Releases: drevops/vortex
Release list
1.40.2
What's new since 1.40.2
- Added installer selection for Gitleaks secret scanning. @AlexSkrypnyk (#2781)
- Bumped the CI database cache version to 'v26.7.1'. @AlexSkrypnyk (#2779)
Full Changelog: 1.40.1...1.40.2
1.40.1
What's new since 1.40.1
- [#2767] Fixed 'VORTEX_DB_DIR' and 'VORTEX_DB_FILE' ignored for indexed DB fetches. @AlexSkrypnyk (#2770)
- Update renovatebot/github-action action to v46.1.18 @renovate[bot] (#2771)
- Update dependency phpstan/phpstan to ^2.2.4 @AlexSkrypnyk (#2765)
- Replaced the docs hero with a value-led marketing diagram and narrowed demo videos to 80 columns. @AlexSkrypnyk (#2769)
- Update marocchino/sticky-pull-request-comment action to v3.0.5 @renovate[bot] (#2766)
- Update PHP - Drupal core - Minor and patch to ~11.4.1 @AlexSkrypnyk (#2762)
- Update PHP - Drupal core - Minor and patch to ~11.4.0 @AlexSkrypnyk (#2757)
- Update clamav/clamav-debian Docker tag to v1.5.3 @renovate[bot] (#2759)
Full Changelog: 1.40.0...1.40.1
@AlexSkrypnyk, @renovate[bot], Renovate Self Hosted and renovate[bot]
1.40.0 - Spectrum
1.40.0 - Spectrum
This release standardises and hardens the Vortex tooling surface: database commands are unified under a fetch/import/export/push vocabulary, environment variables drop vendor-specific prefixes, and CI gains automated security scanning (Zizmor, Gitleaks), SSH host-key pinning, native test-result reporting, and site-wide accessibility checks. The installer can now target multiple scaffold versions and ship Single Directory Component tooling out of the box.
π Highlights
-
Automated CI security scanning
Every project's CI lint stage now runs Zizmor static analysis of GitHub Actions workflows and Gitleaks secret scanning. Both run automatically - no configuration needed. -
Hardened deployments with SSH host-key pinning
Deployments can now pin the remote SSH host key instead of disabling strict host-key checking, and the GitHub Actionsknown_hostsis configurable per step. This closes a long-standing man-in-the-middle gap for artifact and Lagoon deployments. -
Test results in the GitHub Checks UI
PHPUnit and Behat results are published natively to the GitHub Checks UI, so failures surface inline on pull requests instead of only in raw CI logs. -
Site-wide accessibility reporting
The Behat test suite now produces a site-wide accessibility report and captures animated screenshots on failure, making regressions easier to see and triage. -
Single Directory Components (SDC) tooling by default
Vortex ships a sample button component,drupal/sdc_develinrequire, and CI validation that fails whensdc-devel:validatereports problems - giving new projects a working SDC baseline. -
Label-driven deployment gate
Deployments can be gated behind a pull-request label, giving teams an explicit, auditable switch to control when a branch is allowed to deploy. -
Unified, hardened database tooling
The database commands were standardised and hardened:download-dbbecamefetch-db, dedicatedimport-dbandexport-dbscripts are now reused by both provision and Ahoy, and a platform-agnostictaskrunner backs hosting operations. See Breaking changes for the variable renames. -
Multi-version installer
The installer can now scaffold either the current1.xor the upcoming2.xline, and the documentation is versioned per major line.
π₯ Breaking changes
These changes are applied when you update to 1.40.0. Most are simple find-and-replace renames in your .env file and hosting environment variables.
-
DRUPAL_ENVIRONMENTrenamed toENVIRONMENT_TYPE. Update any references in your settings overrides, CI, and hosting environment variables. -
VORTEX_LOCALDEV_URLrenamed toLOCALDEV_URL. Update any references in your.envand local tooling. -
Database "download" variables renamed to "fetch". All
VORTEX_DOWNLOAD_DB_*andVORTEX_DOWNLOAD_DB2_*variables are nowVORTEX_FETCH_DB_*andVORTEX_FETCH_DB2_*(for exampleVORTEX_DOWNLOAD_DB_URLβVORTEX_FETCH_DB_URL,VORTEX_DOWNLOAD_DB_ENVIRONMENTβVORTEX_FETCH_DB_ENVIRONMENT). Update your.envand hosting configuration. Theahoy fetch-dbcommand keepsdownload-dbas an alias, so scripted command calls keep working, but the environment variables must be renamed. -
Deployment types changed. The deploy types are now
artifact,webhook, andlagoon(previouslycode,container_registry,webhook). Thecontainer_registrydeploy type was removed; container-image publishing moved to a dedicatedpushcommand and its scripts/variables were renamed fromdeploytopush. -
upload-db-s3renamed topush-db-s3. Update any custom automation that invoked the S3 upload script directly. -
ahoy reset hardreplaced byahoy reset --hard. The barehardpositional argument is now an option flag. -
VORTEX_LAGOON_AMAZEEIO_REGIONremoved. The Lagoon amazee.io trusted-host pattern was simplified and no longer needs a per-region variable. -
Tooling scripts prefixed with
vortex-. Shipped tooling scripts are now prefixed withvortex-, and user-facing ones are exposed as Composer binaries undervendor/bin/vortex-*. Update any project scripts that referenced the old unprefixed script paths. -
PHPMD removed. PHPMD was dropped from the tooling, CI, installer, and docs. If your project relied on it, add it back locally.
-
oomphinc/composer-installers-extenderremoved. This abandoned package is no longer required; its functionality is covered bycomposer/installers. -
Removed deprecated
sid_lengthandsid_bits_per_characterfromservices.yml. These keys are no longer supported by Drupal 11 core and are removed from the shippedservices.yml.
What's new since 1.39.0
π Template
-
β¨ New
- [#2563] Added GitHub Actions security analysis with Zizmor. @AlexSkrypnyk (#2591)
What it does: Runs Zizmor static analysis over the project's GitHub Actions workflows as part of the CI lint stage, flagging insecure workflow patterns.
How to use it: Runs automatically on CI for GitHub Actions projects; no configuration needed. - [#2562] Added Gitleaks secret scanning to CI lint jobs. @AlexSkrypnyk (#2579)
What it does: Scans the repository for committed secrets during the CI lint stage and fails the build when a secret is detected.
