Skip to content

Releases: boinger/confvis

v1.4.0

Choose a tag to compare

@github-actions github-actions released this 16 Jun 21:31

What's Changed

  • ci(deps): bump github/codeql-action from 4.35.1 to 4.35.2 by @dependabot[bot] in #24
  • ci(deps): bump actions/setup-go from 6.3.0 to 6.4.0 by @dependabot[bot] in #22
  • ci(deps): bump SonarSource/sonarqube-scan-action from 7.0.0 to 7.1.0 by @dependabot[bot] in #23
  • ci(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.1.0 by @dependabot[bot] in #25
  • ci(deps): bump aquasecurity/trivy-action from 0.35.0 to 0.36.0 by @dependabot[bot] in #26
  • ci(deps): bump github/codeql-action from 4.35.2 to 4.36.0 by @dependabot[bot] in #32
  • ci(deps): bump goreleaser/goreleaser-action from 7.1.0 to 7.2.2 by @dependabot[bot] in #33
  • ci(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 by @dependabot[bot] in #35
  • ci(deps): bump codecov/codecov-action from 6.0.0 to 7.0.0 by @dependabot[bot] in #31
  • ci(deps): bump SonarSource/sonarqube-scan-action from 7.1.0 to 8.1.0 by @dependabot[bot] in #34

Full Changelog: v1.3.1...v1.4.0

v1.3.1

Choose a tag to compare

@github-actions github-actions released this 20 Apr 17:22

v1.3.1

Fixes

  • fix(history): PruneRef now uses compare-and-swap when writing the
    pruned ref, matching AppendToRef's existing pattern. Previously a
    concurrent AppendToRef between PruneRef's read and write would
    silently lose the appended entry. PruneRef now returns
    gitutil.ErrRefConflict on conflict; the CLI caller treats this as
    benign (the append succeeded, next run will prune).

v1.3.0

Choose a tag to compare

@github-actions github-actions released this 18 Apr 17:10

v1.3.0

  • Strict JSON/YAML config parsing: confvis now rejects unknown fields in
    confidence.json / confidence.yaml configs. Typos like 'thresholdd: 80'
    that previously parsed silently to 'Threshold: 0' now error out with a
    message naming the unknown field. Any config carrying non-schema
    metadata fields will break and needs those fields removed.

  • History retention default: the new --history-max-entries flag on
    'confvis gauge' defaults to 5000. Long-lived history files larger than
    5000 entries will be pruned to the most recent 5000 on the next run.
    Pass --history-max-entries=-1 or 0 to restore unbounded behavior.

  • feat(history): cap history growth via Prune/PruneRef helpers + new
    --history-max-entries flag, covering both file-backed and git-ref-
    backed history storage.

  • fix(confidence): Report now accepts the documented Passed/Baseline/
    Delta emit-json output fields on input, so 'confvis aggregate
    --emit-json ... | confvis baseline save' round-trips cleanly.

  • fix(checks): escape markdown metacharacters (|, newline, backtick) in
    the GitHub Checks summary so report titles/factor names with
    punctuation no longer break the rendered table.

  • fix(deps): bump Go toolchain to 1.26.2 to pick up stdlib security
    fixes (5 callable CVEs in crypto/tls, crypto/x509, html/template).

  • chore(infra): pin docker-compose SonarQube image by sha256 digest.

  • test(trufflehog): cover Source.Fetch via mock bash script (package
    coverage 60.9% -> 92.8%).

  • internal/confidence.Report.Passed() renamed to IsPass() to free the
    Passed field name for the documented JSON output shape. Not a public
    API break (internal/ package).

v1.2.2

Choose a tag to compare

@github-actions github-actions released this 25 Feb 03:24

Full Changelog: v1.2.1...v1.2.2

v1.2.0

Choose a tag to compare

@github-actions github-actions released this 25 Feb 00:25

Full Changelog: v1.1.3...v1.2.0

v1.1.3

Choose a tag to compare

@github-actions github-actions released this 21 Feb 04:07

What's Changed

  • ci(deps): bump github/codeql-action from 4.32.1 to 4.32.2 by @dependabot[bot] in #8
  • ci(deps): bump SonarSource/sonarqube-scan-action from 6.0.0 to 7.0.0 by @dependabot[bot] in #9
  • ci(deps): bump aquasecurity/trivy-action from 0.33.1 to 0.34.0 by @dependabot[bot] in #10
  • ci(deps): bump github/codeql-action from 4.32.2 to 4.32.3 by @dependabot[bot] in #11

Full Changelog: v1.1.2...v1.1.3

v1.1.2

Choose a tag to compare

@boinger boinger released this 06 Feb 03:34

What's Changed

New Sources

  • CodeQL, GitLeaks, TruffleHog, and Gosec integrations — four new security scanning sources join the lineup, each with full severity-based scoring
  • Coveralls integration — coverage metrics from Coveralls alongside the existing Codecov support

