docs: roll README + CHANGELOG forward past v0.3.1

README:
- Status line bumped from v0.3.0 to v0.3.1 with the actually-validated
  framing (K8s Ready under QEMU virt+HVF, CoreDNS + local-path +
  nginx all Running) and a link to CHANGELOG.md for full notes.
- Roadmap: Phase 7 (generic ARM64) flipped to "Complete (v0.3.1, K8s
  Ready under QEMU virt+HVF)". OCI cosign verification, LABEL=KSOLODATA
  on ARM64, and real-hardware ARM64 validation move from "Planned for
  v0.3.1" to "Planned for v0.3.2" — they didn't make this release.

CHANGELOG:
- New "[Unreleased]" section covering the four post-v0.3.1 CI / repo
  housekeeping commits: drop tag trigger on build-arm64.yaml (04a5cd2),
  gitignore .env/credentials (48267e1), fix gated x86 job staying
  "queued" instead of "skipped" (fb24e64), and paths-ignore on
  build-arm64.yaml so workflow/docs-only commits skip the 60-minute
  kernel rebuild (e1b8a69).

No runtime changes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.gitea/workflows/build-arm64.yaml

@@ -1,11 +1,26 @@
 name: ARM64 Build
 
-# Triggers on push to main and on tags. Skipped on PRs to keep PR feedback fast;
-# manual via Gitea UI ("Run workflow") if needed.
+# Smoke-test workflow for main-branch ARM64 builds. Triggers on push to main
+# (so we catch breakages early) and on manual dispatch.
+#
+# Tag pushes are intentionally NOT a trigger — release.yaml handles tags and
+# also produces the disk image. Triggering both on the same tag wastes an
+# hour of Odroid time on a duplicate kernel build.
+#
+# `paths-ignore` keeps workflow-file and docs-only commits from kicking off
+# a 60-minute Odroid rebuild. If you change a kernel fragment, init script,
+# or build/script, this WILL fire — that's by design.
 on:
   push:
     branches: [main]
-    tags: ['v*']
+    paths-ignore:
+      - '.gitea/workflows/**'
+      - '.github/workflows/**'
+      - 'docs/**'
+      - '*.md'
+      - 'CHANGELOG.md'
+      - 'README.md'
+      - '.gitignore'
   workflow_dispatch:
 
 jobs:

.gitea/workflows/release.yaml

@@ -76,14 +76,15 @@ jobs:
 
   build-iso-amd64:
     name: Build x86_64 ISO + disk image
-    # Routes to a runner with the `amd64-linux` label. As of v0.3.x no such
-    # runner exists in this Gitea instance — the only runner is the Odroid
-    # which is arm64 and would fail apt-installing grub-efi-amd64-bin /
-    # syslinux because those packages aren't in the arm64 ports repo. The
-    # job stays in the workflow (so it auto-runs once an amd64 runner is
-    # registered) but is gated and the release job continues without it.
-    if: false   # remove this line once an amd64-linux runner is registered
-    runs-on: amd64-linux
+    # Gated until an amd64-linux runner is registered. We use `runs-on:
+    # ubuntu-latest` (which the Odroid claims) so SOME runner picks the job
+    # up and evaluates `if: false`, marking it `skipped` instead of leaving
+    # it `queued` forever — the latter holds the overall run in `queued`
+    # state even when every load-bearing job is complete. When we get an
+    # amd64 runner, flip `if: false` to `false` -> `true` (and flip the
+    # `runs-on:` back to `amd64-linux`).
+    if: false
+    runs-on: ubuntu-latest
     needs: build-binaries
     steps:
       - uses: actions/checkout@v4

