Initial import

Signed-off-by: Pierre-Henri Symoneaux <[email protected]>

.github/actions/lint-commit/action.yaml

@@ -0,0 +1,27 @@
+name: Lint Conventional Commits
+description: Verify that all the commits complies to the conventional commit convention
+
+inputs:
+  config:
+    description: Path to the configuration file
+    default: .github/commitlint.config.js
+
+runs:
+  using: composite
+  steps:
+    - name: Install commitlint
+      shell: bash
+      run: |
+        npm install conventional-changelog-conventionalcommits
+        npm install commitlint@latest
+        npm install @commitlint/{cli,config-conventional}
+
+    - name: Validate current commit (last commit) with commitlint
+      if: github.event_name == 'push'
+      shell: bash
+      run: npx commitlint --config ${{ inputs.config }} --last --verbose
+
+    - name: Validate PR commits with commitlint
+      if: github.event_name == 'pull_request'
+      shell: bash
+      run: npx commitlint --config ${{ inputs.config }} --from ${{ github.event.pull_request.head.sha }}~${{ github.event.pull_request.commits }} --to ${{ github.event.pull_request.head.sha }} --verbose

.github/actions/setup-build-env/action.yaml

@@ -0,0 +1,10 @@
+name: Setup Build Env
+description: Setup build environment with go and protoc
+
+runs:
+  using: composite
+  steps:
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: "1.23"

.github/commitlint.config.js

@@ -0,0 +1,14 @@
+const Configuration = {
+    // See https://github.com/conventional-changelog/commitlint/blob/master/%40commitlint/config-conventional/src/index.ts
+    extends: ['@commitlint/config-conventional'],
+    rules: {
+        'subject-case': [
+            0,
+            'never',
+            // Allow Sentence-case. See https://commitlint.js.org/reference/rules.html#subject-case
+            ['start-case', 'pascal-case', 'upper-case']
+        ]
+    }
+};
+
+module.exports = Configuration;

.github/dependabot.yml

@@ -0,0 +1,21 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+  - package-ecosystem: "gomod" # See documentation for possible values
+    directories:
+      - "/"
+    registries: "*"
+    schedule:
+      interval: "weekly"
+    allow:
+      - dependency-type: all
+    open-pull-requests-limit: 20

.github/goreleaser.yaml

@@ -0,0 +1,50 @@
+# Make sure to check the documentation at https://goreleaser.com
+project_name: okms-cli
+
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+
+    - go test -v ./...
+builds:
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    main: ./cmd/okms
+    id: "okms"
+    binary: okms
+
+archives:
+  - format: tar.gz
+    # this name template makes the OS and Arch compatible with the results of uname.
+    name_template: >-
+      {{ .ProjectName }}-
+      {{- .Os }}-
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    # use zip for windows archives
+    format_overrides:
+      - goos: windows
+        format: zip
+checksum:
+  name_template: "checksums.txt"
+snapshot:
+  name_template: "{{ incpatch .Version }}-next"
+changelog:
+  sort: asc
+
+sboms:
+  - artifacts: archive
+    cmd: syft
+
+release:
+  prerelease: auto

.github/release-note.toml

@@ -0,0 +1,85 @@
+# git-cliff ~ default configuration file
+# https://git-cliff.org/docs/configuration
+#
+# Lines starting with "#" are comments.
+# Configuration options are organized into tables and keys.
+# See documentation for more information on available options.
+
+[changelog]
+# changelog header
+header = ""
+# template for the changelog body
+# https://keats.github.io/tera/docs/#introduction
+body = """
+{% for group, commits in commits | group_by(attribute="group") %}
+    ### {{ group | striptags | trim | upper_first }}
+    {% for commit in commits %}
+        - {% if commit.scope %}*({{ commit.scope }})* {% endif %}\
+            {% if commit.breaking %}[**breaking**] {% endif %}\
+            {{ commit.message | upper_first }}\
+    {% endfor %}
+  {% endfor %}
+{% set breaking = (commits | filter(attribute="breaking", value=true) | map(attribute="breaking_description")) -%}
+{% if breaking -%}
+  ### ⚠️ BREAKING CHANGES:
+  {% for bk in breaking %}
+    - {{ bk -}} 
+  {% endfor %}
+{% endif %}
+"""
+# template for the changelog footer
+footer = ""
+# remove the leading and trailing s
+trim = true
+# postprocessors
+postprocessors = [
+  # { pattern = '<REPO>', replace = "https://github.com/orhun/git-cliff" }, # replace repository URL
+]
+
+[git]
+# parse the commits based on https://www.conventionalcommits.org
+conventional_commits = true
+# filter out the commits that are not conventional
+filter_unconventional = false
+# process each line of a commit as an individual commit
+split_commits = false
+# regex for preprocessing the commit messages
+commit_preprocessors = [
+  # Replace issue numbers
+  #{ pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](<REPO>/issues/${2}))"},
+  # Check spelling of the commit with https://github.com/crate-ci/typos
+  # If the spelling is incorrect, it will be automatically fixed.
+  #{ pattern = '.*', replace_command = 'typos --write-changes -' },
+]
+# regex for parsing and grouping commits
+commit_parsers = [
+  { message = "^feat", group = "<!-- 0 -->🚀 Features" },
+  { message = "^fix", group = "<!-- 1 -->🐛 Bug Fixes" },
+  { message = "^doc", group = "<!-- 3 -->📚 Documentation" },
+  { message = "^perf", group = "<!-- 4 -->⚡ Performance" },
+  { message = "^refactor", group = "<!-- 2 -->🚜 Refactor" },
+  { message = "^style", group = "<!-- 5 -->🎨 Styling" },
+  { message = "^test", group = "<!-- 6 -->🧪 Testing" },
+  { message = "^chore\\(release\\): prepare for", skip = true },
+  { message = "^chore\\(pr\\)", skip = true },
+  { message = "^chore\\(pull\\)", skip = true },
+  { message = "^chore|^ci|^chore\\(deps\\)", group = "<!-- 7 -->⚙️ Miscellaneous Tasks" },
+  { body = ".*security", group = "<!-- 8 -->🛡️ Security" },
+  { message = "^revert", group = "<!-- 9 -->◀️ Revert" },
+]
+# protect breaking changes from being skipped due to matching a skipping commit_parser
+protect_breaking_commits = false
+# filter out the commits that are not matched by commit parsers
+filter_commits = false
+# regex for matching git tags
+# tag_pattern = "v[0-9].*"
+# regex for skipping tags
+# skip_tags = ""
+# regex for ignoring tags
+# ignore_tags = ""
+# sort the tags topologically
+topo_order = false
+# sort the commits inside sections by oldest/newest order
+sort_commits = "oldest"
+# limit the number of commits included in the changelog.
+# limit_commits = 42

