chore(deps): update mvdan.cc/sh/moreinterp digest to f5c6e27

* Closes #2812
* Closes #2818
* Ref https://github.com/mvdan/sh/pull/1330

.github/workflows/lint.yml

@@ -16,7 +16,7 @@ jobs:
     name: Lint
     strategy:
       matrix:
-        go-version: [1.25.x, 1.26.x]
+        go-version: [1.25.10, 1.26.x]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0

.github/workflows/pr-build.yml

@@ -21,7 +21,7 @@ jobs:
         with:
           go-version: "1.26.x"
           cache: true
-      - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7
+      - uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7
         with:
           version: "~> v2"
           args: release --snapshot --clean --config .goreleaser-pr.yml

.github/workflows/release-nightly.yml

@@ -23,7 +23,7 @@ jobs:
           go-version: 1.26.x
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7
+        uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7
         with:
           distribution: goreleaser-pro
           version: latest

.github/workflows/release.yml

@@ -23,7 +23,7 @@ jobs:
         with:
           go-version: 1.26.x
 
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: "24"
           registry-url: "https://registry.npmjs.org"
@@ -35,13 +35,13 @@ jobs:
         uses: go-task/setup-task@3be4020d41929789a01026e0e427a4321ce0ad44 # v2
 
       - name: Install pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+        uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6
         with:
           package_json_file: "website/package.json"
           run_install: "true"
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7
+        uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7
         with:
           distribution: goreleaser-pro
           version: latest

.github/workflows/test.yml

@@ -17,7 +17,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.25.x, 1.26.x]
+        go-version: [1.25.10, 1.26.x]
         platform: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{matrix.platform}}
     steps:

.golangci.yml

@@ -2,33 +2,16 @@ version: "2"
 
 formatters:
   enable:
-    - gofmt
     - gofumpt
     - goimports
     - gci
   settings:
-    gofmt:
-      simplify: true
-      rewrite-rules:
-        - pattern: interface{}
-          replacement: any
-    gofumpt:
-      module-path: github.com/go-task/task/v3
-    goimports:
-      local-prefixes:
-        - github.com/go-task
     gci:
       sections:
         - standard
         - default
         - prefix(github.com/go-task)
         - localmodule
-  exclusions:
-    generated: lax
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
 
 linters:
   enable:
@@ -36,6 +19,7 @@ linters:
     - gosec
     - mirror
     - misspell
+    - modernize
     - noctx
     - paralleltest
     - thelper
@@ -56,13 +40,8 @@ linters:
             - pkg: errors
               desc: Use github.com/go-task/task/v3/errors instead
   exclusions:
-    generated: lax
     presets:
       - comments
       - common-false-positives
       - legacy
       - std-error-handling
-    paths:
-      - third_party$
-      - builtin$
-      - examples$

CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## Unreleased
+
+- A significant performance boost was achieved for large Taskfiles (monorepos)
+  by skipping templating altogether when the string is static (#2820 by @romnn).
+- Added `absPath` template function that resolves a path to its absolute form,
+  cleaning `..` and `.` components (#2681, #2788 by @mateenanjum).
+- Added `joinEnv` function to join paths based on your oprating system: `;` for
+  Windows and `:` elsewhere, and `joinUrl` to join URL paths. Also, added two
+  new special variables: `FILE_PATH_SEPARATOR` which returns `\` on Windows
+  and `/` elsewhere, and `PATH_LIST_SEPARATOR` which returns `;` on Windows and
+  `:` elsewhere (#2406, #2408 by @solvingj).
+- Update the shell interpreter with a regression fix (#2812, #2832 by
+  @andreynering).
+- Fix potential panic with the shell interpreter (#2810 by @trulede).
+
 ## v3.50.0 - 2026-04-13
 
 - Added `enum.ref` support in `requires`: enum constraints can now reference

compiler.go

@@ -202,11 +202,13 @@ func (c *Compiler) getSpecialVars(t *ast.Task, call *Call) (map[string]string, e
 	// across platforms. This prevents issues with backslashes being interpreted
 	// as escape sequences when paths are used in shell commands on Windows.
 	allVars := map[string]string{
-		"TASK_EXE":         filepath.ToSlash(os.Args[0]),
-		"ROOT_TASKFILE":    filepath.ToSlash(filepathext.SmartJoin(c.Dir, c.Entrypoint)),
-		"ROOT_DIR":         filepath.ToSlash(c.Dir),
-		"USER_WORKING_DIR": filepath.ToSlash(c.UserWorkingDir),
-		"TASK_VERSION":     version.GetVersion(),
+		"TASK_EXE":            filepath.ToSlash(os.Args[0]),
+		"ROOT_TASKFILE":       filepath.ToSlash(filepathext.SmartJoin(c.Dir, c.Entrypoint)),
+		"ROOT_DIR":            filepath.ToSlash(c.Dir),
+		"USER_WORKING_DIR":    filepath.ToSlash(c.UserWorkingDir),
+		"TASK_VERSION":        version.GetVersion(),
+		"PATH_LIST_SEPARATOR": string(os.PathListSeparator),
+		"FILE_PATH_SEPARATOR": string(os.PathSeparator),
 	}
 	if t != nil {
 		allVars["TASK"] = t.Task

go.mod

@@ -1,11 +1,11 @@
 module github.com/go-task/task/v3
 
-go 1.25.8
+go 1.25.10
 
 require (
 	charm.land/bubbles/v2 v2.1.0
-	charm.land/bubbletea/v2 v2.0.2
-	charm.land/lipgloss/v2 v2.0.2
+	charm.land/bubbletea/v2 v2.0.6
+	charm.land/lipgloss/v2 v2.0.3
 	github.com/Ladicle/tabwriter v1.0.0
 	github.com/Masterminds/semver/v3 v3.4.0
 	github.com/alecthomas/chroma/v2 v2.23.1
@@ -21,7 +21,7 @@ require (
 	github.com/hashicorp/go-getter v1.8.6
 	github.com/joho/godotenv v1.5.1
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/puzpuzpuz/xsync/v4 v4.4.0
+	github.com/puzpuzpuz/xsync/v4 v4.5.0
 	github.com/sajari/fuzzy v1.0.0
 	github.com/sebdah/goldie/v2 v2.8.0
 	github.com/spf13/pflag v1.0.10
@@ -29,9 +29,9 @@ require (
 	github.com/zeebo/xxh3 v1.1.0
 	go.yaml.in/yaml/v3 v3.0.4
 	golang.org/x/sync v0.20.0
-	golang.org/x/term v0.42.0
-	mvdan.cc/sh/moreinterp v0.0.0-20260120230322-19def062a997
-	mvdan.cc/sh/v3 v3.13.1
+	golang.org/x/term v0.43.0
+	mvdan.cc/sh/moreinterp v0.0.0-20260510185049-f5c6e2779117
+	mvdan.cc/sh/v3 v3.13.2-0.20260503214111-9e7dd28c81cf
 )
 
 require (
@@ -68,9 +68,9 @@ require (
 	github.com/aws/smithy-go v1.24.2 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/charmbracelet/colorprofile v0.4.2 // indirect
-	github.com/charmbracelet/ultraviolet v0.0.0-20260205113103-524a6607adb8 // indirect
-	github.com/charmbracelet/x/ansi v0.11.6 // indirect
+	github.com/charmbracelet/colorprofile v0.4.3 // indirect
+	github.com/charmbracelet/ultraviolet v0.0.0-20260416155717-489999b90468 // indirect
+	github.com/charmbracelet/x/ansi v0.11.7 // indirect
 	github.com/charmbracelet/x/term v0.2.2 // indirect
 	github.com/charmbracelet/x/termios v0.1.1 // indirect
 	github.com/charmbracelet/x/windows v0.2.2 // indirect
@@ -94,10 +94,10 @@ require (
 	github.com/klauspost/compress v1.18.5 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
-	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
+	github.com/lucasb-eyer/go-colorful v1.4.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.21 // indirect
+	github.com/mattn/go-runewidth v0.0.23 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
@@ -120,11 +120,11 @@ require (
 	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
 	go.opentelemetry.io/otel/trace v1.43.0 // indirect
-	golang.org/x/crypto v0.49.0 // indirect
-	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/crypto v0.51.0 // indirect
+	golang.org/x/net v0.54.0 // indirect
 	golang.org/x/oauth2 v0.36.0 // indirect
-	golang.org/x/sys v0.43.0 // indirect
-	golang.org/x/text v0.35.0 // indirect
+	golang.org/x/sys v0.44.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
 	golang.org/x/time v0.15.0 // indirect
 	google.golang.org/api v0.271.0 // indirect
 	google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect

