upd-cli 0.1.3__tar.gz → 0.1.4__tar.gz

{upd_cli-0.1.3 → upd_cli-0.1.4}/CHANGELOG.md

@@ -13,6 +13,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 
 
+
+## [0.1.4](https://github.com/rvben/upd/compare/v0.1.3...v0.1.4) - 2026-04-28
+
+### Added
+
+- **discovery**: respect .gitignore for hidden ecosystem files and add --no-ignore ([bd44269](https://github.com/rvben/upd/commit/bd442692e4e7c5ab96e1163128ac8f274a771f30))
+
 ## [0.1.3](https://github.com/rvben/upd/compare/v0.1.2...v0.1.3) - 2026-04-25
 
 ### Added

{upd_cli-0.1.3 → upd_cli-0.1.4}/Cargo.lock

@@ -2024,7 +2024,7 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
 
 [[package]]
 name = "upd"
-version = "0.1.3"
+version = "0.1.4"
 dependencies = [
  "anyhow",
  "async-trait",

{upd_cli-0.1.3 → upd_cli-0.1.4}/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "upd"
-version = "0.1.3"
+version = "0.1.4"
 edition = "2024"
 rust-version = "1.95.0"
 description = "A fast dependency updater for Python, Node.js, Rust, Go, Ruby, Terraform, GitHub Actions, pre-commit, and Mise projects"

{upd_cli-0.1.3 → upd_cli-0.1.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: upd-cli
-Version: 0.1.3
+Version: 0.1.4
 Classifier: Development Status :: 4 - Beta
 Classifier: Environment :: Console
 Classifier: Intended Audience :: Developers
@@ -57,7 +57,11 @@ pipx run --spec upd-cli upd --apply
 - **Major warnings**: Highlights breaking changes with `(MAJOR)`
 - **Format-preserving**: Keeps formatting, comments, and structure
 - **Pre-release aware**: Updates pre-releases to newer pre-releases
-- **Gitignore-aware**: Respects `.gitignore` when discovering files
+- **Gitignore-aware**: Honors `.gitignore`, `.git/info/exclude`, and the global
+  gitignore — even outside a git repo. Hidden directories are pruned by default;
+  `upd` only opens the dotfiles it actually updates (`.github/workflows`,
+  `.pre-commit-config.yaml`, `.mise.toml`, `.tool-versions`). Use `--no-ignore`
+  to walk every file regardless.
 - **Version alignment**: Align package versions across multiple files
 - **Security auditing**: Check dependencies for known vulnerabilities via OSV
 - **Config file support**: Ignore or pin packages via `.updrc.toml`
@@ -761,6 +765,7 @@ Global flags (accepted on every subcommand):
 | `--full-precision` | | Output full versions |
 | `--no-cache` | | Disable version cache |
 | `--no-color` | | Disable colored output |
+| `--no-ignore` | | Disable `.gitignore` filtering during discovery |
 | `--lock` | | Regenerate lockfiles after updates |
 | `--config <FILE>` | `-c` | Use a specific config file |
 | `--show-config` | | Print effective configuration and exit |

{upd_cli-0.1.3 → upd_cli-0.1.4}/README.md

@@ -34,7 +34,11 @@ pipx run --spec upd-cli upd --apply
 - **Major warnings**: Highlights breaking changes with `(MAJOR)`
 - **Format-preserving**: Keeps formatting, comments, and structure
 - **Pre-release aware**: Updates pre-releases to newer pre-releases
-- **Gitignore-aware**: Respects `.gitignore` when discovering files
+- **Gitignore-aware**: Honors `.gitignore`, `.git/info/exclude`, and the global
+  gitignore — even outside a git repo. Hidden directories are pruned by default;
+  `upd` only opens the dotfiles it actually updates (`.github/workflows`,
+  `.pre-commit-config.yaml`, `.mise.toml`, `.tool-versions`). Use `--no-ignore`
+  to walk every file regardless.
 - **Version alignment**: Align package versions across multiple files
 - **Security auditing**: Check dependencies for known vulnerabilities via OSV
 - **Config file support**: Ignore or pin packages via `.updrc.toml`
@@ -738,6 +742,7 @@ Global flags (accepted on every subcommand):
 | `--full-precision` | | Output full versions |
 | `--no-cache` | | Disable version cache |
 | `--no-color` | | Disable colored output |
+| `--no-ignore` | | Disable `.gitignore` filtering during discovery |
 | `--lock` | | Regenerate lockfiles after updates |
 | `--config <FILE>` | `-c` | Use a specific config file |
 | `--show-config` | | Print effective configuration and exit |

