docs: update changelog for pr validation fallbacks

.gitea/workflows/pr-validation.yml

@@ -189,7 +189,7 @@ jobs:
           fi
 
       - name: Decorate PR
-        if: ${{ always() }}
+        if: ${{ always() && github.server_url == 'https://github.com' && steps.badge.outcome == 'success' }}
         uses: https://git.hrafn.xyz/aether/vociferate/decorate-pr@v1.1.0
         continue-on-error: true
         with:
@@ -197,17 +197,43 @@ jobs:
           badge-url: ${{ steps.badge.outputs.badge-url }}
           enable-changelog-gate: 'false'
 
-      - name: Add coverage summary
+      - name: Skip external PR decoration on non-GitHub runners
+        if: ${{ always() && github.server_url != 'https://github.com' }}
         run: |
+          set -euo pipefail
+          echo "Skipping decorate-pr action on ${GITHUB_SERVER_URL}; external composite action is not stable on this runner." >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Add coverage summary
+        if: ${{ always() }}
+        run: |
+          set -euo pipefail
+          total="${{ steps.badge.outputs.total }}"
+          report_url="${{ steps.badge.outputs.report-url }}"
+          badge_url="${{ steps.badge.outputs.badge-url }}"
+
+          if [[ -z "$total" ]]; then
+            total="n/a"
+          fi
+          if [[ -z "$report_url" ]]; then
+            report_url="n/a"
+          fi
+          if [[ -z "$badge_url" ]]; then
+            badge_url="n/a"
+          fi
+
           {
             echo '## Coverage'
             echo
-            echo '- Total: `${{ steps.badge.outputs.total }}%`'
+            echo "- Total: ${total}%"
-            echo '- Report: ${{ steps.badge.outputs.report-url }}'
+            echo "- Report: ${report_url}"
-            echo '- Badge: ${{ steps.badge.outputs.badge-url }}'
+            echo "- Badge: ${badge_url}"
             echo
             echo '### Package Coverage'
+            if [[ -f coverage-packages.md ]]; then
               cat coverage-packages.md
+            else
+              echo '_Package coverage details unavailable for this run._'
+            fi
           } >> "$SUMMARY_FILE"
 
       - name: Run behavior suite

CHANGELOG.md

@@ -37,6 +37,8 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
 - Push validation open-PR detection is now POSIX-shell compatible (no bash-only `pipefail`/array/`[[ ... ]]` usage), fixing failures on runners that execute `run` scripts with `/bin/sh`.
 - PR validation now checks that `coverage.out` exists before invoking `coverage-badge`; when missing, badge upload is skipped with a summary note instead of failing the workflow.
 - PR decoration is now `continue-on-error` to avoid hard-failing validation when the external `decorate-pr` action's internal extractor step is unavailable.
+- PR validation now skips external PR decoration on non-GitHub runners and writes a summary note instead, avoiding runner-specific action resolution failures.
+- Coverage summary generation is now resilient when badge outputs or `coverage-packages.md` are unavailable, preventing summary-step hard failures after earlier skips.
 - README badge link target updated to `actions/runs/latest?workflow=...` format per workflow standards.
 - CI security scanning now uses GitHub Marketplace actions (`securego/gosec` and `golang/govulncheck-action`) instead of manual tool installation, improving reliability and caching.
 - CI setup compatibility fix: gosec scanner now references the correct public action source (`securego/gosec`), resolving action clone failures in Gitea runners.