dropunused: Run the annex.secure-erase-command

(or .git/hooks/secure-erase-annex) when deleting
temp and bad object files.

As was already done when deleting unlocked files.

CHANGELOG

@@ -5,6 +5,9 @@ git-annex (10.20251103) UNRELEASED; urgency=medium
   * p2phttp: Fix server stall when there are too many concurrent clients.
   * p2phttp: Fix a file descriptor leak caused by a race condition.
   * p2phttp: Added the --lockedfiles option.
+  * dropunused: Run the annex.secure-erase-command 
+    (or .git/hooks/secure-erase-annex) when deleting
+    temp and bad object files.
 
  -- Joey Hess <id@joeyh.name>  Mon, 03 Nov 2025 14:02:46 -0400
 

Command/DropUnused.hs

@@ -1,6 +1,6 @@
 {- git-annex command
  -
- - Copyright 2010,2012,2018 Joey Hess <id@joeyh.name>
+ - Copyright 2010-2025 Joey Hess <id@joeyh.name>
  -
  - Licensed under the GNU AGPL version 3 or higher.
  -}
@@ -17,6 +17,7 @@ import qualified Git
 import Command.Unused (withUnusedMaps, UnusedMaps(..), startUnused)
 import Annex.NumCopies
 import Annex.Content
+import Annex.Content.LowLevel
 
 cmd :: Command
 cmd = withAnnexOptions [jobsOption, jsonOptions] $
@@ -79,5 +80,7 @@ perform from numcopies mincopies key = case from of
 performOther :: (Key -> Git.Repo -> OsPath) -> Key -> CommandPerform
 performOther filespec key = do
 	f <- fromRepo $ filespec key
-	pruneTmpWorkDirBefore f (liftIO . removeWhenExistsWith removeFile)
+	pruneTmpWorkDirBefore f $ \f' -> do
+		secureErase f'
+		liftIO $ removeWhenExistsWith removeFile f'
 	next $ return True

doc/todo/dropunused_of_tmp_and_bad_files_should_honor_annex.secure-erase-command_config.mdwn

@@ -1,3 +1,5 @@
 Currently, when `annex.secure-erase-command` is configured, 
 `git-annex dropunused` does not use it for deleting tmp and bad files.
 Since those can contain the content of objects, it should. --[[Joey]]
+
+> [[done]]