hanthor · github-actions · Feb 16, 2026 · Feb 20, 2026 · Feb 21, 2026 · Feb 21, 2026
diff --git a/.github/pull.yml b/.github/pull.yml
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -4,6 +4,9 @@
   // Enable GitHub's native automerge; merging is handled by GitHub and remains subject to branch protection/bypass settings
   "platformAutomerge": true,
 
+  // Only target main branch - lts is production and only updated via promotion
+  "baseBranchPatterns": ["main"],
+
   "extends": [
     "config:best-practices",
   ],
@@ -29,24 +32,15 @@
 
   "packageRules": [
     {
+      // Auto-merge all digest/pin updates across all managers (dockerfile, github-actions, regex/Justfile)
       "automerge": true,
-      "matchUpdateTypes": ["pin", "pinDigest"]
-    },
-    {
-      "automerge": true,
-      "matchManagers": ["dockerfile"],
-      "matchUpdateTypes": ["digest"]
+      "matchUpdateTypes": ["digest", "pin", "pinDigest"]
     },
     {
+      // Auto-merge minor/patch version bumps for GitHub Actions (e.g. cosign-installer v3.8 → v3.9)
       "automerge": true,
-      "matchUpdateTypes": ["digest"],
-      "matchDepNames": [
-        "quay.io/centos-bootc/centos-bootc",
-        "quay.io/centos-bootc/bootc-image-builder",
-        "ghcr.io/projectbluefin/common",
-        "ghcr.io/ublue-os/akmods-zfs",
-        "ghcr.io/ublue-os/brew"
-      ]
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["minor", "patch"]
     }
   ]
 }
diff --git a/.github/workflows/build-dx-hwe.yml b/.github/workflows/build-dx-hwe.yml
@@ -9,7 +9,6 @@ on:
   pull_request:
     branches:
       - main
-      - lts
   push:
     branches:
       - main
@@ -34,6 +33,5 @@ jobs:
       flavor: dx
       kernel-pin: 6.17.12-200.fc42
       rechunk: ${{ github.event_name != 'pull_request' }}
-      sbom: ${{ github.event_name != 'pull_request' }}
-      publish: ${{ github.event_name != 'pull_request' }}
+      publish: ${{ (github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/lts' || github.ref == 'refs/heads/main')) || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
       hwe: true
diff --git a/.github/workflows/build-dx.yml b/.github/workflows/build-dx.yml
@@ -9,7 +9,6 @@ on:
   pull_request:
     branches:
       - main
-      - lts
   push:
     branches:
       - main
@@ -29,5 +28,4 @@ jobs:
       image-name: bluefin-dx
       flavor: dx
       rechunk: ${{ github.event_name != 'pull_request' }}
-      sbom: ${{ github.event_name != 'pull_request' }}
-      publish: ${{ github.event_name != 'pull_request' }}
+      publish: ${{ (github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/lts' || github.ref == 'refs/heads/main')) || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
diff --git a/.github/workflows/build-gdx.yml b/.github/workflows/build-gdx.yml
@@ -9,7 +9,6 @@ on:
   pull_request:
     branches:
       - main
-      - lts
   push:
     branches:
       - main
@@ -30,5 +29,4 @@ jobs:
       flavor: gdx
       kernel-pin: 6.17.12-200.fc42
       rechunk: ${{ github.event_name != 'pull_request' }}
-      sbom: ${{ github.event_name != 'pull_request' }}
-      publish: ${{ github.event_name != 'pull_request' }}
+      publish: ${{ (github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/lts' || github.ref == 'refs/heads/main')) || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
diff --git a/.github/workflows/build-gnome50.yml b/.github/workflows/build-gnome50.yml
@@ -0,0 +1,68 @@
+name: Build Bluefin GNOME 50 (testing)
+
+# Builds bluefin and bluefin-dx lts-testing-50 / lts-hwe-testing-50 using
+# the same full build pipeline as GNOME 49, selecting GNOME 50 packages
+# via the gnome-version input. Only runs on main branch pushes.
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  merge_group:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    uses: ./.github/workflows/reusable-build-image.yml
+    secrets: inherit
+    with:
+      image-name: bluefin
+      tag-suffix: "50"
+      gnome-version: "50"
+      rechunk: ${{ github.event_name != 'pull_request' }}
+      publish: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/main' }}
+
+  build-hwe:
+    uses: ./.github/workflows/reusable-build-image.yml
+    secrets: inherit
+    with:
+      image-name: bluefin
+      tag-suffix: "50"
+      gnome-version: "50"
+      hwe: true
+      rechunk: ${{ github.event_name != 'pull_request' }}
+      publish: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/main' }}
+
+  build-dx:
+    uses: ./.github/workflows/reusable-build-image.yml
+    secrets: inherit
+    with:
+      image-name: bluefin-dx
+      flavor: dx
+      tag-suffix: "50"
+      gnome-version: "50"
+      rechunk: ${{ github.event_name != 'pull_request' }}
+      publish: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/main' }}
+
+  build-dx-hwe:
+    uses: ./.github/workflows/reusable-build-image.yml
+    secrets: inherit
+    with:
+      image-name: bluefin-dx
+      flavor: dx
+      tag-suffix: "50"
+      gnome-version: "50"
+      hwe: true
+      rechunk: ${{ github.event_name != 'pull_request' }}
+      publish: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/main' }}
diff --git a/.github/workflows/build-regular-hwe.yml b/.github/workflows/build-regular-hwe.yml
@@ -9,7 +9,6 @@ on:
   pull_request:
     branches:
       - main
-      - lts
   push:
     branches:
       - main
@@ -33,7 +32,6 @@ jobs:
       image-name: bluefin
       kernel-pin: 6.17.12-200.fc42
       rechunk: ${{ github.event_name != 'pull_request' }}
-      sbom: ${{ github.event_name != 'pull_request' }}
-      publish: ${{ github.event_name != 'pull_request' }}
+      publish: ${{ (github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/lts' || github.ref == 'refs/heads/main')) || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
       hwe: true
 
