[pull] master from ghostunnel:master

.github/workflows/compile.yml

@@ -21,10 +21,14 @@ jobs:
         uses: docker/setup-buildx-action@v3
         with:
           install: true
-      - name: Build container (alpine)
-        run: 'docker buildx build -f Dockerfile-alpine .'
-      - name: Build container (debian)
-        run: 'docker buildx build -f Dockerfile-debian .'
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: '1.25.x'
+      - name: Build containers
+        run: go tool mage -v docker:build
+        env:
+          GITHUB_REF: ${{ github.ref }}
 
   build-linux:
     name: Build (Linux)
@@ -50,18 +54,18 @@ jobs:
           fetch-tags: true
       - name: Build binary
         run: |
-          CGO_ENABLED=1 GOARCH=amd64 make ghostunnel
+          go tool mage -compile ./mage-bin
+          CGO_ENABLED=1 GOARCH=amd64 ./mage-bin -v go:build
           mv ghostunnel ghostunnel-linux-amd64
-          make clean
-          CGO_ENABLED=1 GOARCH=arm64 CC=aarch64-linux-gnu-gcc make ghostunnel
+          CGO_ENABLED=1 GOARCH=arm64 CC=aarch64-linux-gnu-gcc ./mage-bin -v go:build
           mv ghostunnel ghostunnel-linux-arm64
       - name: Upload artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ghostunnel-linux-amd64-${{ matrix.os }}
           path: ghostunnel-linux-amd64
       - name: Upload artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ghostunnel-linux-arm64-${{ matrix.os }}
           path: ghostunnel-linux-arm64
@@ -85,24 +89,24 @@ jobs:
           fetch-tags: true
       - name: Build binary
         run: |
-          CGO_ENABLED=1 GOARCH=amd64 make ghostunnel
+          go tool mage -compile ./mage-bin
+          CGO_ENABLED=1 GOARCH=amd64 ./mage-bin -v go:build
           mv ghostunnel ghostunnel-darwin-amd64
-          make clean
-          CGO_ENABLED=1 GOARCH=arm64 make ghostunnel
+          CGO_ENABLED=1 GOARCH=arm64 ./mage-bin -v go:build
           mv ghostunnel ghostunnel-darwin-arm64
           lipo -create -output ghostunnel-darwin-universal ghostunnel-darwin-amd64 ghostunnel-darwin-arm64
       - name: Upload artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ghostunnel-darwin-amd64
           path: ghostunnel-darwin-amd64
       - name: Upload artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ghostunnel-darwin-arm64
           path: ghostunnel-darwin-arm64
       - name: Upload artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ghostunnel-darwin-universal
           path: ghostunnel-darwin-universal
@@ -125,9 +129,9 @@ jobs:
           fetch-depth: 100
           fetch-tags: true
       - name: Build binary
-        run: make ghostunnel
+        run: go tool mage -v go:build
       - name: Upload artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ghostunnel-windows-amd64
           path: ghostunnel

.github/workflows/docker.yml

@@ -1,5 +1,7 @@
 ---
 name: Docker
+permissions:
+  contents: read
 
 on:
   push:
@@ -8,7 +10,7 @@ on:
 
 jobs:
   buildx:
-    name: Build container
+    name: Build and publish containers
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
@@ -22,20 +24,17 @@ jobs:
         uses: docker/setup-buildx-action@v3
         with:
           install: true
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: '1.25.x'
       - name: Login to Docker Hub
         uses: docker/login-action@v3 
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Build container (alpine/latest)
-        if: ${{ github.ref == 'refs/heads/master' }}
-        run: 'docker buildx build -f Dockerfile-alpine --push -t ghostunnel/ghostunnel:latest -t ghostunnel/ghostunnel:latest-alpine --platform linux/amd64,linux/arm64,linux/arm/v7 .'
-      - name: Build container (debian/latest)
-        if: ${{ github.ref == 'refs/heads/master' }}
-        run: 'docker buildx build -f Dockerfile-debian --push -t ghostunnel/ghostunnel:latest-debian --platform linux/amd64,linux/arm64,linux/arm/v7 .'
-      - name: Build container (alpine/tagged)
-        if: ${{ github.ref != 'refs/heads/master' }}
-        run: 'docker buildx build -f Dockerfile-alpine --push -t ghostunnel/ghostunnel:$(git describe --tags --abbrev=0) -t ghostunnel/ghostunnel:$(git describe --tags --abbrev=0)-alpine --platform linux/amd64,linux/arm64,linux/arm/v7 .'
-      - name: Build container (debian/tagged)
-        if: ${{ github.ref != 'refs/heads/master' }}
-        run: 'docker buildx build -f Dockerfile-debian --push -t ghostunnel/ghostunnel:$(git describe --tags --abbrev=0)-debian --platform linux/amd64,linux/arm64,linux/arm/v7 .'
+      - name: Build and publish containers
+        run: go tool mage -v docker:push
+        env:
+          GITHUB_REF: ${{ github.ref }}
+          DOCKER_PLATFORMS: "linux/amd64,linux/arm64,linux/arm/v7"

