# Changelog All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). A `### Breaking` section is used in addition to Keep a Changelog's standard sections to explicitly document changes that are backwards-incompatible but would otherwise appear under `### Changed`. Entries under `### Breaking` trigger a major version bump in automated release recommendation logic. ## [Unreleased] ### Breaking ### Added - Extracted `coverage-gate` action and tool from Cue for reuse across Æther projects. - Coverage gate now available as reusable composite action with JSON metrics output (`passes`, `total_coverage`, `packages_checked`, `packages_failed`). - Support for per-package coverage threshold policy via JSON configuration in `coverage-gate` tool. ### Changed ### Removed ### Fixed - Hardened `coverage-gate` file input handling by validating and normalizing policy/profile paths before opening files, resolving `G304` findings in `coverage-gate/parse.go`. - Made release binary builds resilient when `upx` is unavailable by falling back to uncompressed artifacts in both `release.yml` and `update-release.yml`. ## [1.1.0] - 2026-03-21 ### Breaking ### Added - Added changelog gate validation to `decorate-pr` action for enforcing changelog updates on qualifying code changes. - Changelog gate modes: `strict` (fails job on violation) and `soft` (warns via PR comment). - Docs-only PR exemption with customizable glob patterns for documentation files. - PR label-based exemptions for changelog gate (example: `skip-changelog`). - Precise diff parsing: validates only added lines within the Unreleased section. - Gate decision outputs: `gate-passed`, `docs-only`, `unreleased-additions-count`, `gate-failure-reason` for reuse downstream. - Integrated remediation guidance in PR comments showing how to add changelog entries. ### Changed - Refactored `internal/vociferate` to use a constructor-backed service with injected filesystem, environment, and git dependencies while preserving the existing package-level API. - Hardened `prepare-release` validation to enforce formatting checks, module hygiene, `gosec`, and `govulncheck` before preparing a release. - Added matching local validation targets in `justfile` for formatting, module hygiene, tests, and security checks. - `decorate-pr` now reads Unreleased changelog content through the `vociferate` Go CLI instead of maintaining separate shell parsing logic in the composite action. - `publish` now extracts tagged release notes through the `vociferate` Go CLI instead of duplicating changelog section parsing in shell. - Composite actions now share a centralized `run-vociferate` orchestration flow, with binary-versus-source execution delegated through shared composite actions and single-use runtime/download logic folded back into `run-vociferate.binary`. - `run-vociferate` now contains both binary and source execution flows directly in a single action implementation, removing nested local action wrappers for better runner compatibility. - Release automation now requires `secrets.RELEASE_PAT` for prepare/publish/do-release operations instead of defaulting to `GITHUB_TOKEN`/`GITEA_TOKEN`. - Renamed the reusable Gitea workflows to `release.yml` and `update-release.yml`, and inlined release publication into the main `release` workflow for clearer per-step job output. - Release binary builds now compress published linux artifacts with UPX before checksum generation and upload. ### Removed ### Fixed - Prevented `govulncheck-action` from defaulting to `setup-go` version `stable` by explicitly setting `go-version-file` and disabling `check-latest`, avoiding unauthenticated GitHub API rate-limit failures on self-hosted/act-style runners. - Made `do-release` version resolution resilient to `workflow_call` input passing issues by adding a separate tag detection step that fetches and discovers the latest tag from origin as a fallback when `inputs.tag` is empty, enabling proper operation even when Gitea's workflow_call doesn't pass inputs through correctly. - Fixed version resolution in `do-release` workflow by moving version calculation before checkout, resolving from inputs/git tags, and always passing explicit version to `publish` action. - Fixed tag detection in `do-release` to prioritize the tag at current HEAD (created by `prepare-release`) over the globally latest tag, ensuring correct version is detected when called from `prepare-release` workflow. - Fixed `do-release` workflow_call resolution on Teacup runners by explicitly falling back to `needs.prepare.outputs.tag` and normalizing `%!t(string=...)` wrapped values before choosing a release tag. - Fixed release-chain triggering by using a PAT for release commit/tag pushes so downstream release workflows are triggered reliably. - Made `publish` action version resolution more robust with clearer error messages when version input is missing and workflow is not running from a tag push. - Fixed `do-release` workflow to always checkout the resolved release tag, eliminating conditional checkout logic that could skip the checkout when called from `prepare-release` workflow. - Pinned `securego/gosec` and `golang/govulncheck-action` to concrete version tags (`v2.22.4` and `v1.0.4`) so self-hosted Gitea runners can resolve them via direct git clone without relying on the GitHub Actions floating-tag API. - Restored explicit gosec caching by storing a pinned `v2.22.4` binary under `${{ runner.temp }}/gosec-bin` with `actions/cache@v4`, so CI keeps fast security scans while still using the Go 1.26 toolchain from `setup-go`. - Replaced `securego/gosec` composite action with a direct `go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4 && gosec ./...