How to use it: Runs automatically on CI; no configuration needed. - [#2548] Added SSH host key pinning as a secure alternative to disabling strict checking. @AlexSkrypnyk (#2587)
What it does: Lets deployments verify the remote host against a pinned SSH host key instead of turning off strict host-key checking.
How to use it: Provide the pinned host key via the deployment SSH variables; combined with #2632, the GitHub Actionsknown_hostsis configurable per step. - [#2566] Published PHPUnit and Behat test results to the GitHub Checks UI. @AlexSkrypnyk (#2576)
What it does: Surfaces PHPUnit and Behat results as GitHub Checks so failures appear inline on pull requests.
How to use it: Applies automatically to GitHub Actions projects; results appear on the PR checks tab. - [#2651] Added SDC tooling, a sample button component, and CI validation. @AlexSkrypnyk (#2671)
What it does: Ships a sample Single Directory Component (button), SDC development tooling, and a CI step that validates components.
How to use it: The sample component lives under the custom theme; CI runssdc-devel:validateautomatically. - [#2571] Added label-driven deployment gate to the deploy router. @AlexSkrypnyk (#2575)
What it does: Allows a deployment to be gated behind a pull-request label so branches only deploy when explicitly approved.
How to use it: Apply the configured deployment label to a PR to permit its deployment; controlled via the deploy gate variable. - [#2719] Added a platform-agnostic
taskrunner for hosting operations. @AlexSkrypnyk (#2721)
What it does: Introduces a singletaskrunner that abstracts hosting-provider operations behind one entry point.
How to use it: Hosting operations route through the newtaskscript; no action needed for existing provision flows. - [#2720] Extracted a dedicated
import-dbscript reused by provision and Ahoy. @AlexSkrypnyk (#2728)
What it does: Provides a standaloneimport-dbscript shared by the provision flow andahoy import-db.
How to use it: Runahoy import-db; provisioning uses the same script internally. - Added
*.xversion branch CI support behindVORTEX_DEVfences. @AlexSkrypnyk (#2604)
What it does: Enables CI on*.xdevelopment branches, fenced behindVORTEX_DEVso it only affects the template's own development.
How to use it: No action for consumer projects; this supports Vortex's multi-major development.
- [#2563] Added GitHub Actions security analysis with Zizmor. @AlexSkrypnyk (#2591)
-
π Changed
- [#2726] Renamed the
download-dbcommand, variables, and installer source tofetch. @AlexSkrypnyk (#2730)
What it does: Standardises the database-retrieval vocabulary onfetch.
How to use it: RenameVORTEX_DOWNLOAD_DB_*/VORTEX_DOWNLOAD_DB2_*toVORTEX_FETCH_DB_*/VORTEX_FETCH_DB2_*;ahoy download-dbremains an alias ofahoy fetch-db. See Breaking changes. - [#2733] Renamed the container-image push scripts and variables from
deploytopushand dropped the container-registry deploy type. @AlexSkrypnyk (#2737)
What it does: Separates container-image publishing (push) from deployment (deploy) and removes thecontainer_registrydeploy type.
How to use it: Deploy types are nowartifact,webhook,lagoon; use thepushcommand for container images. See Breaking changes. - [#2739] Renamed
upload-db-s3topush-db-s3and aligned tooling and playground script names. @AlexSkrypnyk (#2740)
What it does: Aligns the S3 database upload script with the newpushvocabulary.
How to use it: Callpush-db-s3instead ofupload-db-s3. - Renamed
DRUPAL_ENVIRONMENTenvironment variable toENVIRONMENT_TYPE. @AlexSkrypnyk (#2750)
What it does: Drops theDRUPAL_prefix from the environment-type indicator for a vendor-neutral name.
How to use it: ReplaceDRUPAL_ENVIRONMENTwithENVIRONMENT_TYPEin settings, CI, and hosting variables. - Renamed
VORTEX_LOCALDEV_URLenvironment variable toLOCALDEV_URL. @AlexSkrypnyk (#2748)
What it does: Simplifies the local development URL variable name.
**How to u...
- [#2726] Renamed the
1.39.0
1.39.0 - Photon
This release adds opt-in visual regression testing through Diffy, extracts the Vortex shell tooling into the versioned drevops/vortex-tooling Composer package, ships accessibility test coverage out of the box, and refreshes the runtime to PHP 8.4.21 and drevops/ci-runner 26.6.0.
π Highlights
-
Visual regression testing with Diffy
A new opt-in GitHub Actions workflow compares a deployed environment against a baseline using Diffy and gates on a PR label, so visual diffs only run when you ask for them. Source and target environments behind HTTP basic auth (Shield,htpasswd) are supported via optional credentials, and results are posted back to the PR. -
Vortex tooling extracted into the
drevops/vortex-toolingComposer package
The shell scripts that used to live underscripts/vortex/are now shipped as a versioned Composer package and resolved fromvendor/drevops/vortex-tooling/src/. This makes the tooling independently versioned, testable, and upgradable, and keeps your project tree free of vendored framework scripts. -
Accessibility test coverage out of the box
A ready-to-run Behataccessibility.featureships in the template, giving every new project a baseline accessibility check from day one. -
Cross-tool command aliases
Common Ahoy commands now answer to names borrowed from other tools -ahoy ssh/shell,ahoy status/describe/ps,ahoy rebuild,ahoy destroy, andahoy fetch-db/db-download/db-fetch- so muscle memory from Docker, Make, and other stacks just works. -
Lagoon database source defaults to the
mainenvironment
New projects configured with a Lagoon database source now default to downloading from themainenvironment instead of the Acquia-orientedprod, removing a manual post-install fix for Lagoon users. -
Faster CI through rebalanced PHPUnit test groups
PHPUnit tests are redistributed across six balanced buckets to cut CI wall-clock time, with no change required from consuming projects.
π₯ Breaking changes
-
Custom provision scripts moved from
scripts/custom/toscripts/.
The defaultVORTEX_PROVISION_SCRIPTS_DIRchanged from./scripts/customto./scripts, andscripts/customis deprecated. Provisioning still auto-runs scripts with aprovision-prefix and a.shextension. Migration: move your customscripts/custom/provision-*.shfiles intoscripts/, or setVORTEX_PROVISION_SCRIPTS_DIR=./scripts/customto keep the previous location. -
Vortex shell scripts now ship via the
drevops/vortex-toolingComposer package.