go.sum

@@ -2,10 +2,10 @@ cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4=
 cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=
 charm.land/bubbles/v2 v2.1.0 h1:YSnNh5cPYlYjPxRrzs5VEn3vwhtEn3jVGRBT3M7/I0g=
 charm.land/bubbles/v2 v2.1.0/go.mod h1:l97h4hym2hvWBVfmJDtrEHHCtkIKeTEb3TTJ4ZOB3wY=
-charm.land/bubbletea/v2 v2.0.2 h1:4CRtRnuZOdFDTWSff9r8QFt/9+z6Emubz3aDMnf/dx0=
-charm.land/bubbletea/v2 v2.0.2/go.mod h1:3LRff2U4WIYXy7MTxfbAQ+AdfM3D8Xuvz2wbsOD9OHQ=
-charm.land/lipgloss/v2 v2.0.2 h1:xFolbF8JdpNkM2cEPTfXEcW1p6NRzOWTSamRfYEw8cs=
-charm.land/lipgloss/v2 v2.0.2/go.mod h1:KjPle2Qd3YmvP1KL5OMHiHysGcNwq6u83MUjYkFvEkM=
+charm.land/bubbletea/v2 v2.0.6 h1:UHN/91OyuhaOFGSrBXQ/hMZD8IO1Uc4BvHlgHXL2WJo=
+charm.land/bubbletea/v2 v2.0.6/go.mod h1:MH/D8ZLlN3op37vQvijKuU29g3rqTp+aQapURFonF9g=
+charm.land/lipgloss/v2 v2.0.3 h1:yM2zJ4Cf5Y51b7RHIwioil4ApI/aypFXXVHSwlM6RzU=
+charm.land/lipgloss/v2 v2.0.3/go.mod h1:7myLU9iG/3xluAWzpY/fSxYYHCgoKTie7laxk6ATwXA=
 cloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE=
 cloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU=
 cloud.google.com/go/auth v0.18.2 h1:+Nbt5Ev0xEqxlNjd6c+yYUeosQ5TtEUaNcN/3FozlaM=
@@ -92,12 +92,12 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chainguard-dev/git-urls v1.0.2 h1:pSpT7ifrpc5X55n4aTTm7FFUE+ZQHKiqpiwNkJrVcKQ=
 github.com/chainguard-dev/git-urls v1.0.2/go.mod h1:rbGgj10OS7UgZlbzdUQIQpT0k/D4+An04HJY7Ol+Y/o=
-github.com/charmbracelet/colorprofile v0.4.2 h1:BdSNuMjRbotnxHSfxy+PCSa4xAmz7szw70ktAtWRYrY=
-github.com/charmbracelet/colorprofile v0.4.2/go.mod h1:0rTi81QpwDElInthtrQ6Ni7cG0sDtwAd4C4le060fT8=
-github.com/charmbracelet/ultraviolet v0.0.0-20260205113103-524a6607adb8 h1:eyFRbAmexyt43hVfeyBofiGSEmJ7krjLOYt/9CF5NKA=
-github.com/charmbracelet/ultraviolet v0.0.0-20260205113103-524a6607adb8/go.mod h1:SQpCTRNBtzJkwku5ye4S3HEuthAlGy2n9VXZnWkEW98=
-github.com/charmbracelet/x/ansi v0.11.6 h1:GhV21SiDz/45W9AnV2R61xZMRri5NlLnl6CVF7ihZW8=
-github.com/charmbracelet/x/ansi v0.11.6/go.mod h1:2JNYLgQUsyqaiLovhU2Rv/pb8r6ydXKS3NIttu3VGZQ=
+github.com/charmbracelet/colorprofile v0.4.3 h1:QPa1IWkYI+AOB+fE+mg/5/4HRMZcaXex9t5KX76i20Q=
+github.com/charmbracelet/colorprofile v0.4.3/go.mod h1:/zT4BhpD5aGFpqQQqw7a+VtHCzu+zrQtt1zhMt9mR4Q=
+github.com/charmbracelet/ultraviolet v0.0.0-20260416155717-489999b90468 h1:Q9fO0y1Zo5KB/5Vu8JZoLGm1N3RzF9bNj3Ao3xoR+Ac=
+github.com/charmbracelet/ultraviolet v0.0.0-20260416155717-489999b90468/go.mod h1:bAAz7dh/FTYfC+oiHavL4mX1tOIBZ0ZwYjSi3qE6ivM=
+github.com/charmbracelet/x/ansi v0.11.7 h1:kzv1kJvjg2S3r9KHo8hDdHFQLEqn4RBCb39dAYC84jI=
+github.com/charmbracelet/x/ansi v0.11.7/go.mod h1:9qGpnAVYz+8ACONkZBUWPtL7lulP9No6p1epAihUZwQ=
 github.com/charmbracelet/x/exp/golden v0.0.0-20250806222409-83e3a29d542f h1:pk6gmGpCE7F3FcjaOEKYriCvpmIN4+6OS/RD0vm4uIA=
 github.com/charmbracelet/x/exp/golden v0.0.0-20250806222409-83e3a29d542f/go.mod h1:IfZAMTHB6XkZSeXUqriemErjAWCCzT0LwjKFYCZyw0I=
 github.com/charmbracelet/x/term v0.2.2 h1:xVRT/S2ZcKdhhOuSP4t5cLi5o+JxklsoEObBSgfgZRk=
@@ -192,14 +192,14 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/lucasb-eyer/go-colorful v1.3.0 h1:2/yBRLdWBZKrf7gB40FoiKfAWYQ0lqNcbuQwVHXptag=
-github.com/lucasb-eyer/go-colorful v1.3.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
+github.com/lucasb-eyer/go-colorful v1.4.0 h1:UtrWVfLdarDgc44HcS7pYloGHJUjHV/4FwW4TvVgFr4=
+github.com/lucasb-eyer/go-colorful v1.4.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.21 h1:jJKAZiQH+2mIinzCJIaIG9Be1+0NR+5sz/lYEEjdM8w=
-github.com/mattn/go-runewidth v0.0.21/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
+github.com/mattn/go-runewidth v0.0.23 h1:7ykA0T0jkPpzSvMS5i9uoNn2Xy3R383f9HDx3RybWcw=
+github.com/mattn/go-runewidth v0.0.23/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
@@ -214,8 +214,8 @@ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/puzpuzpuz/xsync/v4 v4.4.0 h1:vlSN6/CkEY0pY8KaB0yqo/pCLZvp9nhdbBdjipT4gWo=
-github.com/puzpuzpuz/xsync/v4 v4.4.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
+github.com/puzpuzpuz/xsync/v4 v4.5.0 h1:vOSWu6b57/emh+L/Cw0BeQfvxa/cogFywXHeGUxQxAg=
+github.com/puzpuzpuz/xsync/v4 v4.5.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
@@ -272,27 +272,23 @@ go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09
 go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
-golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
+golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
+golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
 golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 h1:nDVHiLt8aIbd/VzvPWN6kSOPE7+F/fNFDSXLVYkE/Iw=
 golang.org/x/exp v0.0.0-20250305212735-054e65f0b394/go.mod h1:sIifuuw/Yco/y6yb6+bDNfyeQ/MdPUy/hKEMYQV17cM=
-golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
-golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
+golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
-golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
-golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
-golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
+golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
 golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
@@ -319,5 +315,7 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 mvdan.cc/sh/moreinterp v0.0.0-20260120230322-19def062a997 h1:3bbJwtPFh98dJ6lxRdR3eLHTH1CmR3BcU6TriIMiXjE=
 mvdan.cc/sh/moreinterp v0.0.0-20260120230322-19def062a997/go.mod h1:Qy/zdaMDxq9sT72Gi43K3gsV+TtTohyDO3f1cyBVwuo=
-mvdan.cc/sh/v3 v3.13.1 h1:DP3TfgZhDkT7lerUdnp6PTGKyxxzz6T+cOlY/xEvfWk=
-mvdan.cc/sh/v3 v3.13.1/go.mod h1:lXJ8SexMvEVcHCoDvAGLZgFJ9Wsm2sulmoNEXGhYZD0=
+mvdan.cc/sh/moreinterp v0.0.0-20260510185049-f5c6e2779117 h1:JPDzzhmf2Vx9xIXjyyy/TArCIdWb6Bnec7xHirHSXFg=
+mvdan.cc/sh/moreinterp v0.0.0-20260510185049-f5c6e2779117/go.mod h1:SR7UOjTQQhhrUu6d6lNtjAmdqmlMqr0lR/UWTxY8wJM=
+mvdan.cc/sh/v3 v3.13.2-0.20260503214111-9e7dd28c81cf h1:3mGRe/xSr7fd9m+c5FSab/CSCtADsbdMcyhYGdVR6DY=
+mvdan.cc/sh/v3 v3.13.2-0.20260503214111-9e7dd28c81cf/go.mod h1:lXJ8SexMvEVcHCoDvAGLZgFJ9Wsm2sulmoNEXGhYZD0=