{upd_cli-0.1.3 → upd_cli-0.1.4}/src/cli.rs

@@ -183,6 +183,15 @@ pub struct Cli {
         value_delimiter = ','
     )]
     pub packages: Vec<String>,
+
+    /// Disable .gitignore filtering and walk every dependency file in the tree.
+    ///
+    /// By default, `upd` honors `.gitignore`, `.git/info/exclude`, and the
+    /// global gitignore when discovering dependency files. Pass `--no-ignore`
+    /// to scan files git would ignore. Equivalent to `rg --no-ignore`.
+    /// Explicit file paths are always processed regardless of this flag.
+    #[arg(long = "no-ignore", global = true)]
+    pub no_ignore: bool,
 }
 
 #[derive(Subcommand)]
@@ -842,4 +851,27 @@ mod tests {
         assert_eq!(cli.min_age.as_deref(), Some("14d"));
         assert!(matches!(cli.command, Some(Command::Update { .. })));
     }
+
+    #[test]
+    fn test_cli_no_ignore_default_false() {
+        let cli = Cli::try_parse_from(["upd"]).unwrap();
+        assert!(!cli.no_ignore);
+    }
+
+    #[test]
+    fn test_cli_no_ignore_parses() {
+        let cli = Cli::try_parse_from(["upd", "--no-ignore"]).unwrap();
+        assert!(cli.no_ignore);
+    }
+
+    #[test]
+    fn test_cli_no_ignore_is_global_across_subcommands() {
+        let cli = Cli::try_parse_from(["upd", "audit", "--no-ignore"]).unwrap();
+        assert!(cli.no_ignore);
+        assert!(matches!(cli.command, Some(Command::Audit { .. })));
+
+        let cli = Cli::try_parse_from(["upd", "align", "--no-ignore"]).unwrap();
+        assert!(cli.no_ignore);
+        assert!(matches!(cli.command, Some(Command::Align { .. })));
+    }
 }

{upd_cli-0.1.3 → upd_cli-0.1.4}/src/lib.rs

@@ -25,7 +25,9 @@ pub use registry::{
     GitHubReleasesRegistry, NpmRegistry, NuGetRegistry, PyPiRegistry, Registry, RubyGemsRegistry,
     TerraformRegistry, VersionMeta,
 };
-pub use updater::{FileType, Lang, UpdateResult, Updater, discover_files};
+pub use updater::{
+    DiscoverOptions, FileType, Lang, UpdateResult, Updater, discover_files, discover_files_with,
+};
 
 /// Determine the process exit code given the outcome of a run.
 ///

{upd_cli-0.1.3 → upd_cli-0.1.4}/src/main.rs

@@ -22,10 +22,10 @@ use upd::registry::{
     NuGetRegistry, PyPiRegistry, RubyGemsRegistry, TerraformRegistry,
 };
 use upd::updater::{
-    CargoTomlUpdater, CsprojUpdater, FileType, GemfileUpdater, GithubActionsUpdater, GoModUpdater,
-    Lang, MiseUpdater, PackageJsonUpdater, PreCommitUpdater, PyProjectUpdater, RequirementsUpdater,
-    TerraformUpdater, UpdateOptions, UpdateResult, Updater, discover_files, read_file_safe,
-    write_file_atomic,
+    CargoTomlUpdater, CsprojUpdater, DiscoverOptions, FileType, GemfileUpdater,
+    GithubActionsUpdater, GoModUpdater, Lang, MiseUpdater, PackageJsonUpdater, PreCommitUpdater,
+    PyProjectUpdater, RequirementsUpdater, TerraformUpdater, UpdateOptions, UpdateResult, Updater,
+    discover_files_with, read_file_safe, write_file_atomic,
 };
 use upd::version::match_version_precision;
 
@@ -546,7 +546,14 @@ async fn run_update(cli: &Cli) -> Result<()> {
     // or --dry-run), the run behaves as dry-run and tells the user how to apply.
     let effective_dry_run = cli.is_effective_dry_run();
 
