[skip ci]

#1981)

Co-authored-by: Copilot <[email protected]>

[skip ci]

Co-authored-by: Copilot <[email protected]>

[skip ci]

…eld (#1956)

The `Suggested references` section listed paths relative to the repo
root (e.g. `docs/commands/commit.md`), but per the Agent Skills
specification, file references should be relative to the skill root.
When the skill folder is installed standalone, those paths do not
resolve, so the section was effectively dead pointers.

Drop the section and rely on agent inference / the documented
`metadata.docs` URL for the canonical docs.

Also drop the `compatibility` frontmatter field. The spec notes most
skills do not need it, and the previous value did not describe a
constraint that would prevent the skill from running.

Refs #1936

Co-authored-by: Copilot <[email protected]>
Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: bearomorphism <[email protected]>

* ci: add PR bump preview workflow

Adds a workflow that runs cz bump --dry-run on incoming pull requests
and posts (or updates) a sticky comment summarising the would-be version
bump and changelog entries. This makes unexpected version bumps visible
to reviewers before merging, addressing #1510.

The pattern is documented in docs/tutorials/github_actions.md so other
projects can copy/paste the same workflow.

Closes #1510

Co-authored-by: Copilot <[email protected]>

* fix(ci): gate PR bump preview to same-repo PRs only

Address Copilot review feedback on #1957:

* `cz bump` renders Jinja templates from the working directory whenever
  `update_changelog_on_bump` is set in config, using a non-sandboxed
  `FileSystemLoader('.')`. Under `pull_request_target` with a write
  token, executing those templates against fork-controlled files would
  risk RCE / token exfiltration. Gate the job to same-repo PRs by
  comparing `head.repo.full_name` to `base.repo.full_name`.
* Set `persist-credentials: false` on `actions/checkout` as
  defense in depth, so the workflow token is not written to
  `.git/config`.
* Adjust docs to drop the misleading `and changelog entries` claim
  (the dry-run only shows changelog entries when
  `update_changelog_on_bump` is enabled), and rewrite the safety
  explanation to reflect the real threat model.

Co-authored-by: Copilot <[email protected]>

---------

Co-authored-by: Copilot <[email protected]>

[skip ci]

Signed-off-by: dependabot[bot] <[email protected]>

[skip ci]

Signed-off-by: dependabot[bot] <[email protected]>

[skip ci]

Signed-off-by: dependabot[bot] <[email protected]>

[skip ci]

Bumps [uv](https://github.com/astral-sh/uv) from 0.11.6 to 0.11.15.
- [Release notes](https://github.com/astral-sh/uv/releases)
- [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md)
- [Commits](astral-sh/uv@0.11.6...0.11.15)

---
updated-dependencies:
- dependency-name: uv
  dependency-version: 0.11.15
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

[skip ci]

* test: normalize argparse choice snapshots

* test: normalize invalid command snapshots

---------

Co-authored-by: Puneet Dixit <[email protected]>
Co-authored-by: Deepak kudi <[email protected]>

[skip ci]

The packaged commitizen-branch pre-push hook in .pre-commit-hooks.yaml
passes the literal string \..\ as
an argv element and relied on shell expansion. After #1941 switched git
execution to shell=False (CWE-78 hardening), git received the literal
string and aborted with atal: ambiguous argument, breaking every
commitizen release after v4.15.0 for users of that hook.

Expand env vars explicitly on the --rev-range argument via
os.path.expandvars so the hook keeps working without reintroducing
shell execution. Unset variables are left literal so git surfaces a
clear error instead of being silently rewritten to an empty range.

Closes #2003

Co-authored-by: Tim Hsiung <[email protected]>
Co-authored-by: Copilot <[email protected]>