internal/execext/exec.go

@@ -127,7 +127,10 @@ func ExpandFields(s string) ([]string, error) {
 	s = escape(s)
 	p := syntax.NewParser()
 	var words []*syntax.Word
-	for w := range p.WordsSeq(strings.NewReader(s)) {
+	for w, err := range p.WordsSeq(strings.NewReader(s)) {
+		if err != nil {
+			return nil, err
+		}
 		words = append(words, w)
 	}
 	cfg := &expand.Config{

internal/summary/summary.go

@@ -285,7 +285,9 @@ func isEnvVar(key string, envVars map[string]bool) bool {
 		key == "TASKFILE_DIR" ||
 		key == "USER_WORKING_DIR" ||
 		key == "ALIAS" ||
-		key == "MATCH" {
+		key == "MATCH" ||
+		key == "PATH_LIST_SEPARATOR" ||
+		key == "FILE_PATH_SEPARATOR" {
 		return true
 	}
 	return envVars[key]

internal/templater/funcs.go

@@ -3,6 +3,8 @@ package templater
 import (
 	"maps"
 	"math/rand/v2"
+	"os"
+	"path"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -21,8 +23,8 @@ var templateFuncs template.FuncMap
 
 func init() {
 	taskFuncs := template.FuncMap{
-		"OS":           os,
-		"ARCH":         arch,
+		"OS":           goos,
+		"ARCH":         goarch,
 		"numCPU":       runtime.NumCPU,
 		"catLines":     catLines,
 		"splitLines":   splitLines,
@@ -33,7 +35,10 @@ func init() {
 		"splitArgs":    splitArgs,
 		"IsSH":         IsSH, // Deprecated
 		"joinPath":     filepath.Join,
+		"joinEnv":      joinEnv,
+		"joinUrl":      joinUrl,
 		"relPath":      filepath.Rel,
+		"absPath":      filepath.Abs,
 		"merge":        merge,
 		"spew":         spew.Sdump,
 		"fromYaml":     fromYaml,
@@ -56,11 +61,11 @@ func init() {
 	maps.Copy(templateFuncs, taskFuncs)
 }
 
-func os() string {
+func goos() string {
 	return runtime.GOOS
 }
 
-func arch() string {
+func goarch() string {
 	return runtime.GOARCH
 }
 
@@ -94,6 +99,14 @@ func IsSH() bool {
 	return true
 }
 
+func joinEnv(elem ...string) string {
+	return strings.Join(elem, string(os.PathListSeparator))
+}
+
+func joinUrl(elem ...string) string {
+	return path.Join(elem...)
+}
+
 func merge(base map[string]any, v ...map[string]any) map[string]any {
 	cap := len(v)
 	for _, m := range v {

internal/templater/templater.go

@@ -68,6 +68,13 @@ func ReplaceWithExtra[T any](v T, cache *Cache, extra map[string]any) T {
 		return v
 	}
 
+	// Optimization: skip if string is not a template
+	if s, ok := any(v).(string); ok {
+		if !strings.Contains(s, "{{") {
+			return v
+		}
+	}
+
 	// Initialize the cache map if it's not already initialized
 	if cache.cacheMap == nil {
 		cache.cacheMap = cache.Vars.ToCacheMap()
@@ -82,6 +89,10 @@ func ReplaceWithExtra[T any](v T, cache *Cache, extra map[string]any) T {
 
 	// Traverse the value and parse any template variables
 	copy, err := deepcopy.TraverseStringsFunc(v, func(v string) (string, error) {
+		// Optimization: skip if string is not a template
+		if !strings.Contains(v, "{{") {
+			return v, nil
+		}
 		tpl, err := template.New("").Funcs(templateFuncs).Parse(v)
 		if err != nil {
 			return v, err

task_test.go

@@ -2601,6 +2601,27 @@ func TestSplitArgs(t *testing.T) {
 	assert.Equal(t, "3\n", buff.String())
 }
 
+func TestAbsPath(t *testing.T) {
+	t.Parallel()
+
+	var buff bytes.Buffer
+	e := task.NewExecutor(
+		task.WithDir("testdata/abs_path"),
+		task.WithStdout(&buff),
+		task.WithStderr(&buff),
+		task.WithSilent(true),
+	)
+	require.NoError(t, e.Setup())
+
+	err := e.Run(t.Context(), &task.Call{Task: "default"})
+	require.NoError(t, err)
+
+	cwd, err := os.Getwd()
+	require.NoError(t, err)
+	expected := filepath.Join(cwd, "bar") + "\n"
+	assert.Equal(t, expected, buff.String())
+}
+
 func TestSingleCmdDep(t *testing.T) {
 	t.Parallel()
 

taskfile/node.go

@@ -93,8 +93,8 @@ func getScheme(uri string) (string, error) {
 		return "git", nil
 	}
 
-	if i := strings.Index(uri, "://"); i != -1 {
-		return uri[:i], nil
+	if before, _, ok := strings.Cut(uri, "://"); ok {
+		return before, nil
 	}
 
 	return "", nil

taskfile/reader.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/url"
 	"os"
+	"slices"
 	"sync"
 	"time"
 
@@ -285,12 +286,7 @@ func (r *Reader) isTrusted(uri string) bool {
 	host := parsedURL.Host
 
 	// Check against each trusted pattern (exact match including port if provided)
-	for _, pattern := range r.trustedHosts {
-		if host == pattern {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(r.trustedHosts, host)
 }
 
 func (r *Reader) include(ctx context.Context, node Node) error {

testdata/abs_path/Taskfile.yml

@@ -0,0 +1,6 @@
+version: '3'
+
+tasks:
+  default:
+    cmds:
+      - cmd: echo '{{absPath "foo/../bar"}}'