-    let files = discover_files(&paths, &cli.langs);
+    let files = discover_files_with(
+        &paths,
+        &cli.langs,
+        DiscoverOptions {
+            no_ignore: cli.no_ignore,
+            verbose: cli.verbose,
+        },
+    );
     let file_count = files.len();
 
     let text_mode_early = cli.format == upd::cli::OutputFormat::Text;
@@ -1493,7 +1500,14 @@ async fn run_align(cli: &Cli) -> Result<()> {
         }
     };
 
-    let files = discover_files(&paths, &cli.langs);
+    let files = discover_files_with(
+        &paths,
+        &cli.langs,
+        DiscoverOptions {
+            no_ignore: cli.no_ignore,
+            verbose: cli.verbose,
+        },
+    );
     let file_count = files.len();
 
     if files.is_empty() {
@@ -1701,7 +1715,14 @@ async fn run_audit(cli: &Cli) -> Result<()> {
             explicit
         }
     };
-    let files = discover_files(&paths, &cli.langs);
+    let files = discover_files_with(
+        &paths,
+        &cli.langs,
+        DiscoverOptions {
+            no_ignore: cli.no_ignore,
+            verbose: cli.verbose,
+        },
+    );
     let file_count = files.len();
 
     if files.is_empty() {

{upd_cli-0.1.3 → upd_cli-0.1.4}/src/updater/mod.rs

@@ -384,6 +384,19 @@ impl FileType {
             return Some(FileType::ToolVersions);
         }
 
+        // GitHub Actions workflows: *.yml or *.yaml inside .github/workflows/
+        if (file_name.ends_with(".yml") || file_name.ends_with(".yaml"))
+            && let Some(parent) = path.parent()
+            && parent.file_name().and_then(|n| n.to_str()) == Some("workflows")
+            && parent
+                .parent()
+                .and_then(|gp| gp.file_name())
+                .and_then(|n| n.to_str())
+                == Some(".github")
+        {
+            return Some(FileType::GithubActions);
+        }
+
         // Terraform .tf files (exclude files inside .terraform/ directories)
         if file_name.ends_with(".tf") {
             let path_str = path.to_string_lossy();
@@ -538,102 +551,126 @@ pub async fn apply_cooldown(
     }
 }
 
-/// Scan for GitHub Actions workflow files in .github/workflows/ directories.
-/// This is a separate pass because WalkBuilder::hidden(true) skips dot-directories.
-fn discover_github_actions(path: &Path, files: &mut Vec<(PathBuf, FileType)>) {
-    let workflows_dir = path.join(".github").join("workflows");
-    if !workflows_dir.is_dir() {
-        return;
-    }
-
-    if let Ok(entries) = std::fs::read_dir(&workflows_dir) {
-        for entry in entries.flatten() {
-            let entry_path = entry.path();
-            if entry_path.is_file()
-                && let Some(ext) = entry_path.extension().and_then(|e| e.to_str())
-                && (ext == "yml" || ext == "yaml")
-            {
-                files.push((entry_path, FileType::GithubActions));
-            }
-        }
-    }
-}
-
-/// Scan for .pre-commit-config.yaml in a directory.
-/// This is a separate pass because WalkBuilder::hidden(true) skips dot-files.
-fn discover_pre_commit_config(path: &Path, files: &mut Vec<(PathBuf, FileType)>) {
-    let config_path = path.join(".pre-commit-config.yaml");
-    if config_path.is_file() {
-        files.push((config_path, FileType::PreCommitConfig));
-    }
+/// Hidden entries the walker is allowed to descend into or yield.
+///
+/// Anything not in this set that starts with `.` is pruned during discovery,
+/// which keeps `.git`, `.cache`, `.venv`, and similar noise out of the scan
+/// while still letting us see the dotfiles `upd` actually updates.
+const ALLOWED_HIDDEN_ENTRIES: &[&str] = &[
+    ".github",
+    ".pre-commit-config.yaml",
+    ".mise.toml",
+    ".tool-versions",
+];
+
+/// Knobs for [`discover_files_with`].
+#[derive(Debug, Clone, Copy, Default)]
+pub struct DiscoverOptions {
+    /// When true, ignore `.gitignore`, `.git/info/exclude`, and the global
+    /// gitignore — walk every dependency file regardless. Mirrors
+    /// `rg --no-ignore`.
+    pub no_ignore: bool,
+    /// When true, emit one `skipping <path>: gitignored` line on stderr for
+    /// each dependency file the gitignore rules dropped, so users can see
+    /// why `upd` is silent on a given file.
+    pub verbose: bool,
 }
 
