gosick/CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

A ### Breaking section is used in addition to Keep a Changelog's standard sections to explicitly document changes that are backwards-incompatible but would otherwise appear under ### Changed. Entries under ### Breaking trigger a major version bump in the automated release tooling.

[Unreleased]

Breaking

Added

• internal/homesick/version: added version_test.go covering the String constant and semver format validation.
• internal/homesick/cli: added targeted tests for list, generate, clone, status, and diff CLI commands; coverage raised from 62.5% to 71.2%.
• internal/homesick/core: added helpers_test.go covering runGit pretend mode, actionVerb, sayStatus, unlinkPath, linkPath, readSubdirs, matchesIgnoredDir, confirmDestroy responses and read errors, ExecAll empty-command and no-repos-dir edge cases, and Link/Unlink default-castle wrappers; existing suites extended with New constructor and PullAll quiet-mode tests; coverage raised from 75.6% to 80.2%.
• PR validation now uses vociferate/coverage-badge@v1.1.0 for coverage artefact upload and vociferate/decorate-pr@v1.1.0 for PR comment decoration and changelog gate enforcement.

Changed

• gosec security scanning in CI now invoked directly via go install + gosec ./... instead of the securego/gosec action, resolving compatibility issues with Go 1.26.1.

• golang/govulncheck-action pinned from @v1 to @v1.0.4 in push and PR validation; major-version tags do not resolve reliably in Gitea API.

• GOTOOLCHAIN=auto moved from per-step env to job-level env in push and PR validation workflows.

• Push validation vociferate/coverage-badge bumped from v1.0.1 to v1.1.0 for version consistency with PR validation.

• vociferate/prepare and vociferate/publish in prepare-release.yml and tag-build-artifacts.yml bumped from v1.0.1 to v1.1.0 for cross-workflow version consistency.

• golang/govulncheck-action in push and PR validation now passes explicit go-package, cache enablement, and cache-dependency-path inputs to match the required workflow pattern.

• CLI/core wiring now injects stdin through core.NewApp, main owns the GIT_TERMINAL_PROMPT=0 side effect, and Rc force handling is passed per call instead of mutating shared app state.

• Core filesystem and git error paths now wrap underlying failures with command-specific context across listing, generation, tracking, linking, rc hook execution, and destroy confirmation flows.

• Gosec compliance updated for intentional command execution paths: Open() now documents both G702 and G204 suppression rationale, and fixed-git helper invocations include explicit G204 justifications.

• PR validation badge upload now runs only when coverage.out exists, preventing downstream badge artefact failures while still allowing PR decoration to run on failed jobs.

• PR validation now keys coverage badge upload off the coverage step outcome and performs changelog gate validation in a native workflow step; decorate-pr changelog gating is disabled to bypass the broken internal extractor action.

• Push validation now triggers on all branches, not only main.

• README badge link target updated to actions/runs/latest?workflow=... format per workflow standards.

• CI security scanning now uses GitHub Marketplace actions (securego/gosec and golang/govulncheck-action) instead of manual tool installation, improving reliability and caching.

• CI setup compatibility fix: gosec scanner now references the correct public action source (securego/gosec), resolving action clone failures in Gitea runners.

• CI security scanner compatibility: gosec and govulncheck action steps now set GOTOOLCHAIN=auto so repositories requiring newer Go versions are analyzed successfully.

• Code formatting validation added to CI pipelines: pushes and pull requests with code not matching go fmt ./... output will be rejected.

• Applied go fmt normalization to core tests (list_test.go and track_test.go) to satisfy the new formatting gate.

• Dependencies updated to resolve security vulnerabilities: cloudflare/circl to v1.6.3, go-git/v5 to v5.17.0, golang.org/x/crypto to v0.49.0, and golang.org/x/net to v0.52.0.

• CI workflows now include explicit caching for Go modules and build artifacts to reduce pipeline execution time.

• Security hardening: file and directory creation now uses restrictive permissions (0o750 for directories, 0o600 for files) instead of world-accessible defaults. Executable wrapper scripts are created with restricted permissions and then explicitly made executable via chmod.

• Security: Open() now executes the editor directly without shell intermediary to prevent injection through the $EDITOR environment variable.

• CI validation now runs gosec and govulncheck security scanning on push and pull request workflows.

• cmd/homesick now includes entrypoint-focused tests that exercise both the CLI run path and main process path.

• rc command: executes all executable scripts inside a castle's .homesick.d/ directory in sorted order, with the castle root as the working directory. stdout/stderr from each script is forwarded to the caller.

• rc command: when a .homesickrc file exists and no parity.rb wrapper is present in .homesick.d/, a Ruby wrapper script (parity.rb) is generated automatically to preserve backwards compatibility. An existing parity.rb is never overwritten.

• exec command: runs a shell command inside the target castle root directory.

• exec_all command: runs a shell command inside each cloned castle root directory in sorted order.

• pull --all support: pulls updates for every cloned castle in sorted order.

• rc --force support: legacy .homesickrc compatibility hooks now require explicit force mode before execution.

• Global command flags restored: --pretend (with --dry-run alias) and --quiet.

• Native Go implementations for clone, link, unlink, track, pull, push, commit, destroy, cd, open, and generate.

• Containerized behavior test suite for command parity validation.

• Dedicated test suites for list, show_path, status, diff, and version.

• Just workflow support for building and running the Linux behavior binary.

• Coverage reports and badges published to shared object storage for branches and pull requests.

• Pull requests now receive coverage report links in CI comments.

• Automated release orchestration now runs through vociferate prepare and publish workflows.

• symlink command alias compatibility for link.

