xscriptor · xscriptor · Apr 25, 2026 · Apr 25, 2026 · Apr 25, 2026 · Apr 25, 2026
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,188 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+    inputs:
+      release_tag:
+        description: "Existing tag to publish (for example: v1.2.3)"
+        required: true
+        type: string
+
+permissions:
+  contents: read
+
+env:
+  CARGO_TERM_COLOR: always
+  RELEASE_TAG: ${{ github.event_name == 'workflow_dispatch' && inputs.release_tag || github.ref_name }}
+
+jobs:
+  build-linux-ubuntu:
+    name: Build Linux (Ubuntu)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Build
+        run: cargo build --release --locked
+      - name: Package
+        run: |
+          asset="gitnapse-${RELEASE_TAG}-linux-ubuntu-x86_64.tar.gz"
+          tar -C target/release -czf "${asset}" gitnapse
+          echo "ASSET=${asset}" >> "$GITHUB_ENV"
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: asset-linux-ubuntu
+          path: ${{ env.ASSET }}
+          if-no-files-found: error
+          retention-days: 7
+
+  build-linux-arch:
+    name: Build Linux (Arch)
+    runs-on: ubuntu-latest
+    container:
+      image: archlinux:latest
+    steps:
+      - name: Install build dependencies
+        run: pacman -Syu --noconfirm --needed base-devel curl ca-certificates git openssl pkgconf
+      - name: Install Rust
+        run: |
+          curl https://sh.rustup.rs -sSf | sh -s -- -y --profile minimal
+          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Build
+        run: cargo build --release --locked
+      - name: Package
+        run: |
+          asset="gitnapse-${RELEASE_TAG}-linux-arch-x86_64.tar.gz"
+          tar -C target/release -czf "${asset}" gitnapse
+          echo "ASSET=${asset}" >> "$GITHUB_ENV"
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: asset-linux-arch
+          path: ${{ env.ASSET }}
+          if-no-files-found: error
+          retention-days: 7
+
+  build-linux-fedora:
+    name: Build Linux (Fedora)
+    runs-on: ubuntu-latest
+    container:
+      image: fedora:latest
+    steps:
+      - name: Install build dependencies
+        run: dnf -y install curl gcc gcc-c++ make pkgconf-pkg-config openssl-devel ca-certificates git tar gzip
+      - name: Install Rust
+        run: |
+          curl https://sh.rustup.rs -sSf | sh -s -- -y --profile minimal
+          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Build
+        run: cargo build --release --locked
+      - name: Package
+        run: |
+          asset="gitnapse-${RELEASE_TAG}-linux-fedora-x86_64.tar.gz"
+          tar -C target/release -czf "${asset}" gitnapse
+          echo "ASSET=${asset}" >> "$GITHUB_ENV"
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: asset-linux-fedora
+          path: ${{ env.ASSET }}
+          if-no-files-found: error
+          retention-days: 7
+
+  build-windows:
+    name: Build Windows
+    runs-on: windows-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Build
+        run: cargo build --release --locked
+      - name: Package
+        shell: pwsh
+        run: |
+          $asset = "gitnapse-$env:RELEASE_TAG-windows-x86_64.zip"
+          Compress-Archive -Path "target/release/gitnapse.exe" -DestinationPath $asset -Force
+          "ASSET=$asset" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: asset-windows
+          path: ${{ env.ASSET }}
+          if-no-files-found: error
+          retention-days: 7
+
+  build-macos:
+    name: Build macOS
+    runs-on: macos-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Build
+        run: cargo build --release --locked
+      - name: Package
+        run: |
+          arch="$(uname -m)"
+          asset="gitnapse-${RELEASE_TAG}-macos-${arch}.tar.gz"
+          tar -C target/release -czf "${asset}" gitnapse
+          echo "ASSET=${asset}" >> "$GITHUB_ENV"
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: asset-macos
+          path: ${{ env.ASSET }}
+          if-no-files-found: error
+          retention-days: 7
+
+  publish-release:
+    name: Publish GitHub Release
