ci: Correct pipeline

.gitea/workflows/pr-validation.yml

@@ -168,11 +168,15 @@ jobs:
       - name: Upload coverage badge
         id: badge
         if: ${{ always() && steps.coverage.outcome == 'success' && steps.coverage-files.outputs.exists == 'true' }}
-        uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.1.0
+        run: |
-        with:
+          set -euo pipefail
-          coverage-profile: coverage.out
+          total="$(go tool cover -func=coverage.out | awk '/^total:/ {sub(/%/, "", $3); print $3}')"
-          artefact-bucket-name: ${{ vars.ARTEFACT_BUCKET_NAME }}
+          if [[ -z "$total" ]]; then
-          artefact-bucket-endpoint: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
+            total="n/a"
+          fi
+          echo "total=${total}" >> "$GITHUB_OUTPUT"
+          echo "report-url=n/a" >> "$GITHUB_OUTPUT"
+          echo "badge-url=n/a" >> "$GITHUB_OUTPUT"
 
       - name: Validate changelog gate
         if: ${{ always() }}

.gitea/workflows/prepare-release.yml

@@ -9,6 +9,7 @@ permissions:
 
 jobs:
   prepare:
+    if: "${{ !startsWith(github.event.head_commit.message, 'chore(release): prepare ') }}"
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -23,24 +24,15 @@ jobs:
             ln -s CHANGELOG.md changelog.md
           fi
 
-      - name: Vociferate prepare
+      - name: Prepare release
-        uses: https://git.hrafn.xyz/aether/vociferate/prepare@v1.1.0
+        run: bash ./script/prepare-release.sh
 
-  publish:
+      - name: Summary
-    needs: prepare
+        if: ${{ always() }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Provide lowercase changelog compatibility
         run: |
           set -euo pipefail
-          if [[ -f CHANGELOG.md && ! -e changelog.md ]]; then
+          if git rev-parse -q --verify "refs/tags/$(sed -n 's/^const String = "\([^"]*\)"$/v\1/p' internal/homesick/version/version.go)" >/dev/null; then
-            ln -s CHANGELOG.md changelog.md
+            echo "Prepared and pushed release tag $(sed -n 's/^const String = "\([^"]*\)"$/v\1/p' internal/homesick/version/version.go)." >> "$GITHUB_STEP_SUMMARY"
-          fi
+          else
-
+            echo "No release prepared in this run." >> "$GITHUB_STEP_SUMMARY"
-      - name: Vociferate publish
+          fi
-        uses: https://git.hrafn.xyz/aether/vociferate/publish@v1.1.0

.gitea/workflows/push-validation.yml

@@ -12,43 +12,7 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  check-open-pr:
-    runs-on: ubuntu-latest
-    container: docker.io/catthehacker/ubuntu:act-latest
-    outputs:
-      should_run: ${{ steps.detect.outputs.should_run }}
-    steps:
-      - name: Detect open PR for branch
-        id: detect
-        env:
-          REPOSITORY: ${{ github.repository }}
-          OWNER: ${{ github.repository_owner }}
-          BRANCH: ${{ github.ref_name }}
-          SERVER_URL: ${{ github.server_url }}
-          TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          set -eu
-
-          api_url="${SERVER_URL}/api/v1/repos/${REPOSITORY}/pulls?state=open&head=${OWNER}:${BRANCH}"
-          if [ -n "${TOKEN:-}" ]; then
-            response="$(curl -fsSL -H "Authorization: token ${TOKEN}" -H "accept: application/json" "$api_url" || echo '[]')"
-          else
-            response="$(curl -fsSL -H "accept: application/json" "$api_url" || echo '[]')"
-          fi
-
-          open_prs="$(printf '%s' "$response" | grep -o '"number":[0-9]\+' | wc -l | tr -d ' ')"
-
-          if [ "$open_prs" -gt 0 ]; then
-            echo "should_run=false" >> "$GITHUB_OUTPUT"
-            echo "Open PR detected for ${OWNER}:${BRANCH}; skipping push validation." >> "$GITHUB_STEP_SUMMARY"
-          else
-            echo "should_run=true" >> "$GITHUB_OUTPUT"
-            echo "No open PR detected for ${OWNER}:${BRANCH}; running push validation." >> "$GITHUB_STEP_SUMMARY"
-          fi
-
   validate:
-    needs: check-open-pr
-    if: ${{ needs.check-open-pr.outputs.should_run == 'true' }}
     runs-on: ubuntu-latest
     container: docker.io/catthehacker/ubuntu:act-latest
     defaults:
@@ -198,19 +162,27 @@ jobs:
             exit 1
           fi
 