website/.vitepress/adopters.ts

@@ -0,0 +1,138 @@
+export interface Adopter {
+  name: string;
+  url: string;
+  img: string;
+  description: string;
+}
+
+export const adopters: Adopter[] = [
+  // Big brand names (first three double as the "featured" showcase)
+  {
+    name: 'Docker',
+    url: 'https://github.com/docker/mcp-registry',
+    img: 'https://github.com/docker.png',
+    description:
+      'The industry-standard container platform uses Task in mcp-registry, the official registry for Docker Model Context Protocol servers.'
+  },
+  {
+    name: 'Vercel',
+    url: 'https://github.com/vercel/terraform-provider-vercel',
+    img: 'https://github.com/vercel.png',
+    description:
+      'The team behind Next.js and the leading frontend cloud platform uses Task to run and release the official Vercel Terraform provider.'
+  },
+  {
+    name: 'HashiCorp',
+    url: 'https://github.com/hashicorp/terraform-aws-terraform-enterprise-hvd',
+    img: 'https://github.com/hashicorp.png',
+    description:
+      'HashiCorp ships Task across its Validated Design modules for Terraform, Vault, Consul, Nomad, and Boundary on AWS, Azure, and GCP.'
+  },
+  // Other big brands
+  {
+    name: 'Microsoft',
+    url: 'https://github.com/Azure/Azure-Sentinel',
+    img: 'https://github.com/microsoft.png',
+    description:
+      'Azure Sentinel, Microsoft’s cloud-native SIEM used by enterprises worldwide, relies on Task to orchestrate its repository automation.'
+  },
+  {
+    name: 'Google Cloud',
+    url: 'https://github.com/GoogleCloudPlatform/deploystack',
+    img: 'https://github.com/GoogleCloudPlatform.png',
+    description:
+      'DeployStack, Google Cloud’s one-click Terraform deployment tool, automates its workflows with Task.'
+  },
+  {
+    name: 'AWS',
+    url: 'https://github.com/aws-samples/appmod-blueprints',
+    img: 'https://github.com/aws-samples.png',
+    description:
+      'The AWS Samples AppMod Blueprints reference platform uses Task to orchestrate its demo environments.'
+  },
+  {
+    name: 'Anthropic',
+    url: 'https://github.com/anthropics/buffa',
+    img: 'https://github.com/anthropics.png',
+    description:
+      'Anthropic’s Rust protobuf implementation, buffa, uses Task for its build and release tooling.'
+  },
+  {
+    name: 'MongoDB',
+    url: 'https://github.com/mongodb/mongo-go-driver',
+    img: 'https://github.com/mongodb.png',
+    description:
+      'The official Go driver for MongoDB uses Task to orchestrate its build, lint, formatting, and full test suite across every commit.'
+  },
+  {
+    name: 'Redpanda',
+    url: 'https://github.com/redpanda-data/connect',
+    img: 'https://github.com/redpanda-data.png',
+    description:
+      'Redpanda Connect, the stream processor formerly known as Benthos, uses Task to orchestrate builds, Docker images, test suites, and its GitHub release pipeline.'
+  },
+  // Notable open source projects
+  {
+    name: 'Flet',
+    url: 'https://github.com/flet-dev/flet',
+    img: 'https://github.com/flet-dev.png',
+    description:
+      'Build realtime web, mobile and desktop apps in Python, with no frontend experience required.'
+  },
+  {
+    name: 'GoReleaser',
+    url: 'https://github.com/goreleaser/goreleaser',
+    img: 'https://github.com/goreleaser.png',
+    description:
+      'Release engineering, simplified. GoReleaser is the de-facto release automation tool for Go projects.'
+  },
+  {
+    name: 'Arduino CLI',
+    url: 'https://github.com/arduino/arduino-cli',
+    img: 'https://github.com/arduino.png',
+    description:
+      'The official Arduino command-line tool. Task powers the entire Arduino developer tooling stack across 70+ repositories.'
+  },
+  {
+    name: 'FerretDB',
+    url: 'https://github.com/FerretDB/FerretDB',
+    img: 'https://github.com/FerretDB.png',
+    description:
+      'A truly open-source MongoDB alternative built on PostgreSQL, with Task driving every build and release step.'
+  },
+  {
+    name: 'Tyk',
+    url: 'https://github.com/TykTechnologies/tyk',
+    img: 'https://github.com/TykTechnologies.png',
+    description:
+      'Open source API gateway supporting REST, GraphQL, TCP and gRPC, automated end-to-end with Task.'
+  },
+  {
+    name: 'Charmbracelet',
+    url: 'https://github.com/charmbracelet/glamour',
+    img: 'https://github.com/charmbracelet.png',
+    description:
+      'The team behind Bubble Tea uses Task to build Glamour, the stylesheet-based markdown renderer for CLI apps.'
+  },
+  {
+    name: 'Outline',
+    url: 'https://github.com/OutlineFoundation/outline-server',
+    img: 'https://github.com/OutlineFoundation.png',
+    description:
+      'Outline, the open-source proxy server originally built by Jigsaw (Google), uses Task for its build pipeline.'
+  },
+  {
+    name: 'werf',
+    url: 'https://github.com/werf/werf',
+    img: 'https://github.com/werf.png',
+    description:
+      'werf, the CNCF-hosted CI/CD tool for shipping software to Kubernetes, uses Task as its build and development entry point.'
+  },
+  {
+    name: 'Gobuster',
+    url: 'https://github.com/OJ/gobuster',
+    img: 'https://github.com/OJ.png',
+    description:
+      'The ubiquitous directory, DNS and virtual-host brute-forcing tool trusted by pen testers worldwide runs its entire build through Task.'
+  }
+];

