Skip to content

[1/3] Update GitHub Actions workflows and .gitignore#478

Merged
EthanHeilman merged 2 commits into
openpubkey:mainfrom
fdcastel:update-gh-actions
Mar 1, 2026
Merged

[1/3] Update GitHub Actions workflows and .gitignore#478
EthanHeilman merged 2 commits into
openpubkey:mainfrom
fdcastel:update-gh-actions

Conversation

@fdcastel
Copy link
Copy Markdown
Contributor

@fdcastel fdcastel commented Feb 23, 2026

Makes CI workflows fork-friendly and adds Windows build/test support to the CI pipeline.

This is the first of three PRs splitting the work from #389 (Windows SSH server support).

Changes

Fork-friendly workflows

  • build.yml: Run GoReleaser validation on all branches (not just main), enabling contributors to get build feedback on their feature branches.
  • ci.yml: Run CI on all branches with updated comments.
  • go.yml: Add push trigger (in addition to pull_request) for Go linting/checks on all branches, filtered to Go file changes.
  • zizmor.yml: Run GitHub Actions security analysis on all branches.

Windows CI

  • ci.yml: Add build-windows job (builds AMD64 + ARM64 binaries, verifies --version output).
  • ci.yml: Add test-windows job (runs go test ./... on Windows).

New workflows

  • release-fork.yml: Automated release workflow for forks. Triggers on version tags (v*), only runs when the repository is a fork. Uses GoReleaser to build and publish releases.

Other

  • .gitignore: Add entries for new build artifacts.

Testing

All existing tests continue to pass. The new Windows CI jobs verify that the codebase builds and tests cleanly on Windows.

Related

github-advanced-security[bot]
github-advanced-security AI found potential problems Feb 23, 2026
View reviewed changes
Comment thread .github/workflows/release-fork.yml Fixed
This was referenced Feb 23, 2026
Merged
Closed
@fdcastel fdcastel changed the title Update GitHub Actions workflows and .gitignore [1/3] Update GitHub Actions workflows and .gitignore Feb 23, 2026
@fdcastel
Copy link
Copy Markdown
Contributor Author

fdcastel commented Feb 23, 2026

Rebased with latest main.

@fdcastel
Copy link
Copy Markdown
Contributor Author

fdcastel commented Feb 23, 2026

@EthanHeilman when you have a chance, could you please take a look at this? It's the foundation for the upcoming PRs. 😅

@EthanHeilman
Copy link
Copy Markdown
Member

EthanHeilman commented Feb 24, 2026

I'll take a look at it tomorrow (Tuesday) night

@EthanHeilman
Copy link
Copy Markdown
Member

EthanHeilman commented Feb 25, 2026

@fdcastel I had some stuff come up, won't get a chance to review until Friday.

Can you resolve these issues?
image

@fdcastel
Copy link
Copy Markdown
Contributor Author

fdcastel commented Feb 27, 2026

Sorry, @EthanHeilman. Just one more day and I’ll get this fixed.

It’s been a bit of a chaotic week over here 😅

@EthanHeilman
Copy link
Copy Markdown
Member

EthanHeilman commented Feb 27, 2026

@fdcastel No worries, pretty much the same here. I got half of done what I planned to get done this week.

@fdcastel
Update GitHub Actions workflows and .gitignore
d2e5736 
- Make CI workflows fork-friendly (run on all branches)
- Add Windows build and test jobs to CI pipeline
- Add push triggers to Go Checks workflow
- Add release workflow for forks (release-fork.yml)
- Update .gitignore with new entries
@fdcastel
fix: Fixes the code injection via template expansion vulnerability in…
ffee3da 
… release-fork.yml.
@fdcastel
Copy link
Copy Markdown
Contributor Author

fdcastel commented Feb 27, 2026
edited
Loading

  • Rebased onto the latest main.
  • Resolved the Zizmor code injection warning.

Once this is approved and merged, I’ll rebase the other two PRs that depend on this one.

If you need anything else, just let me know. I’ll be working over the weekend.

EthanHeilman
EthanHeilman approved these changes Mar 1, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@EthanHeilman EthanHeilman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@EthanHeilman EthanHeilman merged commit b96fb13 into openpubkey:main Mar 1, 2026
15 checks passed
renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request Apr 28, 2026
@renovate
chore(deps): update dependency openpubkey/opkssh to v0.14.0
e489b80 
##### [\`v0.14.0\`](https://github.com/openpubkey/opkssh/releases/tag/v0.14.0)

Adds support for sshing into windows servers.
Openssh 10.13 makes a breaking, non-backwards compatible change to how ssh certificates work, this breaks opkssh older than this release. This release creates a fix for this breaking change.