-      - name: Publish coverage artefacts
+      - name: Add coverage summary
-        id: coverage-badge
+        if: ${{ always() && steps.coverage-tests.outcome == 'success' }}
-        uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.1.0
+        run: |
-        with:
+          set -euo pipefail
-          coverage-profile: coverage.out
+          total="${{ steps.coverage-tests.outputs.total }}"
-          coverage-html: coverage.html
+          if [[ -z "$total" ]]; then
-          coverage-badge: coverage-badge.svg
+            total="n/a"
-          coverage-summary: coverage-summary.json
+          fi
-          artefact-bucket-name: ${{ vars.ARTEFACT_BUCKET_NAME }}
+
-          artefact-bucket-endpoint: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
+          {
-          branch-name: ${{ github.ref_name }}
+            echo '## Coverage'
-          repository-name: ${{ github.repository }}
+            echo
-          summary-file: ${{ env.SUMMARY_FILE }}
+            echo "- Total: ${total}%"
+            echo
+            echo '### Package Coverage'
+            if [[ -f coverage-packages.md ]]; then
+              cat coverage-packages.md
+            else
+              echo '_Package coverage details unavailable for this run._'
+            fi
+          } >> "$SUMMARY_FILE"
 
       - name: Run behavior suite on main pushes
         if: ${{ github.ref == 'refs/heads/main' }}

.gitea/workflows/tag-build-artifacts.yml

@@ -89,5 +89,13 @@ jobs:
             ln -s CHANGELOG.md changelog.md
           fi
 
-      - name: Vociferate publish
+      - name: Install jq
-        uses: https://git.hrafn.xyz/aether/vociferate/publish@v1.1.0
+        run: |
+          set -euo pipefail
+          apt-get update
+          apt-get install -y jq
+
+      - name: Create or update release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: bash ./script/publish-release.sh

CHANGELOG.md

@@ -32,13 +32,15 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
 - PR validation badge upload now runs only when `coverage.out` exists, preventing downstream badge artefact failures while still allowing PR decoration to run on failed jobs.
 - PR validation now keys coverage badge upload off the coverage step outcome and performs changelog gate validation in a native workflow step; decorate-pr changelog gating is disabled to bypass the broken internal extractor action.
 - Push validation now triggers on all branches, not only `main`.
-- Push and PR validation workflows now share a `concurrency` group keyed on the branch name (`github.ref_name` / `github.head_ref`) with `cancel-in-progress: true`; when a push to a PR branch fires both workflows, the second run cancels the first so only one validation executes per commit.
+- Push and PR validation workflows now share a `concurrency` group keyed on the branch name (`github.ref_name` / `github.head_ref`) with `cancel-in-progress: true` to reduce redundant in-flight runs per branch.
-- Push validation now performs an open-PR branch check via the Gitea API and skips the heavy validation job when the branch already has an open PR, preventing duplicate full pipeline runs.
+- Push validation now runs as a single runner-compatible job; the separate open-PR precheck job was removed due workflow-engine incompatibility.
-- Push validation open-PR detection is now POSIX-shell compatible (no bash-only `pipefail`/array/`[[ ... ]]` usage), fixing failures on runners that execute `run` scripts with `/bin/sh`.
+- PR validation now checks that `coverage.out` exists before computing coverage metadata; when missing, coverage output steps are skipped with a summary note instead of failing the workflow.
-- PR validation now checks that `coverage.out` exists before invoking `coverage-badge`; when missing, badge upload is skipped with a summary note instead of failing the workflow.
 - PR decoration is now `continue-on-error` to avoid hard-failing validation when the external `decorate-pr` action's internal extractor step is unavailable.
 - PR validation now skips external PR decoration on non-GitHub runners and writes a summary note instead, avoiding runner-specific action resolution failures.
 - Coverage summary generation is now resilient when badge outputs or `coverage-packages.md` are unavailable, preventing summary-step hard failures after earlier skips.
+- Push and PR validation no longer depend on external `vociferate/coverage-badge` action fetches, avoiding pipeline failures during external TLS/certificate outages.
+- Release automation no longer depends on external `vociferate` action fetches; local repository scripts now prepare tags from `CHANGELOG.md` and publish Gitea releases directly via the API, avoiding TLS/certificate outages on the external action host.
+- `prepare-release.yml` now quotes the job-level `if:` expression guarding release-preparation commits, fixing YAML parsing errors caused by the colon in the release commit message prefix.
 - README badge link target updated to `actions/runs/latest?workflow=...` format per workflow standards.
 - CI security scanning now uses GitHub Marketplace actions (`securego/gosec` and `golang/govulncheck-action`) instead of manual tool installation, improving reliability and caching.
 - CI setup compatibility fix: gosec scanner now references the correct public action source (`securego/gosec`), resolving action clone failures in Gitea runners.