The scripts previously underscripts/vortex/*.shhave been removed from the project tree and are installed intovendor/drevops/vortex-tooling/src/. The bundled.ahoy.yml, CI configs, and deployment hooks are updated automatically by the Vortex update. Migration: update any custom references fromscripts/vortex/<name>.shtovendor/drevops/vortex-tooling/src/<name>; CI bootstraps the package with./scripts/vortex-tooling.sh.
What's new since 1.38.0
π Template
-
β¨ New
- [#131] Added Diffy visual regression workflow with PR label gate. @AlexSkrypnyk (#2516)
What it does: Adds a.github/workflows/test-vr.ymlworkflow that runs a Diffy visual comparison between a source baseline and the deployed target environment, gated behind a PR label so it only runs on demand. A companionnotify-diffytooling command posts results.
How to use it: Enable it via the installer's visual regression prompt (shipstest-vr.yml). Set theVR_DIFFY_API_KEYsecret andVR_DIFFY_PROJECT_IDrepository variable, then add the configured PR label to a pull request to trigger a comparison. - Bumped Behat dependencies to stable releases and added accessibility coverage. @AlexSkrypnyk (#2527)
What it does: Moves Behat dependencies to stable releases and ships a ready-to-runtests/behat/features/accessibility.featurewith supportingFeatureContextsteps.
How to use it: Runahoy test-bdd(orahoy test-bdd -- --tags=@accessibility); the feature is included automatically in new projects. - [#2174] Added cross-tool aliases for Ahoy commands. @AlexSkrypnyk (#2510)
What it does: Registers familiar aliases on core Ahoy commands -rebuild(build),status/describe/ps(info),destroy(down),ssh/shell(cli), andfetch-db/db-download/db-fetch(download-db).
How to use it: Run the alias instead of the canonical command, e.g.ahoy ssh,ahoy status,ahoy rebuild. No configuration needed.
- [#131] Added Diffy visual regression workflow with PR label gate. @AlexSkrypnyk (#2516)
-
π Changed
- Extracted Vortex shell scripts into the
drevops/vortex-toolingComposer package. @AlexSkrypnyk (#2505)
What it does: Moves all framework shell scripts out ofscripts/vortex/into the independently versioneddrevops/vortex-toolingpackage, resolved fromvendor/drevops/vortex-tooling/src/, with its own test suite.
How to use it: No action for standard projects - the Vortex update reconciles.ahoy.yml, CI configs, and hooks. CI installs the package with./scripts/vortex-tooling.sh. Update any custom references fromscripts/vortex/<name>.shtovendor/drevops/vortex-tooling/src/<name>. - Moved custom provision scripts to
scriptsand deprecatedscripts/custom. @AlexSkrypnyk (#2539)
What it does: Changes the default custom-provision-scripts directory from./scripts/customto./scripts; scripts with aprovision-prefix and.shextension still run automatically during provisioning.
How to use it: Move customprovision-*.shfiles fromscripts/custom/toscripts/, or setVORTEX_PROVISION_SCRIPTS_DIR=./scripts/custom(default is now./scripts). - Added optional HTTP basic auth credentials to the Diffy visual regression workflow. @AlexSkrypnyk (#2536)
What it does: Lets the Diffy comparison authenticate against source and/or target environments protected by HTTP basic auth (Shield,htpasswd), forwarding credentials only when both user and password are set.
How to use it: Optionally set theVR_SOURCE_HTTP_USER/VR_SOURCE_HTTP_PASSandVR_TARGET_HTTP_USER/VR_TARGET_HTTP_PASSrepository secrets. Leave them unset for publicly reachable environments. - Replaced the visual regression PR comment with hide-and-recreate behavior. @AlexSkrypnyk (#2537)
What it does: The visual regression PR comment is now hidden and recreated on each run (matching the coverage comment), so the latest result is always the most recent comment.
How to use it: Automatic; no configuration needed. - Renamed
region_maptoregionsand nested message selectors inbehat.yml. @AlexSkrypnyk (#2523)
What it does: Updates the Behat configuration to useregionsand nests the message selectors under it for clearer structure.
How to use it: Applied automatically on update; custombehat.ymloverrides that referencedregion_mapshould be renamed toregions. - Added
patches.lock.jsonto the CLI Docker container. @AlexSkrypnyk (#2532)
What it does: Copiespatches.lock.jsoninto the CLI image so Composer patches resolve deterministically during the in-container build.
How to use it: Automatic; no action needed. - Added
patches.lock.jsonto the.dockerignorewhitelist and sorted entries. @AlexSkrypnyk (#2531)
What it does: Whitelistspatches.lock.jsonin.dockerignoreso it is available to the Docker build context, and sorts the file's entries.
How to use it: Automatic; no action needed. - Rebalanced PHPUnit test groups across 6 buckets to reduce CI wall-clock time. @AlexSkrypnyk (#2521)
What it does: Redistributes PHPUnit tests into six balanced parallel groups so CI build time is more evenly split.
How to use it: Automatic in CI; no action needed. - [#2518] Removed audit ignore entries for upstream-fixed
twig/twigandsymfony/polyfill-intl-idnCVEs. @AlexSkrypnyk (#2528)
What it does: Dropscomposer auditignore entries that are no longer needed now that the advisories are fixed upstream, restoring full audit coverage for those packages.
How to use it: Automatic on nextcomposer update; no configuration needed. - Added audit ignore entries for advisories blocking Drupal core install. @AlexSkrypnyk (#2520)
What it does: Temporarily ignores specific advisories that otherwise blocked installing Drupal core, keepingcomposer auditactionable.
How to use it: Automatic; entries are revisited as upstream fixes land. - Limited 'Vortex - Publish tooling' to
mainandvortex-toolingbranches. @AlexSkrypnyk (#2508)
What it does: Restricts the tooling-publish workflow to the relevant branches to avoid unnecessary runs.
How to use it: Maintenance-only; no consumer impact.
- Extracted Vortex shell scripts into the
-
π Fixed
- [#2499] Fixed Jest CI failure when no tests are present. @AlexSkrypnyk (#2503)
What it does: Prevents the Jest CI step from failing when a project has no JavaScript tests yet.