.github/workflows/release.yml

@@ -27,19 +27,21 @@ jobs:
         with:
           fetch-depth: 0
       - name: Build binary
+        env:
+          VERSION: ${{ github.ref_name }}
         run: |
-          CGO_ENABLED=1 GOARCH=amd64 make VERSION=$GITHUB_REF_NAME ghostunnel
+          go tool mage -compile ./mage-bin
+          CGO_ENABLED=1 GOARCH=amd64 ./mage-bin -v go:build
           mv ghostunnel ghostunnel-linux-amd64
-          make clean
-          CGO_ENABLED=1 GOARCH=arm64 CC=aarch64-linux-gnu-gcc make VERSION=$GITHUB_REF_NAME ghostunnel
+          CGO_ENABLED=1 GOARCH=arm64 CC=aarch64-linux-gnu-gcc ./mage-bin -v go:build
           mv ghostunnel ghostunnel-linux-arm64
       - name: Upload artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ghostunnel-linux-amd64
           path: ghostunnel-linux-amd64
       - name: Upload artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ghostunnel-linux-arm64
           path: ghostunnel-linux-arm64
@@ -61,25 +63,27 @@ jobs:
         with:
           fetch-depth: 0
       - name: Build binary
+        env:
+          VERSION: ${{ github.ref_name }}
         run: |
-          CGO_ENABLED=1 GOARCH=amd64 make VERSION=$GITHUB_REF_NAME ghostunnel
+          go tool mage -compile ./mage-bin
+          CGO_ENABLED=1 GOARCH=amd64 ./mage-bin -v go:build
           mv ghostunnel ghostunnel-darwin-amd64
-          make clean
-          CGO_ENABLED=1 GOARCH=arm64 make VERSION=$GITHUB_REF_NAME ghostunnel
+          CGO_ENABLED=1 GOARCH=arm64 ./mage-bin -v go:build
           mv ghostunnel ghostunnel-darwin-arm64
           lipo -create -output ghostunnel-darwin-universal ghostunnel-darwin-amd64 ghostunnel-darwin-arm64
       - name: Upload artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ghostunnel-darwin-amd64
           path: ghostunnel-darwin-amd64
       - name: Upload artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ghostunnel-darwin-arm64
           path: ghostunnel-darwin-arm64
       - name: Upload artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ghostunnel-darwin-universal
           path: ghostunnel-darwin-universal
@@ -101,11 +105,13 @@ jobs:
         with:
           fetch-depth: 0
       - name: Build binary
+        env:
+          VERSION: ${{ github.ref_name }}
         run: |
-          make VERSION=$GITHUB_REF_NAME ghostunnel
+          go tool mage -v go:build
           mv ghostunnel ghostunnel-windows-amd64.exe
       - name: Upload artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ghostunnel-windows-amd64.exe
           path: ghostunnel-windows-amd64.exe
@@ -151,7 +157,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Download artifact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           name: ghostunnel-${{ matrix.target.os }}-${{ matrix.target.arch }}
           path: dist
@@ -179,7 +185,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Download artifact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           name: ghostunnel-${{ matrix.target.os }}-${{ matrix.target.arch }}.exe
           path: dist

.github/workflows/test.yml

@@ -1,5 +1,7 @@
 ---
 name: Test 
+permissions:
+  contents: read
 
 on:
   push:
@@ -8,8 +10,8 @@ on:
     branches: [ master ]
 