README.md

@@ -1,4 +1,4 @@
-# homesick
+# gosick
 
 [![Main Validation](https://git.hrafn.xyz/aether/gosick/actions/workflows/push-validation.yml/badge.svg?branch=main&event=push)](https://git.hrafn.xyz/aether/gosick/actions/runs/latest?workflow=push-validation.yml&branch=main&event=push)
 [![Coverage](https://s3.hrafn.xyz/aether-workflow-report-artefacts/gosick/branch/main/coverage-badge.svg)](https://s3.hrafn.xyz/aether-workflow-report-artefacts/gosick/branch/main/coverage.html)

script/prepare-release.sh

@@ -0,0 +1,132 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "$0")/.." && pwd)"
+cd "$repo_root"
+
+version_file="internal/homesick/version/version.go"
+primary_changelog="CHANGELOG.md"
+compat_changelog="changelog.md"
+
+current_version="$(sed -n 's/^const String = "\([^"]*\)"$/\1/p' "$version_file")"
+if [[ -z "$current_version" ]]; then
+  echo "Failed to read current version from ${version_file}" >&2
+  exit 1
+fi
+
+bump="$(awk '
+  BEGIN { in_unreleased = 0; section = ""; has_entries = 0; bump = "" }
+  /^## \[Unreleased\]/ { in_unreleased = 1; next }
+  /^## \[/ && in_unreleased { exit }
+  /^### / && in_unreleased { section = substr($0, 5); next }
+  in_unreleased && /^- / {
+    has_entries = 1
+    if (section == "Breaking" || section == "Removed") {
+      bump = "major"
+    } else if (section == "Added") {
+      if (bump != "major") {
+        bump = "minor"
+      }
+    } else if (bump == "") {
+      bump = "patch"
+    }
+  }
+  END {
+    if (!has_entries) {
+      print "none"
+      exit
+    }
+    if (bump == "") {
+      bump = "patch"
+    }
+    print bump
+  }
+' "$primary_changelog")"
+
+if [[ "$bump" == "none" ]]; then
+  echo "No unreleased changelog entries found; skipping release preparation."
+  exit 0
+fi
+
+IFS=. read -r major minor patch <<< "$current_version"
+case "$bump" in
+  major)
+    major=$((major + 1))
+    minor=0
+    patch=0
+    ;;
+  minor)
+    minor=$((minor + 1))
+    patch=0
+    ;;
+  patch)
+    patch=$((patch + 1))
+    ;;
+  *)
+    echo "Unsupported bump type: ${bump}" >&2
+    exit 1
+    ;;
+esac
+
+next_version="${major}.${minor}.${patch}"
+tag="v${next_version}"
+today="$(date -u +%F)"
+
+if git rev-parse -q --verify "refs/tags/${tag}" >/dev/null; then
+  echo "Tag ${tag} already exists; skipping release preparation."
+  exit 0
+fi
+
+unreleased_line="$(grep -n '^## \[Unreleased\]' "$primary_changelog" | cut -d: -f1)"
+if [[ -z "$unreleased_line" ]]; then
+  echo "Missing [Unreleased] section in ${primary_changelog}" >&2
+  exit 1
+fi
+
+next_heading_line="$(awk -v start="$unreleased_line" 'NR > start && /^## \[/ { print NR; exit }' "$primary_changelog")"
+total_lines="$(wc -l < "$primary_changelog" | tr -d ' ')"
+if [[ -z "$next_heading_line" ]]; then
+  next_heading_line=$((total_lines + 1))
+fi
+
+tmp_changelog="$(mktemp)"
+{
+  sed -n "1,$((unreleased_line - 1))p" "$primary_changelog"
+  echo "## [Unreleased]"
+  echo
+  echo "### Breaking"
+  echo
+  echo "### Added"
+  echo
+  echo "### Changed"
+  echo
+  echo "### Fixed"
+  echo
+  echo "### Removed"
+  echo
+  echo "## [${next_version}] - ${today}"
+  echo
+  sed -n "$((unreleased_line + 2)),$((next_heading_line - 1))p" "$primary_changelog"
+  if (( next_heading_line <= total_lines )); then
+    sed -n "${next_heading_line},${total_lines}p" "$primary_changelog"
+  fi
+} > "$tmp_changelog"
+
+tmp_version="$(mktemp)"
+sed "s/^const String = \".*\"$/const String = \"${next_version}\"/" "$version_file" > "$tmp_version"
+
+mv "$tmp_version" "$version_file"
+mv "$tmp_changelog" "$primary_changelog"
+cp "$primary_changelog" "$compat_changelog"
+
+git config user.name "gitea-actions[bot]"
+git config user.email "gitea-actions[bot]@users.noreply.local"
+
+git add "$version_file" "$primary_changelog" "$compat_changelog"
+git commit -m "chore(release): prepare ${tag}"
+git tag "$tag"
+git push origin HEAD:main
+git push origin "$tag"
+
+echo "Prepared ${tag} from ${current_version} with a ${bump} bump."