-/// Scan for .mise.toml and .tool-versions in a directory.
-/// These are dot-files, so WalkBuilder::hidden(true) skips them.
-fn discover_mise_files(path: &Path, files: &mut Vec<(PathBuf, FileType)>) {
-    let mise_path = path.join(".mise.toml");
-    if mise_path.is_file() {
-        files.push((mise_path, FileType::MiseToml));
-    }
-
-    let tool_versions_path = path.join(".tool-versions");
-    if tool_versions_path.is_file() {
-        files.push((tool_versions_path, FileType::ToolVersions));
-    }
+/// Discover dependency files in the given paths, optionally filtered by language.
+///
+/// Directory walks honor `.gitignore`, `.git/info/exclude`, and the global
+/// gitignore — even outside a git repository. Hidden directories and files are
+/// skipped except for the small allowlist in [`ALLOWED_HIDDEN_ENTRIES`]. Explicit
+/// file paths bypass the filter and are always processed.
+///
+/// Convenience wrapper around [`discover_files_with`] with default options.
+pub fn discover_files(paths: &[PathBuf], langs: &[Lang]) -> Vec<(PathBuf, FileType)> {
+    discover_files_with(paths, langs, DiscoverOptions::default())
 }
 
-fn discover_hidden_dependency_files(
-    path: &Path,
+/// Discover dependency files with explicit [`DiscoverOptions`].
+pub fn discover_files_with(
+    paths: &[PathBuf],
     langs: &[Lang],
-    files: &mut Vec<(PathBuf, FileType)>,
-) {
-    if langs.is_empty() || langs.contains(&Lang::Actions) {
-        discover_github_actions(path, files);
-    }
-
-    if langs.is_empty() || langs.contains(&Lang::PreCommit) {
-        discover_pre_commit_config(path, files);
+    options: DiscoverOptions,
+) -> Vec<(PathBuf, FileType)> {
+    let kept = walk_dependency_files(paths, langs, options.no_ignore);
+
+    // In verbose mode, surface the dependency files gitignore rules dropped so
+    // users can answer "why didn't upd touch X?" without guessing. Skipped when
+    // gitignore is already disabled (nothing to diff against).
+    if options.verbose && !options.no_ignore {
+        let unrestricted = walk_dependency_files(paths, langs, true);
+        let kept_set: std::collections::HashSet<&Path> =
+            kept.iter().map(|(p, _)| p.as_path()).collect();
+        for (path, _) in &unrestricted {
+            if !kept_set.contains(path.as_path()) {
+                eprintln!("skipping {}: gitignored", path.display());
+            }
+        }
     }
 
-    if langs.is_empty() || langs.contains(&Lang::Mise) {
-        discover_mise_files(path, files);
-    }
+    kept
 }
 
-/// Discover dependency files in the given paths, optionally filtered by language
-pub fn discover_files(paths: &[PathBuf], langs: &[Lang]) -> Vec<(PathBuf, FileType)> {
+fn walk_dependency_files(
+    paths: &[PathBuf],
+    langs: &[Lang],
+    no_ignore: bool,
+) -> Vec<(PathBuf, FileType)> {
     let mut files = Vec::new();
 
     for path in paths {
-        if path.is_file()
-            && let Some(file_type) = FileType::detect(path)
-        {
-            if langs.is_empty() || langs.contains(&file_type.lang()) {
+        if path.is_file() {
+            if let Some(file_type) = FileType::detect(path)
+                && (langs.is_empty() || langs.contains(&file_type.lang()))
+            {
                 files.push((path.clone(), file_type));
             }
-        } else if path.is_dir() {
-            discover_hidden_dependency_files(path, langs, &mut files);
-
-            // Walk directory respecting .gitignore
-            let walker = WalkBuilder::new(path)
-                .hidden(true)
-                .git_ignore(true)
-                .git_global(true)
-                .git_exclude(true)
-                .build();
-
-            for entry in walker.flatten() {
-                let entry_path = entry.path();
-                if entry_path.is_dir() && entry_path != path {
-                    discover_hidden_dependency_files(entry_path, langs, &mut files);
+            continue;
+        }
+
+        if !path.is_dir() {
+            continue;
+        }
+
+        let walker = WalkBuilder::new(path)
+            .hidden(false)
+            .git_ignore(!no_ignore)
+            .git_global(!no_ignore)
+            .git_exclude(!no_ignore)
+            .require_git(false)
+            .filter_entry(|entry| {
+                // Always traverse the user-supplied root, even when it is hidden
+                // (e.g. `upd .github/workflows`).
+                if entry.depth() == 0 {
+                    return true;
+                }
+
+                let name = entry.file_name().to_string_lossy();
+
+                // `.git` is internal — never descend into it.
+                if name == ".git" {
+                    return false;
                 }
 
