chore(go): replace releaseprep with vociferate flows

.gitea/workflows/pr-validation.yml

@@ -34,6 +34,12 @@ jobs:
           cache: true
           cache-dependency-path: go.sum
 
+      - name: Install security tools
+        run: |
+          set -euo pipefail
+          go install github.com/securego/gosec/v2/cmd/gosec@v2.22.3
+          go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
+
       - name: Install AWS CLI v2
         uses: ankurk91/install-aws-cli-action@v1
 
@@ -60,6 +66,12 @@ jobs:
           printf '{\n  "total": "%s"\n}\n' "$total" > coverage-summary.json
           printf 'total=%s\n' "$total" >> "$GITHUB_OUTPUT"
 
+      - name: Run security analysis
+        run: |
+          set -euo pipefail
+          "$(go env GOPATH)/bin/gosec" ./...
+          "$(go env GOPATH)/bin/govulncheck" ./...
+
       - name: Generate coverage badge
         env:
           COVERAGE_TOTAL: ${{ steps.coverage.outputs.total }}

.gitea/workflows/prepare-release.yml

@@ -1,83 +1,32 @@
-name: Prepare Release
+name: Release
 
 on:
-  workflow_dispatch:
-    inputs:
-      version:
-        description: Semantic version to release, with or without leading v.
-        required: true
+  push:
+    branches: [main]
+
+permissions:
+  contents: write
 
 jobs:
   prepare:
     runs-on: ubuntu-latest
-    container: docker.io/catthehacker/ubuntu:act-latest
-    defaults:
-      run:
-        shell: bash
-    env:
-      RELEASE_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - name: Setup Go
-        uses: actions/setup-go@v5
+      - name: Vociferate prepare
+        uses: aether/vociferate/prepare@v1.0.0
+
+  publish:
+    needs: prepare
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
         with:
-          go-version: '1.26.1'
-          check-latest: true
-          cache: true
-          cache-dependency-path: go.sum
+          fetch-depth: 0
 
-      - name: Prepare release files
-        env:
-          RELEASE_VERSION: ${{ inputs.version }}
-        run: |
-          set -euo pipefail
-          ./script/prepare-release.sh "$RELEASE_VERSION"
-
-      - name: Run tests
-        run: |
-          set -euo pipefail
-          go test ./...
-
-      - name: Configure git author
-        run: |
-          set -euo pipefail
-          git config user.name "gitea-actions[bot]"
-          git config user.email "gitea-actions[bot]@users.noreply.local"
-
-      - name: Commit release changes and push tag
-        env:
-          RELEASE_VERSION: ${{ inputs.version }}
-        run: |
-          set -euo pipefail
-
-          normalized_version="${RELEASE_VERSION#v}"
-          tag="v${normalized_version}"
-
-          if git rev-parse "$tag" >/dev/null 2>&1; then
-            echo "Tag ${tag} already exists" >&2
-            exit 1
-          fi
-
-          case "$GITHUB_SERVER_URL" in
-            https://*)
-              authed_remote="https://oauth2:${RELEASE_TOKEN}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git"
-              ;;
-            http://*)
-              authed_remote="http://oauth2:${RELEASE_TOKEN}@${GITHUB_SERVER_URL#http://}/${GITHUB_REPOSITORY}.git"
-              ;;
-            *)
-              echo "Unsupported GITHUB_SERVER_URL: ${GITHUB_SERVER_URL}" >&2
-              exit 1
-              ;;
-          esac
-
-          git remote set-url origin "$authed_remote"
-          git add changelog.md internal/homesick/version/version.go
-          git commit -m "release: prepare ${tag}"
-          git tag "$tag"
-          git push origin HEAD
-          git push origin "$tag"
+      - name: Vociferate publish
+        uses: aether/vociferate/publish@v1.0.0

.gitea/workflows/push-validation.yml

@@ -34,6 +34,12 @@ jobs:
           cache: true
           cache-dependency-path: go.sum
 
+      - name: Install security tools
+        run: |
+          set -euo pipefail
+          go install github.com/securego/gosec/v2/cmd/gosec@v2.22.3
+          go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
+
       - name: Install AWS CLI v2
         uses: ankurk91/install-aws-cli-action@v1
 
@@ -52,6 +58,12 @@ jobs:
           printf '{\n  "total": "%s"\n}\n' "$total" > coverage-summary.json
           printf 'total=%s\n' "$total" >> "$GITHUB_OUTPUT"
 
+      - name: Run security analysis
+        run: |
+          set -euo pipefail
+          "$(go env GOPATH)/bin/gosec" ./...
+          "$(go env GOPATH)/bin/govulncheck" ./...
+
       - name: Generate coverage badge
         env:
           COVERAGE_TOTAL: ${{ steps.coverage.outputs.total }}
@@ -121,26 +133,3 @@ jobs:
       - name: Run behavior suite on main pushes
         if: ${{ github.ref == 'refs/heads/main' }}
         run: ./script/run-behavior-suite-docker.sh
-
-      - name: Recommend next release tag on main pushes
-        if: ${{ github.ref == 'refs/heads/main' }}
-        run: |
-          set -euo pipefail
-
-          if recommended_tag="$(go run git.hrafn.xyz/aether/vociferate/cmd/releaseprep@latest --recommend --root . --version-file internal/homesick/version/version.go --version-pattern 'const String = "([^"]+)"' --changelog changelog.md 2>release-recommendation.err)"; then
-            {
-              echo
-              echo '## Release Recommendation'
-              echo
-              echo "- Recommended next tag: \\`${recommended_tag}\\`"
-            } >> "$GITHUB_STEP_SUMMARY"
-          else
-            recommendation_error="$(tr '\n' ' ' < release-recommendation.err | sed 's/[[:space:]]\+/ /g' | sed 's/^ //; s/ $//')"
-            echo "::warning::${recommendation_error}"
-            {
-              echo
-              echo '## Release Recommendation'
-              echo
-              echo "- No recommended tag emitted: ${recommendation_error}"
-            } >> "$GITHUB_STEP_SUMMARY"
-          fi