How to use it: Automatic; no configuration needed. - Fixed eight small issues across Ahoy commands, installer runners, and CI workflows. @AlexSkrypnyk (#2533)
What it does: A batch of small correctness fixes across.ahoy.yml, the installer command/process runners, and CI workflow files.
How to use it: Applied automatically on update.
- [#2499] Fixed Jest CI failure when no tests are present. @AlexSkrypnyk (#2503)
-
β¬οΈ Updated
- Updated
drevops/ci-runnerto 26.6.0; refreshed the CI database cache key tov26.6.0-db11. @AlexSkrypnyk - **Set the platform PHP ve...
- Updated
1.38.0 - Prism
1.38.0 - Prism
This release sharpens what teams actually use day to day: JavaScript unit tests, more batteries-included Drupal modules, per-channel deployment notifications, hardened access controls on Drupal core text files, opt-in repeated configuration import, manual deploys from the GitHub Actions UI, hardened Renovate config, and a fix for the profile-fallback provisioning path. PHP 8.4 is now the runtime baseline and Lagoon containers are at 26.4.0.
π Highlights
-
JavaScript unit testing with Jest
Jest is now configured for JavaScript modules and theme code, alongside the existing PHPUnit and Behat suites. CI runsahoy test-jsand reports coverage. Existing projects: pull the new theme dependencies (yarn installinweb/themes/custom/your_site_theme/); the lint and test commands wire in automatically. New projects: it's on by default. -
More batteries-included Drupal modules
drupal_helpers,generated_content,testmode, andreroute_emailare now part of the default module set, with environment-aware settings.reroute_emailintercepts outbound mail on non-production environments usingDRUPAL_REROUTE_EMAIL_ADDRESSandDRUPAL_REROUTE_EMAIL_ALLOWED(setDRUPAL_REROUTE_EMAIL_DISABLED=1to disable). Existing projects: runcomposer update -Wthendrush pm:install drupal_helpers generated_content testmode reroute_emailto enable. -
Per-channel branch filtering for deployment notifications
Each notification channel (Email, Newrelic, Jira, GitHub, Webhook) can now be filtered to specific branches independently. SetVORTEX_NOTIFY_<CHANNEL>_BRANCHES(e.g.VORTEX_NOTIFY_EMAIL_BRANCHES="main,develop") to restrict that channel; leave empty to fire on all branches. Existing projects: behaviour unchanged unless you set the new variables. -
Blocked access to Drupal core
*.txtand*.mdfiles in.htaccess
Files likeweb/core/CHANGELOG.txt,INSTALL.txt,README.md, and friends are now blocked at the web-server level, removing a common information-disclosure vector that fingerprints Drupal version. Existing projects: regenerate.htaccessfrom the template (or copy the new block from this release) and redeploy. No env vars; the protection is automatic once the file is on the server. -
Opt-in repeated configuration import after the initial import
Provision can now run a seconddrush config:importpass after the first one to settle dependent configuration that does not resolve in a single pass. Enable withVORTEX_PROVISION_CONFIG_IMPORT_REPEAT=1(default0). Existing projects: behaviour unchanged unless you set the variable; flip it on if your config has known cross-dependency issues. -
Manual deploys from the GitHub Actions UI
The deploy job now acceptsworkflow_dispatchinputsdeploy_target(a branch name orPR-<num>) andoverride_db(boolean). Trigger ad-hoc deploys without pushing a commit. Existing projects: the new inputs appear in theRun workflowpanel forbuild-test-deploy.yml; no configuration needed. -
Hardened Renovate config
Renovate now caps concurrent PRs, auto-merges trusted GitHub Actions updates, and labels grouped updates on the dependency dashboard. Existing projects: copy the updatedrenovate.jsonfrom the template. The new limits and auto-merge rules apply on the next Renovate run. -
Fixed profile-fallback provisioning + cache rebuild after
updb
Two reliability fixes: the fallback profile install (VORTEX_PROVISION_FALLBACK_TO_PROFILE=1) now installs Shield, skips post-provision steps, and avoids a missing-tables crash; anddrush cache:rebuildruns automatically afterdrush updbso the site renders correctly on the first request. SetVORTEX_PROVISION_CACHE_REBUILD_AFTER_DB_UPDATE_SKIP=1to opt out (default0= enabled). Existing projects: applied automatically on next provision. -
PHP 8.4 baseline
The CLI image, Composer platform, PHPStan, and PHPCS all target PHP 8.4. Existing projects: bumpcomposer.jsonconfig.platform.php,phpstan.neonphpVersion, andphpcs.xmltestVersionto match (or copy from the template) and run lint to surface any 8.3-only patterns in custom code.
π₯ Breaking changes
- PHP 8.4 is now required. Consumer projects pinned to PHP 8.3 must update Composer platform, PHPStan, and PHPCS configuration to PHP 8.4 before running CI on this release.
What's new since 1.37.0
π Template
- β¨ New
-
[#2394] Added Jest for JavaScript unit testing. @AlexSkrypnyk (#2418)
What it does: Adds Jest as the JavaScript unit test runner, with coverage thresholds and CI integration matching the PHP test setup.
How to use it: Runahoy test-jslocally; CI runs it automatically. Place tests next to the JS source underweb/modules/custom/*/tests/orweb/themes/custom/*/tests/. Existing projects: pull the new yarn dependencies in the theme directory. -
[#2401] Added drupal_helpers, generated_content, and testmode modules. @AlexSkrypnyk (#2414)
What it does: Three modules join the default stack to support development workflows.drupal_helpersprovides utility hooks;generated_contentcreates fixture data programmatically;testmodeflags the site as being in a test mode so behaviour can branch on it.
How to use it: After updating, runcomposer update -Wanddrush pm:install drupal_helpers generated_content testmode. Generated content fixtures live underweb/modules/custom/*/src/Plugin/GeneratedContent/. Test-mode aware code can check thetestmode.is_test_modeservice. -
[#2422] Added 'reroute_email' module with environment-based settings. @AlexSkrypnyk (#2431)
What it does: Intercepts outbound mail on non-production environments using thereroute_emailmodule, so staging or development sites do not accidentally email real users.
