Initial commit

Author: samjtro

.editorconfig

@@ -0,0 +1,71 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+charset = utf-8
+
+# Go files
+[*.go]
+indent_style = tab
+indent_size = 4
+
+# YAML files
+[*.{yml,yaml}]
+indent_style = space
+indent_size = 2
+
+# JSON files
+[*.json]
+indent_style = space
+indent_size = 2
+
+# Markdown files
+[*.md]
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = false
+
+# Makefile
+[Makefile]
+indent_style = tab
+
+# justfile
+[justfile]
+indent_style = space
+indent_size = 4
+
+# Shell scripts
+[*.sh]
+indent_style = space
+indent_size = 4
+
+# Protobuf
+[*.proto]
+indent_style = space
+indent_size = 2
+
+# Web files
+[*.{html,css,js,ts,tsx,jsx}]
+indent_style = space
+indent_size = 2
+
+# Configuration files
+[*.{toml,ini,cfg}]
+indent_style = space
+indent_size = 2
+
+# Dockerfile
+[Dockerfile*]
+indent_style = space
+indent_size = 4
+
+# Git files
+[.git*]
+indent_style = space
+indent_size = 2

.github/workflows/ci.yml

@@ -0,0 +1,168 @@
+name: CI
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main ]
+
+env:
+  GO_VERSION: '1.23.4'
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          
+      - name: Install golangci-lint
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.61.0
+          
+      - name: Run golangci-lint
+        run: golangci-lint run ./...
+
+  test:
+    name: Test
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        go: ['1.22', '1.23.4']
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+        
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go }}
+          
+      - name: Run tests
+        run: |
+          go test -v -race -coverprofile=coverage.out -covermode=atomic ./...
+          
+      - name: Upload coverage
+        if: matrix.os == 'ubuntu-latest' && matrix.go == env.GO_VERSION
+        uses: codecov/codecov-action@v4
+        with:
+          file: ./coverage.out
+          fail_ci_if_error: false
+
+  build-sharedlib:
+    name: Build Shared Libraries
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-latest
+            target: linux-amd64
+            output: signer-amd64.so
+          - os: macos-latest
+            target: darwin-arm64
+            output: signer-arm64.dylib
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+        
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          
+      - name: Vendor dependencies
+        run: |
+          go mod download
+          go mod vendor
+          
+      - name: Build shared library
+        run: |
+          mkdir -p build
+          if [ "${{ matrix.os }}" = "ubuntu-latest" ]; then
+            CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -buildmode=c-shared -trimpath -ldflags="-s -w" -o build/${{ matrix.output }} ./sharedlib/sharedlib.go
+          else
+            CGO_ENABLED=1 GOOS=darwin GOARCH=arm64 go build -buildmode=c-shared -trimpath -ldflags="-s -w" -o build/${{ matrix.output }} ./sharedlib/sharedlib.go
+          fi
+          
+      - name: Verify shared library
+        run: |
+          ls -la build/
+          file build/${{ matrix.output }}
+          
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sharedlib-${{ matrix.target }}
+          path: build/${{ matrix.output }}
+
+  e2e-test:
+    name: End-to-End Test
+    needs: build-sharedlib
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          
+      - name: Download Linux shared library
+        uses: actions/download-artifact@v4
+        with:
+          name: sharedlib-linux-amd64
+          path: build/
+          
+      - name: Run E2E tests
+        run: |
+          chmod +x scripts/e2e-test.sh
+          ./scripts/e2e-test.sh
+          
+  security-scan:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          
+      - name: Run gosec
+        run: |
+          go install github.com/securego/gosec/v2/cmd/gosec@latest
+          gosec -fmt=json -out=security-report.json ./... || true
+          
+      - name: Upload security report
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-report
+          path: security-report.json
+          
+  build-cross-platform:
+    name: Cross-Platform Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          
+      - name: Build for multiple platforms
+        run: |
+          make build-cross || echo "No main binary to build"
+          
+  docker-build:
+    name: Docker Build Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        
+      - name: Test Docker build
+        run: |
+          if [ -f Dockerfile ]; then
+            docker build -t tmpl:test .
+          else
+            echo "No Dockerfile found, skipping Docker build"
+          fi

