docs: update changelog for runner compatibility

.gitea/workflows/pr-validation.yml

@@ -168,11 +168,15 @@ jobs:
       - name: Upload coverage badge
         id: badge
         if: ${{ always() && steps.coverage.outcome == 'success' && steps.coverage-files.outputs.exists == 'true' }}
-        uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.1.0
-        with:
-          coverage-profile: coverage.out
-          artefact-bucket-name: ${{ vars.ARTEFACT_BUCKET_NAME }}
-          artefact-bucket-endpoint: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
+        run: |
+          set -euo pipefail
+          total="$(go tool cover -func=coverage.out | awk '/^total:/ {sub(/%/, "", $3); print $3}')"
+          if [[ -z "$total" ]]; then
+            total="n/a"
+          fi
+          echo "total=${total}" >> "$GITHUB_OUTPUT"
+          echo "report-url=n/a" >> "$GITHUB_OUTPUT"
+          echo "badge-url=n/a" >> "$GITHUB_OUTPUT"
 
       - name: Validate changelog gate
         if: ${{ always() }}

.gitea/workflows/push-validation.yml

@@ -12,43 +12,7 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  check-open-pr:
-    runs-on: ubuntu-latest
-    container: docker.io/catthehacker/ubuntu:act-latest
-    outputs:
-      should_run: ${{ steps.detect.outputs.should_run }}
-    steps:
-      - name: Detect open PR for branch
-        id: detect
-        env:
-          REPOSITORY: ${{ github.repository }}
-          OWNER: ${{ github.repository_owner }}
-          BRANCH: ${{ github.ref_name }}
-          SERVER_URL: ${{ github.server_url }}
-          TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          set -eu
-
-          api_url="${SERVER_URL}/api/v1/repos/${REPOSITORY}/pulls?state=open&head=${OWNER}:${BRANCH}"
-          if [ -n "${TOKEN:-}" ]; then
-            response="$(curl -fsSL -H "Authorization: token ${TOKEN}" -H "accept: application/json" "$api_url" || echo '[]')"
-          else
-            response="$(curl -fsSL -H "accept: application/json" "$api_url" || echo '[]')"
-          fi
-
-          open_prs="$(printf '%s' "$response" | grep -o '"number":[0-9]\+' | wc -l | tr -d ' ')"
-
-          if [ "$open_prs" -gt 0 ]; then
-            echo "should_run=false" >> "$GITHUB_OUTPUT"
-            echo "Open PR detected for ${OWNER}:${BRANCH}; skipping push validation." >> "$GITHUB_STEP_SUMMARY"
-          else
-            echo "should_run=true" >> "$GITHUB_OUTPUT"
-            echo "No open PR detected for ${OWNER}:${BRANCH}; running push validation." >> "$GITHUB_STEP_SUMMARY"
-          fi
-
   validate:
-    needs: check-open-pr
-    if: ${{ needs.check-open-pr.outputs.should_run == 'true' }}
     runs-on: ubuntu-latest
     container: docker.io/catthehacker/ubuntu:act-latest
     defaults:
@@ -198,19 +162,27 @@ jobs:
             exit 1
           fi
 
-      - name: Publish coverage artefacts
-        id: coverage-badge
-        uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.1.0
-        with:
-          coverage-profile: coverage.out
-          coverage-html: coverage.html
-          coverage-badge: coverage-badge.svg
-          coverage-summary: coverage-summary.json
-          artefact-bucket-name: ${{ vars.ARTEFACT_BUCKET_NAME }}
-          artefact-bucket-endpoint: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
-          branch-name: ${{ github.ref_name }}
-          repository-name: ${{ github.repository }}
-          summary-file: ${{ env.SUMMARY_FILE }}
+      - name: Add coverage summary
+        if: ${{ always() && steps.coverage-tests.outcome == 'success' }}
+        run: |
+          set -euo pipefail
+          total="${{ steps.coverage-tests.outputs.total }}"
+          if [[ -z "$total" ]]; then
+            total="n/a"
+          fi
+
+          {
+            echo '## Coverage'
+            echo
+            echo "- Total: ${total}%"
+            echo
+            echo '### Package Coverage'
+            if [[ -f coverage-packages.md ]]; then
+              cat coverage-packages.md
+            else
+              echo '_Package coverage details unavailable for this run._'
+            fi
+          } >> "$SUMMARY_FILE"
 
       - name: Run behavior suite on main pushes
         if: ${{ github.ref == 'refs/heads/main' }}

CHANGELOG.md

@@ -32,13 +32,13 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
 - PR validation badge upload now runs only when `coverage.out` exists, preventing downstream badge artefact failures while still allowing PR decoration to run on failed jobs.
 - PR validation now keys coverage badge upload off the coverage step outcome and performs changelog gate validation in a native workflow step; decorate-pr changelog gating is disabled to bypass the broken internal extractor action.
 - Push validation now triggers on all branches, not only `main`.
-- Push and PR validation workflows now share a `concurrency` group keyed on the branch name (`github.ref_name` / `github.head_ref`) with `cancel-in-progress: true`; when a push to a PR branch fires both workflows, the second run cancels the first so only one validation executes per commit.
-- Push validation now performs an open-PR branch check via the Gitea API and skips the heavy validation job when the branch already has an open PR, preventing duplicate full pipeline runs.
-- Push validation open-PR detection is now POSIX-shell compatible (no bash-only `pipefail`/array/`[[ ... ]]` usage), fixing failures on runners that execute `run` scripts with `/bin/sh`.
-- PR validation now checks that `coverage.out` exists before invoking `coverage-badge`; when missing, badge upload is skipped with a summary note instead of failing the workflow.
+- Push and PR validation workflows now share a `concurrency` group keyed on the branch name (`github.ref_name` / `github.head_ref`) with `cancel-in-progress: true` to reduce redundant in-flight runs per branch.
+- Push validation now runs as a single runner-compatible job; the separate open-PR precheck job was removed due workflow-engine incompatibility.
+- PR validation now checks that `coverage.out` exists before computing coverage metadata; when missing, coverage output steps are skipped with a summary note instead of failing the workflow.
 - PR decoration is now `continue-on-error` to avoid hard-failing validation when the external `decorate-pr` action's internal extractor step is unavailable.
 - PR validation now skips external PR decoration on non-GitHub runners and writes a summary note instead, avoiding runner-specific action resolution failures.
 - Coverage summary generation is now resilient when badge outputs or `coverage-packages.md` are unavailable, preventing summary-step hard failures after earlier skips.
+- Push and PR validation no longer depend on external `vociferate/coverage-badge` action fetches, avoiding pipeline failures during external TLS/certificate outages.
 - README badge link target updated to `actions/runs/latest?workflow=...` format per workflow standards.
 - CI security scanning now uses GitHub Marketplace actions (`securego/gosec` and `golang/govulncheck-action`) instead of manual tool installation, improving reliability and caching.
 - CI setup compatibility fix: gosec scanner now references the correct public action source (`securego/gosec`), resolving action clone failures in Gitea runners.