How to use it: Enable the module (it's now incomposer.json). Configure withDRUPAL_REROUTE_EMAIL_ADDRESS(target inbox) andDRUPAL_REROUTE_EMAIL_ALLOWED(glob pattern that bypasses rerouting). SetDRUPAL_REROUTE_EMAIL_DISABLED=1on production to turn rerouting off. -
[#2173] Added per-channel branch filtering for notifications. @AlexSkrypnyk (#2429, #2430)
What it does: Each notification channel (Email, Newrelic, Jira, GitHub, Slack, Webhook) can be restricted to specific branches independently.
How to use it: SetVORTEX_NOTIFY_<CHANNEL>_BRANCHESto a comma-separated branch list (e.g.VORTEX_NOTIFY_EMAIL_BRANCHES="main,develop"). Leave empty to fire on all branches. New Relic now defaults tomain,master,develop. -
[#2373] Blocked access to 'web/core/.txt' and '.md' files in '.htaccess'. @AlexSkrypnyk (#2420)
What it does: Drupal core text and markdown files (CHANGELOG.txt,INSTALL.txt,README.md, etc.) are now blocked from public access at the web-server level.
How to use it: Existing projects need to regenerate.htaccessfrom the template (or copy the new block) and redeploy. No env vars - the rule is unconditional. -
[#2374] Added opt-in repeated configuration import after initial import. @AlexSkrypnyk (#2417)
What it does: Provision can run a seconddrush config:importpass after the first one to settle dependent configuration that does not resolve in a single pass.
How to use it: SetVORTEX_PROVISION_CONFIG_IMPORT_REPEAT=1to enable (default0). Existing projects: behaviour unchanged unless flipped on. -
Allow to manually run deploy from GHA UI. @AlexSkrypnyk (#2405)
What it does: The deploy workflow now acceptsworkflow_dispatchinputs to trigger ad-hoc deploys without pushing a commit.
How to use it: From theActionstab, runbuild-test-deploy.ymlwithdeploy_targetset to a branch name orPR-<num>, and optionallyoverride_db: trueto wipe the existing database. Lint, database, and build jobs are skipped on manual runs. -
[#2351] Added per-step timing to 'task()' and 'pass()' functions. @AlexSkrypnyk (#2473)
What it does: Shell scripts now print per-step timings, making it easier to spot where build and provision time is going.
How to use it: No action needed - timings appear automatically in script output. -
[#2444] Added 'CodeCoverageProvider' installer prompt with Codecov option. @AlexSkrypnyk (#2464)
What it does: A new installer prompt lets you opt into Codecov as the coverage provider. CI uploads coverage reports, posts threshold summaries as PR comments, and degrades gracefully when Codecov is unavailable.
How to use it: Re-run the installer or pick "Codecov" when prompted. Existing projects: setCODECOV_TOKENin CI variables and copy the relevant CI block from the template. -
[#2399] Added Behat attribute set to Rector configuration. @AlexSkrypnyk (#2416)
What it does: Rector now understands Behat PHP attributes, so test step modernisation can run alongside the rest of the codebase.
How to use it: Runvendor/bin/rector(orahoy lint); no configuration needed. -
Add content moderation in search. @AlexSkrypnyk (#2397)
What it does: Search index integration now respects the Content Moderation state, so unpublished revisions do not leak into search results.
How to use it: Existing projects on Search API: re-export search index config (drush cex) to pull in the moderation-state filter, or copy the relevant config from the template. -
Added Jest test coverage and refactored demo test to use 'require()'. @AlexSkrypnyk (#2446)
What it does: The demo Jest test now reports coverage and uses CommonJSrequire(), providing a w...
-
1.37.0 - Resonance
1.37.0 - Resonance
This release extracts demo code into a dedicated module, splits linting into a standalone CI job, restructures CircleCI config for maintainability, and includes multiple CI/CD fixes for Docker permissions, coverage reporting, and branch filtering.
π Highlights
-
Demo Module Extraction
Demo code (counter block, deploy hooks, CSS/JS, tests) moved fromys_baseinto a newys_demomodule, making it easy to remove demo content from production projects. -
Standalone Lint CI Job
All linting tools extracted into a dedicated CI job that runs in parallel with the build, providing faster code style feedback. -
CircleCI Config Split
CircleCI configuration split into multiple files for better maintainability and separation of concerns. -
CI/CD Hardening
Fixed Docker permission warnings in GHA, improved coverage comment handling, and corrected branch filtering for feature/bugfix branches.
π₯ Breaking changes
None
What's new since 1.36.1
π Template
-
β¨ New
-
[#2340] Moved demo code from
ys_baseto newys_demomodule. @AlexSkrypnyk (#2349)
Demo code (counter block with CSS/JS, deploy hooks, and example tests across Unit, Kernel, Functional, and FunctionalJavascript test types) has been extracted into a dedicatedys_demomodule. This makes it straightforward to remove all demo content from production projects by simply disabling one module. -
[#2363] Added colour to
ahoy confirm. @AlexSkrypnyk (#2366)
Confirmation prompts for destructiveahoycommands now display in red with dimmed[y/N]text, making them more visually prominent and harder to accidentally dismiss. -
[#2353] Allow running CI builds against PR branches. @AlexSkrypnyk (#2354)
Addedpull_request_targettrigger to GitHub Actions workflow so that CI builds can run against PR branches. Previously, only push events to specific branches triggered builds. -
[#2368] Switched
git-artifactto download from GitHub Releases with SHA256 verification. @AlexSkrypnyk (#2370)
Thegit-artifactdeployment tool is now downloaded as a binary from GitHub Releases instead of being installed via Composer. Each download is verified against a SHA256 checksum, improving supply chain security and removing the Composer dependency from the deploy process. -
Updated posting of coverage comments to replace existing comments. @AlexSkrypnyk (#2380)
Coverage comments posted to PRs now replace the previous comment instead of creating duplicates. This uses a dedicatedpost-coverage-comment.shscript that finds and updates existing comments, keeping PR conversations clean. -
Added consistent Chromium flags to Behat and PHPUnit configs. @AlexSkrypnyk (#2378)
Added--disable-popup-blockingflag to Chrome browser arguments in both Behat and PHPUnit configurations. This ensures consistent browser behaviour across both testing frameworks and prevents popup-related test flakiness.
