# Changelog All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). A `### Breaking` section is used in addition to Keep a Changelog's standard sections to explicitly document changes that are backwards-incompatible but would otherwise appear under `### Changed`. Entries under `### Breaking` trigger a major version bump in the automated release tooling. ## [Unreleased] ### Breaking ### Added - `internal/homesick/version`: added `version_test.go` covering the `String` constant and semver format validation. - `internal/homesick/cli`: added targeted tests for `list`, `generate`, `clone`, `status`, and `diff` CLI commands; coverage raised from 62.5% to 71.2%. - `internal/homesick/core`: added `helpers_test.go` covering `runGit` pretend mode, `actionVerb`, `sayStatus`, `unlinkPath`, `linkPath`, `readSubdirs`, `matchesIgnoredDir`, `confirmDestroy` responses and read errors, `ExecAll` empty-command and no-repos-dir edge cases, and `Link`/`Unlink` default-castle wrappers; existing suites extended with `New` constructor and `PullAll` quiet-mode tests; coverage raised from 75.6% to 80.2%. - PR validation now uses `vociferate/coverage-badge@v1.1.0` for coverage artefact upload and `vociferate/decorate-pr@v1.1.0` for PR comment decoration and changelog gate enforcement. ### Changed - `gosec` security scanning in CI now invoked directly via `go install + gosec ./...` instead of the `securego/gosec` action, resolving compatibility issues with Go 1.26.1. - `golang/govulncheck-action` pinned from `@v1` to `@v1.0.4` in push and PR validation; major-version tags do not resolve reliably in Gitea API. - `GOTOOLCHAIN=auto` moved from per-step env to job-level env in push and PR validation workflows. - Push validation `vociferate/coverage-badge` bumped from `v1.0.1` to `v1.1.0` for version consistency with PR validation. - `vociferate/prepare` and `vociferate/publish` in `prepare-release.yml` and `tag-build-artifacts.yml` bumped from `v1.0.1` to `v1.1.0` for cross-workflow version consistency. - `golang/govulncheck-action` in push and PR validation now passes explicit `go-package`, cache enablement, and `cache-dependency-path` inputs to match the required workflow pattern. - CLI/core wiring now injects `stdin` through `core.NewApp`, `main` owns the `GIT_TERMINAL_PROMPT=0` side effect, and `Rc` force handling is passed per call instead of mutating shared app state. - Core filesystem and git error paths now wrap underlying failures with command-specific context across listing, generation, tracking, linking, rc hook execution, and destroy confirmation flows. - Gosec compliance updated for intentional command execution paths: `Open()` now documents both `G702` and `G204` suppression rationale, and fixed-`git` helper invocations include explicit `G204` justifications. - PR validation badge upload now runs only when `coverage.out` exists, preventing downstream badge artefact failures while still allowing PR decoration to run on failed jobs. - PR validation now keys coverage badge upload off the coverage step outcome and performs changelog gate validation in a native workflow step; decorate-pr changelog gating is disabled to bypass the broken internal extractor action. - README badge link target updated to `actions/runs/latest?workflow=...` format per workflow standards. - CI security scanning now uses GitHub Marketplace actions (`securego/gosec` and `golang/govulncheck-action`) instead of manual tool installation, improving reliability and caching. - CI setup compatibility fix: gosec scanner now references the correct public action source (`securego/gosec`), resolving action clone failures in Gitea runners. - CI security scanner compatibility: gosec and govulncheck action steps now set `GOTOOLCHAIN=auto` so repositories requiring newer Go versions are analyzed successfully. - Code formatting validation added to CI pipelines: pushes and pull requests with code not matching `go fmt ./...