-                if entry_path.is_file()
-                    && let Some(file_type) = FileType::detect(entry_path)
-                    && (langs.is_empty() || langs.contains(&file_type.lang()))
-                {
-                    files.push((entry_path.to_path_buf(), file_type));
+                if !name.starts_with('.') {
+                    return true;
                 }
+
+                ALLOWED_HIDDEN_ENTRIES.contains(&name.as_ref())
+            })
+            .build();
+
+        for entry in walker.flatten() {
+            let entry_path = entry.path();
+            if !entry_path.is_file() {
+                continue;
+            }
+            if let Some(file_type) = FileType::detect(entry_path)
+                && (langs.is_empty() || langs.contains(&file_type.lang()))
+            {
+                files.push((entry_path.to_path_buf(), file_type));
             }
         }
     }
@@ -1118,6 +1155,260 @@ mod tests {
         let files = discover_files(&[temp.path().to_path_buf()], &[Lang::Actions]);
         assert!(files.is_empty());
     }
+
+    /// Detection of a workflow file should depend on the .github/workflows
+    /// path components, not just the extension. A bare YAML file elsewhere
+    /// must not be classified as a GitHub Actions workflow.
+    #[test]
+    fn test_filetype_detect_github_actions_requires_workflows_dir() {
+        assert_eq!(
+            FileType::detect(Path::new("/repo/.github/workflows/ci.yml")),
+            Some(FileType::GithubActions)
+        );
+        assert_eq!(
+            FileType::detect(Path::new("/repo/.github/workflows/release.yaml")),
+            Some(FileType::GithubActions)
+        );
+        // A workflow nested under a sub-project still counts.
+        assert_eq!(
+            FileType::detect(Path::new("/repo/apps/api/.github/workflows/ci.yml")),
+            Some(FileType::GithubActions)
+        );
+        // Anything outside .github/workflows is not a workflow.
+        assert_eq!(
+            FileType::detect(Path::new("/repo/.github/dependabot.yml")),
+            None
+        );
+        assert_eq!(FileType::detect(Path::new("/repo/random.yml")), None);
+    }
+
+    /// Files listed in .gitignore must not be discovered when walking a
+    /// directory. This is the single most-requested default — users expect
+    /// `upd` to ignore the same things git does.
+    #[test]
+    fn test_discover_files_respects_gitignore() {
+        let temp = tempdir().unwrap();
+        let root = temp.path();
+
+        fs::write(
+            root.join(".gitignore"),
+            "ignored.txt\nvendor/\n.github/workflows/internal.yml\n.pre-commit-config.yaml\n.mise.toml\n.tool-versions\n",
+        )
+        .unwrap();
+
+        // Regular files: kept.
+        fs::write(root.join("requirements.txt"), "flask>=2.0").unwrap();
+        // Regular file: ignored by name.
+        fs::write(root.join("ignored.txt"), "should-not-appear").unwrap();
+        // Whole gitignored directory.
+        fs::create_dir_all(root.join("vendor")).unwrap();
+        fs::write(
+            root.join("vendor").join("Cargo.toml"),
+            "[package]\nname=\"x\"",
+        )
+        .unwrap();
+
+        // GitHub Actions: one ignored, one kept.
+        let workflows = root.join(".github").join("workflows");
+        fs::create_dir_all(&workflows).unwrap();
+        fs::write(workflows.join("ci.yml"), "name: CI").unwrap();
+        fs::write(workflows.join("internal.yml"), "name: Internal").unwrap();
+
+        // Hidden ecosystem files: gitignored.
+        fs::write(root.join(".pre-commit-config.yaml"), "repos: []").unwrap();
+        fs::write(root.join(".mise.toml"), "[tools]").unwrap();
+        fs::write(root.join(".tool-versions"), "node 20").unwrap();
+
+        let files = discover_files(&[root.to_path_buf()], &[]);
+        let paths: Vec<PathBuf> = files.iter().map(|(p, _)| p.clone()).collect();
+