-
-
π Changed
-
[#1571] Split CircleCI config into multiple files. @AlexSkrypnyk (#2105)
The monolithic CircleCIconfig.ymlhas been split intoconfig.yml,vortex-test-common.yml, andupdate-dependencies.yml. This reduces the main config size and makes each CI concern (project builds, Vortex integration tests, dependency updates) independently maintainable. The installer now also cleans up these internal Vortex CI files during installation. -
[#2154] Extracted linting into standalone
lintCI job. @AlexSkrypnyk (#2346)
All linting tools (PHPCS, PHPStan, PHPMD, Rector, Twig CS Fixer, ESLint, Stylelint, Gherkin Lint) now run in a dedicatedlintjob that executes in parallel with thebuildjob. This provides faster feedback on code style issues without waiting for the full build to complete. -
[#2362] Use
yieldin data providers. @AlexSkrypnyk (#2367)
Converted all PHPUnit data providers across the project to useyieldstatements instead of returning arrays. This improves memory efficiency for large test suites and makes data providers more readable by naming each test case inline. -
Removed stale references to
asset-packagist's installer types. @AlexSkrypnyk (#2359)
Cleaned up leftoverasset-packagistreferences that were no longer relevant after previous dependency changes.
-
-
π Fixed
-
Fixed docker permissions in GHA. @AlexSkrypnyk (#2376)
SetDOCKER_CONFIG=/tmp/.dockerat workflow level to work around the Actions runner creating/root/.docker/config.jsonwith permissions that prevent the container from reading it (actions/runner#863). -
Fixed pushes to
feature/*andbugfix/*branches should not run CI builds. @AlexSkrypnyk (#2365)
Removedfeature/**andbugfix/**from the push trigger list. These branches should only trigger CI via pull request events, not on every push. -
Fixed S3 upload not stopping on failed upload. @AlexSkrypnyk (#2371)
The S3 upload script now captures the HTTP response status code and fails with an error message on non-2xx responses. Previously, upload failures were silently ignored. -
[#2350] Fixed local settings file being included during settings unit tests. @AlexSkrypnyk (#2352)
Added a guard to preventsettings.local.phpfrom being loaded during unit tests. Developer-specific local settings were polluting the test environment and causing inconsistent results. -
Fixed DB download variables inconsistencies. @AlexSkrypnyk (#2360)
Standardised variable naming across all database download scripts (download-db-acquia.sh,download-db-s3.sh,download-db-ftp.sh, etc.) and added test coverage for the main download orchestration script. -
Fixed migration Drupal variables not starting with
DRUPAL_. @AlexSkrypnyk (#2357)
Renamed migration-related environment variables to use theDRUPAL_prefix, matching the project's variable naming convention. -
Fixed coverage threshold check not storing results on low values in CI. @AlexSkrypnyk (#2372)
When coverage values were very low, the threshold check failed to store results, causing CI job summaries to be incomplete. -
Fixed missed pinned GHA actions not being updated with Renovate. @AlexSkrypnyk (#2375)
Pinnedshimataro/ssh-key-actionto a commit SHA digest so Renovate can track and update it automatically. Previously it used a tag reference that Renovate did not manage. -
Fixed ownership permissions warning in GHA. @AlexSkrypnyk (#2358)
-
Fixed GH test token not being passed to tests in CI. @AlexSkrypnyk (#2364)
-
[#2338] Fixed installer replacement and PHPMD discovery. @AlexSkrypnyk (#2369)
Fixed PHPMD tool discovery logic in the installer's Tools handler and a replacement issue in the Webroot handler.
-
-
β¬οΈ Updated
- Update PHP - Drupal core - Minor and patch to ~11.3.5. @AlexSkrypnyk (#2342)
- Update dawidd6/action-download-artifact action to v17. @renovate[bot] (#2377)
- Update clamav/clamav-debian Docker tag to v1.5.2-32. @renovate[bot] (#2348)
- Update clamav/clamav-debian Docker tag to v1.5.2-31. @AlexSkrypnyk (#2341)
- Update actions/download-artifact digest to 3e5f45b. @renovate[bot] (#2356)
- Update renovatebot/github-action action to v46.1.4. @renovate[bot] (#2345)
- Update release-drafter/release-drafter digest to 6a93d82. @renovate[bot] (#2343)
- Update GitHub Actions - All - Major, minor and patch. @renovate[bot] (#2339)
- Updated Renovate docs. @AlexSkrypnyk (#2361)
π Installer
-
β¨ New
- [#2340] Added
CustomModuleshandler for selecting custom modules during installation. @AlexSkrypnyk (#2349)
A new installer prompt allows users to choose which custom modules (Base, Demo, Search) to include. Previously, all modules were always included. The Demo module can now be easily excluded for production projects, and the Search module selection is linked to Solr service availability.
- [#2340] Added
-
π Changed
-
[#1571] Installer now removes Vortex-internal CircleCI config files during installation. @AlexSkrypnyk (#2105)
Internalvortex-*.ymlCircleCI configs are cleaned up during installation, matching the existing cleanup of internal GHA workflows. -
[#2340] Updated
ServicesandModulePrefixhandlers for demo module support. @AlexSkrypnyk (#2349)
The Services handler now conditionally includes the Solr service based on Search module selection. The ModulePrefix handler applies prefix renaming to the new demo module alongside the base module.
-
-
π Fixed
- [#2338] Fixed PHPMD discovery in Tools handler and Webroot handler replacement. @AlexSkrypnyk (#2369)
π Documentation
- π Changed
- Updated CI documentation to reflect the split CircleCI config structure and standalone lint job. @AlexSkrypnyk (#2105, #2346)
- Updated Renovate documentation. @AlexSkrypnyk (#2361)
π Release checklist
- Updated all dependencies outside of the schedule (run Renovate locally)
- Updated container images to the latest versions and checked that
@seelinks (v26.2.0) - Updated PHP version in
composer.jsonforconfig.platform. (8.3.28 β 8.3.30) - Updated PHP version in
phpcs.xmlfortestVersion. (8.3 β unchanged, still on 8.3.x) - Updated PHP version in
phpstan.neonforphpVersion. (80328 β 80330) - Updated minor version of all packages in
composer.json. (composer update -W && composer bumpdone) - Updated minor version of dependencies in theme's
package.json. (yarn upgradedone) - Update
drevops/ci-runnerto the latest version in.circleci/config.ymland `.github/workflows/build-test-deploy....
