-lint): add validate-templates input that runs kubeconform against
    helm-rendered manifests. Configurable via kubernetes-version and
    kubeconform-version. Defaults to off — non-breaking.

    feat(kubeconform): new kubeconform.yml reusable for validating raw
    Kubernetes manifests outside helm charts. Takes install-command (optional)
    and lint-command (required). Routes through resolve-runner heavy tier.

    All new jobs are additive opt-ins; existing callers are unaffected.

v3.0.0

25 May 06:03
1b636dc

Major Changes

  • c9a73ed: reusable-visual-tests.yml and update-snapshots.yml now resolve their runner labels via resolve-runner.yml@v2.0.0 instead of hardcoding runs-on: ubuntu-latest. This brings both workflows in line with ci-build-lint-test.yml and ci-quality.yml, so a caller repo (or its org) can opt the Playwright suite onto the self-hosted heavy tier via vars.RUNNER_HEAVY without forking the reusables.

    Breaking change. Both workflows now default to the heavy tier:

    • reusable-visual-tests.yml visual-tests job → vars.RUNNER_HEAVY, falling back to self-hosted
    • update-snapshots.yml dispatch job → vars.RUNNER_HEAVY, falling back to self-hosted

    Existing callers under the kethalia/chillwhales/phlox-labs orgs (where vars.RUNNER_HEAVY is already pinned to ubuntu-latest) see no change. Standalone consumers that previously inherited the hardcoded ubuntu-latest and have no RUNNER_HEAVY set will fall back to self-hosted for both jobs — pin vars.RUNNER_HEAVY=ubuntu-latest on the caller repo (or org) to preserve prior behavior.

    Self-hosted runners that consume the visual workflow must have Docker available and be able to pull the configured Playwright image, since the suite still runs inside container:.

v2.0.0

21 May 06:20
a0d64f4

Major Changes

  • 9ae2fdd: BREAKING: Remove the label-gate job and the approval-label input from reusable-visual-tests.yml. Baseline-approval enforcement was redundant with ordinary PR review and the pull_request trigger lacked the labeled activity type, so the gate stayed red until the workflow was manually re-run after the label was applied — pure friction for no added security. Callers must (1) drop label-gate from any required-check list in branch protection, and (2) remove approval-label: from their with: block — passing an unknown input now fails workflow startup.

v1.5.5

20 May 19:53
32221f2

Patch Changes

  • bcf3ef2: Add additive pr-<num>-<head_short_sha_8> tag to build-stack.yml so ArgoCD's PullRequest-generated ApplicationSets can resolve per-PR images. The existing pr-<num>-<github.sha> tag (which on pull_request events is the synthetic merge-commit SHA, not the PR head SHA) is unchanged and continues to be published — the new tag is additive and non-breaking. ArgoCD's PullRequest generator exposes only head_sha / head_short_sha; without an 8-char head-sha tag, every preview Application ImagePullBackOff'd because the merge ref and head ref never match. GHCR retention prunes both tags together since they share the pr- prefix; no extra cleanup configuration required.

v1.5.4

20 May 19:37
c6352a8

Patch Changes

  • bc82277: Sign baseline-refresh commits in reusable-visual-tests.yml via the GitHub API. The update-baselines mode previously created the refresh commit with git commit + git push from the runner, producing unsigned commits that fail branch-protection rules requiring signed commits (and blocking PR merges via the "verified" badge). The commit is now created with the GraphQL createCommitOnBranch mutation using the workflow's GITHUB_TOKEN, which GitHub signs with its web-flow key and attributes to github-actions[bot]. A single mutation carries all additions and deletions, avoiding secondary rate limits on baseline refreshes that touch many PNGs. No caller changes required; the git-user-name / git-user-email inputs are now deprecated (accepted-but-ignored) since the author is fixed by web-flow signing.
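    An added example, not code from kethalia/workflows: it builds the request body for the createCommitOnBranch mutation described above and sends it through the gh CLI, so the resulting commit carries GitHub's web-flow signature. It assumes GITHUB_TOKEN is set for gh and that file paths need no JSON escaping; the function names, the demo repo/branch and the all-zero head OID are constructed.

```shell
#!/usr/bin/env bash
# Added example, not kethalia/workflows code. Assumes gh + GITHUB_TOKEN, and
# paths without characters that would need JSON escaping.

MUTATION='mutation($input: CreateCommitOnBranchInput!) {
  createCommitOnBranch(input: $input) { commit { oid url } }
}'

# Usage: commit_payload OWNER/REPO BRANCH HEADLINE EXPECTED_HEAD_OID FILE...
# A FILE starting with "-" is a deletion; any other FILE is read from disk and
# base64-encoded as an addition. Every change rides in one mutation, which is
# what keeps many-PNG refreshes clear of secondary rate limits.
commit_payload() {
  repo=$1; branch=$2; headline=$3; head_oid=$4; shift 4
  adds=''; dels=''
  for f in "$@"; do
    case "$f" in
      -*) f=${f#-}; dels="$dels${dels:+,}{\"path\":\"$f\"}" ;;
      *)  b64=$(base64 < "$f" | tr -d '\n')
          adds="$adds${adds:+,}{\"path\":\"$f\",\"contents\":\"$b64\"}" ;;
    esac
  done
  q=$(printf '%s' "$MUTATION" | tr '\n' ' ')
  printf '{"query":"%s","variables":{"input":{"branch":{"repositoryNameWithOwner":"%s","branchName":"%s"},"message":{"headline":"%s"},"expectedHeadOid":"%s","fileChanges":{"additions":[%s],"deletions":[%s]}}}}\n' \
    "$q" "$repo" "$branch" "$headline" "$head_oid" "$adds" "$dels"
}

# expectedHeadOid must be the branch's current tip: GitHub rejects the mutation
# if the branch moved, which guards against clobbering a concurrent push.
push_baselines() {
  repo=$1; branch=$2; headline=$3; shift 3
  head_oid=$(git rev-parse "origin/$branch")
  commit_payload "$repo" "$branch" "$headline" "$head_oid" "$@" | gh api graphql --input -
}

# Offline demo on constructed files: one added PNG, one deleted baseline.
demo_payload() {
  d=$(mktemp -d) && printf 'PNG-bytes' > "$d/home.png"
  ( cd "$d" && commit_payload kethalia/example refresh-baselines \
      'chore: refresh visual baselines' 0000000000000000000000000000000000000000 home.png -stale.png )
  rm -rf "$d"
}
```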

v1.5.3

20 May 09:03
a97080c

Patch Changes

  • 11c25fe: Fix YAML syntax error in reusable-visual-tests.yml playwright-image input description. The unquoted plain scalar contained `defaults.run.shell: bash`, whose embedded : broke YAML parsing and triggered GitHub's "Invalid workflow file" phantom failure run on every push touching the file. Converted the description to a | block scalar to match neighboring inputs.

v1.5.2

20 May 08:41
6879a5d

Patch Changes

  • 0d022b4: fix(visual-tests): rename visual-tests.yml to reusable-visual-tests.yml to clear stuck workflow registration

    The original visual-tests.yml file was first registered with a broken parse during the initial commit, leaving its registered name stuck at the file path (.github/workflows/visual-tests.yml) instead of the declared workflow name. GitHub never refreshes the registered name on subsequent commits, so every push that touches the file emits a phantom push-event startup-failure run with zero jobs. Renaming the file forces GitHub to create a fresh workflow registration row, clearing the noise.

    The update-snapshots.yml reusable's target-workflow input default remains visual-tests.yml — that input names the caller's local shim workflow (which still owns the workflow_dispatch trigger), not this reusable file. Callers that pin a tag (e.g. @v1.5.1) are unaffected — the rename only changes the file path going forward. Callers consuming @main of this workflow must update their uses: path:

    - uses: kethalia/workflows/.github/workflows/visual-tests.yml@main
    + uses: kethalia/workflows/.github/workflows/reusable-visual-tests.yml@main
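    Review bot: the `+` line keeps callers on `@main` of a reusable workflow, which tracks whatever the default branch holds at run time; since the note already says tag pins (e.g. @v1.5.1) are unaffected, consider showing the replacement with a tag pin instead so callers move to a stable, reviewable reference while fixing the path.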

v1.5.1

20 May 08:10
1d851a6

Patch Changes

  • c361d3e: fix(visual-tests): force bash for inline run steps inside the Playwright container

    The reusable visual-tests job runs inside mcr.microsoft.com/playwright, where the default shell GitHub Actions selects is sh (dash). The "Guard refresh-mode ref is a branch" and "Commit and push" steps both begin with set -euo pipefail, which dash rejects (set: Illegal option -o pipefail), causing the refresh job to crash on its first real step.

    Set defaults.run.shell: bash on the visual-tests job so every inline run: step uses bash. The playwright-jammy image ships bash. The label-gate job already runs on ubuntu-latest (no container) and is unaffected.
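    A portable prologue for inline run: steps that may execute under dash, added here as an example and not taken from kethalia/workflows. The release's fix is defaults.run.shell: bash; this shows the guard for scripts that must stay POSIX, plus a probe that reports whether a failing pipe stage is actually visible. Function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not kethalia/workflows code. Function names are constructed.

# errexit and nounset are POSIX and always set; pipefail is enabled only when
# the running shell accepts it (dash rejects "set -o pipefail" outright, which
# is the crash the release describes). Returns 0 if pipefail is now active,
# 1 if this shell does not support it, and never aborts the step either way.
strict_mode() {
  set -eu
  if (set -o pipefail) 2>/dev/null; then
    set -o pipefail
    return 0
  fi
  return 1
}

# Which shell is actually running this step; useful as a first diagnostic
# line in a job whose container does not ship bash or picks sh by default.
shell_name() {
  if [ -n "${BASH_VERSION:-}" ]; then
    echo "bash $BASH_VERSION"
  else
    echo "sh (non-bash, likely dash)"
  fi
}

# Probe: returns 1 when a failing left-hand stage is reported to the caller
# (pipefail active) and 0 when only the last stage's status counts.
pipe_failure_visible() {
  if false | true; then return 0; else return 1; fi
}
```

Calling strict_mode at the top of a step and then checking `pipe_failure_visible` shows whether silent mid-pipeline failures are possible in that container's shell.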

v1.5.0

20 May 07:45
da76900

Minor Changes

  • 5c9230b: Breaking-ish: update-snapshots.yml no longer declares a job-level
    permissions: block. A reusable workflow's job permissions can only cap
    the caller's grants, never elevate them — declaring them here masked the
    real contract and gave consumers a false sense of security when their
    caller omitted the grants. The caller must now declare the following
    permissions at workflow-level or on the calling job:

    permissions:
      pull-requests: write # PR-context comment reactions + dispatch follow-up
      actions: write # gh workflow run (dispatch the target workflow)
      contents: read # actions/github-script + gh CLI base scope

    Also fixes the documented issues: write scope, which was wrong: PR-context
    issue_comment API calls (reactions, comments) route through the
    pull-requests scope despite the URL shape. Consumers using v1.4.0 with
    issues: write instead of pull-requests: write will 403 on the
    "React to comment" and "Comment with dispatch confirmation" steps.

    Consumers should update their caller's permissions: block (workflow- or
    job-level) in lockstep with the version bump.