autonoco
diff --git a/‎.github/dependabot.yml‎
Lines changed: 31 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 147 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 147 additions & 0 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 61 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 9 additions & 0 deletions b/‎.gitignore‎
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,31 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: "09:00"
+      timezone: America/Los_Angeles
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - buttons
+    commit-message:
+      prefix: chore
+      include: scope
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: "09:00"
+      timezone: America/Los_Angeles
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - buttons
+    commit-message:
+      prefix: chore
+      include: scope
@@ -0,0 +1,147 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+# Cancel older runs on the same branch/PR when a new commit is pushed.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+env:
+  # Pinned Go toolchain. Bumping this also resolves stdlib CVEs
+  # tracked in autonoco/autono#331. 1.26.2 adds fixes for four
+  # more vulnerabilities (GO-2026-4866 x509 auth bypass, -4870
+  # TLS 1.3 KeyUpdate DoS, -4946/-4947 x509 DoS) that 1.26.1
+  # is still exposed to.
+  GO_VERSION: "1.26.2"
+
+jobs:
+  test:
+    name: Test (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 10
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: Verify module integrity
+        run: go mod verify
+
+      - name: Build
+        run: go build ./...
+
+      - name: Vet
+        run: go vet ./...
+
+      - name: Unit tests (with race detector)
+        run: go test -race -count=1 ./internal/...
+
+      - name: Integration tests
+        run: go test -count=1 ./test/integration/...
+
+  gosec:
+    name: gosec
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: Install gosec
+        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
+
+      - name: Run gosec
+        run: gosec ./...
+
+  govulncheck:
+    name: govulncheck
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Run govulncheck
+        run: govulncheck ./...
+
+  gitleaks:
+    name: gitleaks
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    env:
+      # Pinned so Dependabot (or a follow-up PR) can bump it intentionally.
+      # gitleaks-action@v2 requires a license for private repos, so we
+      # install the binary directly instead — free regardless of repo
+      # visibility and also faster.
+      GITLEAKS_VERSION: "8.30.1"
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Full history so gitleaks can scan every commit.
+
+      - name: Install gitleaks
+        run: |
+          curl -sSfL -o gitleaks.tar.gz \
+            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+          tar -xzf gitleaks.tar.gz gitleaks
+          sudo install -m 0755 gitleaks /usr/local/bin/gitleaks
+          rm -f gitleaks gitleaks.tar.gz
+          gitleaks version
+
+      - name: Scan repository
+        run: gitleaks detect --source . --verbose --redact --no-banner
+
+  build-release:
+    name: Build (release ldflags)
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Tags + full history so `git describe` works.
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: Build with version injection (make build)
+        run: make build
+
+      - name: Smoke test binary
+        run: ./buttons --help
@@ -0,0 +1,61 @@
+name: Release
+
+# Runs goreleaser on every semver tag push (v*). For a snapshot build
+# that doesn't publish, run locally:
+#
+#   goreleaser release --snapshot --clean --skip=publish
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write   # Create the GitHub Release.
+  packages: write   # Push Docker images to ghcr.io.
+
+jobs:
+  goreleaser:
+    name: goreleaser
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Full history + tags for goreleaser changelog.
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.26.2"
+          cache: true
+
+      # QEMU + Buildx let us build the linux/arm64 image from an amd64
+      # runner. goreleaser's dockers: block drives `docker buildx build`
+      # with per-platform flags; buildx transparently uses QEMU for the
+      # non-native arch.
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # Log in to GHCR so goreleaser can push the built images. The
+      # default GITHUB_TOKEN has packages:write from the permissions
+      # block above, so no PAT is required for pushes to ghcr.io.
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: "~> v2"  # Track the v2 major.
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,9 @@
+buttons
+dist/
+.claude/
+.env
+.env.*
+*.pem
+*.key
+AUDIT.md
+.DS_Store