.gitignore

@@ -16,6 +16,12 @@ build/rootfs-work/
 *.swo
 *~
 
+# Secrets — never commit
+.env
+.env.*
+*.token
+*.pat
+
 # OS
 .DS_Store
 ._*

CHANGELOG.md

@@ -5,6 +5,39 @@ All notable changes to KubeSolo OS are documented in this file.
 Format based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 versioning follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+Pure CI / repository housekeeping; no runtime changes since v0.3.1. All
+items below shake out workflow-loop bugs exposed by the v0.3.1 release
+flow on Gitea Actions.
+
+### Fixed (CI)
+
+- `build-arm64.yaml` no longer triggers on tag pushes. `release.yaml`
+  already produces the ARM64 disk image as part of the release flow, so
+  triggering both on the same tag wasted an hour of Odroid runner time
+  on a duplicate kernel build. (`04a5cd2`)
+- The gated `build-iso-amd64` job in `release.yaml` (`if: false` until an
+  amd64-linux runner exists) used to advertise `runs-on: amd64-linux`.
+  With no matching runner, Gitea left the job queued forever and the
+  overall workflow run never transitioned to `success` — even though
+  every load-bearing job had finished and the release was already
+  published. Now uses `runs-on: ubuntu-latest` so any runner picks the
+  job up just long enough to evaluate `if: false` and mark it `skipped`.
+  (`fb24e64`)
+- `build-arm64.yaml` now ignores workflow-file, docs, and `*.md` changes
+  via `paths-ignore` (`.gitea/workflows/**`, `.github/workflows/**`,
+  `docs/**`, top-level `*.md`, `.gitignore`). Workflow- / docs-only
+  commits no longer kick off a 60-minute kernel rebuild on the Odroid.
+  Any change to a kernel fragment, init script, or build script still
+  triggers the full build, as intended. (`e1b8a69`)
+
+### Changed
+
+- `.gitignore` now excludes `.env`, `.env.*`, `*.token`, `*.pat` to keep
+  Gitea PATs and other credentials used during release ops from being
+  accidentally committed. (`48267e1`)
+
 ## [0.3.1] - 2026-05-15
 
 First fully-functional generic ARM64 release. v0.3.0 shipped the build

README.md

@@ -2,7 +2,7 @@
 
 An immutable, bootable Linux distribution purpose-built for [KubeSolo](https://github.com/portainer/kubesolo) — Portainer's ultra-lightweight single-node Kubernetes.
 
-> **Status (v0.3.0):** x86_64 and generic ARM64 (UEFI / virtio / mainline kernel) both build and boot end-to-end. Update agent has an explicit state machine, OCI registry distribution alongside HTTP, channel + maintenance-window + version-stepping-stone gates, and auto-rollback. ARM64 Raspberry Pi support remains paused pending physical hardware. See [docs/release-notes-0.3.0.md](docs/release-notes-0.3.0.md) for the full v0.3.0 changelog.
+> **Status (v0.3.1):** First fully-validated generic ARM64 release. x86_64 and ARM64 (UEFI / virtio / mainline kernel) both build and boot end-to-end; v0.3.1 closes the dual-glibc, nftables address-family, and kube-proxy expression-module gaps that kept v0.3.0 from reaching a Ready node on ARM64. Validated end-to-end under QEMU virt + HVF on Apple Silicon: `kubectl get nodes` reports `Ready`, CoreDNS, local-path-provisioner, and an nginx test workload all `Running`. The update agent has an explicit state machine, OCI registry distribution alongside HTTP, channel + maintenance-window + version-stepping-stone gates, and auto-rollback. ARM64 Raspberry Pi support remains paused pending physical hardware. See [CHANGELOG.md](CHANGELOG.md) for the full v0.3.1 changelog and [docs/release-notes-0.3.0.md](docs/release-notes-0.3.0.md) for the v0.3.0 milestone summary.
 
 ## What is this?
 
@@ -245,12 +245,12 @@ Metrics include: `kubesolo_os_info`, `boot_success`, `boot_counter`, `uptime_sec
 | 5 | CI/CD, OCI distribution, Prometheus metrics, ARM64 cross-compile | Complete |
 | 6 | Security hardening, AppArmor | Complete |
 | - | Custom kernel build for container runtime fixes | Complete (x86_64) |
-| 7 | ARM64 generic (mainline kernel, UEFI, virtio) | Complete (v0.3.0, QEMU validated) |
+| 7 | ARM64 generic (mainline kernel, UEFI, virtio) | Complete (v0.3.1, K8s Ready under QEMU virt+HVF) |
 | 8 | Update engine v2 (state machine, channels, OCI, pre-flight gates) | Complete (v0.3.0) |
 | - | ARM64 Raspberry Pi (custom kernel, firmware, SD card image) | Paused — needs hardware |
-| - | OCI cosign signature verification | Planned for v0.3.1 |
-| - | LABEL=KSOLODATA on ARM64 (replace blkid/findfs path) | Planned for v0.3.1 |
-| - | Real-hardware ARM64 validation (Graviton / Ampere) | Planned for v0.3.1 |
+| - | OCI cosign signature verification | Planned for v0.3.2 |
+| - | LABEL=KSOLODATA on ARM64 (replace blkid/findfs path) | Planned for v0.3.2 |
+| - | Real-hardware ARM64 validation (Graviton / Ampere) | Planned for v0.3.2 |
 
 ## License