.github/workflows/govulncheck.yml

@@ -13,6 +13,8 @@ on:
 jobs:
   govulncheck:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - name: go-version

.github/workflows/lock.yml

@@ -14,6 +14,9 @@ concurrency:
 jobs:
   action:
     runs-on: ubuntu-22.04
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
     - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771
       with:

.github/workflows/main.yml

@@ -8,23 +8,27 @@ on:
     - master
     tags:
     - v*
+  schedule:
+  - cron: 22 2 * * *
 env:
   ACTIONLINT_VERSION: 1.6.26
   AGE_VERSION: 1.1.1
   CHOCOLATEY_VERSION: 2.2.2
-  EDITORCONFIG_CHECKER_VERSION: 2.7.2
+  EDITORCONFIG_CHECKER_VERSION: 2.8.0
   FIND_TYPOS_VERSION: 0.0.3
-  GO_VERSION: 1.21.6
-  GOFUMPT_VERSION: 0.5.0
-  GOLANGCI_LINT_VERSION: 1.55.2
-  GOLINES_VERSION: 0.11.0
+  GO_VERSION: 1.22.0
+  GOFUMPT_VERSION: 0.6.0
+  GOLANGCI_LINT_VERSION: 1.56.1
+  GOLINES_VERSION: 0.12.2
   GOVERSIONINFO_VERSION: 1.4.0
-  RAGE_VERSION: 0.9.2
+  RAGE_VERSION: 0.10.0
 jobs:
   changes:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     outputs:
       code: ${{ steps.filter.outputs.code }}
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - id: filter
@@ -46,19 +50,21 @@ jobs:
   codeql:
     needs: changes
     if: github.event_name == 'push' || needs.changes.outputs.code == 'true'
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     permissions:
       security-events: write
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       with:
         fetch-depth: 1
-    - uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4
+    - uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923
       with:
         languages: go
-    - uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4
+    - uses: github/codeql-action/analyze@b7bf0a3ed3ecfa44160715d7c442788f65f0f923
   misspell:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - uses: reviewdog/action-misspell@06d6a480724fa783c220081bbc22336a78dbbe82
@@ -67,7 +73,9 @@ jobs:
   test-alpine:
     needs: changes
     if: github.event_name == 'push' || needs.changes.outputs.code == 'true'
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - name: test
@@ -78,7 +86,9 @@ jobs:
   test-archlinux:
     needs: changes
     if: github.event_name == 'push' || needs.changes.outputs.code == 'true'
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - name: test
@@ -90,6 +100,8 @@ jobs:
     needs: changes
     if: github.event_name == 'push' || needs.changes.outputs.code == 'true'
     runs-on: macos-11
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
@@ -126,7 +138,9 @@ jobs:
   test-oldstable-go:
     needs: changes
     if: github.event_name == 'push' || needs.changes.outputs.code == 'true'
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
@@ -157,7 +171,9 @@ jobs:
         go test ./...
   test-release:
     needs: changes
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-20.04 # use older Ubuntu for older glibc
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       with:
@@ -190,37 +206,39 @@ jobs:
         args: release --skip=sign --snapshot --timeout=1h
     - name: upload-artifact-chezmoi-darwin-amd64
       if: github.event_name == 'push' || needs.changes.outputs.code == 'true'
-      uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
+      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
       with:
         name: chezmoi-darwin-amd64
         path: dist/chezmoi-nocgo_darwin_amd64_v1/chezmoi
     - name: upload-artifact-chezmoi-darwin-arm64
       if: github.event_name == 'push' || needs.changes.outputs.code == 'true'
-      uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
+      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
       with:
         name: chezmoi-darwin-arm64
         path: dist/chezmoi-nocgo_darwin_arm64/chezmoi
     - name: upload-artifact-chezmoi-linux-amd64
       if: github.event_name == 'push' || needs.changes.outputs.code == 'true'
-      uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
+      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
       with:
         name: chezmoi-linux-amd64
         path: dist/chezmoi-cgo-glibc_linux_amd64_v1/chezmoi
     - name: upload-artifact-chezmoi-linux-musl-amd64
       if: github.event_name == 'push' || needs.changes.outputs.code == 'true'
-      uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
+      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
       with:
         name: chezmoi-linux-amd64-musl
         path: dist/chezmoi-cgo-musl_linux_amd64_v1/chezmoi
     - name: upload-artifact-chezmoi-windows-amd64.exe
       if: github.event_name == 'push' || needs.changes.outputs.code == 'true'
-      uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8
+      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
       with:
         name: chezmoi-windows-amd64
         path: dist/chezmoi-nocgo_windows_amd64_v1/chezmoi.exe
   test-ubuntu:
     needs: changes
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-20.04 # use older Ubuntu for older glibc
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       with:
@@ -266,7 +284,9 @@ jobs:
         sh assets/scripts/install.sh
         bin/chezmoi --version
   test-website:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
@@ -283,6 +303,8 @@ jobs:
     needs: changes
     if: github.event_name == 'push' || needs.changes.outputs.code == 'true'
     runs-on: windows-2022
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
@@ -321,7 +343,9 @@ jobs:
         (iwr -useb https://get.chezmoi.io/ps1).ToString() | powershell -c -
         bin/chezmoi.exe --version
   check:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       with:
@@ -367,13 +391,15 @@ jobs:
   lint:
     needs: changes
     if: github.event_name == 'push' || needs.changes.outputs.code == 'true'
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
       with:
         go-version: ${{ env.GO_VERSION }}
-    - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc
+    - uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804
       with:
         version: v${{ env.GOLANGCI_LINT_VERSION }}
         args: --timeout=5m
@@ -390,7 +416,9 @@ jobs:
     - test-ubuntu
     - test-website
     - test-windows
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-20.04 # use older Ubuntu for older glibc
+    permissions:
+      contents: write
     steps:
     - name: install-build-dependencies
       run: |
@@ -415,7 +443,7 @@ jobs:
     - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
       with:
         go-version: ${{ env.GO_VERSION }}
-    - uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149
+    - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
     - name: create-syso
       run: |
         make create-syso
@@ -433,7 +461,9 @@ jobs:
   deploy-website:
     needs:
     - release
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
       with:

.golangci.yml

@@ -1,16 +1,14 @@
 run:
-  go: '1.19'
+  go: '1.21'
 
 linters:
   enable:
   - asciicheck
   - bidichk
   - bodyclose
   - containedctx
-  - contextcheck
   - decorder
   - dogsled
-  - dupl
   - dupword
   - durationcheck
   - errcheck
@@ -59,12 +57,15 @@ linters:
   - revive
   - rowserrcheck
   - sloglint
+  - spancheck
   - sqlclosecheck
   - staticcheck
   - stylecheck
+  - tagalign
   - tagliatelle
   - tenv
   - testableexamples
+  - testifylint
   - thelper
   - typecheck
   - unconvert
@@ -76,8 +77,10 @@ linters:
   - zerologlint
   disable:
   - asasalint
+  - contextcheck
   - cyclop
   - depguard
+  - dupl
   - exhaustive
   - exhaustruct
   - funlen
@@ -100,7 +103,6 @@ linters:
   - nlreturn
   - nonamedreturns
   - paralleltest
-  - tagalign
   - testpackage
   - tparallel
   - varnamelen

Makefile

@@ -200,6 +200,6 @@ shellcheck:
 test-release:
 	goreleaser release \
 		--clean \
-		--skip=sign \
+		--skip=chocolatey,sign \
 		--snapshot \
 		${GORELEASER_FLAGS}

assets/chezmoi.io/docs/developer/developing-locally.md

@@ -2,7 +2,7 @@
 
 chezmoi is written in [Go](https://golang.org) and development happens on
 [GitHub](https://github.com). chezmoi is a standard Go project, using standard
-Go tooling. chezmoi requires Go 1.20 or later.
+Go tooling. chezmoi requires Go 1.21 or later.
 
 Checkout chezmoi:
 
@@ -17,15 +17,6 @@ Build chezmoi:
 $ go build
 ```
 
-!!! hint
-
-    If you try to build chezmoi with an unsupported version of Go you will get
-    the error:
-
-    ```
-    package github.com/twpayne/chezmoi/v2: build constraints exclude all Go files in /home/twp/src/github.com/twpayne/chezmoi
-    ```
-
 Run all tests:
 
 ```console

assets/chezmoi.io/docs/developer/testing.md

@@ -9,7 +9,7 @@ chezmoi uses multiple levels of testing:
    `internal/chezmoi/*_test.go`.
 
 2. Filesystem integration tests, using `testing` and
-   [`github.com/twpayne/go-vfs/v5`](https://pkg.go.dev/github.com/twpayne/go-vfs/v4),
+   [`github.com/twpayne/go-vfs/v5`](https://pkg.go.dev/github.com/twpayne/go-vfs/v5),
    test chezmoi's effects on the filesystem. This include some tests in
    `internal/chezmoi/*_test.go`, and higher level command tests in
    `internal/cmd/*cmd_test.go`.

assets/chezmoi.io/docs/install.md.tmpl

@@ -244,13 +244,13 @@ pre-built binary and shell completions.
 
 === "OpenBSD"
 
-{{ range $arch := list "amd64" "arm" "arm64" "i386" }}
+{{ range $arch := list "amd64" "arm" "arm64" "i386" "ppc64" }}
     [`{{ $arch }}`](https://github.com/twpayne/chezmoi/releases/download/v{{ $version }}/chezmoi_{{ $version }}_openbsd_{{ $arch }}.tar.gz)
 {{- end }}
 
 ## Install from source
 
-Download, build, and install chezmoi for your system with Go 1.20 or later:
+Download, build, and install chezmoi for your system with Go 1.21 or later:
 
 ```console
 $ git clone https://github.com/twpayne/chezmoi.git

assets/chezmoi.io/docs/reference/configuration-file/variables.md.yaml

@@ -386,6 +386,10 @@ sections:
       default: '`vault`'
       description: Vault CLI command
   update:
+    apply:
+      type: 'bool'
+      default: '`true`'
+      description: Apply after pulling
     args:
       type: '[]string'
       description: Extra args to update command

assets/chezmoi.io/docs/reference/templates/1password-functions/index.md

@@ -44,8 +44,3 @@ CLI](https://developer.1password.com/docs/cli) (`op`).
     `account1.1password.ca` will not be a valid lookup value, but `my@account1`,
     `my@account1.1password.ca`, `your@account1`, and
     `your@account1.1password.ca` would all be valid lookups.
-
-!!! warning
-
-    Support for 1Password CLI v1 will be removed with the next major release of
-    chezmoi.

assets/chezmoi.io/docs/reference/templates/init-functions/promptStringOnce.md

@@ -1,6 +1,6 @@
 # `promptStringOnce` *map* *path* *prompt* [*default*]
 
-`promptStringOnce` returns the value of *map* at *path* if it exists and is an
+`promptStringOnce` returns the value of *map* at *path* if it exists and is a
 string value, otherwise it prompts the user for a string value with *prompt* and
 an optional *default* using `promptString`.