#104:CHANGELOG + deprecation policy (stability signaling).

[AuraMindNest]

Close #104.

Summary by CodeRabbit

• Documentation
  • Added a comprehensive changelog with versioned entries and a formal deprecation policy
  • Updated README and deployment runbook to describe the revised release/tagging process and failure modes
• New Features
  • Release creation now uses the matching changelog entry and appends compatibility info to published release notes
• Chores
  • Included changelog in packaged source files

[coderabbitai]

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b79abbde-9fac-4243-b1d7-db71f7079f7c

📥 Commits

Reviewing files that changed from the base of the PR and between eb0b254 and a6b012a.

📒 Files selected for processing (3)

• .github/workflows/release.yml
• docs/deployment-runbook.md
• pyproject.toml

---

📝 Walkthrough

Walkthrough

This PR initializes a Keep-a-Changelog CHANGELOG.md, adds a release workflow step that extracts the matching ## [<version>] section and writes it to a notes file used by gh release create, and updates docs and packaging to include and document the changelog-driven release process.

Changes

Release Notes Automation

Layer / File(s)	Summary
Changelog initialization CHANGELOG.md	CHANGELOG.md is added with Keep a Changelog structure, an [Unreleased] section, v1.0.0 release notes, and a Deprecation Policy with SemVer rules and covered integration surface.
Workflow changelog extraction and release integration .github/workflows/release.yml	Adds an Extract changelog section for release step that reads pyproject.toml, regex-extracts the matching ## [<version>] section from CHANGELOG.md, writes release-notes.md with an appended "Built against Weblate ..." footer, exports notes_file, and updates gh release create to use --notes-file pointing to that file.
Docs: README and deployment runbook README.md, docs/deployment-runbook.md	README notes that release tagging is independent of deployment and adds changelog/deprecation links. Deployment runbook documents the changelog extraction step, adds a prerequisite that CHANGELOG.md contains the expected ## [<version>] section, and expands failure modes for missing or mismatched changelog contents.
Package include: add CHANGELOG to source-include pyproject.toml	Adds CHANGELOG.md to [tool.uv.build-backend].source-include so the file is included in built packages.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• cppalliance/cppa-weblate-plugin#88: Modifies the same .github/workflows/release.yml release workflow and GitHub Release creation logic.

Suggested reviewers

• henry0816191
• wpak-ai

Poem

🐰 A changelog appears, tidy and bright,

I nibble the lines by soft candlelight.
The workflow reads versions with regex and grace,
Release notes are born and find their place.
Hooray — a release with a documented trace ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title concisely identifies the main changes: adding a CHANGELOG and defining a deprecation policy for stability signaling.
Linked Issues check	✅ Passed	All acceptance criteria from issue #104 are addressed: CHANGELOG.md exists with Keep a Changelog format, deprecation policy is documented with SemVer rules and notice periods, release.yml extracts changelog sections using Python regex, and README.md links to both resources.
Out of Scope Changes check	✅ Passed	All changes are directly related to the linked issue objectives: CHANGELOG.md, release.yml workflow, deprecation policy documentation, README.md updates, and pyproject.toml packaging configuration for including CHANGELOG.md.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

CHANGELOG.md (1)

14-14: ⚡ Quick win

Consider adding guidance for future maintainers on [Unreleased] population.

The [Unreleased] section is a placeholder for ongoing development. To help future maintainers, consider adding a brief comment or example showing the expected structure (e.g., ### Added, ### Changed, ### Deprecated, ### Removed).

💡 Example guidance section

## [Unreleased]

### Added
<!-- - New feature description -->

### Changed
<!-- - Behavior change description -->

### Deprecated
<!-- - Deprecation notice with removal version -->

### Removed
<!-- - Removed feature from previous deprecation -->

### Fixed
<!-- - Bug fix description -->

This template helps maintainers and CI reviewers immediately see what changelog categories to populate when a new release is prepared.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CHANGELOG.md` at line 14, Add a short maintainer guidance comment under the
"[Unreleased]" header describing the expected changelog structure and include
the canonical section headings (e.g., "### Added", "### Changed", "###
Deprecated", "### Removed", "### Fixed") as a template/example so future
contributors know how to populate the section; place this guidance directly
beneath the existing "## [Unreleased]" line in CHANGELOG.md and keep it concise
and commented or clearly delimited so it can be removed when releasing.

.github/workflows/release.yml (1)

71-99: ⚡ Quick win

Verify changelog extraction regex handles [Unreleased] vs. dated versions correctly.

The regex pattern rf"^## \[{re.escape(version)}\].*?(?=^## |\Z)" will match the first header matching the version, regardless of whether it's ## [1.0.0] - 2026-06-11 or ## [Unreleased]. In normal operation, the workflow is manually triggered and the operator should ensure they're releasing a dated version (not the Unreleased placeholder).

To explicitly guard against accidentally releasing [Unreleased] notes:

1. Add a pre-check that the extracted section contains a date (or is not [Unreleased])
2. Or, update the regex to require a date: rf"^## \[{re.escape(version)}\]\s+- \d{4}-\d{2}-\d{2}"

Consider which approach fits your release discipline.