.github/workflows/build.yaml

@@ -0,0 +1,60 @@
+# This workflow will build a golang project
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
+
+name: build
+
+on:
+  push:
+    branches: ["main"]
+  workflow_call: {}
+
+jobs:
+  cli:
+    strategy:
+      matrix:
+        tags: ["", "yubikey"]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-build-env
+
+      - name: Install libpcsclite-dev
+        run: sudo apt update && sudo apt install libpcsclite-dev
+        if: contains(matrix.tags, 'yubikey')
+
+      - run: go mod tidy
+
+      - name: Generate
+        run: go generate ./...
+
+      - name: Build CLI
+        run: go build -v -ldflags="-s -w" -tags="${{ matrix.tags }}" -o . ./cmd/...
+
+      - name: Unit Test CLI
+        run: go test -v -tags="${{ matrix.tags }}" ./...
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: cli
+          path: |
+            ./okms
+          retention-days: 5
+        if: matrix.tags == ''
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-build-env
+
+      - run: go mod tidy
+
+      - name: Lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          # Require: The version of golangci-lint to use.
+          # When `install-mode` is `binary` (default) the value can be v1.2 or v1.2.3 or `latest` to use the latest version.
+          # When `install-mode` is `goinstall` the value can be v1.2.3, `latest`, or the hash of a commit.
+          version: v1.60
+          # args: --build-tags yubikey
+          args: --timeout 3m

.github/workflows/pull-request.yaml

@@ -0,0 +1,31 @@
+name: pull-request
+
+on:
+  pull_request:
+    branches: ["main"]
+
+# jobs:
+#   check-commit:
+#     runs-on: ubuntu-latest
+#     steps:
+#       - uses:  ytanikin/[email protected]
+#         with:
+#           add_label: 'false'
+#           task_types: '["feat","fix","doc","perf","refactor","style","test","chore","ci","build","revert"]'
+
+jobs:
+  commitlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Lint commits
+        if: github.event.pull_request.user.login != 'dependabot[bot]'
+        uses: ./.github/actions/lint-commit
+
+  build:
+    needs:
+      - commitlint
+    uses: ./.github/workflows/build.yaml
+    secrets: inherit

.github/workflows/release.yaml

@@ -0,0 +1,69 @@
+name: release
+
+on:
+  push:
+    # run only against tags
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+  packages: write
+  # issues: write
+
+jobs:
+  build:
+    uses: ./.github/workflows/build.yaml
+    secrets: inherit
+
+  docker-build:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+      - uses: ./.github/actions/setup-build-env
+      - uses: ko-build/[email protected]
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - run: KO_DOCKER_REPO=ghcr.io/ovh/okms-cli ko build --tags ${{ github.ref_name }},latest --push --bare --platform=linux/arm64,linux/amd64 ./cmd/okms
+
+  goreleaser:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+      - run: git fetch --force --tags
+      - uses: ./.github/actions/setup-build-env
+      - name: Install Syft
+        run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+      # More assembly might be required: Docker logins, GPG, etc. It all depends
+      # on your needs.
+      - name: Generate a changelog
+        uses: orhun/git-cliff-action@v4
+        with:
+          config: .github/release-note.toml
+          args: --verbose --current
+        env:
+          OUTPUT: tmp.CHANGELOG.md
+      - uses: goreleaser/goreleaser-action@v6
+        with:
+          # either 'goreleaser' (default) or 'goreleaser-pro':
+          distribution: goreleaser
+          version: latest
+          args: release --clean --release-notes tmp.CHANGELOG.md -f .github/goreleaser.yaml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+