website/.vitepress/components/Adopters.vue

@@ -0,0 +1,629 @@
+<script setup lang="ts">
+import { adopters } from '../adopters';
+
+const featured = adopters.slice(0, 3);
+const rest = adopters.slice(3);
+
+const pad = (n: number) => String(n).padStart(2, '0');
+const githubPath = (url: string) =>
+  url.replace(/^https?:\/\/github\.com\//, '').replace(/\/$/, '');
+</script>
+
+<template>
+  <article class="adopters-page">
+    <header class="hero">
+      <p class="kicker">
+        <span class="slashes">//</span>
+        Who builds with Task
+      </p>
+      <h1 class="title">
+        Trusted by teams shipping<br />
+        production software.
+      </h1>
+      <p class="lead">
+        Thousands of open source projects use Task as their build and release
+        orchestrator, from hyperscaler platforms and enterprise security tools
+        to CLI utilities downloaded millions of times. Below are a few
+        organizations whose public repositories ship a
+        <code>Taskfile.yml</code>. Every entry links to real, production code
+        you can inspect yourself.
+      </p>
+    </header>
+
+    <section class="featured" aria-labelledby="featured-heading">
+      <h2 id="featured-heading" class="section-title">
+        <span class="slashes">//</span>
+        Featured adopters
+      </h2>
+      <div class="featured-grid">
+        <a
+          v-for="item in featured"
+          :key="item.name"
+          :href="item.url"
+          target="_blank"
+          rel="noopener"
+          class="featured-card"
+          :aria-label="`${item.name} on GitHub`"
+        >
+          <span class="corner tl" aria-hidden="true"></span>
+          <span class="corner tr" aria-hidden="true"></span>
+          <span class="corner bl" aria-hidden="true"></span>
+          <span class="corner br" aria-hidden="true"></span>
+
+          <img
+            :src="item.img"
+            :alt="`${item.name} logo`"
+            class="featured-logo"
+            loading="lazy"
+            decoding="async"
+            width="64"
+            height="64"
+          />
+          <h3 class="featured-name">{{ item.name }}</h3>
+          <p class="featured-desc">{{ item.description }}</p>
+          <span class="featured-cta">
+            <span class="cta-label">View Taskfile on GitHub</span>
+            <span class="cta-arrow" aria-hidden="true">&rarr;</span>
+          </span>
+        </a>
+      </div>
+    </section>
+
+    <section class="grid-section" aria-labelledby="grid-heading">
+      <h2 id="grid-heading" class="section-title">
+        <span class="slashes">//</span>
+        More projects using Task
+      </h2>
+      <div class="grid">
+        <a
+          v-for="(item, i) in rest"
+          :key="item.name"
+          :href="item.url"
+          target="_blank"
+          rel="noopener"
+          class="card"
+          :aria-label="`${item.name} on GitHub`"
+        >
+          <div class="card-head">
+            <img
+              :src="item.img"
+              :alt="`${item.name} logo`"
+              class="card-logo"
+              loading="lazy"
+              decoding="async"
+              width="44"
+              height="44"
+            />
+            <span class="card-index"
+              >N&deg; {{ pad(i + featured.length + 1) }}</span
+            >
+          </div>
+          <h3 class="card-name">{{ item.name }}</h3>
+          <p class="card-desc">{{ item.description }}</p>
+          <div class="card-foot">
+            <span class="card-path">{{ githubPath(item.url) }}</span>
+            <span class="card-arrow" aria-hidden="true">&rarr;</span>
+          </div>
+        </a>
+      </div>
+    </section>
+
+    <section class="faq" aria-labelledby="why-heading">
+      <h2 id="why-heading" class="section-title">
+        <span class="slashes">//</span>
+        Why Task?
+      </h2>
+      <dl class="faq-list">
+        <div class="faq-item">
+          <dt>Is Task production-ready?</dt>
+          <dd>
+            Yes. Task ships as a single static binary, has been in wide
+            production use since 2018, and powers the release workflows of
+            projects with millions of downloads including Arduino CLI,
+            GoReleaser, FerretDB, and Gogs.
+          </dd>
+        </div>
+        <div class="faq-item">
+          <dt>Who uses Task in enterprise?</dt>
+          <dd>
+            Docker, Vercel, HashiCorp, Microsoft (Azure Sentinel), Google Cloud,
+            AWS, and Anthropic are among the organizations that ship code with a
+            <code>Taskfile.yml</code>. Task is also embedded end-to-end in
+            Arduino’s developer tooling stack across more than 70 repositories.
+          </dd>
+        </div>
+        <div class="faq-item">
+          <dt>How is Task different from Make?</dt>
+          <dd>
+            Task uses plain YAML instead of Make’s tab-sensitive syntax, runs
+            identically on Linux, macOS, and Windows, and provides built-in
+            caching based on file fingerprints. It also comes with an
+            <a href="/docs/integrations"
+              >ecosystem of editor and CI integrations</a
+            >
+            that Make lacks by default.
+          </dd>
+        </div>
+        <div class="faq-item">
+          <dt>Where can I find real-world Taskfile examples?</dt>
+          <dd>
+            Every project above links directly to a public repository containing
+            a production <code>Taskfile.yml</code>. Browsing those is the
+            fastest way to see Task used in real codebases at different scales.
+          </dd>
+        </div>
+      </dl>
+    </section>
+
+    <aside class="submit-cta">
+      <div class="submit-body">
+        <p class="submit-kicker">
+          <span class="slashes">//</span>
+          Using Task in your project?
+        </p>
+        <p class="submit-text">
+          Open a pull request on
+          <a
+            href="https://github.com/go-task/task/blob/main/website/.vitepress/adopters.ts"
+            target="_blank"
+            rel="noopener"
+            ><code>.vitepress/adopters.ts</code></a
+          >
+          to get featured here.
+        </p>
+      </div>
+    </aside>
+  </article>
+</template>
+
+<style scoped>
+.adopters-page {
+  max-width: 1152px;
+  margin: 0 auto;
+  padding: 0 24px 6rem;
+}
+
+.slashes {
+  color: var(--vp-c-brand-1);
+  margin-right: 0.4em;
+}
+
+.section-title {
+  font-family: var(--vp-font-family-mono);
+  font-size: 0.8rem;
+  font-weight: 500;
+  letter-spacing: 0.04em;
+  color: var(--vp-c-text-2);
+  text-transform: uppercase;
+  margin: 0 0 1.5rem;
+}
+
+/* ---------- Hero ---------- */
+.hero {
+  padding: 3.5rem 0 4rem;
+  max-width: 48rem;
+}
+
+.kicker {
+  font-family: var(--vp-font-family-mono);
+  font-size: 0.8rem;
+  font-weight: 500;
+  letter-spacing: 0.04em;
+  color: var(--vp-c-text-2);
+  text-transform: uppercase;
+  margin: 0 0 1.25rem;
+}
+
+.title {
+  font-size: clamp(2.25rem, 5vw, 3.5rem);
+  font-weight: 700;
+  letter-spacing: -0.03em;
+  line-height: 1.05;
+  margin: 0 0 1.75rem;
+  color: var(--vp-c-text-1);
+}
+
+.lead {
+  font-size: 1.1rem;
+  line-height: 1.65;
+  color: var(--vp-c-text-2);
+  margin: 0;
+}
+
+.lead code {
+  font-family: var(--vp-font-family-mono);
+  font-size: 0.9em;
+  padding: 0.1rem 0.4rem;
+  border-radius: 4px;
+  background: var(--vp-c-bg-alt);
+  color: var(--vp-c-brand-1);
+}
+
+/* ---------- Featured ---------- */
+.featured {
+  margin-bottom: 4rem;
+}
+
+.featured-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
+  gap: 1.25rem;
+}
+
+.featured-card {
+  position: relative;
+  display: flex;
+  flex-direction: column;
+  gap: 1rem;
+  padding: 2rem 1.75rem;
+  border: 1px solid var(--vp-c-divider);
+  border-radius: 16px;
+  background: var(--vp-c-bg-soft);
+  color: var(--vp-c-text-1);
+  text-decoration: none !important;
+  transition:
+    border-color 0.3s ease,
+    transform 0.3s ease,
+    box-shadow 0.3s ease;
+  isolation: isolate;
+  overflow: hidden;
+}
+
+.featured-card::before {
+  content: '';
+  position: absolute;
+  inset: 0;
+  background: radial-gradient(
+    600px circle at 50% 0%,
+    color-mix(in srgb, var(--vp-c-brand-1) 14%, transparent),
+    transparent 50%
+  );
+  opacity: 0;
+  transition: opacity 0.3s ease;
+  pointer-events: none;
+  z-index: -1;
+}
+
+.featured-card:hover {
+  border-color: color-mix(
+    in srgb,
+    var(--vp-c-brand-1) 50%,
+    var(--vp-c-divider)
+  );
+  transform: translateY(-3px);
+  box-shadow: 0 18px 48px -28px
+    color-mix(in srgb, var(--vp-c-brand-1) 50%, transparent);
+}
+
+.featured-card:hover::before {
+  opacity: 1;
+}
+
+.featured-logo {
+  width: 56px;
+  height: 56px;
+  border-radius: 12px;
+  object-fit: cover;
+  background: #fff;
+}
+
+.featured-name {
+  font-size: 1.4rem;
+  font-weight: 700;
+  letter-spacing: -0.02em;
+  margin: 0;
+  line-height: 1.2;
+}
+
+.featured-desc {
+  font-size: 0.95rem;
+  line-height: 1.55;
+  color: var(--vp-c-text-2);
+  margin: 0;
+  flex: 1;
+}
+
+.featured-cta {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.4rem;
+  font-family: var(--vp-font-family-mono);
+  font-size: 0.78rem;
+  color: var(--vp-c-text-2);
+  transition: color 0.3s ease;
+  margin-top: 0.5rem;
+}
+
+.featured-card:hover .featured-cta {
+  color: var(--vp-c-brand-1);
+}
+
+.cta-arrow {
+  display: inline-block;
+  transition: transform 0.3s ease;
+}
+
+.featured-card:hover .cta-arrow {
+  transform: translateX(4px);
+}
+
+/* Crosshair corner marks (shared with grid cards) */
+.corner {
+  position: absolute;
+  width: 10px;
+  height: 10px;
+  opacity: 0;
+  transition: opacity 0.3s ease;
+  pointer-events: none;
+}
+
+.corner::before,
+.corner::after {
+  content: '';
+  position: absolute;
+  background: var(--vp-c-brand-1);
+}
+
+.corner::before {
+  width: 10px;
+  height: 1px;
+  top: 50%;
+  left: 0;
+}
+
+.corner::after {
+  width: 1px;
+  height: 10px;
+  top: 0;
+  left: 50%;
+}
+
+.corner.tl {
+  top: 8px;
+  left: 8px;
+}
+.corner.tr {
+  top: 8px;
+  right: 8px;
+}
+.corner.bl {
+  bottom: 8px;
+  left: 8px;
+}
+.corner.br {
+  bottom: 8px;
+  right: 8px;
+}
+
+.featured-card:hover .corner {
+  opacity: 0.8;
+}
+
+/* ---------- Grid ---------- */
+.grid-section {
+  margin-bottom: 4rem;
+}
+
+.grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fill, minmax(260px, 1fr));
+  gap: 1rem;
+}
+
+.card {
+  position: relative;
+  display: flex;
+  flex-direction: column;
+  gap: 1rem;
+  padding: 1.25rem 1.25rem 1rem;
+  border: 1px solid var(--vp-c-divider);
+  border-radius: 12px;
+  background: var(--vp-c-bg-soft);
+  color: var(--vp-c-text-1);
+  text-decoration: none !important;
+  transition:
+    border-color 0.25s ease,
+    transform 0.25s ease,
+    box-shadow 0.25s ease;
+}
+
+.card:hover {
+  border-color: color-mix(
+    in srgb,
+    var(--vp-c-brand-1) 45%,
+    var(--vp-c-divider)
+  );
+  transform: translateY(-2px);
+  box-shadow: 0 10px 28px -22px
+    color-mix(in srgb, var(--vp-c-brand-1) 40%, transparent);
+}
+
+.card-head {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 0.75rem;
+}
+
+.card-logo {
+  width: 40px;
+  height: 40px;
+  border-radius: 8px;
+  object-fit: cover;
+  background: #fff;
+  flex-shrink: 0;
+}
+
+.card-index {
+  font-family: var(--vp-font-family-mono);
+  font-size: 0.7rem;
+  letter-spacing: 0.04em;
+  color: var(--vp-c-text-3);
+  font-variant-numeric: tabular-nums;
+  transition: color 0.25s ease;
+}
+
+.card:hover .card-index {
+  color: var(--vp-c-brand-1);
+}
+
+.card-name {
+  font-size: 1.05rem;
+  font-weight: 600;
+  letter-spacing: -0.01em;
+  line-height: 1.25;
+  margin: 0;
+}
+
+.card-desc {
+  font-size: 0.85rem;
+  line-height: 1.5;
+  color: var(--vp-c-text-2);
+  margin: 0;
+  flex: 1;
+}
+
+.card-foot {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 0.5rem;
+  padding-top: 0.75rem;
+  border-top: 1px dashed var(--vp-c-divider);
+}
+
+.card-path {
+  font-family: var(--vp-font-family-mono);
+  font-size: 0.72rem;
+  color: var(--vp-c-text-3);
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+  min-width: 0;
+  flex: 1;
+}
+
+.card-arrow {
+  font-family: var(--vp-font-family-mono);
+  font-size: 0.8rem;
+  color: var(--vp-c-text-2);
+  transition:
+    transform 0.25s ease,
+    color 0.25s ease;
+}
+
+.card:hover .card-arrow {
+  transform: translateX(3px);
+  color: var(--vp-c-brand-1);
+}
+
+/* ---------- FAQ ---------- */
+.faq {
+  margin-bottom: 3.5rem;
+  max-width: 48rem;
+}
+
+.faq-list {
+  margin: 0;
+}
+
+.faq-item {
+  padding: 1.25rem 0;
+  border-bottom: 1px solid var(--vp-c-divider);
+}
+
+.faq-item:first-of-type {
+  border-top: 1px solid var(--vp-c-divider);
+}
+
+.faq-item dt {
+  font-size: 1.05rem;
+  font-weight: 600;
+  color: var(--vp-c-text-1);
+  margin: 0 0 0.5rem;
+  letter-spacing: -0.01em;
+}
+
+.faq-item dd {
+  font-size: 0.95rem;
+  line-height: 1.65;
+  color: var(--vp-c-text-2);
+  margin: 0;
+}
+
+.faq-item dd a {
+  color: var(--vp-c-brand-1);
+  font-weight: 500;
+}
+
+.faq-item dd code {
+  font-family: var(--vp-font-family-mono);
+  font-size: 0.88em;
+  padding: 0.08rem 0.35rem;
+  border-radius: 4px;
+  background: var(--vp-c-bg-alt);
+  color: var(--vp-c-brand-1);
+}
+
+/* ---------- Submit CTA ---------- */
+.submit-cta {
+  padding: 1.75rem 2rem;
+  border: 1px solid var(--vp-c-divider);
+  border-radius: 14px;
+  background:
+    linear-gradient(
+      135deg,
+      color-mix(in srgb, var(--vp-c-brand-1) 6%, transparent) 0%,
+      transparent 60%
+    ),
+    var(--vp-c-bg-soft);
+  position: relative;
+  overflow: hidden;
+}
+
+.submit-cta::before {
+  content: '';
+  position: absolute;
+  top: -1px;
+  left: 2rem;
+  right: 2rem;
+  height: 1px;
+  background: linear-gradient(
+    90deg,
+    transparent,
+    var(--vp-c-brand-1),
+    transparent
+  );
+  opacity: 0.5;
+}
+
+.submit-kicker {
+  font-family: var(--vp-font-family-mono);
+  font-size: 0.75rem;
+  font-weight: 500;
+  letter-spacing: 0.04em;
+  color: var(--vp-c-text-2);
+  text-transform: uppercase;
+  margin: 0 0 0.5rem;
+}
+
+.submit-text {
+  font-size: 0.95rem;
+  line-height: 1.55;
+  color: var(--vp-c-text-2);
+  margin: 0;
+}
+
+.submit-text a {
+  color: var(--vp-c-brand-1);
+  font-weight: 500;
+}
+
+.submit-text code {
+  font-family: var(--vp-font-family-mono);
+  font-size: 0.88em;
+  padding: 0.08rem 0.4rem;
+  border-radius: 4px;
+  background: var(--vp-c-bg-alt);
+}
+</style>