Bug Fixes

  • Paginate Dependabot alerts — repositories with more than 100 open vulnerabilities now report all alerts instead of silently truncating at the first page
  • Paginate GitHub Actions workflow runs — cap and paginate to avoid incomplete run data
  • Consistent Codecov rounding — coverage scores now use uniform rounding instead of truncation
  • Validate CLI tool output — binary-runner sources now check for valid JSON before parsing, producing clearer errors when tools emit unexpected output
  • Warn on unknown severity strings — unrecognized severity levels in source count functions are surfaced as warnings instead of silently dropped
  • Fix CodeQL badge URL — corrected the README badge link for CodeQL scanning results
  • Address SonarCloud security hotspot — resolved a flagged hotspot in shared utilities

Internal / Code Quality

  • Generic source implementations — introduced shared fetch-flow engines for GitHub alerts and coverage sources; individual sources (Dependabot, CodeQL, Coveralls, Codecov) are now thin configuration wrappers with source-specific callbacks, cutting structural duplication significantly
  • Extract shared utilities — consolidated repeated patterns (config resolution, HTTP client setup, repo parsing) into reusable helpers across two refactoring passes
  • Tighten API surface — unexported package-internal helper functions and constants across source packages
  • Comprehensive test coverage — added dedicated tests for generic source packages, bringing coverage to 100% (coverage pkg) and 98.3% (githubalerts pkg)

v1.1.1

Choose a tag to compare

@boinger boinger released this 05 Feb 15:03

What's Changed

Bug Fixes

  • Surface silent failures — SonarQube metric conversion errors now warn to stderr instead of silently dropping factors; glob patterns with metacharacters that match no files produce errors; invalid weight suffixes in config paths are rejected
  • Fix sparkline division-by-zero — single-score sparklines no longer panic
  • Distinguish GitHub env errors — "no PR in event" is no longer conflated with file read/parse failures in LoadGitHubEnvWithPR
  • Remove residual dead code — deleted orphaned quality gate handler and stale snyk comment left after earlier refactors

Improvements

  • GitHub comment pagination — FindComment and FindAllConfvisComments now paginate (per_page=100) instead of only scanning the first page
  • Dashboard CSS namespacing — all fragment CSS classes prefixed with confvis- to prevent style leakage when embedded
  • Better error messages — file format hints included when extensions are unrecognized; stderr warnings when GitHub env loading fails with a provided token

Internal / Code Quality

  • Extract internal/gitutil package — shared git helpers (ResolveGitPath, IsGitRepo, RefExists, CommandTimeout) consolidated from duplicate implementations in baseline and history
  • Deduplicate types and helpers — IssueCounts consolidated into scoring.SeverityCounts, checks.ParseRepository replaced by repoparse.Parse, new sources.ResolveCommand helper, gauge.ColorOptions embedded struct
  • Unexport package-internal symbols — 24 functions/constants across gauge, baseline, history, and sonarqube narrowed from exported to unexported, tightening the public API surface
  • Remove dead code — unused Parse()/ParseFile() wrappers, FetchQualityGate()/ProjectURL(), ConclusionScore(), orphaned types and test handlers
  • Fix errcheck compliance — bare fmt.Fprintf calls wrapped; discarded viper.BindPFlag errors replaced with must() panics
  • Rename MustParse to ParseDefault — aligns with Go convention (Must* implies panic)
  • Derive SonarQube metric keys from metricMappings — eliminates drift between the mapping table and the key list
  • Validation in scoring.BuildReport — catches programming errors at construction time

Full Changelog: v1.1.0...v1.1.1

v1.1.0

Choose a tag to compare

@boinger boinger released this 05 Feb 05:54

What's Changed

Features

  • Embeddable dashboard fragments--fragment flag outputs HTML without DOCTYPE wrapper for embedding in Confluence, wikis, or iframes
  • --emit-json for aggregate — write structured JSON alongside visual output for CI/CD pipelines
  • Score-of-zero fix — a score of 0 is no longer silently overwritten when factors are present

Improvements

  • Adaptive dashboard layout based on report count
  • Factor threshold highlighting with pass/fail coloring
  • SVG rendering fixes (transparent backgrounds, proper viewBox scaling)
  • 90%+ test coverage, <1% duplication

Bug Fixes

  • SonarCloud badge links now show overall project metrics (instead of new-code-only)
  • Factor thresholds validated to 0–100 range

Full Changelog: v1.0.1...v1.1.0

v1.0.1

Choose a tag to compare

@github-actions github-actions released this 04 Feb 23:52

What's Changed

Bug Fixes

  • Address LLM review findings for sorting, action efficiency, and error handling

Documentation

  • Add llms.txt for AI tool integration
  • Add JSON Schema for confidence.json validation
  • Add missing sources to README and llms.txt
  • Update README with GitHub Marketplace badge
  • Documentation cleanup and fixes

Internal Improvements

  • Consolidate vulnerability penalty/weight constants in scoring package
  • Add race detection to CI
  • Add tests for EmitJSON and verify Names() sorting

Full Changelog: v1.0.0...v1.0.1