` output will be rejected. - Applied `go fmt` normalization to core tests (`list_test.go` and `track_test.go`) to satisfy the new formatting gate. - Dependencies updated to resolve security vulnerabilities: `cloudflare/circl` to v1.6.3, `go-git/v5` to v5.17.0, `golang.org/x/crypto` to v0.49.0, and `golang.org/x/net` to v0.52.0. - CI workflows now include explicit caching for Go modules and build artifacts to reduce pipeline execution time. - Security hardening: file and directory creation now uses restrictive permissions (`0o750` for directories, `0o600` for files) instead of world-accessible defaults. Executable wrapper scripts are created with restricted permissions and then explicitly made executable via `chmod`. - Security: `Open()` now executes the editor directly without shell intermediary to prevent injection through the `$EDITOR` environment variable. - CI validation now runs `gosec` and `govulncheck` security scanning on push and pull request workflows. - `cmd/homesick` now includes entrypoint-focused tests that exercise both the CLI run path and `main` process path. - `rc` command: executes all executable scripts inside a castle's `.homesick.d/` directory in sorted order, with the castle root as the working directory. stdout/stderr from each script is forwarded to the caller. - `rc` command: when a `.homesickrc` file exists and no `parity.rb` wrapper is present in `.homesick.d/`, a Ruby wrapper script (`parity.rb`) is generated automatically to preserve backwards compatibility. An existing `parity.rb` is never overwritten. - `exec` command: runs a shell command inside the target castle root directory. - `exec_all` command: runs a shell command inside each cloned castle root directory in sorted order. - `pull --all` support: pulls updates for every cloned castle in sorted order. - `rc --force` support: legacy `.homesickrc` compatibility hooks now require explicit force mode before execution. - Global command flags restored: `--pretend` (with `--dry-run` alias) and `--quiet`. - Native Go implementations for `clone`, `link`, `unlink`, `track`, `pull`, `push`, `commit`, `destroy`, `cd`, `open`, and `generate`. - Containerized behavior test suite for command parity validation. - Dedicated test suites for `list`, `show_path`, `status`, `diff`, and `version`. - Just workflow support for building and running the Linux behavior binary. - Coverage reports and badges published to shared object storage for branches and pull requests. - Pull requests now receive coverage report links in CI comments. - Automated release orchestration now runs through vociferate prepare and publish workflows. - `symlink` command alias compatibility for `link`. ### Changed - Release automation now uses `aether/vociferate` `prepare` and `publish` actions (pinned to `v1.0.1`) instead of repository-local releaseprep wrappers. - Push and pull request validation now enforce per-package coverage gates (fail below 50%) and publish package-level coverage status tables in workflow summaries. - Push and pull request validation now verify module hygiene (`go mod tidy`, `go mod verify`) and use a dedicated summary-file pattern with a final always-run summary step. - CLI argument parsing migrated to Kong. - Git operations for clone and track migrated to `go-git`. - Build and behavior workflows now produce and run the `gosick` binary name. - CI validation is unified into push events, running behavior tests only on `main` pushes. - Gitea CI workflows now cache Go modules and build artifacts using a shared runner tool cache. - Gitea workflow and README badge updated from `push-unit-tests` to `push-validation`. - CLI help now uses the invoked binary name (defaulting to `gosick`) in usage output. - CLI help description now reflects Homesick's purpose for managing precious dotfiles. - Release notes standardized to Keep a Changelog format. - `commit` command now accepts legacy positional form `commit ` in addition to `-m`. - `destroy` now prompts for confirmation by default and preserves the castle when declined. ### Fixed - `status` and `diff` now consistently write through configured app output writers. - `pull --all` output now includes per-castle prefixes to match behavior expectations. - Behavior-suite container now includes Ruby so `.homesickrc` parity wrapper execution works under `rc --force`. ### Removed - Legacy `script/prepare-release.sh` releaseprep wrapper and its dedicated script test. - Legacy Ruby implementation and Ruby toolchain. - Legacy in-repository `releaseprep` package and command