docs: update changelog for badge upload guard

.gitea/workflows/pr-validation.yml

@@ -151,7 +151,7 @@ jobs:
 
       - name: Upload coverage badge
         id: badge
-        if: ${{ always() }}
+        if: ${{ always() && hashFiles('coverage.out') != '' }}
         uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.1.0
         with:
           artefact-bucket-name: ${{ vars.ARTEFACT_BUCKET_NAME }}

CHANGELOG.md

@@ -29,6 +29,7 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
 - CLI/core wiring now injects `stdin` through `core.NewApp`, `main` owns the `GIT_TERMINAL_PROMPT=0` side effect, and `Rc` force handling is passed per call instead of mutating shared app state.
 - Core filesystem and git error paths now wrap underlying failures with command-specific context across listing, generation, tracking, linking, rc hook execution, and destroy confirmation flows.
 - Gosec compliance updated for intentional command execution paths: `Open()` now documents both `G702` and `G204` suppression rationale, and fixed-`git` helper invocations include explicit `G204` justifications.
+- PR validation badge upload now runs only when `coverage.out` exists, preventing downstream badge artefact failures while still allowing PR decoration to run on failed jobs.
 - README badge link target updated to `actions/runs/latest?workflow=...` format per workflow standards.
 - CI security scanning now uses GitHub Marketplace actions (`securego/gosec` and `golang/govulncheck-action`) instead of manual tool installation, improving reliability and caching.
 - CI setup compatibility fix: gosec scanner now references the correct public action source (`securego/gosec`), resolving action clone failures in Gitea runners.