.github/workflows/release.yml

@@ -0,0 +1,136 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    name: Create Release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.23.4'
+          
+      - name: Validate tag
+        run: |
+          if ! [[ "${{ github.ref_name }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+)?$ ]]; then
+            echo "Invalid tag format. Expected format: vX.Y.Z or vX.Y.Z-suffix"
+            exit 1
+          fi
+          
+      - name: Build release artifacts
+        run: |
+          make clean
+          make vendor
+          
+          # Build shared libraries
+          just build-all
+          
+          # Create checksums
+          cd build
+          sha256sum * > checksums.txt
+          cd ..
+          
+      - name: Create release archive
+        run: |
+          VERSION=${{ github.ref_name }}
+          mkdir -p release
+          
+          # Archive each platform separately
+          tar -czf release/tmpl-${VERSION}-darwin-arm64.tar.gz -C build signer-arm64.dylib
+          tar -czf release/tmpl-${VERSION}-linux-amd64.tar.gz -C build signer-amd64.so
+          
+          # Create source archive
+          git archive --format=tar.gz --prefix=tmpl-${VERSION}/ -o release/tmpl-${VERSION}-source.tar.gz HEAD
+          
+          # Copy checksums
+          cp build/checksums.txt release/
+          
+      - name: Generate changelog
+        id: changelog
+        run: |
+          echo "## What's Changed" > changelog.md
+          echo "" >> changelog.md
+          
+          # Get commits since last tag
+          LAST_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
+          if [ -z "$LAST_TAG" ]; then
+            git log --pretty=format:"* %s (%h)" >> changelog.md
+          else
+            git log ${LAST_TAG}..HEAD --pretty=format:"* %s (%h)" >> changelog.md
+          fi
+          
+          echo "" >> changelog.md
+          echo "" >> changelog.md
+          echo "**Full Changelog**: https://github.com/${{ github.repository }}/compare/${LAST_TAG}...${{ github.ref_name }}" >> changelog.md
+          
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          body_path: changelog.md
+          files: |
+            release/*.tar.gz
+            release/checksums.txt
+          draft: false
+          prerelease: ${{ contains(github.ref_name, '-') }}
+          
+  build-binaries:
+    name: Build Cross-Platform Binaries
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - goos: linux
+            goarch: amd64
+          - goos: linux
+            goarch: arm64
+          - goos: darwin
+            goarch: amd64
+          - goos: darwin
+            goarch: arm64
+          - goos: windows
+            goarch: amd64
+    steps:
+      - uses: actions/checkout@v4
+        
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.23.4'
+          
+      - name: Build shared library
+        env:
+          CGO_ENABLED: 1
+          GOOS: ${{ matrix.goos }}
+          GOARCH: ${{ matrix.goarch }}
+        run: |
+          # Skip Windows shared library builds (not supported)
+          if [ "${{ matrix.goos }}" != "windows" ]; then
+            make vendor
+            
+            OUTPUT_EXT="so"
+            if [ "${{ matrix.goos }}" = "darwin" ]; then
+              OUTPUT_EXT="dylib"
+            fi
+            
+            mkdir -p build
+            go build -buildmode=c-shared -trimpath -ldflags="-s -w" \
+              -o build/signer-${{ matrix.goarch }}.${OUTPUT_EXT} \
+              ./sharedlib/sharedlib.go || echo "Build failed for ${{ matrix.goos }}/${{ matrix.goarch }}"
+          fi
+          
+      - name: Upload artifacts
+        if: matrix.goos != 'windows'
+        uses: actions/upload-artifact@v4
+        with:
+          name: sharedlib-${{ matrix.goos }}-${{ matrix.goarch }}
+          path: build/*