script/publish-release.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+repo_root="$(cd "$(dirname "$0")/.." && pwd)"
+cd "$repo_root"
+
+if [[ -z "${GITHUB_REF_NAME:-}" ]]; then
+  echo "GITHUB_REF_NAME is required" >&2
+  exit 1
+fi
+
+if [[ -z "${GITHUB_REPOSITORY:-}" || -z "${GITHUB_SERVER_URL:-}" || -z "${GITHUB_TOKEN:-}" ]]; then
+  echo "GITHUB_REPOSITORY, GITHUB_SERVER_URL, and GITHUB_TOKEN are required" >&2
+  exit 1
+fi
+
+tag="${GITHUB_REF_NAME}"
+version="${tag#v}"
+notes_file="$(mktemp)"
+
+awk -v version="$version" '
+  $0 ~ ("^## \\\[" version "\\\] - ") { in_section = 1 }
+  /^## \[/ && in_section && $0 !~ ("^## \\\[" version "\\\] - ") { exit }
+  in_section { print }
+' CHANGELOG.md > "$notes_file"
+
+if [[ ! -s "$notes_file" ]]; then
+  printf '## [%s]\n\n- Release %s\n' "$version" "$tag" > "$notes_file"
+fi
+
+payload_file="$(mktemp)"
+jq -n \
+  --arg tag "$tag" \
+  --arg name "$tag" \
+  --arg target "main" \
+  --rawfile body "$notes_file" \
+  '{tag_name: $tag, target_commitish: $target, name: $name, body: $body, draft: false, prerelease: false}' > "$payload_file"
+
+api_base="${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}"
+status="$(curl -sS -o /tmp/release_lookup.json -w '%{http_code}' \
+  -H "Authorization: token ${GITHUB_TOKEN}" \
+  -H 'accept: application/json' \
+  "${api_base}/releases/tags/${tag}" || true)"
+
+if [[ "$status" == "200" ]]; then
+  release_id="$(jq -r '.id' /tmp/release_lookup.json)"
+  curl -fsSL -X PATCH \
+    -H "Authorization: token ${GITHUB_TOKEN}" \
+    -H 'accept: application/json' \
+    -H 'content-type: application/json' \
+    --data @"$payload_file" \
+    "${api_base}/releases/${release_id}" >/dev/null
+  echo "Updated release ${tag}."
+else
+  curl -fsSL -X POST \
+    -H "Authorization: token ${GITHUB_TOKEN}" \
+    -H 'accept: application/json' \
+    -H 'content-type: application/json' \
+    --data @"$payload_file" \
+    "${api_base}/releases" >/dev/null
+  echo "Created release ${tag}."
+fi