chore: move signing to a reusable workflow and call it from PR

Signed-off-by: James Nesbitt <jnesbitt@mirantis.com>

Author: james-nesbitt

.github/workflows/build-and-sign.yml

@@ -0,0 +1,83 @@
+# Cross-compile selected platforms, then DigiCert-sign artifacts. Add triggers under `on:` as needed.
+# Fork PRs are skipped (no secrets). Requires SM_* repository secrets and SM_* vars for DigiCert.
+
+name: Build and sign (DigiCert)
+
+permissions:
+  contents: read
+  actions: write
+
+on:
+  pull_request:
+    branches: [main]
+
+env:
+  # Unique per run; safe for PR, manual runs, and future triggers.
+  SIGNING_ARTIFACT_NAME: launchpad-signing-${{ github.run_id }}
+
+jobs:
+  build-for-signing:
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    name: Build binaries for signing
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+      - name: Build binaries
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p dist
+          read -r -a platforms <<< "windows/amd64 darwin/amd64"
+          for platform in "${platforms[@]}"; do
+            GOOS=${platform%/*}
+            GOARCH=${platform#*/}
+            output_name="dist/launchpad_${GOOS}_${GOARCH}"
+            if [ "$GOOS" = "windows" ]; then
+              output_name+=".exe"
+            fi
+            echo "Building $output_name"
+            GOOS=$GOOS GOARCH=$GOARCH go build -o "$output_name" ./main.go
+          done
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.SIGNING_ARTIFACT_NAME }}
+          path: dist/
+
+  sign-binaries:
+    needs: build-for-signing
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    name: Sign binaries
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.SIGNING_ARTIFACT_NAME }}
+          path: dist/
+
+      - name: Decode SM client certificate
+        run: |
+          SM_CLIENT_CERT_FILE="${{ runner.temp }}/sm_client_cert.p12"
+          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > "$SM_CLIENT_CERT_FILE"
+          echo "SM_CLIENT_CERT_FILE=$SM_CLIENT_CERT_FILE" >> "$GITHUB_ENV"
+        shell: bash
+
+      - name: DigiCert Software Trust Manager
+        uses: digicert/code-signing-software-trust-action@v1
+        with:
+          simple-signing-mode: true
+          keypair-alias: ${{ vars.SM_KEYPAIR_ALIAS }}
+          input: dist/
+        env:
+          SM_HOST: ${{ vars.SM_HOST }}
+          SM_API_KEY: ${{ secrets.SM_API_KEY }}
+          SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }}
+          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: launchpad-binaries-signed
+          path: dist/

.github/workflows/build.yml

@@ -1,32 +1,30 @@
-# Build and test workflow for Launchpad
-# Triggered on PRs and pushes to main.
+# Build and test on push to main (unsigned); DigiCert build+sign is in build-and-sign.yml.
 
 name: Build and Test
+
 permissions:
   contents: read
-  packages: write  # Required for uploading artifacts
+  actions: write # upload-artifact
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
 
 jobs:
   build:
-    name: Build Binaries
+    name: Build binaries
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
-          go-version: "1.25"
-
+          go-version-file: go.mod
       - name: Build binaries
+        shell: bash
         run: |
+          set -euo pipefail
           mkdir -p dist
-          platforms=("linux/amd64" "linux/arm64" "windows/amd64" "windows/arm64" "darwin/amd64" "darwin/arm64")
+          platforms=(linux/amd64 linux/arm64 windows/amd64 windows/arm64 darwin/amd64 darwin/arm64)
           for platform in "${platforms[@]}"; do
             GOOS=${platform%/*}
             GOARCH=${platform#*/}
@@ -37,28 +35,23 @@ jobs:
             echo "Building $output_name"
             GOOS=$GOOS GOARCH=$GOARCH go build -o "$output_name" ./main.go
           done
-
-      - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v4
         with:
           name: launchpad-binaries
           path: dist/
 
   test:
-    name: Run Tests
+    name: Tests
     runs-on: ubuntu-latest
     needs: build
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
-          go-version: "1.22"
-
-      - name: Run unit tests
-        run: go test -v ./...
-
-      - name: Run integration tests
-        run: go test -v -tags=integration ./test/integration
+          go-version-file: go.mod
+      - name: Unit tests
+        run: make unit-test
+        env:
+          TEST_FLAGS: -short
+      - name: Integration tests
+        run: make integration-test