website/.vitepress/components/AdoptersCarousel.vue

@@ -0,0 +1,227 @@
+<script setup lang="ts">
+import { adopters } from '../adopters';
+
+const loop = [...adopters, ...adopters];
+</script>
+
+<template>
+  <section class="adopters-carousel" aria-labelledby="adopters-heading">
+    <h2 id="adopters-heading" class="label">
+      <span class="slashes">//</span>
+      Trusted by open source projects
+    </h2>
+    <p class="subline">
+      Adopted by <strong>Docker</strong>, <strong>Vercel</strong>,
+      <strong>HashiCorp</strong>, <strong>Microsoft</strong>,
+      <strong>Google Cloud</strong>, <strong>AWS</strong>,
+      <strong>Anthropic</strong> and more.
+      <a class="see-all" href="/adopters">
+        See all adopters
+        <span class="see-all-arrow" aria-hidden="true">&rarr;</span>
+      </a>
+    </p>
+
+    <div class="viewport">
+      <div class="track">
+        <a
+          v-for="(item, i) in loop"
+          :key="`${item.name}-${i}`"
+          :href="item.url"
+          target="_blank"
+          rel="noopener"
+          class="chip"
+          :aria-label="`${item.name} on GitHub`"
+        >
+          <img
+            :src="item.img"
+            :alt="`${item.name} logo`"
+            class="logo"
+            loading="lazy"
+            decoding="async"
+            width="28"
+            height="28"
+          />
+          <span class="name">{{ item.name }}</span>
+          <span class="chevron" aria-hidden="true">&rarr;</span>
+        </a>
+      </div>
+    </div>
+  </section>
+</template>
+
+<style scoped>
+.adopters-carousel {
+  max-width: 1248px;
+  margin: 5rem auto 2rem;
+  padding: 0 24px;
+}
+
+.label {
+  font-family: var(--vp-font-family-mono);
+  font-size: 0.8rem;
+  font-weight: 500;
+  letter-spacing: 0.04em;
+  color: var(--vp-c-text-2);
+  text-transform: uppercase;
+  text-align: center;
+  margin: 0 0 0.75rem;
+}
+
+.slashes {
+  color: var(--vp-c-brand-1);
+  margin-right: 0.4em;
+}
+
+.subline {
+  text-align: center;
+  font-size: 0.95rem;
+  color: var(--vp-c-text-2);
+  max-width: 640px;
+  margin: 0 auto 2rem;
+  line-height: 1.5;
+}
+
+.subline strong {
+  color: var(--vp-c-text-1);
+  font-weight: 600;
+}
+
+.see-all {
+  display: inline-block;
+  margin-left: 0.4em;
+  color: var(--vp-c-brand-1);
+  font-weight: 500;
+  white-space: nowrap;
+  text-decoration: none !important;
+}
+
+.see-all:hover {
+  text-decoration: underline !important;
+}
+
+.see-all-arrow {
+  display: inline-block;
+  transition: transform 0.25s ease;
+}
+
+.see-all:hover .see-all-arrow {
+  transform: translateX(3px);
+}
+
+.viewport {
+  overflow: hidden;
+  -webkit-mask-image: linear-gradient(
+    90deg,
+    transparent 0,
+    #000 6%,
+    #000 94%,
+    transparent 100%
+  );
+  mask-image: linear-gradient(
+    90deg,
+    transparent 0,
+    #000 6%,
+    #000 94%,
+    transparent 100%
+  );
+}
+
+.track {
+  display: flex;
+  gap: 0.875rem;
+  width: max-content;
+  animation: scroll 55s linear infinite;
+  padding: 6px 0;
+}
+
+.track:hover {
+  animation-play-state: paused;
+}
+
+.chip {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.75rem;
+  padding: 0.625rem 1.125rem 0.625rem 0.625rem;
+  border: 1px solid var(--vp-c-divider);
+  border-radius: 999px;
+  background: var(--vp-c-bg-soft);
+  color: var(--vp-c-text-1);
+  text-decoration: none !important;
+  white-space: nowrap;
+  transition:
+    border-color 0.25s ease,
+    background 0.25s ease,
+    transform 0.25s ease,
+    box-shadow 0.25s ease;
+}
+
+.chip:hover {
+  border-color: var(--vp-c-brand-1);
+  background: var(--vp-c-bg);
+  transform: translateY(-2px);
+  box-shadow: 0 6px 20px -10px
+    color-mix(in srgb, var(--vp-c-brand-1) 60%, transparent);
+}
+
+.logo {
+  width: 28px;
+  height: 28px;
+  border-radius: 6px;
+  object-fit: cover;
+  flex-shrink: 0;
+  background: #fff;
+}
+
+.name {
+  font-size: 0.9rem;
+  font-weight: 500;
+  letter-spacing: -0.005em;
+}
+
+.chevron {
+  font-family: var(--vp-font-family-mono);
+  font-size: 0.85rem;
+  color: var(--vp-c-text-3);
+  opacity: 0;
+  transform: translateX(-4px);
+  transition:
+    opacity 0.25s ease,
+    transform 0.25s ease,
+    color 0.25s ease;
+  margin-left: -0.25rem;
+}
+
+.chip:hover .chevron {
+  opacity: 1;
+  transform: translateX(0);
+  color: var(--vp-c-brand-1);
+}
+
+@keyframes scroll {
+  from {
+    transform: translateX(0);
+  }
+  to {
+    transform: translateX(calc(-50% - 0.4375rem));
+  }
+}
+
+@media (max-width: 640px) {
+  .adopters-carousel {
+    margin-top: 3.5rem;
+  }
+}
+
+@media (prefers-reduced-motion: reduce) {
+  .track {
+    animation: none;
+    flex-wrap: wrap;
+    justify-content: center;
+    width: 100%;
+  }
+  .chip:hover {
+    transform: none;
+  }
+}
+</style>

website/.vitepress/components/HomePage.vue

@@ -1,12 +1,14 @@
 <script setup lang="ts">
 import { VPHomeSponsors } from 'vitepress/theme';
 import { sponsors } from '../sponsors';
+import AdoptersCarousel from './AdoptersCarousel.vue';
 </script>
 