🔍 Proposed regex update (requires date in header)

-        pattern = rf"^## \[{re.escape(version)}\].*?(?=^## |\Z)"
+        # Require date in format "## [X.Y.Z] - YYYY-MM-DD" to avoid extracting [Unreleased]
+        pattern = rf"^## \[{re.escape(version)}\]\s+-\s+\d{{4}}-\d{{2}}-\d{{2}}.*?(?=^## |\Z)"

Alternatively, add a post-check after extraction:

 section = match.group(0).rstrip()
+if "[Unreleased]" in section[:50]:
+    raise SystemExit(f"Extracted section looks like [Unreleased]; aborting release")
 notes_file = Path(os.environ["RUNNER_TEMP"]) / "release-notes.md"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 71 - 99, The changelog extraction
can accidentally pick the [Unreleased] section; update the logic around the
pattern/match/section extraction to guard against that by either making pattern
require a date (modify the pattern variable to something like requiring "\s+-
YYYY-MM-DD" after the header) or add a post-check after section = match.group(0)
that inspects the header (e.g., check the first ~50 chars of section for
"[Unreleased]") and raise SystemExit with a clear message if found; ensure the
check uses the existing version/env variables and still writes notes_file only
when the section is a dated release.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 71-99: The changelog extraction can accidentally pick the
[Unreleased] section; update the logic around the pattern/match/section
extraction to guard against that by either making pattern require a date (modify
the pattern variable to something like requiring "\s+- YYYY-MM-DD" after the
header) or add a post-check after section = match.group(0) that inspects the
header (e.g., check the first ~50 chars of section for "[Unreleased]") and raise
SystemExit with a clear message if found; ensure the check uses the existing
version/env variables and still writes notes_file only when the section is a
dated release.

In `@CHANGELOG.md`:
- Line 14: Add a short maintainer guidance comment under the "[Unreleased]"
header describing the expected changelog structure and include the canonical
section headings (e.g., "### Added", "### Changed", "### Deprecated", "###
Removed", "### Fixed") as a template/example so future contributors know how to
populate the section; place this guidance directly beneath the existing "##
[Unreleased]" line in CHANGELOG.md and keep it concise and commented or clearly
delimited so it can be removed when releasing.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 31bcadd3-54aa-424a-9080-637584b52217

📥 Commits

Reviewing files that changed from the base of the PR and between 00bb516 and eb0b254.

📒 Files selected for processing (3)

• .github/workflows/release.yml
• CHANGELOG.md
• README.md

[henry0816191]

Fix line 389("4. Creates a GitHub Release with auto-generated notes, ...") of docs/deployment-runbook.md as extracting the version info from changelog.md

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 93-99: The release workflow is vulnerable because
steps.versions.outputs.tag and weblate_version are interpolated into shell
commands without validation; update the "Parse versions from pyproject.toml"
step to validate project.version against a semantic version regex (e.g.,
/^\d+\.\d+\.\d+$/) and fail early if it doesn't match, then export only the
validated values (e.g., validated_tag, validated_weblate_version) for use by the
"Create and push tag" and "Create GitHub Release" steps instead of raw
steps.versions.outputs values; ensure the git tag and release steps consume
those validated environment variables so shell metacharacters cannot be
injected.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b79abbde-9fac-4243-b1d7-db71f7079f7c

📥 Commits

Reviewing files that changed from the base of the PR and between eb0b254 and a6b012a.

📒 Files selected for processing (3)

• .github/workflows/release.yml
• docs/deployment-runbook.md
• pyproject.toml

[coderabbitai]

Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 93-99: The release workflow is vulnerable because
steps.versions.outputs.tag and weblate_version are interpolated into shell
commands without validation; update the "Parse versions from pyproject.toml"
step to validate project.version against a semantic version regex (e.g.,
/^\d+\.\d+\.\d+$/) and fail early if it doesn't match, then export only the
validated values (e.g., validated_tag, validated_weblate_version) for use by the
"Create and push tag" and "Create GitHub Release" steps instead of raw
steps.versions.outputs values; ensure the git tag and release steps consume
those validated environment variables so shell metacharacters cannot be
injected.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b79abbde-9fac-4243-b1d7-db71f7079f7c

📥 Commits

Reviewing files that changed from the base of the PR and between eb0b254 and a6b012a.

📒 Files selected for processing (3)

• .github/workflows/release.yml
• docs/deployment-runbook.md
• pyproject.toml

🛑 Comments failed to post (1)

.github/workflows/release.yml (1)

93-99: ⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff

Template injection in .github/workflows/release.yml at lines 93-99 and 101-110.

Both the "Create and push tag" step (L93-99) and "Create GitHub Release" step (L101-110) interpolate version strings from steps.versions.outputs directly into shell commands without validation. If pyproject.toml on main were compromised to include shell metacharacters in project.version, those would execute. The shared root cause is missing input validation in the "Parse versions from pyproject.toml" step. Add semantic version format validation (e.g., \d+\.\d+\.\d+) after parsing project.version to reject malformed input before it reaches shell expansion sites, or consistently use environment variables to reduce injection surface.

🧰 Tools

🪛 zizmor (1.25.2)

[info] 96-96: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

---

[info] 97-97: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 93 - 99, The release workflow is
vulnerable because steps.versions.outputs.tag and weblate_version are
interpolated into shell commands without validation; update the "Parse versions
from pyproject.toml" step to validate project.version against a semantic version
regex (e.g., /^\d+\.\d+\.\d+$/) and fail early if it doesn't match, then export
only the validated values (e.g., validated_tag, validated_weblate_version) for
use by the "Create and push tag" and "Create GitHub Release" steps instead of
raw steps.versions.outputs values; ensure the git tag and release steps consume
those validated environment variables so shell metacharacters cannot be
injected.

Source: Linters/SAST tools