docs: update changelog for workflow hardening

ci: harden workflow dedup and badge gating
2026-03-21 22:54:07 +00:00 · 2026-03-21 22:54:07 +00:00
3 changed files with 24 additions and 7 deletions
--- a/.gitea/workflows/pr-validation.yml
+++ b/.gitea/workflows/pr-validation.yml
@@ -153,11 +153,24 @@ jobs:
          cache: true
          cache-dependency-path: go.sum

+      - name: Check coverage artefacts
+        id: coverage-files
+        if: ${{ always() && steps.coverage.outcome == 'success' }}
+        run: |
+          set -euo pipefail
+          if [[ -f coverage.out ]]; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+            echo "coverage.out was not produced; skipping coverage badge upload." >> "$GITHUB_STEP_SUMMARY"
+          fi
+
      - name: Upload coverage badge
        id: badge
-        if: ${{ always() && steps.coverage.outcome == 'success' }}
+        if: ${{ always() && steps.coverage.outcome == 'success' && steps.coverage-files.outputs.exists == 'true' }}
        uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.1.0
        with:
+          coverage-profile: coverage.out
          artefact-bucket-name: ${{ vars.ARTEFACT_BUCKET_NAME }}
          artefact-bucket-endpoint: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}

@@ -178,6 +191,7 @@ jobs:
      - name: Decorate PR
        if: ${{ always() }}
        uses: https://git.hrafn.xyz/aether/vociferate/decorate-pr@v1.1.0
+        continue-on-error: true
        with:
          coverage-percentage: ${{ steps.badge.outputs.total }}
          badge-url: ${{ steps.badge.outputs.badge-url }}
--- a/.gitea/workflows/push-validation.yml
+++ b/.gitea/workflows/push-validation.yml
@@ -27,18 +27,18 @@ jobs:
          SERVER_URL: ${{ github.server_url }}
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
-          set -euo pipefail
+          set -eu

          api_url="${SERVER_URL}/api/v1/repos/${REPOSITORY}/pulls?state=open&head=${OWNER}:${BRANCH}"
-          auth_args=()
-          if [[ -n "${TOKEN:-}" ]]; then
-            auth_args=(-H "Authorization: token ${TOKEN}")
+          if [ -n "${TOKEN:-}" ]; then
+            response="$(curl -fsSL -H "Authorization: token ${TOKEN}" -H "accept: application/json" "$api_url" || echo '[]')"
+          else
+            response="$(curl -fsSL -H "accept: application/json" "$api_url" || echo '[]')"
          fi

-          response="$(curl -fsSL "${auth_args[@]}" -H 'accept: application/json' "$api_url" || echo '[]')"
          open_prs="$(printf '%s' "$response" | grep -o '"number":[0-9]\+' | wc -l | tr -d ' ')"

-          if [[ "$open_prs" -gt 0 ]]; then
+          if [ "$open_prs" -gt 0 ]; then
            echo "should_run=false" >> "$GITHUB_OUTPUT"
            echo "Open PR detected for ${OWNER}:${BRANCH}; skipping push validation." >> "$GITHUB_STEP_SUMMARY"
          else
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,6 +34,9 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
 - Push validation now triggers on all branches, not only `main`.
 - Push and PR validation workflows now share a `concurrency` group keyed on the branch name (`github.ref_name` / `github.head_ref`) with `cancel-in-progress: true`; when a push to a PR branch fires both workflows, the second run cancels the first so only one validation executes per commit.
 - Push validation now performs an open-PR branch check via the Gitea API and skips the heavy validation job when the branch already has an open PR, preventing duplicate full pipeline runs.
+- Push validation open-PR detection is now POSIX-shell compatible (no bash-only `pipefail`/array/`[[ ... ]]` usage), fixing failures on runners that execute `run` scripts with `/bin/sh`.
+- PR validation now checks that `coverage.out` exists before invoking `coverage-badge`; when missing, badge upload is skipped with a summary note instead of failing the workflow.
+- PR decoration is now `continue-on-error` to avoid hard-failing validation when the external `decorate-pr` action's internal extractor step is unavailable.
 - README badge link target updated to `actions/runs/latest?workflow=...` format per workflow standards.
 - CI security scanning now uses GitHub Marketplace actions (`securego/gosec` and `golang/govulncheck-action`) instead of manual tool installation, improving reliability and caching.
 - CI setup compatibility fix: gosec scanner now references the correct public action source (`securego/gosec`), resolving action clone failures in Gitea runners.
Author	SHA1	Message	Date
Micheal Wilkinson	bbbacb0eb6	docs: update changelog for workflow hardening Some checks failed Push Validation / check-open-pr (push) Successful in 2s Details Push Validation / validate (push) Has been skipped Details Pull Request Validation / validate (pull_request) Failing after 2m9s Details	2026-03-21 22:54:07 +00:00
Micheal Wilkinson	28820748f7	ci: harden workflow dedup and badge gating	2026-03-21 22:54:07 +00:00