fix(release): suppress wish GHSA alias in grype, fold rc tags into launch notes

The existing .grype.yaml ignore listed the wish SCP traversal only by CVE
id; grype's db now matches it as GHSA-xjvp-7243-rg9h and ignores are
exact-id, so the rc.2 scan gate tripped on an already-triaged finding.
List both ids. Vulnerable SCP middleware is never compiled in; real fix
is the charm v2 stack migration (#126).

cliff.toml ignore_tags folds rc tags into the next real release so
v0.1.0's notes cover full history instead of commits-since-rc.2.

.gitea/workflows/release-binaries.yml

@@ -53,37 +53,6 @@ jobs:
           GITEA_TOKEN: ${{ secrets.RELEASE_TOKEN }}
           GITEA_API_URL: http://gitea:3000/api/v1
 
-      # GoReleaser publishes to exactly one SCM (Gitea). The push mirror
+      # GitHub release relaying is handled by .github/workflows/mirror-release.yml,
-      # carries git refs but not release artifacts, so relay the release to
+      # which runs on GitHub Actions when the push mirror delivers the tag and
-      # the GitHub mirror — README install links point there.
+      # copies this run's Gitea release assets — no PAT needed on this side.
-      - name: Mirror release to GitHub
-        env:
-          GH_TOKEN: ${{ secrets.GH_MIRROR_TOKEN }}
-        run: |
-          if [ -z "$GH_TOKEN" ]; then
-            echo "GH_MIRROR_TOKEN not set — skipping GitHub release relay"
-            exit 0
-          fi
-          apk add --no-cache github-cli
-          TAG="${{ github.ref_name }}"
-
-          # Nudge the push mirror, then wait for the tag to land on GitHub.
-          curl -sf -X POST \
-            -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
-            "http://gitea:3000/api/v1/repos/lerkolabs/uptop/push_mirrors-sync" || true
-          for i in $(seq 1 30); do
-            if gh api "repos/lerkolabs/uptop/git/ref/tags/${TAG}" >/dev/null 2>&1; then
-              break
-            fi
-            sleep 10
-          done
-
-          PRERELEASE=""
-          case "$TAG" in *-*) PRERELEASE="--prerelease";; esac
-          gh release create "$TAG" \
-            --repo lerkolabs/uptop \
-            --verify-tag \
-            --title "$TAG" \
-            --notes-file /tmp/release-notes.md \
-            $PRERELEASE \
-            dist/*.tar.gz dist/*.zip dist/*.deb dist/*.rpm dist/checksums.txt

.github/workflows/mirror-release.yml

@@ -38,7 +38,9 @@ jobs:
             exit 1
           fi
 
-          echo "$RESPONSE" | jq -r '.body // empty' > /tmp/release-notes.md
+          # select() so an empty-string body produces an empty file — `// empty`
+          # treats "" as truthy and wrote a blank line, defeating this fallback.
+          echo "$RESPONSE" | jq -r '.body | select(. != null and . != "")' > /tmp/release-notes.md
 
           if [ ! -s /tmp/release-notes.md ]; then
             echo "Release ${TAG} from [Gitea](https://gitea.lerkolabs.com/lerkolabs/uptop/releases/tag/${TAG})" > /tmp/release-notes.md
@@ -62,8 +64,11 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           TAG: ${{ github.ref_name }}
         run: |
+          PRERELEASE=""
+          case "$TAG" in *-*) PRERELEASE="--prerelease" ;; esac
           gh release create "$TAG" \
             --repo "$GITHUB_REPOSITORY" \
             --title "$TAG" \
             --notes-file /tmp/release-notes.md \
+            $PRERELEASE \
             /tmp/assets/*

.goreleaser.yaml

@@ -8,6 +8,7 @@ release:
   gitea:
     owner: lerkolabs
     name: uptop
+  prerelease: auto
 
 builds:
   - main: ./cmd/uptop
@@ -58,5 +59,7 @@ nfpms:
         dst: /usr/share/doc/uptop/LICENSE
         type: doc
 
-changelog:
+# Changelog generation must stay enabled: the --release-notes flag is consumed
-  disable: true
+# by the changelog pipe, so disabling it silently drops the git-cliff notes
+# (empty release body on v0.1.0-rc.1). With --release-notes set, GoReleaser
+# skips its own generation and uses the file.

.grype.yaml

@@ -1,6 +1,11 @@
 ignore:
-  # CVE-2026-41589: SCP path traversal in charmbracelet/wish.
+  # SCP path traversal in charmbracelet/wish — same flaw, two ids: grype has
+  # matched it as CVE-2026-41589 and as GHSA-xjvp-7243-rg9h depending on db
+  # version, and ignore matching is exact-id, so both stay listed.
   # We only import wish/bubbletea for the SSH TUI server — the vulnerable
-  # scp.Middleware / scp.NewFileSystemHandler symbols are never compiled in.
+  # scp.Middleware / scp.NewFileSystemHandler symbols are never compiled in
-  # No fix available for wish v1; v2 (charm.land/wish/v2) patched in 2.0.1.
+  # (govulncheck reachability agrees). No fix for wish v1; v2
+  # (charm.land/wish/v2 >= 2.0.1) requires the bubbletea-v2 stack migration,
+  # tracked in issue #126. Remove both entries when that lands.
   - vulnerability: CVE-2026-41589
+  - vulnerability: GHSA-xjvp-7243-rg9h

Dockerfile

@@ -1,5 +1,5 @@
 # --- Stage 1: Builder ---
-FROM golang:1.26-alpine3.23@sha256:91eda9776261207ea25fd06b5b7fed8d397dd2c0a283e77f2ab6e91bfa71079d AS builder
+FROM golang:1.26.4-alpine3.23@sha256:f23e8b227fb4493eabe03bede4d5a32d04092da71962f1fb79b5f7d1e6c2a17f AS builder
 WORKDIR /app
 COPY go.mod go.sum ./
 RUN --mount=type=cache,target=/go/pkg/mod \

cliff.toml

@@ -24,6 +24,10 @@ split_commits = false
 protect_breaking_commits = false
 filter_commits = false
 tag_pattern = "v[0-9].*"
+# rc tags are pipeline rehearsals, not releases — without this, the final
+# tag's notes would only cover commits since the last rc (near-empty for
+# v0.1.0). Ignored tags fold their commits into the next real release.
+ignore_tags = "v.*-rc.*"
 topo_order = false
 sort_commits = "oldest"