+        assert!(paths.contains(&root.join("requirements.txt")));
+        assert!(paths.contains(&workflows.join("ci.yml")));
+
+        for forbidden in [
+            root.join("ignored.txt"),
+            root.join("vendor").join("Cargo.toml"),
+            workflows.join("internal.yml"),
+            root.join(".pre-commit-config.yaml"),
+            root.join(".mise.toml"),
+            root.join(".tool-versions"),
+        ] {
+            assert!(
+                !paths.contains(&forbidden),
+                "discover_files should skip gitignored {forbidden:?}; got {paths:#?}"
+            );
+        }
+    }
+
+    /// Negation patterns (`!foo`) must un-ignore matching paths so users
+    /// can ship a top-level ignore but selectively keep individual files.
+    #[test]
+    fn test_discover_files_respects_gitignore_negation() {
+        let temp = tempdir().unwrap();
+        let root = temp.path();
+
+        fs::write(
+            root.join(".gitignore"),
+            ".github/workflows/*.yml\n!.github/workflows/keep.yml\n",
+        )
+        .unwrap();
+
+        let workflows = root.join(".github").join("workflows");
+        fs::create_dir_all(&workflows).unwrap();
+        fs::write(workflows.join("drop.yml"), "name: Drop").unwrap();
+        fs::write(workflows.join("keep.yml"), "name: Keep").unwrap();
+
+        let files = discover_files(&[root.to_path_buf()], &[Lang::Actions]);
+        let paths: Vec<PathBuf> = files.iter().map(|(p, _)| p.clone()).collect();
+
+        assert!(paths.contains(&workflows.join("keep.yml")));
+        assert!(!paths.contains(&workflows.join("drop.yml")));
+    }
+
+    /// Explicit file arguments bypass the gitignore filter — `upd
+    /// path/to/file` should always process the file the user pointed at,
+    /// matching `rg` / `fd` semantics for explicit paths.
+    #[test]
+    fn test_discover_files_explicit_path_bypasses_gitignore() {
+        let temp = tempdir().unwrap();
+        let root = temp.path();
+
+        fs::write(root.join(".gitignore"), ".mise.toml\n").unwrap();
+        let mise = root.join(".mise.toml");
+        fs::write(&mise, "[tools]").unwrap();
+
+        // Directory walk: gitignored, so excluded.
+        let walked = discover_files(&[root.to_path_buf()], &[]);
+        assert!(walked.iter().all(|(p, _)| p != &mise));
+
+        // Explicit path: included regardless of gitignore.
+        let direct = discover_files(std::slice::from_ref(&mise), &[]);
+        assert_eq!(direct, vec![(mise, FileType::MiseToml)]);
+    }
+
+    /// `--no-ignore` (via `DiscoverOptions::no_ignore`) must bypass
+    /// gitignore entirely, including for hidden ecosystem files.
+    #[test]
+    fn test_discover_files_with_no_ignore_bypasses_gitignore() {
+        let temp = tempdir().unwrap();
+        let root = temp.path();
+
+        fs::write(
+            root.join(".gitignore"),
+            "ignored.txt\n.mise.toml\n.tool-versions\n",
+        )
+        .unwrap();
+        fs::write(root.join("ignored.txt"), "x").unwrap();
+        fs::write(root.join("requirements.txt"), "flask>=2.0").unwrap();
+        fs::write(root.join(".mise.toml"), "[tools]").unwrap();
+        fs::write(root.join(".tool-versions"), "node 20").unwrap();
+
+        let unrestricted = discover_files_with(
+            &[root.to_path_buf()],
+            &[],
+            DiscoverOptions {
+                no_ignore: true,
+                verbose: false,
+            },
+        );
+        let paths: Vec<PathBuf> = unrestricted.iter().map(|(p, _)| p.clone()).collect();
+
+        assert!(paths.contains(&root.join("requirements.txt")));
+        assert!(paths.contains(&root.join(".mise.toml")));
+        assert!(paths.contains(&root.join(".tool-versions")));
+        // ignored.txt is not a dependency file, so it never appears regardless;
+        // the meaningful assertion is that the hidden ecosystem files are picked
+        // up despite being gitignored.
+    }
+
