# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [0.0.13] - 2026-07-08
### Added
- ๐ **Auto-Mitigation & PR Creation**: Added a new `pr-create` subcommand to automatically run pinning on workflows, create a git branch, commit changes, push to the remote repository, and open a Pull Request (GitHub) or Merge Request (GitLab) via REST API.
- ๐ฌ **Preceding Comments Support**: Added surgical updating of version-only preceding line comments (e.g. `# v1` -> `# v2`) above workflow dependencies.
- ๐ **SBOM Exporting**: Added an SBOM exporter (`export_sbom`) to output dependencies in CycloneDX format.
- ๐ก **Enterprise & Test API Overrides**: Added `PINNER_GITHUB_URL` and `PINNER_GITLAB_URL` environment variable overrides to allow target host configuration (including Mockito testing).
- ๐ท๏ธ **Dynamic Release Version Badge**: Replaced the static release tag in documentation and landing pages with an asynchronous lookup to the GitHub Releases API (with instant local fallback).
### Changed
- ๐งช **Pipeline Test Coverage Boost**: Added robust unit and integration testing blocks for Git PR creation flow, project initialization (`init`), and SBOM generation, boosting total line coverage to `87.15%` (logical ~100% coverage ceiling).
### Fixed
- ๐ก๏ธ **Vulnerability Resolution**: Upgraded `crossbeam-epoch` to `0.9.20` to resolve pointer dereferencing vulnerability `RUSTSEC-2026-0204`.
## [0.0.12] - 2026-06-27
### Added
- ๐พ **Cache Controls Override**: Added `--no-cache` global flag (env `PINNER_NO_CACHE`) to completely bypass persistent cache and `--cache-ttl` global option (env `PINNER_CACHE_TTL`) to customize cache validation duration.
- ๐ซ **Mutual Parameter Validation**: Validated that `--no-cache` and `--cache-ttl` cannot be used together.
### Changed
- ๐ ๏ธ **Dependency Bumps**:
- Upgraded `toml_edit` to `0.25.12+spec-1.1.0`.
- Upgraded `actions/checkout` from `v6.0.3` to `v7.0.0` in CI/CD workflows.
- Upgraded `taiki-e/install-action` from `2.82.0` to `2.82.2`.
- ๐ **Documentation Improvements**: Refactored landing pages using reusable custom Web Components, extracted shared styles, aligned content with version 0.0.12, and optimized SEO metadata.
### Fixed
- ๐ก๏ธ **Vulnerability Resolution**: Upgraded `quinn-proto` to `0.11.15` to resolve security vulnerability `RUSTSEC-2026-0185`.
## [0.0.11] - 2026-06-20
### Added
- ๐ก๏ธ **Vulnerability and Strictness Checks in Verification**: Added `--check-osv` and `--strict` options to the `verify` command to query the OSV database for known vulnerabilities/compromised hashes and fail verification if dependencies are not explicitly vetted.
- ๐ **Global Configuration Support**: Automatically load and merge user configurations from global paths (e.g., config and home directories).
- ๐ **CircleCI Token Configuration**: Added support for the `CIRCLECI_TOKEN` environment variable to configure the GraphQL API token.
### Changed
- ๐ ๏ธ **CLI Scoping and Refinements**:
- Relocated `--upgrade-strategy` from a global option to a subcommand-specific argument for the `upgrade` and `scan` commands.
- Added mutual exclusion check between `--quiet` and `--verbose`.
- Added mutual dependency validation for `--oci-username` and `--oci-password`.
- Deprecated and removed the global `--json` flag (use `--format json` instead).
- Aligned environment variables for OCI registry to use `PINNER_OCI_USERNAME` and `PINNER_OCI_PASSWORD`.
- ๐ฆ **Compact Configuration Format**: Serialized the `.pinner.toml` config's `vetted` and `compromised` security lists as compact inline arrays instead of verbose tables.
### Fixed
- ๐ณ **Docker Port Registry Parsing**: Fixed a parsing issue where Docker image tags containing registry hosts with custom ports (e.g. `localhost:5000/my-image:v1.0.0`) were parsed incorrectly.
- ๐งช **Offline Mode Safeguards**: Added validation checks to prevent running online-only operations like OSV checks and scans in offline mode.
## [0.0.10] - 2026-06-19
### Added
- ๐พ **Persistent Disk Caching**: Added persistent disk caching via `cacache` to drastically reduce API requests across runs.
