serviceuser
released this
2026-03-21 20:16:35 +00:00
| 12 commits to main since this release
[1.1.0] - 2026-03-21
Breaking
Added
- Added changelog gate validation to
decorate-pr action for enforcing changelog updates on qualifying code changes.
- Changelog gate modes:
strict (fails job on violation) and soft (warns via PR comment).
- Docs-only PR exemption with customizable glob patterns for documentation files.
- PR label-based exemptions for changelog gate (example:
skip-changelog).
- Precise diff parsing: validates only added lines within the Unreleased section.
- Gate decision outputs:
gate-passed, docs-only, unreleased-additions-count, gate-failure-reason for reuse downstream.
- Integrated remediation guidance in PR comments showing how to add changelog entries.
Changed
- Refactored
internal/vociferate to use a constructor-backed service with injected filesystem, environment, and git dependencies while preserving the existing package-level API.
- Hardened
prepare-release validation to enforce formatting checks, module hygiene, gosec, and govulncheck before preparing a release.
- Added matching local validation targets in
justfile for formatting, module hygiene, tests, and security checks.
decorate-pr now reads Unreleased changelog content through the vociferate Go CLI instead of maintaining separate shell parsing logic in the composite action.publish now extracts tagged release notes through the vociferate Go CLI instead of duplicating changelog section parsing in shell.- Composite actions now share a centralized
run-vociferate orchestration flow, with binary-versus-source execution delegated through shared composite actions and single-use runtime/download logic folded back into run-vociferate.binary.
run-vociferate now contains both binary and source execution flows directly in a single action implementation, removing nested local action wrappers for better runner compatibility.- Release automation now requires
secrets.RELEASE_PAT for prepare/publish/do-release operations instead of defaulting to GITHUB_TOKEN/GITEA_TOKEN.
Removed
Fixed
- Prevented
govulncheck-action from defaulting to setup-go version stable by explicitly setting go-version-file and disabling check-latest, avoiding unauthenticated GitHub API rate-limit failures on self-hosted/act-style runners.
- Made
do-release version resolution resilient to workflow_call input passing issues by adding a separate tag detection step that fetches and discovers the latest tag from origin as a fallback when inputs.tag is empty, enabling proper operation even when Gitea's workflow_call doesn't pass inputs through correctly.
- Fixed version resolution in
do-release workflow by moving version calculation before checkout, resolving from inputs/git tags, and always passing explicit version to publish action.
- Fixed tag detection in
do-release to prioritize the tag at current HEAD (created by prepare-release) over the globally latest tag, ensuring correct version is detected when called from prepare-release workflow.
- Fixed
do-release workflow_call resolution on Teacup runners by explicitly falling back to needs.prepare.outputs.tag and normalizing %!t(string=...) wrapped values before choosing a release tag.
- Fixed release-chain triggering by using a PAT for release commit/tag pushes so downstream release workflows are triggered reliably.
- Made
publish action version resolution more robust with clearer error messages when version input is missing and workflow is not running from a tag push.
- Fixed
do-release workflow to always checkout the resolved release tag, eliminating conditional checkout logic that could skip the checkout when called from prepare-release workflow.
- Pinned
securego/gosec and golang/govulncheck-action to concrete version tags (v2.22.4 and v1.0.4) so self-hosted Gitea runners can resolve them via direct git clone without relying on the GitHub Actions floating-tag API.
- Restored explicit gosec caching by storing a pinned
v2.22.4 binary under ${{ runner.temp }}/gosec-bin with actions/cache@v4, so CI keeps fast security scans while still using the Go 1.26 toolchain from setup-go.
- Replaced
securego/gosec composite action with a direct go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4 && gosec ./... run step so gosec uses the Go 1.26 toolchain installed by setup-go rather than the action's bundled Go 1.24 binary which ignores GOTOOLCHAIN=auto.
- Fixed nested local composite-action references to use repository-local
./run-vociferate paths so strict runners do not misparse parent-directory (../) action references as malformed remote coordinates.
- Consolidated
run-vociferate binary and source execution flows directly into the main run-vociferate action to avoid nested local-action path resolution issues on strict runners.
- Hardened workflow module hygiene by retrying
go mod verify after a module-cache refresh (go clean -modcache + go mod download) when runners report modified cached dependency directories.
Downloads