implementation, now superseded by the standalone `vociferate` tool. ## [1.1.6] - 2017-12-20 ### Fixed - Ensure `FileUtils` is imported correctly to avoid a potential error. - Fix an issue where comparing a diff did not use the content of the new file. ### Changed - Small documentation fixes. ## [1.1.5] - 2017-03-23 ### Fixed - Problem with version number being incorrect. ## [1.1.4] - 2017-03-22 ### Fixed - Ensure symlink conflicts are explicitly communicated to users and symlinks are not silently overwritten. - Fix a problem in diff when asking a user to resolve a conflict. ### Changed - Use real paths of symlinks when linking a castle into home. - Code refactoring and fixes. ## [1.1.3] - 2015-10-31 ### Added - Allow a destination to be passed when cloning a castle. ### Fixed - Make sure `homesick edit` opens the default editor in the root of the given castle. - Bug when diffing edited files. - Crashing bug when attempting to diff directories. - Ensure that messages are escaped correctly on `git commit all`. ## [1.1.2] - 2015-01-02 ### Added - `--force` option to the rc command to bypass confirmation checks when running a `.homesickrc` file. - Check to ensure that at least Git 1.8.0 is installed. ### Fixed - Stop Homesick failing silently when Git is not installed. ### Changed - Code refactoring and fixes. ## [1.1.0] - 2014-04-28 ### Added - `exec` and `exec_all` commands to run commands inside one or all cloned castles. ### Changed - Code refactoring. ## [1.0.0] - 2014-01-15 ### Added - `version` command. ### Removed - Support for Ruby 1.8.7. ## [0.9.8] - 2014-01-02 ### Added - `homesick cd` command. - `homesick open` command. ## [0.9.4] - 2013-07-31 ### Added - `homesick unlink` command. - `homesick rc` command. ### Changed - Use HTTPS protocol instead of git protocol. ## [0.9.3] - 2013-07-07 ### Added - Recursive option to `homesick clone`. ## [0.9.2] - 2013-06-27 ### Added - `homesick show_path` command. - `homesick status` command. - `homesick diff` command. ### Changed - Set `dotfiles` as default castle name. ## [0.9.1] - 2013-06-17 ### Fixed - Small bugs: #35, #40. ## [0.9.0] - 2013-06-06 ### Added - `.homesick_subdir` (#39). ## [0.8.1] - 2013-05-19 ### Fixed - `homesick list` bug on Ruby 2.0 (#37). ## [0.8.0] - 2013-04-06 ### Added - `commit` and `push` command. - Commit changes in a castle and push to remote. - Enable recursive submodule update. - Git add when using track. ## [0.7.0] - 2012-05-28 ### Added - New option for pull command: `--all`. - Pull each castle instead of just one. ### Fixed - Double-cloning (#14). ## [0.6.1] - 2010-11-13 ### Added - License. ## [0.6.0] - 2010-10-27 ### Added - `.homesickrc` support. - Castles can now have a `.homesickrc` inside them. - On clone, this is eval'd inside the destination directory. - `track` command. - Allows easily moving an existing file into a castle and symlinking it back. ## [0.5.0] - 2010-05-18 ### Added - `homesick pull ` for updating castles (thanks Jorge Dias). - A very basic `homesick generate `. ### Fixed - Listing of castles cloned using `homesick clone /` (issue 3). ## [0.4.1] - 2010-04-02 ### Fixed - Improve error message when a castle's home dir does not exist. ## [0.4.0] - 2010-04-01 ### Added - `homesick clone` can take a path to a directory on the filesystem, which is symlinked into place. - `homesick clone` tries to run `git submodule init` and `git submodule update` if git submodules are defined for a cloned repo. ### Changed - Use `HOME` environment variable for where to store files, instead of assuming `~`. ### Fixed - Missing dependency on thor and others. ## [0.3.0] - 2010-04-01 ### Changed - Rename `link` to `symlink`. ### Fixed - Conflict resolution when symlink destination exists and is a normal file. ## [0.2.0] - 2010-03-19 ### Added - Better support for recognizing git URLs (thanks jacobat). - If it looks like a GitHub user/repo, use that. - Otherwise hand off to git clone. - Listing now displays in color and shows git remote. - Support pretend, force, and quiet modes. ## [0.1.1] - 2010-03-17 ### Fixed - Trying to link against castles that do not exist. - Linking now excludes `.` and `..` from the list of files to link (thanks Martinos). ## [0.1.0] - 2010-03-10 ### Added - Initial release.