` run step so gosec uses the Go 1.26 toolchain installed by `setup-go` rather than the action's bundled Go 1.24 binary which ignores `GOTOOLCHAIN=auto`. - Fixed nested local composite-action references to use repository-local `./run-vociferate` paths so strict runners do not misparse parent-directory (`../`) action references as malformed remote coordinates. - Consolidated `run-vociferate` binary and source execution flows directly into the main `run-vociferate` action to avoid nested local-action path resolution issues on strict runners. - Hardened workflow module hygiene by retrying `go mod verify` after a module-cache refresh (`go clean -modcache` + `go mod download`) when runners report modified cached dependency directories. - Synced `update-release.yml` with the active release pipeline fixes for Teacup-wrapped outputs, release-id normalization, upload endpoint validation, and accurate success or failure summaries. ## [1.0.2] - 2026-03-21 ### Breaking ### Added ### Changed - Documented release/PR-decoration preflight token and API-access checks, including `GITHUB_TOKEN`/`GITEA_TOKEN` behavior for self-hosted Gitea. ### Removed ### Fixed ## [1.0.1] - 2026-03-21 ### Breaking ### Added ### Changed ### Removed ### Fixed - Enforced explicit `https://` changelog reference links in prepare output for browser-safe markdown links. ## [1.0.0] - 2026-03-21 ### Breaking ### Added ### Changed - Canonical changelog filename is now `CHANGELOG.md`, and action/code defaults were updated to match. - README now uses `Æther` stylization in prose and corrects released-tag guidance wording. ### Removed ### Fixed ## [0.2.0] - 2026-03-21 ### Breaking ### Added - Added a project LICENSE file. - Root and prepare actions now read `${{ vars.VOCIFERATE_REPOSITORY_URL }}` and forward it to `VOCIFERATE_REPOSITORY_URL` for repository URL override. - Added a published `coverage-badge` composite action for generating and uploading coverage report/badge artefacts for reuse across repositories. - Added `AGENTS.md`, an explicit integration guide for agentic coding partners using vociferate composite actions. ### Changed - Push validation now handles coverage artefact and badge generation in a dedicated `coverage-badge` job, with release recommendation isolated in a separate dependent job. - Push validation now calls the reusable `./coverage-badge` composite action for coverage badge generation and publication. ### Removed ### Fixed - Browser-facing URLs emitted in generated changelog links, workflow summaries, and markdown now use explicit `https://` forms. - Release workflows now collect summary markdown into portable temp files and print it in explicit `Summary` steps instead of relying on unsupported `GITHUB_STEP_SUMMARY` output. - Prepare now recreates the standard `Unreleased` section headers after promoting notes into a tagged release entry. - First-release recommendation remains `v1.0.0` when no prior releases exist in the changelog. - Do Release smoke validation now expects `--recommend` to fail on tagged release checkouts where `Unreleased` is intentionally empty. - Changelog reference links now use compare URLs (`previous...current` for releases and `latest...main` for Unreleased), with first release links comparing from the repository's first commit short hash. - Repository URL derivation now supports `VOCIFERATE_REPOSITORY_URL` as the highest-priority base-URL override for changelog link generation. ## [0.1.0] - 2026-03-20 ### Changed - README workflow badges now link to the latest workflow run pages instead of the workflow definition pages. ### Fixed - Publish action falls back to `git describe` when `inputs.version` is empty and `GITHUB_REF` is not a tag ref, resolving `workflow_call` input propagation failures in act runner v0.3.0. ### Added - Coverage badge in README linked to S3-hosted main-branch report. - S3 coverage artefact publishing (HTML report, badge, JSON summary) in push validation pipeline. - CLI tests and internal helper tests raising total coverage to 84%. - Test suite isolation against ambient CI environment variables for changelog link generation tests. - Go CLI for changelog-driven release preparation and semantic version recommendation. - Version recommendation from changelog release headings, including first-release support (`0.0.0` base -> `v1.0.0`). - Automatic `release-version` creation/update during release preparation. - Configurable version source/parsing via `--version-file` and `--version-pattern`. - Configurable changelog path via `--changelog`. - Recommended-version fallback when `version` is omitted in CLI and action flows. - Major-version recommendation trigger from `Unreleased` `### Breaking`. - Root composite action (`action.yml`) for recommend/prepare flows. - Subdirectory composite actions: `prepare/action.yml` (prepare/commit/tag/push) and `publish/action.yml` (extract notes/create-or-update release). - `publish` outputs for downstream automation: `release-id`, `tag`, and `version`. - Dual execution mode for actions: `go run` from source on `@main`, prebuilt binaries on tagged refs. - Repository-scoped binary cache keys with workflow-defined fixed token support via `VOCIFERATE_CACHE_TOKEN`. - Tag-driven release publication with idempotent release updates and asset replacement on reruns. - Release artifacts for `linux/amd64`, `linux/arm64`, and `checksums.txt`. - Reusable Gitea workflows (`prepare-release.yml`, `do-release.yml`) with `workflow_call` support. - Project/automation rename from `releaseprep` to `vociferate` (entrypoint, package paths, outputs). - README guidance focused on primary cross-repository reuse workflows. [Unreleased]: https://git.hrafn.xyz/aether/vociferate/compare/v1.1.0...main [1.1.0]: https://git.hrafn.xyz/aether/vociferate/compare/v1.0.2...v1.1.0 [1.0.2]: https://git.hrafn.xyz/aether/vociferate/compare/v1.0.1...v1.0.2 [1.0.1]: https://git.hrafn.xyz/aether/vociferate/compare/v1.0.0...v1.0.1 [1.0.0]: https://git.hrafn.xyz/aether/vociferate/compare/v0.2.0...v1.0.0 [0.2.0]: https://git.hrafn.xyz/aether/vociferate/compare/v0.1.0...v0.2.0 [0.1.0]: https://git.hrafn.xyz/aether/vociferate/compare/81dced6...v0.1.0