[1/3] Update GitHub Actions workflows and .gitignore

.github/workflows/build.yml

@@ -1,10 +1,11 @@
 name: Build
 
+# Validates GoReleaser can build on all branches (fork-friendly)
 on:
   pull_request:
   push:
     branches:
-      - main
+      - '**'  # Run on all branches
 
 permissions: {}
 

.github/workflows/ci.yml

@@ -1,11 +1,12 @@
 name: CI
 
-# Runs CI for pull requests and pushes to main
+# Runs CI for pull requests and pushes to any branch
+# This allows fork developers to get CI feedback on their branches
 on:
   pull_request:
   push:
     branches:
-      - main
+      - '**'  # Run on all branches
   # schedule:
   #   - cron: 0 14 * * MON-FRI # Every weekday at 14:00 UTC
 
@@ -33,6 +34,60 @@ jobs:
       run: go mod download
     - name: Build
       run: go build -v -o /dev/null
+
+  # Check that binary can be built on Windows
+  build-windows:
+    name: Build Windows
+    runs-on: windows-latest
+    timeout-minutes: 5
+    steps:
+    - name: Checkout
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        persist-credentials: false
+    - name: Install Go
+      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      with:
+        go-version-file: 'go.mod'
+    - name: Install dependencies
+      run: go mod download
+    - name: Build Windows AMD64
+      shell: pwsh
+      run: |
+        $env:GOOS = "windows"
+        $env:GOARCH = "amd64"
+        go build -v -o opkssh-amd64.exe
+    - name: Build Windows ARM64
+      shell: pwsh
+      run: |
+        $env:GOOS = "windows"
+        $env:GOARCH = "arm64"
+        go build -v -o opkssh-arm64.exe
+    - name: Test binary works
+      shell: pwsh
+      run: |
+        .\opkssh-amd64.exe --version
+
+  # Run Windows unit tests
+  test-windows:
+    name: 'Windows Tests'
+    runs-on: windows-latest
+    timeout-minutes: 8
+    steps:
+    - name: Checkout
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        persist-credentials: false
+    - name: Install Go
+      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      with:
+        go-version-file: 'go.mod'
+    - name: Install dependencies
+      run: go mod download
+    - name: Run unit tests
+      shell: pwsh
+      run: go test ./...
+
   # Run integration tests
   test:
     needs: build

.github/workflows/go.yml

@@ -1,11 +1,19 @@
 name: Go Checks
 
+# Run linting and tests on all branches when Go files change (fork-friendly)
 on:
   pull_request:
     paths:
       - "**.go"
       - "go.mod"
       - "go.sum"
+  push:
+    branches:
+      - '**'  # Run on all branches
+    paths:
+      - "**.go"
+      - "go.mod"
+      - "go.sum"
 
 permissions: {}
 

.github/workflows/release-fork.yml

@@ -0,0 +1,41 @@
+name: Fork CD
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions: {}
+
+jobs:
+  goreleaser-release:
+    name: Build and release opkssh (forks only)
+    if: github.event.repository.fork == true
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Set up Go
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version-file: 'go.mod'
+          cache: false
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+        with:
+          distribution: goreleaser
+          version: "~> v2"
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Publish GitHub release
+        run: gh release edit "$REF_NAME" --draft=false --repo "$REPOSITORY"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REF_NAME: ${{ github.ref_name }}
+          REPOSITORY: ${{ github.repository }}

.github/workflows/zizmor.yml

@@ -1,10 +1,13 @@
 name: GitHub Actions Security Analysis with zizmor 🌈
 
+# Run security scanning on all branches (fork-friendly)
 on:
   push:
-    branches: ["main"]
+    branches:
+      - '**'  # Run on all branches
   pull_request:
-    branches: ["**"]
+    branches:
+      - '**'
 
 permissions: {}
 

.gitignore

@@ -44,3 +44,5 @@ test/integration/testfile.txt
 .direnv
 .envrc
 opkssh
+
+tmp/