Changed

• Release automation now uses aether/vociferate prepare and publish actions (pinned to v1.0.1) instead of repository-local releaseprep wrappers.
• Push and pull request validation now enforce per-package coverage gates (fail below 50%) and publish package-level coverage status tables in workflow summaries.
• Push and pull request validation now verify module hygiene (go mod tidy, go mod verify) and use a dedicated summary-file pattern with a final always-run summary step.
• CLI argument parsing migrated to Kong.
• Git operations for clone and track migrated to go-git.
• Build and behavior workflows now produce and run the gosick binary name.
• CI validation is unified into push events, running behavior tests only on main pushes.
• Gitea CI workflows now cache Go modules and build artifacts using a shared runner tool cache.
• Gitea workflow and README badge updated from push-unit-tests to push-validation.
• CLI help now uses the invoked binary name (defaulting to gosick) in usage output.
• CLI help description now reflects Homesick's purpose for managing precious dotfiles.
• Release notes standardized to Keep a Changelog format.
• commit command now accepts legacy positional form commit <castle> <message> in addition to -m.
• destroy now prompts for confirmation by default and preserves the castle when declined.

Fixed

• status and diff now consistently write through configured app output writers.
• pull --all output now includes per-castle prefixes to match behavior expectations.
• Behavior-suite container now includes Ruby so .homesickrc parity wrapper execution works under rc --force.

Removed

• Legacy script/prepare-release.sh releaseprep wrapper and its dedicated script test.
• Legacy Ruby implementation and Ruby toolchain.
• Legacy in-repository releaseprep package and command implementation, now superseded by the standalone vociferate tool.

[1.1.6] - 2017-12-20

Fixed

• Ensure FileUtils is imported correctly to avoid a potential error.
• Fix an issue where comparing a diff did not use the content of the new file.

Changed

• Small documentation fixes.

[1.1.5] - 2017-03-23

Fixed

• Problem with version number being incorrect.

[1.1.4] - 2017-03-22

Fixed

• Ensure symlink conflicts are explicitly communicated to users and symlinks are not silently overwritten.
• Fix a problem in diff when asking a user to resolve a conflict.

Changed

• Use real paths of symlinks when linking a castle into home.
• Code refactoring and fixes.

[1.1.3] - 2015-10-31

Added

• Allow a destination to be passed when cloning a castle.

Fixed

• Make sure homesick edit opens the default editor in the root of the given castle.
• Bug when diffing edited files.
• Crashing bug when attempting to diff directories.
• Ensure that messages are escaped correctly on git commit all.

[1.1.2] - 2015-01-02

Added

• --force option to the rc command to bypass confirmation checks when running a .homesickrc file.
• Check to ensure that at least Git 1.8.0 is installed.

Fixed

• Stop Homesick failing silently when Git is not installed.

Changed

• Code refactoring and fixes.

[1.1.0] - 2014-04-28

Added

• exec and exec_all commands to run commands inside one or all cloned castles.

Changed

• Code refactoring.

[1.0.0] - 2014-01-15

Added

• version command.

Removed

• Support for Ruby 1.8.7.

[0.9.8] - 2014-01-02

Added

• homesick cd command.
• homesick open command.

[0.9.4] - 2013-07-31

Added

• homesick unlink command.
• homesick rc command.

Changed

• Use HTTPS protocol instead of git protocol.

[0.9.3] - 2013-07-07

Added

• Recursive option to homesick clone.

[0.9.2] - 2013-06-27

Added

• homesick show_path command.
• homesick status command.
• homesick diff command.

Changed

• Set dotfiles as default castle name.

[0.9.1] - 2013-06-17

Fixed

• Small bugs: #35, #40.

[0.9.0] - 2013-06-06

Added

• .homesick_subdir (#39).

[0.8.1] - 2013-05-19

Fixed

• homesick list bug on Ruby 2.0 (#37).

[0.8.0] - 2013-04-06

Added

• commit and push command.
• Commit changes in a castle and push to remote.
• Enable recursive submodule update.
• Git add when using track.

[0.7.0] - 2012-05-28

Added

• New option for pull command: --all.
• Pull each castle instead of just one.

Fixed

• Double-cloning (#14).

[0.6.1] - 2010-11-13

Added

• License.

[0.6.0] - 2010-10-27

Added

• .homesickrc support.
• Castles can now have a .homesickrc inside them.
• On clone, this is eval'd inside the destination directory.
• track command.
• Allows easily moving an existing file into a castle and symlinking it back.

[0.5.0] - 2010-05-18

Added

• homesick pull <CASTLE> for updating castles (thanks Jorge Dias).
• A very basic homesick generate <CASTLE>.

Fixed

• Listing of castles cloned using homesick clone <github-user>/<github-repo> (issue 3).

[0.4.1] - 2010-04-02

Fixed

• Improve error message when a castle's home dir does not exist.

[0.4.0] - 2010-04-01

Added

• homesick clone can take a path to a directory on the filesystem, which is symlinked into place.
• homesick clone tries to run git submodule init and git submodule update if git submodules are defined for a cloned repo.

Changed

• Use HOME environment variable for where to store files, instead of assuming ~.

Fixed

• Missing dependency on thor and others.

[0.3.0] - 2010-04-01

Changed

• Rename link to symlink.

Fixed

• Conflict resolution when symlink destination exists and is a normal file.

[0.2.0] - 2010-03-19

Added

• Better support for recognizing git URLs (thanks jacobat).
• If it looks like a GitHub user/repo, use that.
• Otherwise hand off to git clone.
• Listing now displays in color and shows git remote.
• Support pretend, force, and quiet modes.

[0.1.1] - 2010-03-17

Fixed

• Trying to link against castles that do not exist.
• Linking now excludes . and .. from the list of files to link (thanks Martinos).

[0.1.0] - 2010-03-10

Added

• Initial release.