1.36.1
What's new since 1.36.0
-
Fixed Shield ACME bypass rewriting other bypass settings. @AlexSkrypnyk (#2337)
-
Fixed incorrect type in Lagoon for
database2. @AlexSkrypnyk (#2335) -
Added AI tab to Features in docs. @AlexSkrypnyk (#2328)
-
Improved installer infra. @AlexSkrypnyk (#2327)
-
[#2320] Added support to select Eslint and Stylelint in the installer. @AlexSkrypnyk (#2325)
-
Fixed PHPUnit to run only in the first CI container + docs. @AlexSkrypnyk (#2324)
-
Added a section to docs installation page. @AlexSkrypnyk (#2311)
-
Fixed AI agents missing previously downloaded cache. @AlexSkrypnyk (#2310)
-
Update renovatebot/github-action action to v46.1.3 @renovate[bot] (#2334)
-
Update clamav/clamav-debian Docker tag to v1.5.1-30 @renovate[bot] (#2333)
-
Update suzuki-shunsuke/github-action-renovate-config-validator action to v2.1.0 @renovate[bot] (#2330)
-
Update GitHub Actions - All - Major, minor and patch (major) @renovate[bot] (#2329)
-
Update dawidd6/action-download-artifact action to v16 @renovate[bot] (#2326)
-
Updated Renovate configuration to name all groups consistently and exclude language version updates. @AlexSkrypnyk (#2321)
-
Update selenium/standalone-chromium Docker tag to v145 @renovate[bot] (#2323)
-
Update clamav/clamav-debian Docker tag to v1.5.1-29 @renovate[bot] (#2318)
-
Update renovatebot/github-action action to v46.1.2 @renovate[bot] (#2319)
-
Update Container images to v26.2.0 @renovate[bot] (#2315)
-
Update uselagoon/valkey-8 Docker tag to v26.2.0 @renovate[bot] (#2317)
-
Update uselagoon/mysql-8.4 Docker tag to v26.2.0 @renovate[bot] (#2316)
Full Changelog: 1.36.0...1.36.1
@AlexSkrypnyk, @renovate[bot] and renovate[bot]
1.36.0
1.36.0 - Phase
This release makes Vortex AI-native, migration-ready, and more production-safe by introducing structured agent support, CI-testable migrations, full-stack JS testing, hardened provisioning, and improved CI/infrastructure capabilities.
π Highlights
-
Migration Framework Integration
Added secondary database support during provisioning to import existing sites and run migrations in a controlled, CI-testable sequence. -
AI-Native Development Support
IntroducedAGENTS.mdand an AI-friendly installer with structured schema and validation flags, enabling reliable non-interactive and agent-driven workflows. -
Functional JavaScript Testing
Enabled browser-based Functional JS tests via a Chrome container, extending Vortexβs full-stack automated testing capabilities. -
Safer, More Reliable Provisioning
Prevent config imports from overriding database updates and simplified provisioning logic to use direct Drush commands. -
Improved CI & Infrastructure Flexibility
Added S3 database download support, surfaced coverage thresholds in CI summaries, and improved artifact handling for better visibility and debugging.
π₯ Breaking changes
None.
What's new since 1.35.3
π Template
-
β¨ New
-
[#1642] Added support for migrations. @AlexSkrypnyk
A secondary database can now be used during provisioning to import an existing Drupal site's database dump, and then run the migration commands in a pre-defined order. This allows to test migrations locally and in CI. -
[#1968] Added a fallback for installing from profile if the DB is not available during provision. @AlexSkrypnyk (#2294)
When setting up a project in an environment where the database is not available, a "seed" databases is needed. But the environment not exist to seed that database. This change allows to use a Drupal profile to provision a seed database in the environment, and later override it with the real one. -
[#1654] Added a check that config import does not override database updates during provision. @AlexSkrypnyk (#2304)
Updated modules may bring databased updates via update hook. When the provision runs, the config import runs after these database updates, and may revert them. This change allows to check the configs before and after import and fail the provision if there are changes that may indicate that database updates were reverted. -
[#532] Added support for Functional JS tests. @AlexSkrypnyk (#2300)
Functional JS tests can now run using the Chrome container. The setup is similar to existing Behat configuration. -
Added support for all AI agents + docs. @AlexSkrypnyk (#2272)
Vortex now hasAGENTS.mdfile that provides instructions for AI agents on how to work with projects based on Vortex, including how to read generic documentation from https://www.vortextemplate.com/docs, and project-specific documentation from the project'sdocs/directory. This allows teams to document only the project-related specifics and let AI agents use the generic documentation for all the common tasks. -
[#699] Added support for downloading DB from S3. @AlexSkrypnyk (#2256)
Added AWS S3 bucket as a new source of the database dump storage. This is useful for when the database dump cannot be sourced directly from the production environment and is stored in the intermediary location, such as S3. -
[#1913] Allow to modify Drush PHP runtime configuration. @AlexSkrypnyk (#2268)
This allows to provide a customdrush.inifile with PHP configuration targeted for Drush commands. This is useful for commands that require more memory or longer execution time. -
[#2198] Added support for ACME challenge in Shield. @AlexSkrypnyk (#2254)
This allows to use Let's Encrypt certificates with Shield module by bypassing ACME challenge endpoint/.well-known/acme-challenge/*. -
[#1979] Added support for
xmlsitemapmodule for sitemap.xml generation. @AlexSkrypnyk (#2264)
This allows to generatesitemap.xmlfile, which every website should have. -
Added coverage threshold to CI job summary. @AlexSkrypnyk (#2251)
Coverage threshold existed before, but it was only visible in the logs. Now it is also added to the CI job summary, so it is more visible and easier to track. -
Added config to Renovate to update root FE deps. @AlexSkrypnyk (#2278, #2277)
Renovate was configured to manage PHP, Docker and GitHub Action dependencies, but not the NPM dependencies used for module development. This change adds the rootpackage.jsonto Renovate's scope, so that it can keep the FE dependencies up to date as well.
