ci: adopt storage-go's GitHub Actions setup

Mirror the CI/release pipeline used by tigrisdata/storage-go so objgit
gets the same test matrix, supply-chain checks, and automated releases.

Workflows (.github/workflows), all with SHA-pinned actions:

- go.yml: matrix build/test across ubuntu/windows/macos + arm variants,
  running `go vet`, `go test`, and staticcheck on every push and PR. The
  full OS matrix matters here because objgit shells out to git/ssh/
  ssh-keygen for its protocol tests, so cross-platform regressions are
  real. A trailing `autorelease` job dispatches release.yaml on main so a
  green build can cut a release without manual steps.
- zizmor.yml: scans the workflow files themselves for CI misconfig and
  uploads SARIF; runs only when a workflow changes.
- lint-pr-titles.yaml: enforces conventional-commit PR titles, which is
  what semantic-release reads to decide the version bump.
- dco_check.yaml: requires Signed-off-by on every PR (DCO).
- pull_request_template.md: standard summary/details/test-plan checklist.

Release tooling:

- package.json carries the semantic-release config (commit-analyzer
  release rules, changelog, GitHub release, git asset commit), plus
  commitlint, lint-staged, and prettier so local commits match CI
  expectations. npmPublish is off; this is a Go binary, semantic-release
  is used purely for tagging/changelog/GitHub releases.
- release.yaml runs semantic-release on a throwaway release-* branch and
  opens a release PR (needs the WRITE_GH_TOKEN secret), matching
  storage-go's "release via PR" flow.
- .husky/{commit-msg,pre-commit} wire commitlint + npm test and
  lint-staged into git hooks; package-lock.json is committed so
  `npm ci` in release.yaml is reproducible.
- .prettierignore excludes CLAUDE.md; .gitignore now ignores
  node_modules.

Build/tooling:

- Add goimports and staticcheck as `go tool` directives so the format
  hook (`go tool goimports`) and local linting work without global
  installs, matching storage-go. `go mod tidy` also dropped a stale
  self-referential require on the old tangled.org module path left over
  from the org move.
- Drop the unused embedded s3Client from optRecorder in
  resilient_test.go: it overrides all nine interface methods directly,
  so the embed was dead and tripped staticcheck (U1000), which would
  have made the new pipeline red on its first run.

Docs:

- Consolidate agent guidance into AGENTS.md and point CLAUDE.md at it,
  matching storage-go's layout.

Assisted-by: Claude Opus 4.8 via Claude Code
Signed-off-by: Xe Iaso <xe@tigrisdata.com>

Author: Xe

.github/pull_request_template.md

@@ -0,0 +1,12 @@
+## Summary
+
+-
+-
+
+## Details
+
+## Test plan
+
+- [ ] Code compiles with `go build ./...`
+- [ ] Code formatted with `npm run format`
+- [ ] Manual testing

.github/workflows/dco_check.yaml

@@ -0,0 +1,9 @@
+name: DCO Check
+
+on: [pull_request]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: tisonkun/actions-dco@f1024cd563550b5632e754df11b7d30b73be54a5 # v1.1

.github/workflows/go.yml

@@ -0,0 +1,56 @@
+name: Go
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+permissions:
+  contents: read
+  actions: write
+
+jobs:
+  go_tests:
+    strategy:
+      matrix:
+        os:
+          - ubuntu-24.04
+          - windows-2025
+          - macos-15
+          - ubuntu-24.04-arm
+          - windows-11-arm
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          fetch-tags: true
+
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        with:
+          node-version: latest
+
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: stable
+
+      - name: Test
+        run: |
+          go vet ./...
+          go test ./...
+
+      - uses: dominikh/staticcheck-action@024238d2898c874f26d723e7d0ff4308c35589a2 # v1.4.0
+        with:
+          version: "latest"
+          install-go: false
+
+  autorelease:
+    runs-on: ubuntu-latest
+    needs: [go_tests]
+    steps:
+      - name: "Cut release if CI passes"
+        if: "${{ github.ref == 'refs/heads/main' }}"
+        uses: benc-uk/workflow-dispatch@e2e5e9a103e331dad343f381a29e654aea3cf8fc # v1.2.4
+        with:
+          workflow: "release.yaml"

.github/workflows/lint-pr-titles.yaml

@@ -0,0 +1,20 @@
+name: "Lint PR"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    steps:
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yaml

@@ -0,0 +1,78 @@
+name: Cut Release
+on:
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: true
+          fetch-tags: true
+          fetch-depth: 0
+          token: ${{ secrets.WRITE_GH_TOKEN }}
+
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        with:
+          node-version: "latest" # does not matter for our needs
+
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        with:
+          go-version: "stable"
+
+      - name: Setup Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Create release branch and run semantic-release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          npm ci
+
+          # Create a unique release branch
+          TIMESTAMP=$(date +%s)
+          BRANCH_NAME="release-${TIMESTAMP}"
+
+          # Create and checkout release branch
+          git checkout -b "${BRANCH_NAME}"
+
+          # Run semantic-release on the release branch
+          npx semantic-release --debug
+
+          # Check if semantic-release made changes
+          if git diff --quiet origin/main HEAD 2>/dev/null || [ $(git rev-list --count HEAD ^origin/main) -eq 0 ]; then
+            echo "No release created"
+            exit 0
+          fi
+
+          # Push the release branch
+          git push origin "${BRANCH_NAME}"
+
+          # Get the version from the commit message or package.json
+          VERSION=$(node -p "require('./package.json').version" 2>/dev/null || echo "unknown")
+
+          # Create pull request
+          gh pr create \
+            --title "chore(release): ${VERSION}" \
+            --body "Automated release PR for version ${VERSION}. This PR includes updates to CHANGELOG.md and package.json. Once this PR is merged to main, the GitHub release will be created automatically." \
+            --base main \
+            --head "${BRANCH_NAME}" \
+            --label "release"
+
+      - name: Clean up old release branches
+        if: always()
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Get all release branches except the current one
+          for branch in $(git ls-remote --heads origin "release-*" | awk '{print $2}' | sed 's|refs/heads/||' | grep -v "^${BRANCH_NAME}$"); do
+            echo "Deleting old release branch: ${branch}"
+            git push origin --delete "${branch}" || true
+          done

.github/workflows/zizmor.yml

@@ -0,0 +1,35 @@
+name: zizmor
+
+on:
+  push:
+    paths:
+      - ".github/workflows/*.ya?ml"
+  pull_request:
+    paths:
+      - ".github/workflows/*.ya?ml"
+
+jobs:
+  zizmor:
+    name: zizmor latest via PyPI
+    runs-on: ubuntu-24.04
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        with:
+          sarif_file: results.sarif
+          category: zizmor

.gitignore

@@ -1,2 +1,4 @@
 .env
-/objgitd
+/objgitd
+
+node_modules

.husky/commit-msg

@@ -0,0 +1,10 @@
+npx --no-install commitlint --edit "$1"
+
+case "$(cat $1)" in
+  *"[skip ci]"*)
+    exit 0
+    ;;
+  *)
+    npm test
+    ;;
+esac

.husky/pre-commit

@@ -0,0 +1 @@
+npx lint-staged

.prettierignore

@@ -0,0 +1 @@
+/CLAUDE.md