Update workflows and documentation to closely track templig.

Signed-off-by: Alexander Adam <alphaone23@gmail.com>

Author: AlphaOne1

.github/workflows/codeql.yml

@@ -94,8 +94,8 @@ jobs:
             shell: bash
             run: |
                 echo 'If you are using a "manual" build mode for one or more of the' \
-                  'languages you are analyzing, replace this with the commands to build' \
-                  'your code, for example:'
+                    'languages you are analyzing, replace this with the commands to build' \
+                    'your code, for example:'
                 echo '  make bootstrap'
                 echo '  make release'
                 exit 1

.github/workflows/compliance.yml

@@ -57,13 +57,13 @@ jobs:
 
           - name: Determine pushed commits
             id: range
+            env:
+                # Use GitHub-provided SHAs to build the range for this push
+                BEFORE: ${{ github.event.before }}
+                AFTER: ${{ github.sha }}
             run: |
                 set -euo pipefail
 
-                # Use GitHub-provided SHAs to build the range for this push
-                BEFORE="${{ github.event.before }}"
-                AFTER="${{ github.sha }}"
-
                 if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]
                 then
                     # New branch or force push without previous SHA
@@ -73,6 +73,9 @@ jobs:
                 fi
 
           - name: Check for Signed-off-by
+            env:
+                GH_ACTOR: ${{ github.actor }}
+                GH_NAME: ${{ github.event.pusher.name }}
             run: |
                 set -euo pipefail
                 missing=""
@@ -101,8 +104,8 @@ jobs:
 
                         echo "Committer name:           $committer_name"
                         echo "Committer email:          $committer_email"
-                        echo "github.actor:             ${{ github.actor }}"
-                        echo "github.event.pusher.name: ${{ github.event.pusher.name }}"
+                        echo "github.actor:             $GH_ACTOR"
+                        echo "github.event.pusher.name: $GH_NAME"
                     fi
                 done < shas.txt
 
@@ -145,6 +148,9 @@ jobs:
                     | jq -r '.[].sha' > shas.txt
 
           - name: Check for Signed-off-by
+            env:
+                GH_ACTOR: ${{ github.actor }}
+                GH_NAME: ${{ github.event.pull_request.user.login}}
             run: |
                 set -euo pipefail
                 missing=""
@@ -171,10 +177,10 @@ jobs:
                         echo "Commit $sha missing Signed-off-by"
                         missing="true"
 
-                        echo "Committer name:           $committer_name"
-                        echo "Committer email:          $committer_email"
-                        echo "github.actor:             ${{ github.actor }}"
-                        echo "github.event.pusher.name: ${{ github.event.pusher.name }}"
+                        echo "Committer name:                       $committer_name"
+                        echo "Committer email:                      $committer_email"
+                        echo "github.actor:                         $GH_ACTOR"
+                        echo "github.event.pull_request.user.login: $GH_NAME"
                     fi
                 done < shas.txt
 

.github/workflows/dependency-review.yml

@@ -27,5 +27,6 @@ jobs:
 
           - name: 'Checkout Repository'
             uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
           - name: 'Dependency Review'
             uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0

.github/workflows/release.yml

@@ -33,23 +33,29 @@ jobs:
 
           - name: Generate source archive
             shell: bash
+            env:
+                TAG_NAME: ${{ github.event.release.tag_name }}
             run: |
                 set -euo pipefail
 
-                TAG=`echo "${{ github.event.release.tag_name }}" | sed 's/\//-/g'`
+                PROJECT_NAME=`go list -m | sed -r 's/(.*\/)*(.+)/\2/'`
+                TAG=`echo "$TAG_NAME" | sed 's/\//-/g'`
                 git archive \
-                  --format=tar.gz \
-                  --prefix="dmorph-src-${TAG}/" \
-                  --output="dmorph-src-${TAG}.tar.gz" \
-                  "${{ github.event.release.tag_name }}"
+                    --format=tar.gz \
+                    --prefix="${PROJECT_NAME}-src-${TAG}/" \
+                    --output="${PROJECT_NAME}-src-${TAG}.tar.gz" \
+                    "$TAG_NAME"
 
           - name: Upload Release (via GitHub CLI)
             env:
                 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                TAG_NAME: ${{ github.event.release.tag_name }}
             shell: bash
             run: |
                 set -euo pipefail
-                gh release upload "${{ github.event.release.tag_name }}" dmorph-src-*.tar.gz --clobber
+                
+                PROJECT_NAME=`go list -m | sed -r 's/(.*\/)*(.+)/\2/'`
+                gh release upload "$TAG_NAME" ${PROJECT_NAME}-src-*.tar.gz --clobber
 
     ChecksumReleaseAssets:
         needs: Build
@@ -71,13 +77,14 @@ jobs:
           - name: Download all release assets via GitHub CLI
             env:
                 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                TAG_NAME: ${{ github.event.release.tag_name }}
             run: |
                 set -euo pipefail
 
                 mkdir -p release-assets
                 cd release-assets
                 # gets all assets of the release
-                gh release download "${{ github.event.release.tag_name }}" --clobber
+                gh release download "$TAG_NAME" --clobber
                 echo "Downloaded assets:"
                 ls -lah
 

.github/workflows/security.yml

@@ -18,7 +18,7 @@ jobs:
     GolangCI:
         runs-on: ubuntu-latest
         permissions:
-            contents: read
+            contents:        read
             security-events: write
         steps:
           - name: Harden Runner
@@ -35,7 +35,7 @@ jobs:
             uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
             with:
                 version: latest
-                args: --timeout=5m --output.sarif.path=golangci-lint-results.sarif --output.text.path=stdout
+                args:    --timeout=5m --output.sarif.path=golangci-lint-results.sarif --output.text.path=stdout
 