+    /// `--lang` filtering must compose with gitignore filtering: ignored
+    /// files of the requested language stay out, kept files of other
+    /// languages also stay out.
+    #[test]
+    fn test_discover_files_lang_filter_composes_with_gitignore() {
+        let temp = tempdir().unwrap();
+        let root = temp.path();
+
+        fs::write(root.join(".gitignore"), "requirements.txt\n").unwrap();
+        fs::write(root.join("requirements.txt"), "flask").unwrap();
+        fs::write(root.join("pyproject.toml"), "[project]\nname='x'").unwrap();
+        fs::write(root.join("package.json"), "{}").unwrap();
+
+        let files = discover_files(&[root.to_path_buf()], &[Lang::Python]);
+        let paths: Vec<PathBuf> = files.iter().map(|(p, _)| p.clone()).collect();
+
+        // gitignored Python file is dropped, non-Python file is dropped by --lang
+        assert_eq!(paths, vec![root.join("pyproject.toml")]);
+    }
+
+    /// Nested `.gitignore` files (in a subdirectory) must be honored — the
+    /// `ignore` crate handles this; this test pins the behavior so a future
+    /// refactor can't regress it.
+    #[test]
+    fn test_discover_files_respects_nested_gitignore() {
+        let temp = tempdir().unwrap();
+        let root = temp.path();
+
+        // Top-level allows everything.
+        fs::write(root.join(".gitignore"), "").unwrap();
+        // Nested .gitignore drops a single file in its directory.
+        let sub = root.join("sub");
+        fs::create_dir_all(&sub).unwrap();
+        fs::write(sub.join(".gitignore"), "secret.toml\n").unwrap();
+        fs::write(sub.join("secret.toml"), "").unwrap();
+        fs::write(sub.join("Cargo.toml"), "[package]\nname='x'").unwrap();
+        fs::write(sub.join("package.json"), "{}").unwrap();
+
+        let files = discover_files(&[root.to_path_buf()], &[]);
+        let paths: Vec<PathBuf> = files.iter().map(|(p, _)| p.clone()).collect();
+
+        assert!(paths.contains(&sub.join("Cargo.toml")));
+        assert!(paths.contains(&sub.join("package.json")));
+        assert!(!paths.contains(&sub.join("secret.toml")));
+    }
+
+    /// A whole-directory ignore (`.github/`) must prune the entire subtree,
+    /// not just a single workflow file.
+    #[test]
+    fn test_discover_files_directory_ignore_prunes_subtree() {
+        let temp = tempdir().unwrap();
+        let root = temp.path();
+
+        fs::write(root.join(".gitignore"), ".github/\n").unwrap();
+        let workflows = root.join(".github").join("workflows");
+        fs::create_dir_all(&workflows).unwrap();
+        fs::write(workflows.join("ci.yml"), "name: CI").unwrap();
+        fs::write(workflows.join("release.yaml"), "name: Release").unwrap();
+        fs::write(root.join("package.json"), "{}").unwrap();
+
+        let files = discover_files(&[root.to_path_buf()], &[]);
+        let paths: Vec<PathBuf> = files.iter().map(|(p, _)| p.clone()).collect();
+
+        assert_eq!(paths, vec![root.join("package.json")]);
+    }
+
+    /// `.git` directories must never be walked into — they are not in
+    /// `.gitignore` (git itself manages them) but still contain YAML/TOML
+    /// content that would otherwise be picked up.
+    #[test]
+    fn test_discover_files_skips_dot_git_directory() {
+        let temp = tempdir().unwrap();
+        let root = temp.path();
+
+        let inner_git = root.join(".git").join("workflows-cache");
+        fs::create_dir_all(&inner_git).unwrap();
+        // A file matching one of our patterns, planted inside .git/.
+        fs::write(inner_git.join(".mise.toml"), "[tools]").unwrap();
+        fs::write(root.join(".git").join("config"), "[core]").unwrap();
+
+        let files = discover_files(&[root.to_path_buf()], &[]);
+        for (path, _) in &files {
+            assert!(
+                !path.to_string_lossy().contains("/.git/"),
+                "discover_files must not descend into .git/, found {path:?}"
+            );
+        }
+    }
 }
 
