feat: init project (#1)

Author: loicsikidi

.envrc

@@ -0,0 +1,2 @@
+watch_file shell.nix
+use nix

.github/workflows/go-test.yaml

@@ -0,0 +1,70 @@
+name: Go tests
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+  schedule: # daily at 19:00 UTC
+    - cron: '0 19 * * *'
+  workflow_dispatch:
+permissions:
+  contents: read
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        go:
+          - { go-version: stable }
+          - { go-version: oldstable }
+          - { go-version-file: go.mod }
+        deps:
+          - locked
+          - latest
+        # Exclude (oldstable, latest) and (go.mod, latest)
+        # root cause: latest version of boulder requires Go 1.25.0
+        exclude:
+          - go: { go-version: oldstable }
+            deps: latest
+          # - go: { go-version-file: go.mod }
+          #   deps: latest
+    steps:
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        with:
+          go-version: ${{ matrix.go.go-version }}
+          go-version-file: ${{ matrix.go.go-version-file }}
+      - uses: geomys/sandboxed-step@7d75eb49d17fdeeb3656b3a57d35932d205bcfb9 # v1.2.1
+        with:
+          run: |
+            if [ "${{ matrix.deps }}" = "latest" ]; then
+              go get -u -t ./...
+            fi
+            go test -v -race ./...
+  staticcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        with:
+          go-version: stable
+      - uses: geomys/sandboxed-step@7d75eb49d17fdeeb3656b3a57d35932d205bcfb9 # v1.2.1
+        with:
+          run: go run honnef.co/go/tools/cmd/staticcheck@latest ./...
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        with:
+          go-version: stable
+      - uses: geomys/sandboxed-step@7d75eb49d17fdeeb3656b3a57d35932d205bcfb9 # v1.2.1
+        with:
+          run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...

.github/workflows/lint.yaml

@@ -0,0 +1,49 @@
+name: Lint checks
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  pre-commit:
+    name: pre-commit hooks
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          persist-credentials: false
+      - name: Install Nix
+        uses: cachix/install-nix-action@0b0e072294b088b73964f1d72dfdac0951439dbd # v31.8.4
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+          github_access_token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run pre-commit hooks
+        run: nix-shell --run "pre-commit run --all-files"
+
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          persist-credentials: false
+      - name: Install Golang
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: go.mod
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@e7fa5ac41e1cf5b7d48e45e42232ce7ada589601 # v9.1.0
+        with:
+          version: latest
+          install-mode: binary
+          skip-cache: true

.github/workflows/release.yaml

@@ -0,0 +1,62 @@
+name: Release CLI & OCI
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions: {}
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write        # publish release
+      id-token: write        # required for Cosign keyless (OIDC)
+      attestations: write    # publish attestations
+      packages: write        # publish oci images
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          fetch-depth: 0  # Required for GoReleaser changelog
+          persist-credentials: false
+
+      - name: Setup QEMU (for docker buildx multi-arch)
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Setup Go based on go.mod
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@fbfd9c6c189226748411491745178e0c2017392d # v0.20.10
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+        with:
+          distribution: goreleaser
+          version: '~> v2'
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Attest checksums.txt provenance
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        with:
+          subject-checksums: dist/checksums.txt

.github/workflows/zizmor.yaml

@@ -0,0 +1,23 @@
+name: zizmor security scan
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0

.golangci.yml

@@ -0,0 +1,11 @@
+version: "2"
+run:
+  timeout: 2m
+ 
+linters:
+  default: standard
+  exclusions:
+    rules:
+      - path: _test\.go
+        linters:
+          - errcheck

.goreleaser.yaml

@@ -0,0 +1,115 @@
+version: 2
+
+project_name: tpm-trust
+
+builds:
+  - id: tpm-trust
+    main: ./
+    binary: tpm-trust
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -s -w -X main.builtBy=goreleaser
+
+archives:
+  - id: tpm-trust-archives
+    ids:
+      - tpm-trust
+    formats: [ 'tar.gz' ]
+    name_template: "tpm-trust_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+
+checksum:
+  name_template: "checksums.txt"
+  algorithm: sha256
+
+sboms:
+  - artifacts: archive
+  - id: source
+    artifacts: source
+
+# Signature in Sigstore bundle format
+signs:
+  - id: cosign-checksum
+    cmd: cosign
+    signature: "${artifact}.sigstore.json"
+    args:
+      - "sign-blob"
+      - "--bundle=${signature}"
+      - "${artifact}"
+      - "--yes"
+    artifacts: checksum
+
+release:
+  github:
+    owner: loicsikidi
+    name: "{{ .ProjectName }}"
+  draft: true
+  prerelease: auto
+  mode: append
+  header: |
+    ## {{ .ProjectName }} {{ .Tag }}
+
+    ### What's Changed
+
+    This release contains the `tpm-trust` binary and OCI images built from commit [{{ .FullCommit }}](https://github.com/loicsikidi/{{ .ProjectName }}/tree/{{ .FullCommit }}).
+
+    ### Artifacts
+
+    - **`tpm-trust_$VERSION_$OS_$ARCH.$EXTENSION`** - CLI binaries for various platforms (stored in archives)
+    - **`tpm-trust_$VERSION_$OS_$ARCH.$EXTENSION.sbom.json`** - SBOMs for the binaries in SPDX format
+    - **`checksums.txt`** - SHA-256 checksums of all artifacts
+    - **`checksums.txt.sigstore.json`** - Sigstore signature bundle for checksum verification
+
+    ### Verification
+
+    > [!IMPORTANT]
+    > If you are not familiar with the concepts around software supply chain security,
+    > (eg. build provenance attestation, keyless signature, etc.), please read the following resources first:
+    > - [Cosign Signing Overview](https://docs.sigstore.dev/cosign/signing/overview/)
+    > - [SLSA provenance attestation](https://slsa.dev/spec/v1.2/provenance)
+    > - [GitHub attest-build-provenance action](https://github.com/actions/attest-build-provenance)
+
+    For complete security verification, follow this two-step process:
+
+    **Step 1: Verify Integrity with Cosign**
+
+    First, verify the **integrity** of the checksums file using Cosign:
+
+    > [!TIP]
+    > Make sure to use **`cosign >= v2.4.3`** to support the [Sigstore bundle format](https://docs.sigstore.dev/about/bundle/).
+
+    ```bash
+    # Verify the checksums signature
+    cosign verify-blob \
+      --bundle checksums.txt.sigstore.json \
+      --certificate-identity-regexp 'https://github.com/loicsikidi/{{ .ProjectName }}/.github/workflows/release.yaml@refs/tags/{{ .Tag }}' \
+      --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+      checksums.txt
+
+    # Verify any artifact matches the checksum
+    sha256sum -c checksums.txt
+    ```
+
+    **Step 2: Verify Provenance with GitHub CLI**
+
+    Once the checksum integrity is established, verify the **provenance** using GitHub's attestation system:
+
+    ```bash
+    # Verify the archive
+    gh attestation verify tpm-trust_{{ .Version }}_linux_amd64.tar.gz --repo loicsikidi/{{ .ProjectName }}
+    ```
+  footer: |
+    **Generated with GoReleaser 🚀**
+
+changelog:
+  use: github
+  sort: asc
+  filters:
+    exclude:
+      - '^docs'
+      - '^test'

LICENSE

@@ -0,0 +1,28 @@
+BSD 3-Clause License
+
+Copyright (c) 2025, Loïc Sikidi
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.