           - name: Upload golangci-lint results to GitHub Security tab
             uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
@@ -45,7 +45,7 @@ jobs:
     TrivyCode:
         runs-on: ubuntu-latest
         permissions:
-            contents: read
+            contents:        read
             security-events: write
         steps:
           - name: Harden Runner
@@ -59,11 +59,11 @@ jobs:
           - name: Run Trivy vulnerability scanner in fs mode
             uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
             with:
-                scan-type: 'fs'
+                scan-type:      'fs'
                 ignore-unfixed: true
-                format: 'sarif'
-                output: 'trivy-results.sarif'
-                severity: 'CRITICAL,HIGH'
+                format:         'sarif'
+                output:         'trivy-results.sarif'
+                severity:       'CRITICAL,HIGH'
 
           - name: Upload Trivy scan results to GitHub Security tab
             uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
@@ -77,7 +77,7 @@ jobs:
                   - "stable"
         runs-on: ubuntu-latest
         permissions:
-            contents: read
+            contents:        read
             security-events: write
         steps:
           - name: Harden Runner
@@ -89,13 +89,14 @@ jobs:
             uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
             with:
                 go-version-input: ${{matrix.go-version}}
-                output-format: sarif
-                output-file: govulncheck-results.sarif
+                output-format:    sarif
+                output-file:      govulncheck-results.sarif
 
           - name: Print Sarif
             id: printSarif
-            run:  |
+            run: |
                 cat govulncheck-results.sarif
+
                 if grep results govulncheck-results.sarif
                 then
                     echo "hasResults=true" >> $GITHUB_OUTPUT

.github/workflows/test.yml

@@ -148,7 +148,7 @@ jobs:
 #
 #          - name: Upload fuzz failure seed corpus as run artifact
 #            if: failure()
-#            uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+#            uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 #            with:
 #                name: testdata
 #                path: testdata

GOVERNANCE.md

@@ -58,3 +58,34 @@ stated.
 The BDFL may alternatively decide to move to a Steering Committee governance
 model, in which case this document must be replaced with a new description of
 roles and responsibilities.
+
+
+Access to Sensitive Resources
+-----------------------------
+
+The following project members have access to sensitive resources (GitHub
+Secrets, Repository Settings, Release Keys):
+
+* Alexander Adam (@AlphaOne1) - BDFL / Primary Maintainer
+
+Currently, no other contributors have administrative access to the
+build infrastructure or cryptographic keys.
+
+
+Project Continuity
+------------------
+
+To ensure the project's continuity, the following measures are taken:
+
+*GitHub Successor*: A designated successor has been appointed in the GitHub
+account settings to take over repository management if the primary maintainer is
+incapacitated.
+
+<!-- Currently this is not implemented, uncomment, if is indeed enacted:
+*Access Recovery*: Recovery keys for the repository and build infrastructure are
+stored in a secure digital vault with emergency access enabled for a trusted
+party.
+-->
+
+*Forking*: As a fallback, the MPL-2.0 license ensures that the community can
+fork and continue the project at any time.

README.md

@@ -5,6 +5,18 @@
 <!-- markdownlint-disable MD013 MD033 MD041 -->
 <p align="center">
     <img src="dmorph_logo.svg" width="40%" alt="Logo"><br>
+    <a href="https://github.com/AlphaOne1/dmorph/blob/HEAD/go.mod"
+       rel="external noopener noreferrer"
+       target="_blank">
+        <img src="https://img.shields.io/github/go-mod/go-version/AlphaOne1/dmorph"
+             alt="Go Version">
+    </a>
+    <a href="https://github.com/AlphaOne1/dmorph/releases"
+       rel="external noopener noreferrer"
+       target="_blank">
+        <img src="https://img.shields.io/github/v/release/AlphaOne1/dmorph"
+             alt="Latest Release">
+    </a>
     <a href="https://github.com/AlphaOne1/dmorph/actions/workflows/test.yml"
        rel="external noopener noreferrer"
        target="_blank">
@@ -59,6 +71,12 @@
         <img src="https://api.reuse.software/badge/github.com/AlphaOne1/dmorph"
             alt="REUSE compliance">
     </a>
+    <!-- <a href="https://slsa.dev"
+       rel="external noopener noreferrer"
+       target="_blank">
+        <img src="https://slsa.dev/images/gh-badge-level3.svg"
+             alt="SLSA Level 3">
+    </a> -->
     <a href="https://app.fossa.com/projects/git%2Bgithub.com%2FAlphaOne1%2Fdmorph?ref=badge_shield&issueType=license"
        rel="external noopener noreferrer"
        target="_blank">
@@ -113,6 +131,17 @@ To install *DMorph*, you can use the following command:
 $ go get github.com/AlphaOne1/dmorph
 ```
 
+<!--Builds are secured with SLSA Level 3 provenance via slsa-framework/slsa-github-generator.
+The downloaded source archive together with the provenance file `multiple.intoto.jsonl`
+can be verified using the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier/)
+(replace the `<VERSION>` with the one you actually downloaded):
+
+```bash
+$ slsa-verifier verify-artifact dmorph-src-v<VERSION>.tar.gz \
+    --provenance-path multiple.intoto.jsonl                  \
+    --source-uri github.com/AlphaOne1/dmorph                 \
+    --source-tag v<VERSION>
+```-->
 
 Getting Started
 ---------------