 #[cfg(test)]

upd_cli-0.1.4/tests/discovery_no_ignore.rs

@@ -0,0 +1,114 @@
+//! Integration tests for `.gitignore`-aware discovery and the
+//! `--no-ignore` escape hatch.
+//!
+//! These run the real binary against a temp workspace so the full path
+//! (CLI parsing → DiscoverOptions → walker → output) is covered.
+
+use std::fs;
+use std::path::Path;
+use std::process::Command;
+
+fn upd_bin() -> &'static str {
+    env!("CARGO_BIN_EXE_upd")
+}
+
+fn run(args: &[&str], cwd: &Path) -> (String, String, i32) {
+    let output = Command::new(upd_bin())
+        .args(args)
+        .env("UPD_CACHE_DIR", cwd.join("upd-cache"))
+        .output()
+        .expect("failed to run upd");
+    (
+        String::from_utf8_lossy(&output.stdout).into_owned(),
+        String::from_utf8_lossy(&output.stderr).into_owned(),
+        output.status.code().unwrap_or(-1),
+    )
+}
+
+/// Build a workspace where one of two `package.json` files is gitignored.
+/// Returns the temp dir, kept-file path, and ignored-file path.
+fn workspace_with_gitignored_package_json()
+-> (tempfile::TempDir, std::path::PathBuf, std::path::PathBuf) {
+    let tmp = tempfile::tempdir().unwrap();
+    let root = tmp.path();
+
+    fs::write(root.join(".gitignore"), "vendor/\n").unwrap();
+
+    let kept = root.join("package.json");
+    fs::write(&kept, "{\"dependencies\":{}}").unwrap();
+
+    let vendor = root.join("vendor");
+    fs::create_dir_all(&vendor).unwrap();
+    let ignored = vendor.join("package.json");
+    fs::write(&ignored, "{\"dependencies\":{}}").unwrap();
+
+    (tmp, kept, ignored)
+}
+
+/// Default behavior must skip the gitignored file: only one file is scanned.
+#[test]
+fn discovery_skips_gitignored_files_by_default() {
+    let (tmp, _kept, _ignored) = workspace_with_gitignored_package_json();
+    let path = tmp.path().to_str().unwrap();
+
+    let (stdout, stderr, _code) = run(&["--check", "--no-cache", path], tmp.path());
+
+    let combined = format!("{stdout}\n{stderr}");
+    assert!(
+        combined.contains("Scanned 1 file"),
+        "default discovery must skip the gitignored file (expect 1 scanned); got:\n{combined}"
+    );
+}
+
+/// `--no-ignore` must include the gitignored file: two files scanned.
+#[test]
+fn discovery_no_ignore_flag_includes_gitignored_files() {
+    let (tmp, _kept, _ignored) = workspace_with_gitignored_package_json();
+    let path = tmp.path().to_str().unwrap();
+
+    let (stdout, stderr, _code) = run(&["--check", "--no-cache", "--no-ignore", path], tmp.path());
+
+    let combined = format!("{stdout}\n{stderr}");
+    assert!(
+        combined.contains("Scanned 2 file"),
+        "with --no-ignore both files must be scanned; got:\n{combined}"
+    );
+}
+
+/// `--verbose` must surface a `skipping ... gitignored` line on stderr so
+/// users can see why a file they expected to be processed is being silent.
+#[test]
+fn discovery_verbose_logs_gitignored_skip() {
+    let (tmp, _kept, ignored) = workspace_with_gitignored_package_json();
+    let path = tmp.path().to_str().unwrap();
+
+    let (_stdout, stderr, _code) = run(&["--check", "--no-cache", "--verbose", path], tmp.path());
+
+    let ignored_str = ignored.to_str().unwrap();
+    assert!(
+        stderr.contains("skipping") && stderr.contains("gitignored"),
+        "verbose mode must emit a 'skipping ... gitignored' line; stderr:\n{stderr}"
+    );
+    assert!(
+        stderr.contains(ignored_str) || stderr.contains("vendor/package.json"),
+        "verbose skip log must mention the ignored path; stderr:\n{stderr}"
+    );
+}
+
+/// `--no-ignore` with `--verbose` should NOT emit skip lines (nothing was
+/// skipped — gitignore is disabled). Pinning this avoids spurious noise.
+#[test]
+fn discovery_no_ignore_with_verbose_emits_no_skip_lines() {
+    let (tmp, _kept, _ignored) = workspace_with_gitignored_package_json();
+    let path = tmp.path().to_str().unwrap();
+
+    let (_stdout, stderr, _code) = run(
+        &["--check", "--no-cache", "--no-ignore", "--verbose", path],
+        tmp.path(),
+    );
+
+    assert!(
+        !stderr.contains("gitignored"),
+        "with --no-ignore there is nothing to skip; stderr should not mention gitignored:\n{stderr}"
+    );
+}