fix: resolve merge conflict in safePath combining segment validation with symlink resolution

Author: skyoo2003

.changie.yaml

@@ -0,0 +1,23 @@
+changesDir: changes
+unreleasedDir: unreleased
+headerPath: header.tpl.md
+changelogPath: CHANGELOG.md
+versionExt: md
+versionFormat: '## [{{ .Version }}](https://github.com/skyoo2003/devcloud/releases/tag/{{ .Version }}) - {{ .Time.Format "2006-01-02" }}'
+
+
+kindFormat: "### {{ .Kind }}"
+changeFormat: "* {{ .Body }} ([#{{ .Custom.Issue }}](https://github.com/skyoo2003/devcloud/issues/{{ .Custom.Issue }}))"
+kinds:
+  - label: Added
+  - label: Changed
+  - label: Deprecated
+  - label: Removed
+  - label: Fixed
+  - label: Security
+  - label: Documentation
+custom:
+  - key: Issue
+    label: Issue Number
+    type: int
+    minInt: 1

.github/workflows/cd.yml

@@ -25,31 +25,31 @@ jobs:
       github.event.workflow_run.conclusion == 'success' &&
       github.event.workflow_run.event == 'push'
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.event.workflow_run.head_sha }}
 
       - name: Docker metadata
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
         with:
           images: ghcr.io/${{ github.repository }}
           tags: |
             type=raw,value=latest,enable=${{ github.event.workflow_run.head_branch == 'main' }},suffix=-${{ matrix.arch }}
             type=raw,value=${{ github.event.workflow_run.head_branch }},enable=${{ startsWith(github.event.workflow_run.head_branch, 'v') }},suffix=-${{ matrix.arch }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Login to GHCR
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         with:
           context: .
           file: docker/Dockerfile
@@ -69,18 +69,18 @@ jobs:
     steps:
       - name: Docker metadata
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
         with:
           images: ghcr.io/${{ github.repository }}
           tags: |
             type=raw,value=latest,enable=${{ github.event.workflow_run.head_branch == 'main' }}
             type=raw,value=${{ github.event.workflow_run.head_branch }},enable=${{ startsWith(github.event.workflow_run.head_branch, 'v') }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Login to GHCR
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/lint.yml

@@ -14,18 +14,18 @@ jobs:
     name: golangci-lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version: "1.26"
 
       - name: Install SQLite dev headers
         run: sudo apt-get install -y libsqlite3-dev
 
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8
         with:
           version: latest
           args: --timeout=5m

.github/workflows/release-drafter.yml

@@ -16,7 +16,7 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v6
+      - uses: release-drafter/release-drafter@67e173cadb2fbd3de94f4a861e0c48c913b462ae # v6
         with:
           config-name: release-drafter.yml
         env:

.github/workflows/release.yml

@@ -0,0 +1,52 @@
+name: Release
+
+on:
+  push:
+    tags:
+    - 'v*'
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      attestations: write
+    steps:
+    - name: Checkout the code
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      with:
+        fetch-depth: 0
+    - name: Set up Go
+      uses: actions/setup-go@41dfa10bef8ca8f7c4c7cec63b269ccb8a9156b9 # v6
+      with:
+        go-version-file: go.mod
+        cache-dependency-path: go.sum
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Verify changie release notes exist
+      run: |
+        if [ ! -f "changes/${{ github.ref_name }}.md" ]; then
+          echo "::error::Changie fragment changes/${{ github.ref_name }}.md not found."
+          echo "::error::Run 'changie batch ${{ github.ref_name }}' and 'changie merge' before pushing the tag."
+          exit 1
+        fi
+    - name: Execute GoReleaser
+      uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29  # goreleaser-action v7
+      with:
+        distribution: goreleaser
+        version: "~> v2"
+        args: release --clean --release-notes changes/${{ github.ref_name }}.md
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Upload assets
+      uses: actions/upload-artifact@5d5df5e032fcb57d3c9d9901e9b8f8b2b7d8051a # v7
+      with:
+        name: devcloud
+        path: dist/*

.github/workflows/smithy-sync.yml

@@ -13,10 +13,10 @@ jobs:
   sync:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version: "1.26"
 
@@ -52,7 +52,7 @@ jobs:
 
       - name: Create Pull Request
         if: steps.changes.outputs.changed == 'true'
-        uses: peter-evans/create-pull-request@v8
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8
         with:
           commit-message: "chore: sync Smithy models and regenerate code"
           title: "chore: weekly Smithy model sync"

.goreleaser.yaml

@@ -0,0 +1,67 @@
+version: 2
+
+project_name: devcloud
+
+env:
+- GO111MODULE=on
+- CGO_ENABLED=0
+
+before:
+  hooks:
+  - go mod download
+
+builds:
+- id: devcloud
+  binary: devcloud
+  main: cmd/devcloud/main.go
+  goos:
+  - darwin
+  - linux
+  - windows
+  goarch:
+  - amd64
+  - arm64
+
+archives:
+- id: devcloud
+  format: tar.gz
+  format_overrides:
+  - goos: windows
+    format: zip
+  files:
+    - LICENSE
+    - README.md
+    - CHANGELOG.md
+
+changelog:
+  disable: false
+
+checksum:
+  algorithm: sha256
+  name_template: 'CHECKSUMS'
+
+dockers_v2:
+- images:
+  - ghcr.io/{{ .Env.GITHUB_REPOSITORY_OWNER }}/{{ .ProjectName }}
+  dockerfile: Dockerfile.goreleaser
+  ids:
+  - devcloud
+  sbom: false
+  flags:
+  - "--provenance=false"
+  tags:
+  - "{{ .Tag }}-alpine"
+  - "v{{ .Major }}.{{ .Minor }}-alpine"
+  - "v{{ .Major }}-alpine"
+  - "latest-alpine"
+  labels:
+    org.opencontainers.image.created: "{{ .Date }}"
+    org.opencontainers.image.source: "https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }}/{{ .ProjectName }}"
+    org.opencontainers.image.title: "{{ .ProjectName }}"
+    org.opencontainers.image.revision: "{{ .FullCommit }}"
+    org.opencontainers.image.version: "{{ .Version }}"
+
+release:
+  name_template: "{{ .Version }}"
+  disable: false
+  mode: replace

Dockerfile.goreleaser

@@ -0,0 +1,11 @@
+FROM --platform=$BUILDPLATFORM alpine:3.21
+
+RUN adduser --system --home /devcloud appuser
+VOLUME /devcloud
+WORKDIR /devcloud
+ARG TARGETOS
+ARG TARGETARCH
+COPY ${TARGETOS}/${TARGETARCH}/devcloud /usr/bin/devcloud
+
+USER appuser
+ENTRYPOINT ["devcloud"]

Makefile

@@ -1,4 +1,4 @@
-.PHONY: build test codegen run clean test-compat build-web build-all docker-build docker-run
+.PHONY: build test codegen run clean test-compat build-web build-all docker-build docker-run changelog
 
 build:
 	go build -o dist/devcloud ./cmd/devcloud
@@ -32,3 +32,10 @@ docker-run:
 
 clean:
 	rm -rf dist/ data/
+
+changelog:
+	@if [ -z "$(VERSION)" ]; then \
+	  echo "VERSION is required. Usage: make changelog VERSION=v0.2.0"; \
+	  exit 1; \
+	fi
+	@changie batch $(VERSION) && changie merge