##### Changes

- feat: update to openpubkey 0.23.0 [@ianroberts](https://github.com/ianroberts) ([#510](openpubkey/opkssh#510))
- fix(ci): use `go run .` instead of `go run main.go` in gha workflow [@fdcastel](https://github.com/fdcastel) ([#506](openpubkey/opkssh#506))
- \[3/3] Add Windows SSH server support [@fdcastel](https://github.com/fdcastel) ([#480](openpubkey/opkssh#480))
- refactor: unify MockUserLookup into shared test helper package. Closes [#439](openpubkey/opkssh#439). [@fdcastel](https://github.com/fdcastel) ([#495](openpubkey/opkssh#495))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#500](openpubkey/opkssh#500))
- feat: add --inspect-cert and --verbose flags to login command. Closes [#353](openpubkey/opkssh#353). [@fdcastel](https://github.com/fdcastel) ([#497](openpubkey/opkssh#497))
- docs: Add GitHub Actions integration guide. Closes [#481](openpubkey/opkssh#481) [@fdcastel](https://github.com/fdcastel) ([#492](openpubkey/opkssh#492))
- test: cover full printed output of opkssh inspect. Closes [#356](openpubkey/opkssh#356) [@fdcastel](https://github.com/fdcastel) ([#493](openpubkey/opkssh#493))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#498](openpubkey/opkssh#498))
- Add `logout` command to remove opkssh-generated SSH keys. Closes [#317](openpubkey/opkssh#317). [@fdcastel](https://github.com/fdcastel) ([#496](openpubkey/opkssh#496))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#490](openpubkey/opkssh#490))
- \[2/3] Add permissions command [@fdcastel](https://github.com/fdcastel) ([#479](openpubkey/opkssh#479))
- bug: ensure provider arg doesn't skip remote-redirect-uri [@EthanHeilman](https://github.com/EthanHeilman) ([#471](openpubkey/opkssh#471))
- \[1/3] Update GitHub Actions workflows and .gitignore [@fdcastel](https://github.com/fdcastel) ([#478](openpubkey/opkssh#478))
- docs: Add AWS EC2 setup guide for opkssh [@Rishang](https://github.com/Rishang) ([#467](openpubkey/opkssh#467))

##### 🐛 Bug Fixes

- fix(deps): Update docker/build-push-action action to v7 @[renovate\[bot\]](https://github.com/apps/renovate) ([#512](openpubkey/opkssh#512))
- Fix for openssh 10.13 breaking principals wildcard in SSH certificates [@EthanHeilman](https://github.com/EthanHeilman) ([#513](openpubkey/opkssh#513))
- fix(deps): Update zizmorcore/zizmor-action action to v0.5.2 @[renovate\[bot\]](https://github.com/apps/renovate) ([#488](openpubkey/opkssh#488))
- fix(deps): Update dependency golangci/golangci-lint to v2.11.2 @[renovate\[bot\]](https://github.com/apps/renovate) ([#486](openpubkey/opkssh#486))
- fix(deps): Update goreleaser/goreleaser-action action to v7 @[renovate\[bot\]](https://github.com/apps/renovate) ([#484](openpubkey/opkssh#484))
- fix(deps): Update goreleaser/goreleaser-action action to v7 @[renovate\[bot\]](https://github.com/apps/renovate) ([#477](openpubkey/opkssh#477))
- fix(deps): Update actions/setup-go action to v6.3.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#482](openpubkey/opkssh#482))
- fix(deps): Update zizmorcore/zizmor-action action to v0.5.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#451](openpubkey/opkssh#451))
- fix(deps): Update Docker @[renovate\[bot\]](https://github.com/apps/renovate) ([#464](openpubkey/opkssh#464))

##### 🧰 Maintenance

- Improve install script to make linter happy, fix typo [@EthanHeilman](https://github.com/EthanHeilman) ([#514](openpubkey/opkssh#514))
sdwilsh pushed a commit to sdwilsh/ansible-playbooks that referenced this pull request Apr 30, 2026
@renovate @sdwilsh
chore(deps): update dependency openpubkey/opkssh to v0.14.0
869d212 
##### [\`v0.14.0\`](https://github.com/openpubkey/opkssh/releases/tag/v0.14.0)

Adds support for sshing into windows servers.
Openssh 10.13 makes a breaking, non-backwards compatible change to how ssh certificates work, this breaks opkssh older than this release. This release creates a fix for this breaking change.