-
-
π Changed
-
Simplified provision to use direct commands rather than
drush:deploy. @AlexSkrypnyk (#2303)
We used bothdrush:deployand direct Drush commands in the provision script based on whether the configuration files were present or not. This change simplifies the logic by always using direct Drush commands, which are more straightforward and easier to maintain. -
Added missing namespaced variables to Vortex scripts. @AlexSkrypnyk (#2267)
Namespaced variables are variables that have a specific prefix to indicate that they are used in a context of a specific script. This allows to target variables more precisely. Some of the scripts did not have namespaced variables, which made certain overrides impossible. This change fixes that. -
Removed the Docker builder cache to free up CI container space. @AlexSkrypnyk (#2290)
In some edge cases, the container could run out of space due to the builder cache, which is not needed in CI and can be safely removed. -
Disabled Renovate for development
.vortexfiles. @AlexSkrypnyk (#2285)
These dependencies are locked and managed manually. -
[#2202] Updated Acquia settings to use env variables to include the cloud setting file. @AlexSkrypnyk (#2260)
Prior to this change, the Acquia settings file was included using the project details specified as strings in thesettings.acquia.phpfile, making it less upgradable. -
Increased test coverage for Acquia env settings. @AlexSkrypnyk
Some of the code paths in Acquia settings were not covered by tests, which made it more difficult to maintain and refactor. This change adds more tests to cover these paths. -
[#1976] Upload SUT test artifacts in vortex-test-workflow CI. @AlexSkrypnyk (#2255)
This allows to have access to the test artifacts produced by the SUT tests, such as screenshots and logs, which can be useful for debugging test failures.
-
-
π Fixed
-
[#2270] Fixed follow-up deployments to mark deployment in GitHub as inactive. @AlexSkrypnyk (#2299)
This was making follow-up deployments of peer PRs to mark the deployments of the other PRs as inactive. The fix was to correctly name the deployment in GitHub after the PR number or branch. -
[#2261] Fixed Acquia settings to allow
DRUPAL_CONFIG_PATHoverride independently ofconfig_vcs_directory. @AlexSkrypnyk (#2263)
This fixes the issues where the config sync directory in Acquia could be overridden with a value fromDRUPAL_CONFIG_PATHenvironment variable only if$settings['config_vcs_directory']existed. After this fix, theDRUPAL_CONFIG_PATHvariable can be used to override the config sync directory in Acquia regardless of the presence ofconfig_vcs_directorysetting. -
Fixed incorrectly prefixed environment variables. @AlexSkrypnyk (#2265)
RenamedVORTEX_DB_<ACTION>_*toVORTEX_<ACTION>_DB_*for consistency with other variables. -
Fixed SIGPIPE (exit code 141) in CI coverage threshold check caused by
head -1closing pipe underpipefail. @AlexSkrypnyk (#2289) -
[#1219] Fixed tag deployment mode skip in Lagoon deploy script. @AlexSkrypnyk (#2301)
Prior to this change, the tag deployment wouldbe triggered from CI and hiy Lagoon, which would respond with an error, causing the CI job to fail. -
[#2249] Changed Renovate rangeStrategy to bump. @AlexSkrypnyk (#2250)
This fixes Renovate configuration to also updatecomposer.jsonwhen bumping dependencies. Not adding this earlier when we switched to using "bumping" of versions incomposer.jsonwas an oversight.
-
-
β¬οΈ Updated
- Updated CI runner to 26.2.0 @AlexSkrypnyk (#2307)
- Update Node.js to >= 20.20.0. @renovate[bot] (#2291)
- Update Minor and Patch Core to ~11.3.3. @renovate[bot] (#2253)
- Updated deps. @AlexSkrypnyk (#2257)
- Updated deps for installer, tests and docs. @AlexSkrypnyk (#2276)
- Update dawidd6/action-download-artifact action to v15. @renovate[bot] (#2305)
- Update renovatebot/github-action action to v46.1.1. @renovate[bot] (#2296)
- Update clamav/clamav-debian Docker tag to v1.5.1-28. @renovate[bot] (#2295)
- Update renovatebot/github-action action to v46.1.0. @renovate[bot] (#2274)
- Update clamav/clamav-debian Docker tag to v1.5.1-27. @renovate[bot] (#2266)
- Update renovatebot/github-action action to v46.0.2. @renovate[bot] (#2258)
π Installer
- β¨ New
- [#2302] Added support for prompts schema to make the installer AI-friendly. @AlexSkrypnyk (#2306)
AI agents now can use--schemaflag to get structured information about the installer options, requirements and steps, and use it to run the installer in a non-interactive way.
They can also use--validateflag to validate the config before running the installer.
There is also a new--agent-helpflag that provides detailed information about the installer's commands and options. This is useful for AI age...
- [#2302] Added support for prompts schema to make the installer AI-friendly. @AlexSkrypnyk (#2306)
1.35.3
What's new since 1.35.2
- Updated CI runner to 26.1.0 @AlexSkrypnyk (#2246)
- Update clamav/clamav-debian Docker tag to v1.5.1-26 @renovate[bot] (#2244)
- Update GitHub Actions (major) @renovate[bot] (#2243)
- Update GitHub Actions @renovate[bot] (#2242)
- Updated behat-steps to the latest version. @AlexSkrypnyk (#2245)
- Update GitHub Actions @renovate[bot] (#2239)
- Update clamav/clamav-debian Docker tag to v1.5.1-25 @renovate[bot] (#2241)
- Update Container images (major) @renovate[bot] (#2237)
- Update GitHub Actions @renovate[bot] (#2235)
- Update clamav/clamav-debian Docker tag to v1.5.1-24 @renovate[bot] (#2236)
- Updated installer and test deps. @AlexSkrypnyk (#2234)
- Update suzuki-shunsuke/github-action-renovate-config-validator action to v2 @renovate[bot] (#2230)
- Update actions/cache digest to 8b402f5 @renovate[bot] (#2229)
- Update GitHub Actions @renovate[bot] (#2228)
Full Changelog: 1.35.2...1.35.3
@AlexSkrypnyk, @renovate[bot] and renovate[bot]
1.35.2
What's new since 1.35.1
- [#2227] Replace prettier plugin for jsdoc. @AlexSkrypnyk (#2226)
- Update renovatebot/github-action action to v44.2.4 @renovate[bot] (#2225)
- Update clamav/clamav-debian Docker tag to v1.5.1-23 @renovate[bot] (#2224)
- Fixed Rector running with
--clear-cachein CI. @AlexSkrypnyk (#2223)
Full Changelog: 1.35.1...1.35.2
@AlexSkrypnyk, @renovate[bot] and renovate[bot]