Releases: exasol/python-toolbox

8.0.0

13 May 12:01
e46075c

8.0.0 - 2026-05-13

Summary

In this major release, several modifications were made to the PTB's workflow templates:

  • For automatically resolving vulnerabilities, the dependency-update.yml workflow was
    added. For more details, see the Update Dependencies section.
  • The periodic run which was previously executed in the ci.yml has been moved to its
    own periodic-validation.yml and will run weekly. This also has been modified to
    run the slow-checks.yml so that more complete linting and coverage information is
    sent to Sonar.
  • With the addition of periodic-validation.yml, the pr-merge.yml was reduced so that
    it only executes gh-pages.yml.
  • The unit tests job has been moved from checks.yml to its own fast-tests.yml file.
  • Workflow extensions were added to fast-tests and merge-gate. This allows users to
    add custom fast-tests-extension.yml and merge-gate-extension.yml files. For more
    details, check out the Workflow Extensions section.
  • slow-checks.yml is only maintained by the project (not the PTB). See the Not Maintained by the PTB section.

Features

  • #829: Extended removing a job from a workflow to also remove it from the needs of another job
  • #825: Created two workflows by splitting up previous ones:
    • Moved the periodic jobs in ci.yml to its own periodic-validation.yml
    • Moved the unit tests job in checks.yml to its own fast-tests.yml
  • #730: Added workflow extensions to fast-tests and merge-gate
  • #756: Added dependency-update.yml to automate resolving vulnerabilities with a generated pull request
  • #792: Improved dependency-update.yml documentation
  • #831: Switched slow-checks.yml to be provided by the project and not maintained by the PTB and improved output of pydantic validation of .workflow-patcher.yml

Bugfix

  • #563: Fixed merge-gate to prevent auto-merges from happening when integration tests failed

Security Issues

This release fixes vulnerabilities by updating dependencies:

Dependency  Vulnerability   Affected  Fixed in
urllib3     CVE-2026-44431  2.6.3     2.7.0
urllib3     CVE-2026-44432  2.6.3     2.7.0

  • #836: Relocked poetry.lock

Dependency Updates

main

  • Updated dependency coverage:7.13.4 to 7.14.0
  • Updated dependency importlib-resources:6.5.2 to 7.1.0
  • Updated dependency mypy:1.19.1 to 2.1.0
  • Updated dependency nox:2026.2.9 to 2026.4.10
  • Updated dependency pip-licenses:5.5.1 to 5.5.5
  • Updated dependency pre-commit:4.5.1 to 4.6.0
  • Updated dependency pydantic:2.12.5 to 2.13.4
  • Updated dependency pysonar:1.0.2.1722 to 1.5.0.4793
  • Updated dependency sphinxcontrib-mermaid:2.0.1 to 2.0.2
  • Updated dependency typer:0.24.1 to 0.25.1

dev

  • Updated dependency types-pyyaml:6.0.12.20250915 to 6.0.12.20260510

7.0.0

29 Apr 09:26
de9c841

7.0.0 - 2026-04-29

Summary

In this major release, support for the version.py file has been removed. Users should:

  • delete the version.py file

  • add the following to their project's __init__.py module:

    from importlib.metadata import version
    __version__ = version("<package_name>")

This is required for the nox session docs:multiversion to successfully complete,
and it is a Python standard for users to check in the terminal which version they are
using.

The underlying code for the nox sessions vulnerabilities:resolved and release:prepare has been modified so that all dependencies (main, in groups, and in optional groups) are considered for the vulnerability report. Additionally, we only consider a vulnerability resolved if pip-audit includes fix_versions for the dependency. Previously, these nox sessions only reported the dependencies of main and the transitive dependencies of main.
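
The fix_versions rule described above, as an added sketch that is not the PTB's own code: it compares two pip-audit JSON reports and counts a finding as resolved only if it has disappeared and pip-audit had listed fix_versions for it. Assumptions: comparing an old and a new report is one possible way to derive "resolved", and the function names, Example_Pkg, localpkg and PLACEHOLDER-0001 are made up for this example.

```python
import json
import re

# Constructed pip-audit JSON reports. pytest/cryptography values come from the
# tables on this page; Example_Pkg, localpkg and PLACEHOLDER-0001 are made up.
PREVIOUS = json.loads("""
{"dependencies": [
  {"name": "pytest", "version": "9.0.2",
   "vulns": [{"id": "CVE-2025-71176", "fix_versions": ["9.0.3"]}]},
  {"name": "cryptography", "version": "46.0.5",
   "vulns": [{"id": "CVE-2026-34073", "fix_versions": ["46.0.6"]}]},
  {"name": "Example_Pkg", "version": "1.0.0",
   "vulns": [{"id": "PLACEHOLDER-0001", "fix_versions": []}]},
  {"name": "localpkg", "skip_reason": "not on PyPI"}
]}
""")
CURRENT = json.loads("""
{"dependencies": [
  {"name": "pytest", "version": "9.0.3", "vulns": []},
  {"name": "cryptography", "version": "46.0.5",
   "vulns": [{"id": "CVE-2026-34073", "fix_versions": ["46.0.6"]}]}
]}
""")


def normalize(name):
    """PEP 503 normalization so 'Example_Pkg' and 'example-pkg' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def index_vulns(report):
    """Map (package, vulnerability id) -> fix_versions for every finding."""
    found = {}
    for dep in report.get("dependencies", []):
        # Skipped dependencies carry "skip_reason" and no "vulns" key.
        for vuln in dep.get("vulns", []):
            key = (normalize(dep["name"]), vuln["id"])
            found[key] = vuln.get("fix_versions", [])
    return found


def classify(previous, current):
    """Split findings that disappeared into (resolved, unconfirmed)."""
    before, after = index_vulns(previous), index_vulns(current)
    resolved, unconfirmed = [], []
    for key in sorted(before.keys() - after.keys()):
        # Only count it as resolved when pip-audit named a fixed version.
        (resolved if before[key] else unconfirmed).append(key)
    return resolved, unconfirmed
```

Calling classify(PREVIOUS, CURRENT) reports the pytest finding as resolved, leaves the still-present cryptography finding out, and flags the vanished placeholder finding as unconfirmed because it never had a fix version.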

Feature

  • #803: Included other dependencies for local pip-audit check

Refactoring

  • #800: Removed tbx security pretty-print, tbx lint pretty-print, and creation of .lint.txt, as superseded by Sonar and .lint.json usage
  • #791: Resolved Sonar concerns: accepted specific subprocess import usage, subprocess commands, & improved minor maintainability items
  • #629: Replace version.py with version from the __init__.py

Bug Fix

  • #808: Resolved release:prepare to update pyproject.toml

6.4.0

22 Apr 08:46
5553263

6.4.0 - 2026-04-22

Summary

This release includes a few notable improvements:

  • The nox session release:prepare automatically reports resolved security issues.
  • The stability of the tbx security cve CLI commands is improved with new test coverage
    to help ensure it works for non-Python projects.

Features

  • #777: Improved VulnerabilityMatcher to handle packages with multiple vulnerabilities
  • #517: Modified nox session release:prepare to report resolved security issues

Refactoring

  • #731: Reduced costly test-python-environment.yml to run when triggered on main or when the files related to the action are altered
  • #785: Removed nox session project:report and metrics-schema, as superseded by Sonar usage
  • #763: Parsed and manipulated Changes Files
  • #788: Removed tbx workflow CLI commands, as superseded by nox session workflow:generate

Bugfix

  • #798: Added test to ensure tbx security cve works

6.3.0

15 Apr 07:13
e8120e1

6.3.0 - 2026-04-15

Summary

This release includes an update of action/upload-pages-artifact from v4 to v5.0.0. With this
change, all actions used in the PTB now run with Node.js 24. This is important as support
for Node.js 20 reaches its end-of-life in April 2026 and support for it in GitHub will end in
September 2026; for more details, see GitHub's deprecation notice.

The report.yml is also called after the checks.yml completes. This allows users
to get linting, security, and unit test coverage before running the slow-checks.yml,
as described in the Pull Request description.

This release also adds a vulnerabilities:resolved Nox session, which reports GitHub security issues resolved since the last release.

This release fixes a vulnerability by updating the poetry.lock file.

Name    Version  ID              Fix Versions  Updated to
pytest  9.0.2    CVE-2025-71176  9.0.3         9.0.3

To ensure usage of secure packages, it is up to the user to similarly relock their dependencies.

Features

  • #402: Created nox session vulnerabilities:resolved to report resolved GitHub security issues
  • #733: Adjusted structlog and log level for workflow generation

Refactoring

  • #764: Updated action/upload-pages-artifact from v4 to v5
  • #768: Updated merge-gate.yml to execute the report.yml after the checks.yml completes

Bugfix

  • #766: Fixed action/upload-pages-artifact from v5 to v5.0.0

Security

  • #774: Fixed vulnerability by re-locking pytest in the poetry.lock

Dependency Updates

main

  • Updated dependency pytest:9.0.2 to 9.0.3

6.2.0

10 Apr 09:53
2100bf0

6.2.0 - 2026-04-10

Summary

A new nox session release:update was added, which allows users to modify the changelog of the already prepared release with dependency updates.

This release fixes vulnerabilities by updating transitive dependencies in the poetry.lock file.

Dependency    Version  ID              Fix Versions  Updated to
cryptography  46.0.5   CVE-2026-34073  46.0.6        46.0.7
cryptography  46.0.6   CVE-2026-39892  46.0.7        46.0.7
pygments      2.19.2   CVE-2026-4539   2.20.0        2.20.0
requests      2.32.5   CVE-2026-25645  2.33.0        2.33.1

To ensure usage of secure packages, it is up to the user to similarly relock their dependencies.

Features

  • #740: Added nox session release:update

Security Issues

  • #759: Fixed vulnerabilities by re-locking transitive dependencies & updated actions/deploy-pages from v4 to v5

Dependency Updates

main

  • Updated dependency pysonar:1.3.0.4086 to 1.0.2.1722

6.1.1

19 Mar 08:06
35ddb6b

6.1.1 - 2026-03-18

Summary

Security Issues

  • #748: Updated dependency to black

Refactorings

  • #752: Updated upload-artifact from v6 to v7 and download-artifact from v7 to v8
  • #750: Updated dependency pip-audit

Dependency Updates

main

  • Updated dependency bandit:1.9.3 to 1.9.4
  • Updated dependency black:25.12.0 to 26.3.1
  • Updated dependency coverage:7.13.1 to 7.13.4
  • Updated dependency import-linter:2.9 to 2.11
  • Updated dependency nox:2025.11.12 to 2026.2.9
  • Updated dependency pip-audit:2.9.0 to 2.10.0
  • Updated dependency pip-licenses:5.5.0 to 5.5.1
  • Updated dependency pylint:4.0.4 to 4.0.5
  • Updated dependency ruff:0.14.13 to 0.14.14
  • Updated dependency sphinxcontrib-mermaid:2.0.0 to 2.0.1
  • Updated dependency typer:0.21.1 to 0.24.1

dev

  • Updated dependency cookiecutter:2.6.0 to 2.7.1

6.1.0

16 Mar 13:29
9d434f2

6.1.0 - 2026-03-16

Summary

This release renamed some of the GitHub workflows, which requires you to update your branch protection. It now needs to be Merge Gate / Allow Merge, in contrast to merge-gate / Allow Merge in the past.

This release also changes the semantics of field PROJECT_CONFIG.add_to_excluded_python_paths.

Before, a .venv directory would have been excluded no matter what parent directory structure it had. Now, only ROOT_PATH / .venv would be excluded. If you have multiple paths like .venv before, you will need to specifically specify them relative to the ROOT_PATH.

Please see the user guide for details.

Additionally, the release updates the references to GitHub actions cache and setup-python to avoid using deprecated Node.js 20 actions.

Features

  • #697: Supported multi-part paths in add_to_excluded_python_paths

Refactoring

  • #728: Updated to latest PTB workflows and added .workflow-patcher.yml
  • #736: Capitalized and shortened names of GitHub workflows
  • #745: Updated references to GitHub actions cache and setup-python

6.0.0

26 Feb 08:10
5aaab08

6.0.0 - 2026-02-26

Summary

In this major version:

  • the Nox session workflow:generate has been added to replace the deprecated
    tbx workflow install and tbx workflow update. It has the additional feature
    that users may customize the PTB provided workflows with a .workflow-patcher.yml
    file, as detailed in Customize Workflows for Your Project.
  • the GitHub workflow templates have been modified to include step_ids and to follow
    an AP-format naming convention; as such, it is anticipated that updating the workflows
    results in several small changes.

Feature

  • #691: Started customization of PTB workflows by defining the YML schema
  • #712: Added basic logging to workflow processing
  • #714: Added logic to modify a workflow using the .workflow-patcher.yml
  • #717: Restricted workflow names in .workflow-patcher.yml to template workflow names
  • #719: Added Nox session workflow:generate to generate/update workflows using the .workflow-patcher.yml (if desired)
  • #725: Added newline after headlines for dependency changes

Documentation

  • #705: Described how the versions of poetry and python are retrieved
  • #706: Added description of how to ignore findings to the User Guide
  • #721: Added documentation for Nox session workflow:generate

Refactoring

  • #664: Removed deprecation warning for projects to switch over to BaseConfig
  • #637: Added id to workflow templates & synchronized on naming conventions
  • #702: Fixed StepCustomization.content to list[StepContent] and security concern for update_cookiecutter_default
  • #710: Refactored and added custom exceptions to YamlRender-based classes

Dependency Updates

main

  • Added dependency structlog:25.5.0

5.1.1

06 Feb 12:56
3c5ab7c

5.1.1 - 2026-02-06

Summary

In this patch release, we:

  • Fixed a bug which was preventing new GitHub projects from using the nox session release:prepare.
  • Switched from using a string verified by PyYaml to directly using ruamel-yaml for rendering the GitHub workflows.

Bug

  • #692: Fixed bug where creating first release failed due to no previous tags

Documentation

  • #585: Added instructions on how to ignore sonar issues to the User Guide
  • #630: Updated cookiecutter command to reduce errors experienced by users

Refactoring

  • #686: Switched GitHub templates to be fully parsed by ruamel-yaml

Dependency Updates

main

  • Removed dependency pyyaml:6.0.3
  • Added dependency ruamel-yaml:0.18.16

5.1.0

29 Jan 13:42
a6a859e

5.1.0 - 2026-01-29

Summary

Feature

  • #673: Switched checks.yml to get Python versions for matrix from BaseConfig

Documentation

  • #676: Moved GitHub Workflows to be inside features & updated
  • #658: Removed configuration of Sonar for private repos

Refactoring

  • #680: Removed needs from checks.yml

Dependency Updates

main

  • Added dependency sphinxcontrib-mermaid:2.0.0