.github/workflows/go.yml

@@ -1,129 +1,71 @@
-# PR validation workflow for Launchpad
-# Triggered on PRs to main branch.
+# PR validation for Launchpad (lint, tests, security). Build+sign is in build-and-sign.yml.
 
 name: PR Validation
 
 permissions:
   contents: read
-  pull-requests: write  # Required for PR comments or labels
 
 on:
   pull_request:
-    branches: [ main ]
+    branches: [main]
 
 jobs:
-#  lint:
-#    name: Lint Code
-#    runs-on: ubuntu-latest
-#    steps:
-#      - name: Checkout code
-#        uses: actions/checkout@v4
-#
-#      - name: Set up Go
-#        uses: actions/setup-go@v5
-#        with:
-#          go-version: "1.25"
-#
-#      - name: golangci-lint
-#        uses: golangci/golangci-lint-action@v6
-#        with:
-#          version: latest
-#          install-mode: goinstall
-#          args: --timeout=5m
-
-  unit-test:
-    name: Unit Tests
+  lint:
+    name: Lint
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
-          go-version: "1.25"
-
-      - name: Run unit tests
-        run: make unit-test
+          go-version-file: go.mod
+      - name: go mod tidy check
+        run: go mod tidy -v && git diff --exit-code
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v9.2.0
+        with:
+          version: latest
+          skip-cache: true
+          only-new-issues: false
+          args: --verbose
 
-  integration-test:
-    name: Integration Tests
-    runs-on: ubuntu-latest
+  unit-test:
+    name: Unit Tests (${{ matrix.os }})
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
-          go-version: "1.25"
-
-      - name: Run integration tests
-        run: make integration-test
-
-
+          go-version-file: go.mod
+      - name: Unit tests
+        run: make unit-test
+        env:
+          TEST_FLAGS: -short
 
   security-scan:
-    name: Security Scan
+    name: Security scan
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
-          go-version: "1.25"
-
-      - name: Install govulncheck
+          go-version-file: go.mod
+      - name: govulncheck
         run: go install golang.org/x/vuln/cmd/govulncheck@latest
-
       - name: Run security scan
-        run: govulncheck ./...
+        run: make security-scan
 
-  # TODO: REMOVE THIS JOB BEFORE MERGING - IT IS FOR TESTING SIGNING ONLY
-  test-signing:
-    name: Test DigiCert Signing
+  integration-test:
+    name: Integration Tests
+    needs: security-scan
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
-          go-version: "1.25"
-
-      - name: Build binaries for signing test
-        run: |
-          mkdir -p dist
-          platforms=("windows/amd64" "darwin/amd64")
-          for platform in "${platforms[@]}"; do
-            GOOS=${platform%/*}
-            GOARCH=${platform#*/}
-            output_name="dist/launchpad_${GOOS}_${GOARCH}"
-            if [ "$GOOS" = "windows" ]; then
-              output_name+=".exe"
-            fi
-            echo "Building $output_name"
-            GOOS=$GOOS GOARCH=$GOARCH go build -o "$output_name" ./main.go
-          done
-
-      - name: Setup SM_CLIENT_CERT_FILE from base64 secret data
-        run: |
-          SM_CLIENT_CERT_FILE="${{ runner.temp }}/sm_client_cert.p12"
-          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > "$SM_CLIENT_CERT_FILE"
-          echo "SM_CLIENT_CERT_FILE=$SM_CLIENT_CERT_FILE" >> $GITHUB_ENV
-        shell: bash
-
-      - name: Setup Software Trust Manager and Sign Binaries
-        uses: digicert/code-signing-software-trust-action@v1
-        with:
-          simple-signing-mode: true
-          keypair-alias: ${{ vars.SM_KEYPAIR_ALIAS }}
-          input: dist/
-        env:
-          SM_HOST: ${{ vars.SM_HOST }}
-          SM_API_KEY: ${{ secrets.SM_API_KEY }}
-          SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }}
-          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
+          go-version-file: go.mod
+      - name: Integration tests
+        run: make integration-test