##### Changes

- feat: update to openpubkey 0.23.0 [@ianroberts](https://github.com/ianroberts) ([#510](openpubkey/opkssh#510))
- fix(ci): use `go run .` instead of `go run main.go` in gha workflow [@fdcastel](https://github.com/fdcastel) ([#506](openpubkey/opkssh#506))
- \[3/3] Add Windows SSH server support [@fdcastel](https://github.com/fdcastel) ([#480](openpubkey/opkssh#480))
- refactor: unify MockUserLookup into shared test helper package. Closes [#439](openpubkey/opkssh#439). [@fdcastel](https://github.com/fdcastel) ([#495](openpubkey/opkssh#495))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#500](openpubkey/opkssh#500))
- feat: add --inspect-cert and --verbose flags to login command. Closes [#353](openpubkey/opkssh#353). [@fdcastel](https://github.com/fdcastel) ([#497](openpubkey/opkssh#497))
- docs: Add GitHub Actions integration guide. Closes [#481](openpubkey/opkssh#481) [@fdcastel](https://github.com/fdcastel) ([#492](openpubkey/opkssh#492))
- test: cover full printed output of opkssh inspect. Closes [#356](openpubkey/opkssh#356) [@fdcastel](https://github.com/fdcastel) ([#493](openpubkey/opkssh#493))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#498](openpubkey/opkssh#498))
- Add `logout` command to remove opkssh-generated SSH keys. Closes [#317](openpubkey/opkssh#317). [@fdcastel](https://github.com/fdcastel) ([#496](openpubkey/opkssh#496))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#490](openpubkey/opkssh#490))
- \[2/3] Add permissions command [@fdcastel](https://github.com/fdcastel) ([#479](openpubkey/opkssh#479))
- bug: ensure provider arg doesn't skip remote-redirect-uri [@EthanHeilman](https://github.com/EthanHeilman) ([#471](openpubkey/opkssh#471))
- \[1/3] Update GitHub Actions workflows and .gitignore [@fdcastel](https://github.com/fdcastel) ([#478](openpubkey/opkssh#478))
- docs: Add AWS EC2 setup guide for opkssh [@Rishang](https://github.com/Rishang) ([#467](openpubkey/opkssh#467))

##### 🐛 Bug Fixes

- fix(deps): Update docker/build-push-action action to v7 @[renovate\[bot\]](https://github.com/apps/renovate) ([#512](openpubkey/opkssh#512))
- Fix for openssh 10.13 breaking principals wildcard in SSH certificates [@EthanHeilman](https://github.com/EthanHeilman) ([#513](openpubkey/opkssh#513))
- fix(deps): Update zizmorcore/zizmor-action action to v0.5.2 @[renovate\[bot\]](https://github.com/apps/renovate) ([#488](openpubkey/opkssh#488))
- fix(deps): Update dependency golangci/golangci-lint to v2.11.2 @[renovate\[bot\]](https://github.com/apps/renovate) ([#486](openpubkey/opkssh#486))
- fix(deps): Update goreleaser/goreleaser-action action to v7 @[renovate\[bot\]](https://github.com/apps/renovate) ([#484](openpubkey/opkssh#484))
- fix(deps): Update goreleaser/goreleaser-action action to v7 @[renovate\[bot\]](https://github.com/apps/renovate) ([#477](openpubkey/opkssh#477))
- fix(deps): Update actions/setup-go action to v6.3.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#482](openpubkey/opkssh#482))
- fix(deps): Update zizmorcore/zizmor-action action to v0.5.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#451](openpubkey/opkssh#451))
- fix(deps): Update Docker @[renovate\[bot\]](https://github.com/apps/renovate) ([#464](openpubkey/opkssh#464))

##### 🧰 Maintenance

- Improve install script to make linter happy, fix typo [@EthanHeilman](https://github.com/EthanHeilman) ([#514](openpubkey/opkssh#514))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@EthanHeilman EthanHeilman EthanHeilman approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fdcastel @EthanHeilman @github-advanced-security