+    runs-on: ubuntu-latest
+    needs:
+      - build-linux-ubuntu
+      - build-linux-arch
+      - build-linux-fedora
+      - build-windows
+      - build-macos
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@v5
+        with:
+          pattern: asset-*
+          path: dist
+          merge-multiple: true
+      - name: Generate GitHub App token
+        id: app_token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.RELEASE_GH_APP_ID }}
+          private-key: ${{ secrets.RELEASE_GH_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+      - name: Show assets
+        run: ls -lah dist
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+      - name: Sign assets (keyless)
+        run: |
+          for file in dist/*; do
+            cosign sign-blob --yes "$file" \
+              --output-signature "${file}.sig" \
+              --output-certificate "${file}.pem"
+          done
+      - name: Create or update release
+        env:
+          GH_TOKEN: ${{ steps.app_token.outputs.token }}
+        run: |
+          gh release view "${RELEASE_TAG}" >/dev/null 2>&1 || \
+          gh release create "${RELEASE_TAG}" --title "${RELEASE_TAG}" --generate-notes
+          gh release upload "${RELEASE_TAG}" dist/* --clobber
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,36 @@
+name: Security And Tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  checks:
+    name: Rust Checks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked
+
+      - name: Format check
+        run: cargo fmt --all -- --check
+
+      - name: Lints
+        run: cargo clippy --all-targets --all-features -- -D warnings
+
+      - name: Tests
+        run: cargo test --all-targets --all-features
+
+      - name: Dependency vulnerability audit
+        run: cargo audit --ignore RUSTSEC-2023-0071
diff --git a/.gitignore b/.gitignore
@@ -1 +1,3 @@
 /target
+.env
+*.pem
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -0,0 +1,33 @@
+# Code of Conduct
+
+## Our Commitment
+
+We are committed to providing a respectful, inclusive, and harassment-free environment for everyone participating in GitNapse.
+
+## Expected Behavior
+
+- Be respectful in communication and reviews.
+- Focus on constructive feedback.
+- Assume positive intent and ask clarifying questions.
+- Accept and provide feedback professionally.
+
+## Unacceptable Behavior
+
+- Harassment, threats, or discriminatory language.
+- Personal attacks, insults, or trolling.
+- Publishing private information without consent.
+- Any conduct that harms community collaboration.
+
+## Scope
+
+This Code of Conduct applies to repository discussions, issues, pull requests, and any project-related communication channels.
+
+## Enforcement
+
+Project maintainers are responsible for clarifying and enforcing this policy. Reports are reviewed confidentially and handled fairly.
+
+## Reporting
+
+To report violations, contact:
+
+- [x@xscriptor.com](mailto:x@xscriptor.com)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,41 @@
+# Contributing to GitNapse
+
+Thanks for your interest in contributing.
+
+## Workflow
+
+1. Create a branch from `main`.
+2. Implement your change.
+3. Run local validation.
+4. Open a Pull Request targeting `main`.
+
+`main` is protected. Direct pushes are not allowed.
+
+## Local Validation
+
+Run at minimum:
+
+```bash
+cargo check
+```
+
+If your changes affect behavior, update documentation in `README.md` and `docs/`.
+
+## Pull Request Guidelines
+
+- Keep PRs focused and scoped.
+- Describe motivation, implementation details, and test evidence.
+- Link related issues if available.
+- Resolve review comments before merge.
+
+## Commit Guidance
+
+Use clear commit messages, for example:
+
+- `feat: add authenticated @me repository listing`
+- `fix: handle oauth runtime initialization`
+- `docs: add release collaboration section`
+
+## Security
+
+Do not open public issues for sensitive vulnerabilities. Use the process in [SECURITY.md](./SECURITY.md).
-Original file line number
+Diff line change
@@ -1 +1,3 @@
     /target
+    .env
+    *.pem