diff --git a/.github/workflows/build-regular.yml b/.github/workflows/build-regular.yml
@@ -9,7 +9,6 @@ on:
   pull_request:
     branches:
       - main
-      - lts
   push:
     branches:
       - main
@@ -28,5 +27,4 @@ jobs:
     with:
       image-name: bluefin
       rechunk: ${{ github.event_name != 'pull_request' }}
-      sbom: ${{ github.event_name != 'pull_request' }}
-      publish: ${{ github.event_name != 'pull_request' }}
+      publish: ${{ (github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/lts' || github.ref == 'refs/heads/main')) || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
diff --git a/.github/workflows/create-lts-pr.yml b/.github/workflows/create-lts-pr.yml
@@ -0,0 +1,90 @@
+name: Create LTS Promotion PR
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+concurrency:
+  group: create-lts-pr
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  create-pr:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          ref: main
+          fetch-depth: 0
+
+      - name: Fetch lts
+        run: git fetch origin lts
+
+      - name: Check content diff
+        id: diff
+        run: |
+          if git diff --quiet origin/lts origin/main; then
+            echo "No content difference between lts and main. Nothing to promote."
+            echo "has_diff=false" >> "$GITHUB_OUTPUT"
+          elif [ -z "$(git log origin/lts..origin/main --oneline)" ]; then
+            echo "lts is ahead of or diverged from main with no commits to promote. Nothing to promote."
+            echo "has_diff=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_diff=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Build commit list
+        if: steps.diff.outputs.has_diff == 'true'
+        id: commits
+        run: |
+          # Show commits on main that are not reachable from lts.
+          # With regular-merge promotions the merge base advances automatically,
+          # so this list contains only genuinely new commits.
+          LIST=$(git log origin/lts..origin/main --oneline)
+
+          if [ -z "$LIST" ]; then
+            # Fallback when the commit graph can't resolve (e.g., first ever promotion).
+            LIST=$(git diff --name-status origin/lts origin/main)
+          fi
+
+          {
+            echo "list<<EOF"
+            echo "$LIST"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Create or update promote PR
+        if: steps.diff.outputs.has_diff == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+          COMMIT_LIST: ${{ steps.commits.outputs.list }}
+        run: |
+          # Build body with printf so commit messages containing quotes are safe
+          BODY=$(printf '## Commits pending promotion to `lts`\n\n%s\n\n---\n_**Merge this PR** (Create a merge commit) to promote. Do NOT squash — squash-merge breaks the merge base and causes PR bloat. The PR body updates automatically as `main` advances._\n' "${COMMIT_LIST}")
+
+          EXISTING=$(gh pr list \
+            --base lts \
+            --head main \
+            --state open \
+            --json number \
+            --jq '.[0].number' \
+            2>/dev/null || echo "")
+
+          if [ -n "$EXISTING" ]; then
+            echo "Updating existing promote PR #${EXISTING}"
+            printf '%s\n' "${BODY}" | gh pr edit "$EXISTING" --body-file -
+          else
+            echo "Creating new draft promote PR"
+            printf '%s\n' "${BODY}" | gh pr create \
+              --draft \
+              --base lts \
+              --head main \
+              --title "promote: main → lts" \
+              --body-file -
+          fi
diff --git a/.github/workflows/generate-release.yml b/.github/workflows/generate-release.yml
@@ -25,11 +25,15 @@ on:
 jobs:
   generate-release:
     runs-on: ubuntu-latest
-    # Only run if the workflow was successful and on lts branch
+    # Only run if the workflow was successful, on lts branch, and triggered by
+    # workflow_dispatch (meaning scheduled-lts-release.yml fired it — images were published).
+    # Push-to-lts validation builds complete successfully too but publish nothing,
+    # so we must not create a release for those.
     if: |
       github.event_name == 'workflow_dispatch' ||
-      (github.event.workflow_run.conclusion == 'success' && 
-       github.event.workflow_run.head_branch == 'lts')
+      (github.event.workflow_run.conclusion == 'success' &&
+       github.event.workflow_run.head_branch == 'lts' &&
+       github.event.workflow_run.event == 'workflow_dispatch')
 
     steps:
       - name: Checkout repository
@@ -63,8 +67,11 @@ jobs:
           fi
 
       - name: Generate changelog
-        run: |
-          python3 .github/changelogs.py ${{ steps.target.outputs.target }} --ci
+        uses: hanthor/changelog-action@2d212cd35f65cfe33954dd79013887e7bee76580 # master
+        with:
+          stream: ${{ steps.target.outputs.target }}
+          family: bluefin-lts
+          output-env: ./output.env
 
       - name: Read changelog outputs
         id: changelog
@@ -98,7 +105,7 @@ jobs:
             --target lts
 
       - name: Upload changelog artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: changelog
           path: |