- ๐ก๏ธ **OCI Provenance Verification**: Implemented OCI image provenance verification (Sigstore/Cosign structural integration).
- ๐ **OCI Credential Lookup**: Added automatic OCI credential lookup using `docker-credential-helpers`.
- โ๏ธ **AWS ECR & Azure Marketplace**: Added AWS ECR and Azure Marketplace resolvers, and optimized CircleCI support.
- ๐ **CircleCI Orb Upgrades**: Added support for upgrading CircleCI orbs via GraphQL API.
- ๐ **Auto-Shell Detection**: Implemented automatic shell detection for the `generate-completion` command.
- ๐ **Release Automation**: Added a reliable `scripts/release.sh` utility to automate version bumping, verification, and tagging.
- ๐ก๏ธ **Tag Safety Verification**: Added CI step to prevent releasing tags that do not match the version specified in `Cargo.toml`.
### Changed
- ๐ฑ Improved mobile responsiveness of the documentation landing site.
- ๐ Aligned documentation and README with actual CLI subcommands.
- โ๏ธ Enhanced GitLab, Forgejo, and CircleCI provider configurations.
- ๐งน Cleaned up dependencies and updated `deny.toml` rules.
### Fixed
- ๐ Fixed broken license badge and updated badge style.
- ๐ Fixed bugs in repository/tag resolution and version tag comparisons.
- ๐งช Fixed unused variable warnings in tests.
## [0.0.6] - 2026-06-16
### Added
- Git pre-commit hook installation via `pinner install-hook`.
### Changed
- โก **Performance**: 30x speedup in YAML parsing by caching `TSParser` in thread-local storage.
- โก **Performance**: Optimized concurrent execution by wrapping Rayon calls in `tokio::task::spawn_blocking`.
- Improved error handling for `ReqwestGithubProvider` and better retry policies.
- Enhanced GitLab project resolution and added exhaustive unit tests.
### Fixed
- Fixed a panic during reqwest client initialization on some platforms.
- Fixed git hook installation when `.git/hooks` directory is missing.
## [0.0.5] - 2026-06-13
### Changed
- Modernized landing page and documentation to reflect multi-forge support.
- Grouped CLI options into configuration structs to address architectural concerns.
- Synchronized installation commands across all platforms for better reliability.
## [0.0.4] - 2026-06-13
### Added
- New `verify` subcommand to ensure all actions in workflows are correctly pinned (ideal for CI).
- New `generate-completion` subcommand to generate shell autocompletion scripts.
- Support for `.pinner.toml` configuration file for repo-wide settings (ignore lists, concurrency, custom URLs).
- Support for GitHub Enterprise via `--github-url` flag or `GITHUB_URL` environment variable.
- New `--json` output flag for machine-readable results.
- Advanced `upgrade` strategies: `latest`, `major`, `minor`, and `commit`.
- Support for pinning Docker-based actions (`docker://...`).
### Changed
- Migrated from Regex-based parsing to `tree-sitter-yaml` for surgical precision and better comment/formatting preservation.
- Improved progress reporting with multi-threaded execution.
- Enhanced CLI with more descriptive help and global flags.
- Refactored core logic to support multiple git forges (GitHub, GitLab, Bitbucket, Forgejo).
- Deduplicated HTTP client and improved error handling across all repository providers.
- Increased overall test coverage to >90%.
## [0.0.3] - 2026-06-10
### Fixed
- CI: Refactored release workflow to prevent race conditions in parallel jobs by using a dedicated `create-release` job.
## [0.0.2] - 2026-06-09
### Fixed
- CI: Removed unsupported FreeBSD targets from release matrix.
- CI: Fixed `upload-rust-binary-action` version and archive naming.
## [0.0.1] - 2026-06-09
### Added
- Initial release of `pinner`.
- Core pinning logic using Regex-based parsing to preserve YAML comments and formatting.
- `pin` subcommand to convert mutable tags to immutable commit SHAs.
- `upgrade` subcommand to update actions to their latest release or commit.
- `set` subcommand to forcibly update a specific action across all workflows.
- Comprehensive test suite with offline mocking and HTTP interception.
- GitHub API integration with rate limit handling via `GITHUB_TOKEN`.
- Support for multiple workflow paths and dry-run mode.