 <template>
   <div class="content">
     <div class="content-container">
       <main class="main">
+        <AdoptersCarousel />
         <VPHomeSponsors
           v-if="sponsors"
           message="Task is free and open source, made possible by wonderful sponsors."

website/.vitepress/config.ts

@@ -9,6 +9,7 @@ import {
   localIconLoader
 } from 'vitepress-plugin-group-icons';
 import { team } from './team.ts';
+import { adopters } from './adopters.ts';
 import { taskDescription, taskName, ogUrl, ogImage } from './meta.ts';
 import { fileURLToPath, URL } from 'node:url';
 import llmstxt from 'vitepress-plugin-llms';
@@ -107,6 +108,112 @@ export default defineConfig({
       head.push(['meta', { name: 'robots', content: 'noindex, nofollow' }])
     }
 
+    // Structured data for the adopters carousel on the homepage: an ItemList
+    // of Organization entities so search engines can surface Task's adopters
+    // directly in rich results.
+    if (isHome) {
+      head.push([
+        'script',
+        { type: 'application/ld+json' },
+        JSON.stringify({
+          '@context': 'https://schema.org',
+          '@type': 'ItemList',
+          name: 'Organizations and projects using Task',
+          itemListOrder: 'https://schema.org/ItemListUnordered',
+          numberOfItems: adopters.length,
+          itemListElement: adopters.map((a, i) => ({
+            '@type': 'ListItem',
+            position: i + 1,
+            item: {
+              '@type': 'Organization',
+              name: a.name,
+              url: a.url,
+              logo: a.img,
+              sameAs: [a.url]
+            }
+          }))
+        })
+      ])
+    }
+
+    // On the /adopters page, emit CollectionPage + ItemList (richer than the
+    // homepage snippet because it targets this specific URL) and FAQPage for
+    // the question block at the bottom of the page. Kept in sync by hand with
+    // components/Adopters.vue.
+    if (pageData.relativePath === 'adopters.md') {
+      head.push([
+        'script',
+        { type: 'application/ld+json' },
+        JSON.stringify({
+          '@context': 'https://schema.org',
+          '@type': 'CollectionPage',
+          name: 'Who uses Task',
+          url: 'https://taskfile.dev/adopters',
+          description:
+            'Organizations and open source projects that use Task as their build and release runner.',
+          mainEntity: {
+            '@type': 'ItemList',
+            numberOfItems: adopters.length,
+            itemListElement: adopters.map((a, i) => ({
+              '@type': 'ListItem',
+              position: i + 1,
+              item: {
+                '@type': 'Organization',
+                name: a.name,
+                url: a.url,
+                logo: a.img,
+                description: a.description,
+                sameAs: [a.url]
+              }
+            }))
+          }
+        })
+      ])
+
+      head.push([
+        'script',
+        { type: 'application/ld+json' },
+        JSON.stringify({
+          '@context': 'https://schema.org',
+          '@type': 'FAQPage',
+          mainEntity: [
+            {
+              '@type': 'Question',
+              name: 'Is Task production-ready?',
+              acceptedAnswer: {
+                '@type': 'Answer',
+                text: 'Yes. Task ships as a single static binary, has been in wide production use since 2018, and powers the release workflows of projects with millions of downloads including Arduino CLI, GoReleaser, FerretDB, and Gogs.'
+              }
+            },
+            {
+              '@type': 'Question',
+              name: 'Who uses Task in enterprise?',
+              acceptedAnswer: {
+                '@type': 'Answer',
+                text: 'Docker, Vercel, HashiCorp, Microsoft (Azure Sentinel), Google Cloud, AWS, and Anthropic are among the organizations that ship code with a Taskfile.yml. Task is also embedded end-to-end in Arduino’s developer tooling stack across more than 70 repositories.'
+              }
+            },
+            {
+              '@type': 'Question',
+              name: 'How is Task different from Make?',
+              acceptedAnswer: {
+                '@type': 'Answer',
+                text: 'Task uses plain YAML instead of Make’s tab-sensitive syntax, runs identically on Linux, macOS, and Windows, and provides built-in caching based on file fingerprints. It also comes with an ecosystem of editor and CI integrations that Make lacks by default.'
+              }
+            },
+            {
+              '@type': 'Question',
+              name: 'Where can I find real-world Taskfile examples?',
+              acceptedAnswer: {
+                '@type': 'Answer',
+                text: 'Every adopter listed above links directly to a public repository containing a production Taskfile.yml. Browsing those is the fastest way to see Task used in real codebases at different scales.'
+              }
+            }
+          ]
+        })
+      ])
+    }
+
     return head
   },
   srcDir: 'src',
@@ -363,6 +470,10 @@ export default defineConfig({
             {
               text: 'Incident Response Plan',
               link: '/docs/security/incident-response-plan'
+            },
+            {
+              text: 'Threat Model',
+              link: '/docs/security/threat-model'
             }
           ]
         },
@@ -377,7 +488,8 @@ export default defineConfig({
       ],
       // Hacky to disable sidebar for these pages
       '/donate': [],
-      '/team': []
+      '/team': [],
+      '/adopters': []
     },
 
     socialLinks: [

website/.vitepress/theme/index.ts

@@ -5,6 +5,7 @@ import HomePage from '../components/HomePage.vue';
 import AuthorCard from '../components/AuthorCard.vue';
 import BlogPost from '../components/BlogPost.vue';
 import Version from '../components/Version.vue';
+import Adopters from '../components/Adopters.vue';
 import { enhanceAppWithTabs } from 'vitepress-plugin-tabs/client';
 import { h } from 'vue';
 import 'virtual:group-icons.css';
@@ -21,6 +22,7 @@ export default {
     app.component('AuthorCard', AuthorCard);
     app.component('BlogPost', BlogPost);
     app.component('Version', Version);
+    app.component('Adopters', Adopters);
     app.component('CopyOrDownloadAsMarkdownButtons', CopyOrDownloadAsMarkdownButtons);
     enhanceAppWithTabs(app);
   }

website/package.json

@@ -15,11 +15,11 @@
   "devDependencies": {
     "@types/markdown-it": "^14.1.2",
     "@types/node": "^24.1.0",
-    "netlify-cli": "^24.0.0",
+    "netlify-cli": "^26.0.0",
     "prettier": "^3.6.2",
     "vitepress": "^1.6.3",
     "vitepress-plugin-group-icons": "^1.6.1",
-    "vitepress-plugin-tabs": "^0.8.0",
+    "vitepress-plugin-tabs": "^0.9.0",
     "vitepress-plugin-llms": "^1.9.1",
     "vue": "^3.5.18"
   },

website/src/adopters.md

@@ -0,0 +1,11 @@
+---
+title: Who uses Task
+description:
+  Organizations and open source projects that use Task as their build and
+  release runner, including Docker, Microsoft, HashiCorp, Vercel, Google Cloud,
+  AWS, Anthropic, Arduino, GoReleaser, and more.
+layout: page
+sidebar: false
+---
+
+<Adopters />

website/src/docs/reference/schema.md

@@ -274,6 +274,12 @@ includes:
   internal:
     taskfile: ./internal.yml
     internal: true
+[...]
+tasks:
+  example:
+    desc: using an internal task
+    cmds:
+      - task: internal:default
 ```
 
 ### `aliases`

website/src/docs/reference/templating.md

@@ -249,6 +249,32 @@ tasks:
       - echo "Working {{.USER_WORKING_DIR}}"
 ```
 
+#### `FILE_PATH_SEPARATOR`
+
+- **Type**: `string`
+- **Description**: OS-specific path separator: Windows = `\`, others = `/`
+
+::: info
+
+> See `joinPath` in [Path Functions](#path-functions) for joining filesystem paths for use with
+> file system operations.
+
+:::
+
+### Environment Variables
+
+#### `PATH_LIST_SEPARATOR`
+
+- **Type**: `string`
+- **Description**: OS-specific path separator for environment variables: Windows = `;`, others = `:`
+
+::: info
+
+> See `joinEnv` in [Environment Variable Functions](#environment-variable-functions) for joining
+> paths for use in environment variables.
+
+:::
+
 ### Status
 
