oracle · graalvmbot · Mar 10, 2026 · Mar 10, 2026 · Mar 10, 2026 · Mar 11, 2026
diff --git a/.agents/skills/pr-gate-check/SKILL.md b/.agents/skills/pr-gate-check/SKILL.md
@@ -22,6 +22,8 @@ git rev-list --all --parents | rg ' <PR_HEAD_SHA>( |$)'
 ```
 Pick the merge commit where one parent is `<PR_HEAD_SHA>` and the other is the target branch tip at merge time.
 
+If you cannot find it this way, another heuristic is to take the branch name and append `_gate` - that usually has the merge commit we want as tip.
+
 3. Check builds on that merge commit:
 ```bash
 gdev-cli bitbucket get-builds --commit=<MERGE_SHA> --all --format=key,state,url

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@ language runtime. The main focus is on user-observable behavior of the engine.
 * Added a new `java` backend for the `pyexpat` module that uses a Java XML parser instead of the native `expat` library. It can be useful when running without native access or multiple-context scenarios. This backend is the default when embedding and can be switched back to native `expat` by setting `python.PyExpatModuleBackend` option to `native`. Standalone distribution still defaults to native expat backend.
 * Add a new context option `python.UnicodeCharacterDatabaseNativeFallback` to control whether the ICU database may fall back to the native unicode character database from CPython for features and characters not supported by ICU. This requires native access to be enabled and is disabled by default for embeddings.
 * Foreign temporal objects (dates, times, and timezones) are now given a Python class corresponding to their interop traits, i.e., `date`, `time`, `datetime`, or `tzinfo`. This allows any foreign objects with these traits to be used in place of the native Python types and Python methods available on these types work on the foreign types.
+* Make BouncyCastle an optional dependency for embedding use cases. BouncyCastle is only needed for legacy RSA, DSA, and EC privat keys versions 0 and 1. To support these from Python embeddings, BouncyCastle must now be explicitly enabled by adding the `org.graalvm.python:python-bouncycastle-support` Maven artifact.
 
 ## Version 25.0.1
 * Allow users to keep going on unsupported JDK/OS/ARCH combinations at their own risk by opting out of early failure using `-Dtruffle.UseFallbackRuntime=true`, `-Dpolyglot.engine.userResourceCache=/set/to/a/writeable/dir`, `-Dpolyglot.engine.allowUnsupportedPlatform=true`, and `-Dpolyglot.python.UnsupportedPlatformEmulates=[linux|macos|windows]` and `-Dorg.graalvm.python.resources.exclude=native.files`.

diff --git a/.../src/META-INF/native-image/org.graalvm.python/python-bouncycastle/native-image.properties b/.../src/META-INF/native-image/org.graalvm.python/python-bouncycastle/native-image.properties
@@ -0,0 +1,2 @@
+# Additional native-image arguments for optional GraalPy BouncyCastle support
+Args = --features=com.oracle.graal.python.bouncycastle.BouncyCastleFeature
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Additional native-image arguments for optional GraalPy BouncyCastle support
		Args = --features=com.oracle.graal.python.bouncycastle.BouncyCastleFeature