 jobs:
-  build:
-    name: Unit tests
+  test:
+    name: Tests
     strategy:
       matrix:
         version: [1.25.x]
@@ -23,64 +25,47 @@ jobs:
         id: go
       - name: Checkout
         uses: actions/checkout@v6
-      - name: Build binary
-        run: make ghostunnel
+      - name: Set up Python
+        if: matrix.os != 'windows-latest'
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.11.x'
       - name: Run tests
-        run: make unit
-
-  integration-linux:
-    name: Integration tests (Linux)
-    strategy:
-      matrix:
-        version: [1.25]
-        os: [ubuntu-22.04, ubuntu-24.04]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-      - name: Run tests 
-        run: GO_VERSION=${{ matrix.version }} make docker-test
+        run: go tool mage -v test:all
       - name: Codecov upload
+        if: ${{ github.actor != 'dependabot[bot]' && matrix.os != 'windows-latest' }}
         uses: codecov/codecov-action@v5
-        if: ${{ github.actor != 'dependabot[bot]' }}
         with:
           files: ./coverage/all.profile
-          flags: linux
+          flags: ${{ contains(matrix.os, 'ubuntu') && 'linux' || (contains(matrix.os, 'macos') && 'darwin' || 'windows') }}
           fail_ci_if_error: true
           verbose: true
           token: ${{ secrets.CODECOV_TOKEN }}
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-
-  integration-darwin:
-    name: Integration tests (Darwin)
+      
+  test-docker:
+    name: Tests (PKCS#11/SoftHSM)
     strategy:
       matrix:
-        version: [1.25.x]
-        os: [macos-latest]
+        version: [1.25]
+        os: [ubuntu-24.04]
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Checkout
+        uses: actions/checkout@v6
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
           go-version: ${{ matrix.version }}
-        id: go
-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: '3.11.x'
-      - name: Install gocovmerge
-        run: go install github.com/wadey/gocovmerge@latest
-      - name: Checkout
-        uses: actions/checkout@v6
-      - name: Run tests
-        run: make test
+      - name: Run tests in Docker
+        run: GO_VERSION=${{ matrix.version }} go tool mage -v test:docker
       - name: Codecov upload
         uses: codecov/codecov-action@v5
         if: ${{ github.actor != 'dependabot[bot]' }}
         with:
           files: ./coverage/all.profile
-          flags: darwin
+          flags: linux
           fail_ci_if_error: true
           verbose: true
           token: ${{ secrets.CODECOV_TOKEN }}

.gitignore

@@ -11,6 +11,8 @@
 *.crt
 *.out
 ghostunnel
+ghostunnel.man
+mage-bin
 ghostunnel.exe
 ghostunnel.test
 ghostunnel.certstore
@@ -20,3 +22,4 @@ dist/
 .idea
 bazel-*
 coverage/
+test-keys/

.golangci.yml

@@ -0,0 +1,22 @@
+version: "2"
+
+linters:
+  # Use default linters (errcheck, govet, ineffassign, staticcheck, unused)
+  default: standard
+  # Enable human-readable exclusion presets including std-error-handling
+  # which excludes common error handling patterns like Close()
+  exclusions:
+    presets:
+      - std-error-handling
+      - common-false-positives
+    rules:
+      # Additional exclusions for os.Remove() in tests - cleanup that's best-effort
+      - linters:
+          - errcheck
+        text: "os.Remove"
+        path: "_test\\.go"
+  settings:
+    errcheck:
+      # Additional functions to exclude from checking
+      exclude-functions:
+        - (*github.com/ghostunnel/ghostunnel/certloader.spiffeTLSConfigSource).Close

CONTRIBUTING.md

@@ -5,7 +5,7 @@ by forking the repository and sending a pull request.
 
 When submitting code, please make efforts to follow existing conventions and
 style in order to keep the code as readable as possible. Please also make sure
-all tests pass by running `make test`, and format your code with `go fmt`.
+all tests pass by running `mage test`, and format your code with `go fmt`.
 
 Note that ghostunnel relies heavily on integration tests written in Python that
 run checks on a live instance. If you are adding new features or changing

Dockerfile-alpine

@@ -9,14 +9,16 @@
 FROM golang:1.25-alpine AS build
 
 # Dependencies
-RUN apk add --no-cache --update gcc musl-dev libtool make git
+RUN apk add --no-cache --update gcc musl-dev libtool git
 
 # Copy source
 COPY . /go/src/github.com/ghostunnel/ghostunnel
 
-# Build
+# Install mage and build
 RUN cd /go/src/github.com/ghostunnel/ghostunnel && \
-    GO111MODULE=on make clean ghostunnel && \
+    go install github.com/magefile/mage@latest && \
+    export PATH=$PATH:$(go env GOPATH)/bin && \
+    mage -v go:build && \
     cp ghostunnel /usr/bin/ghostunnel
 
 # Create a multi-stage build with the binary