 #### `CHECKSUM`
@@ -597,9 +623,9 @@ tasks:
 tasks:
   platform:
     cmds:
-      - echo "OS {{OS}}"                         # linux, darwin, windows, etc.
-      - echo "Architecture {{ARCH}}"             # amd64, arm64, etc.
-      - echo "CPU cores {{numCPU}}"              # Number of CPU cores
+      - echo "OS {{OS}}"                    # linux, darwin, windows, etc.
+      - echo "Architecture {{ARCH}}"        # amd64, arm64, etc.
+      - echo "CPU cores {{numCPU}}"         # Number of CPU cores
       - echo "Building for {{OS}}/{{ARCH}}"
 ```
 
@@ -613,10 +639,52 @@ tasks:
       OUTPUT_DIR: 'dist'
       BINARY_NAME: 'myapp'
     cmds:
-      - echo "{{.WIN_PATH | toSlash}}"                          # Convert to forward slashes
-      - echo "{{.WIN_PATH | fromSlash}}"                        # Convert to OS-specific slashes
-      - echo "{{joinPath .OUTPUT_DIR .BINARY_NAME}}"            # Join path elements
-      - echo "Relative {{relPath .ROOT_DIR .TASKFILE_DIR}}"    # Get relative path
+      - echo "{{.WIN_PATH | toSlash}}"                      # Convert to forward slashes
+      - echo "{{.WIN_PATH | fromSlash}}"                    # Convert to OS-specific slashes
+      - echo "{{joinPath .OUTPUT_DIR .BINARY_NAME}}"        # Join path elements
+      - echo "Relative {{relPath .ROOT_DIR .TASKFILE_DIR}}" # Get relative path
+      - echo '{{absPath "../sibling"}}'                     # Resolve to an absolute path
+```
+
+#### Environment Variable Functions
+
+```yaml
+tasks:
+  paths:
+    vars:
+      WIN_PATH1: 'C:\Users\Person\bin'
+      WIN_PATH2: 'C:\Shared\bin'
+    cmds:
+      # Join paths for Windows ENV vars:
+      # C:\Users\Person\bin;C:\Shared\bin
+      - echo "{{joinEnv .WIN_PATH1 .WIN_PATH2}}"
+```
+
+```yaml
+tasks:
+  paths:
+    vars:
+      POSIX_PATH1: '/users/person/.local/bin'
+      POSIX_PATH2: '/usr/bin'
+    cmds:
+      # Join paths for POSIX ENV vars:
+      # /users/person/.local/bin:/usr/bin
+      - echo "{{joinEnv .POSIX_PATH1 .POSIX_PATH2}}"
+```
+
+#### URLs
+
+```yaml
+tasks:
+  paths:
+    vars:
+      SERVER: 'http://localhost'
+      PATH1: 'path1'
+      PATH2: 'path2'
+    cmds:
+      # Join paths for URL:
+      # http://localhost/path1/path2
+      - echo "{{joinUrl .SERVER .PATH1 .PATH2}}"
 ```
 
 ### Data Structure Functions

website/src/docs/security/index.md

@@ -15,7 +15,8 @@ A member of the team will investigate as soon as possible and we will keep you
 updated throughout the process.
 
 You can read more about how we handle security-related issues in our [Incident
-Response Plan][irp].
+Response Plan][irp] and [Threat Model][tm].
 
 [pvr]: https://github.com/go-task/task/security/advisories/new
 [irp]: ./incident-response-plan
+[tm]: ./threat-model

website/src/docs/security/threat-model.md

@@ -0,0 +1,174 @@
+---
+title: Threat Model
+outline: deep
+---
+
+# Threat Model
+
+This document outlines the security threats, assets, and mitigations for the
+Task project. It serves as a high-level, public guide and is published as part
+of our commitment to transparency.
+
+## Asset Inventory
+
+### Critical Assets
+
+- **Source Code:** The Task CLI, build scripts, and configuration files
+  (e.g., `Taskfile.yml`, `.goreleaser.yml`).
+- **Build Artifacts:** Compiled binaries, packages, and containers distributed
+  to users.
+- **Secrets:** API tokens, signing keys, and repository credentials used in
+  CI/CD and release pipelines.
+- **Release Metadata:** Version numbers, changelogs, and checksums.
+- **CI/CD Pipelines & Runners:** GitHub Actions workflows that build, test, and
+  release the project.
+- **Third-party Dependencies:** Go modules and tools used to build and
+  distribute Task.
+- **Website & Documentation:** The taskfile.dev site and installation scripts.
+
+### Asset Locations
+
+- Local developer machines
+- GitHub Actions runners
+- GitHub Releases
+- Public package registries (npm, Homebrew, Winget, Cloudsmith)
+- Source control platforms (GitHub)
+- Netlify (website hosting)
+
+## Threat Model
+
+### Actors
+
+- **Maintainers & Contributors:** Trusted users with varying levels of
+  repository access.
+- **External Attackers:** Untrusted users seeking to compromise builds,
+  releases, or user systems.
+- **Supply Chain Threats:** Malicious dependencies or compromised third-party
+  services.
+- **CI/CD Systems:** Automated agents that may be exploited if misconfigured.
+
+### Entry Points
+
+- Source code contributions (pull requests, issues)
+- Configuration files and build scripts
+- CI/CD integration and environment variables
+- Third-party dependencies
+- Release pipelines and artifact repositories
+- Remote Taskfile fetching (HTTP, Git)
+- Installation scripts
+
+### Trust Boundaries
+
+- Between the project repository and the CI/CD environment
+- Between Task and remote Taskfiles fetched over the network
+- Between artifact generation and distribution channels
+- Between the Task binary and user-defined shell commands
+
+### Threats
+
+#### Supply Chain Attacks
+
+- Compromised Go dependencies or build tools
+- Unauthorized changes to source code or configuration
+- Exploitation of third-party CI/CD or package registry services
+- Compromised installation scripts or distribution channels
+
+#### Secrets Leakage
+
+- Exposure of tokens, credentials, or signing keys in logs, error messages,
+  or artifacts
+- Hardcoded secrets in code or configuration
+- Improper secret management in CI/CD environments
+
+#### Code Execution / Injection
+
+- Malicious code execution via compromised pull requests or dependencies
+- Remote code execution vulnerabilities in Task or its dependencies
+- **Note:** Task intentionally executes user-defined shell commands as part of
+  its core functionality. Users are responsible for the commands they define in
+  their Taskfiles.
+
+#### Unauthorized Access
+
+- Unauthorized users triggering releases or accessing sensitive artifacts
+- Insecure permissions on runners, repositories, or artifact stores
+- Compromised maintainer accounts
+
+#### Data Integrity & Tampering
+
+- Tampering with build artifacts, changelogs, or metadata
+- Compromise of signing keys, leading to malicious releases
+- Man-in-the-middle attacks against remote Taskfile fetching
+
+#### Denial of Service
+
+- Abuse of CI/CD resources, bandwidth, or artifact storage
+- Overloading automated processes or API endpoints
+- Malicious Taskfiles designed to exhaust system resources
+
+## Mitigations
+
+### Supply Chain Security
+
+- Pin dependencies and use trusted sources
+- Mandatory code review and CI checks on all incoming pull requests
+- Signed commits and release tags
+- Enable immutable releases where supported
+- Run `govulncheck` on every commit and tag
+- Pin GitHub Actions to specific commit SHAs
+
+### Secrets Management
+
+- Secure storage using GitHub Secrets
+- Never log or expose secrets in build or release outputs
+- Regularly rotate secrets and monitor for suspicious activity
+- Use least-privilege tokens scoped to specific repositories
+
+### Secure Code Execution
+
+- Validate and sanitize configuration files and user inputs
+- Audit dependencies for vulnerabilities
+- HTTP is rejected for remote Taskfiles by default (requires `--insecure` flag)
+- TLS certificate verification for remote Git repositories
+
+### Access Control
+
+- Enforce least privilege for CI/CD runners, repositories, and artifact stores
+- Require multi-factor authentication for maintainers
+- Restrict release triggers to tagged releases only
+- Lower permissions of less active maintainers
+
+### Artifact Integrity
+
+- Generate checksums for all release artifacts
+- Distribute artifacts via trusted, access-controlled repositories
+- Verify signatures and checksums in installation scripts where possible
+
+### Availability Protection
+
+- Implement rate limiting and resource quotas on CI/CD jobs
+- Monitor for abnormal activity and automate alerts
+- Set timeouts on network operations (e.g., remote Taskfile fetching)
+
+## Residual Risks
+
+- Zero-day vulnerabilities in dependencies, CI/CD systems, or Task itself
+- Social engineering attacks targeting maintainers
+- Unnoticed supply chain compromises
+- Human error in configuration or secret management
+- Users fetching malicious remote Taskfiles from untrusted sources
+
+## Security Best Practices
+
+- Regularly update dependencies and build tools
+- Monitor security advisories and patch vulnerabilities promptly
+- Educate contributors on secure coding and secrets hygiene
+- Document security policies and incident response procedures
+
+## References
+
+- [Task Documentation](https://taskfile.dev/)
+- [Incident Response Plan](./incident-response-plan)
+- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
+- [Supply Chain Security](https://slsa.dev/)
+- [GitHub Security Best Practices](https://docs.github.com/en/code-security)