From c76a18196b10659c03674e06f8391b32df80830f Mon Sep 17 00:00:00 2001 From: James <133906218+yungcero@users.noreply.github.com> Date: Thu, 19 Feb 2026 08:43:31 -0700 Subject: [PATCH 1/2] fix: update ci --- .github/CODEOWNERS | 26 ++++ .github/FUNDING.yml | 8 ++ .github/ISSUE_TEMPLATE/bug_report.yml | 132 +++++++++++++++++++++ .github/ISSUE_TEMPLATE/config.yml | 11 ++ .github/ISSUE_TEMPLATE/feature_request.yml | 108 +++++++++++++++++ .github/ISSUE_TEMPLATE/security_report.yml | 69 +++++++++++ .github/PULL_REQUEST_TEMPLATE.md | 90 ++++++++++++++ .github/copilot-instructions.md | 132 +++++++++++++++++++++ .github/dependabot.yml | 51 ++++++++ .github/workflows/ci.yml | 118 ++++++++++++++++++ .github/workflows/codeql.yml | 54 +++++++++ .github/workflows/release.yml | 70 +++++++++++ 12 files changed, 869 insertions(+) create mode 100644 .github/CODEOWNERS create mode 100644 .github/FUNDING.yml create mode 100644 .github/ISSUE_TEMPLATE/bug_report.yml create mode 100644 .github/ISSUE_TEMPLATE/config.yml create mode 100644 .github/ISSUE_TEMPLATE/feature_request.yml create mode 100644 .github/ISSUE_TEMPLATE/security_report.yml create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 .github/copilot-instructions.md create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/ci.yml create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/release.yml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..a16ff1a --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,26 @@ +# CODEOWNERS for Agent Identity Protocol +# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners + +# Default owner for everything +* @ArangoGutierrez + +# Core proxy implementation +/proxy/cmd/ @ArangoGutierrez +/proxy/pkg/ @ArangoGutierrez + +# Policy engine (security-critical) +/proxy/pkg/policy/ @ArangoGutierrez + +# DLP scanner (security-critical) +/proxy/pkg/dlp/ @ArangoGutierrez + +# Security documentation +/SECURITY.md @ArangoGutierrez +/.github/SECURITY/ @ArangoGutierrez + +# CI/CD configuration +/.github/workflows/ @ArangoGutierrez + +# Documentation +/docs/ @ArangoGutierrez +/README.md @ArangoGutierrez diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 0000000..d7dee0b --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1,8 @@ +# Funding options for Agent Identity Protocol +# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository + +github: ArangoGutierrez +# ko_fi: # Your Ko-fi username +# patreon: # Your Patreon username +# open_collective: # Your Open Collective username +# custom: ["https://your-custom-link.com"] diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml new file mode 100644 index 0000000..ad87bd1 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -0,0 +1,132 @@ +name: πŸ› Bug Report +description: Report a bug or unexpected behavior +title: "[Bug]: " +labels: ["bug", "needs-triage"] +assignees: [] + +body: + - type: markdown + attributes: + value: | + Thanks for taking the time to report a bug! Please fill out the sections below to help us diagnose the issue. + + - type: checkboxes + id: checklist + attributes: + label: Pre-submission Checklist + description: Please verify you've done the following + options: + - label: I have searched [existing issues](https://github.com/ArangoGutierrez/agent-identity-protocol/issues) to ensure this bug hasn't been reported + required: true + - label: I am using the latest version of AIP + required: true + - label: I have read the [documentation](https://github.com/ArangoGutierrez/agent-identity-protocol#readme) + required: true + + - type: textarea + id: description + attributes: + label: Bug Description + description: A clear and concise description of the bug + placeholder: What happened? What did you expect to happen? + validations: + required: true + + - type: textarea + id: reproduction + attributes: + label: Steps to Reproduce + description: Minimal steps to reproduce the behavior + placeholder: | + 1. Create policy file with... + 2. Run command... + 3. Send request... + 4. See error... + validations: + required: true + + - type: textarea + id: policy + attributes: + label: Policy File (agent.yaml) + description: If applicable, share your policy configuration (redact sensitive data) + render: yaml + placeholder: | + apiVersion: aip.io/v1alpha1 + kind: AgentPolicy + metadata: + name: my-policy + spec: + allowed_tools: + - list_files + + - type: textarea + id: logs + attributes: + label: Relevant Logs + description: Include any error messages or logs (run with `--verbose` for detailed output) + render: shell + placeholder: | + $ ./aip --policy agent.yaml --target "..." --verbose + [aip-proxy] ... + + - type: textarea + id: expected + attributes: + label: Expected Behavior + description: What should have happened? + validations: + required: true + + - type: dropdown + id: component + attributes: + label: Affected Component + description: Which part of AIP is affected? + options: + - Proxy Core + - Policy Engine + - DLP Scanner + - Human-in-the-Loop (UI Prompts) + - Audit Logging + - CLI / Flags + - Cursor Integration + - Documentation + - Other + validations: + required: true + + - type: input + id: version + attributes: + label: AIP Version + description: Output of `aip --version` or git commit hash + placeholder: v0.1.0 or commit abc1234 + validations: + required: true + + - type: dropdown + id: os + attributes: + label: Operating System + options: + - macOS (Apple Silicon) + - macOS (Intel) + - Linux (x86_64) + - Linux (ARM64) + - Windows + - Other + validations: + required: true + + - type: input + id: go-version + attributes: + label: Go Version (if building from source) + placeholder: go1.23.0 + + - type: textarea + id: additional + attributes: + label: Additional Context + description: Any other context, screenshots, or information that might help diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..e89b5f6 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,11 @@ +blank_issues_enabled: false +contact_links: + - name: πŸ’¬ GitHub Discussions + url: https://github.com/openagentidentityprotocol/aip-go/discussions + about: Ask questions and discuss ideas with the community + - name: πŸ”’ Security Vulnerabilities + url: https://github.com/openagentidentityprotocol/aip-go/security/advisories + about: Report security vulnerabilities privately (do NOT use issues) + - name: πŸ“– Documentation + url: https://github.com/openagentidentityprotocol/aip-go#readme + about: Read the documentation before opening an issue diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml new file mode 100644 index 0000000..1f1a5e3 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.yml @@ -0,0 +1,108 @@ +name: ✨ Feature Request +description: Suggest a new feature or enhancement +title: "[Feature]: " +labels: ["enhancement", "needs-triage"] +assignees: [] + +body: + - type: markdown + attributes: + value: | + Thanks for suggesting a feature! Please describe your idea below. + + - type: checkboxes + id: checklist + attributes: + label: Pre-submission Checklist + options: + - label: I have searched [existing issues](https://github.com/ArangoGutierrez/agent-identity-protocol/issues) to ensure this hasn't been requested + required: true + - label: I have read the [roadmap](https://github.com/ArangoGutierrez/agent-identity-protocol#roadmap) to check if this is planned + required: true + + - type: dropdown + id: category + attributes: + label: Feature Category + description: What area does this feature relate to? + options: + - Policy Engine (new rules, constraints) + - Security (authentication, authorization) + - DLP (data loss prevention) + - Human-in-the-Loop (approval workflows) + - Audit & Observability + - Integration (Cursor, VSCode, other IDEs) + - Kubernetes / Cloud Deployment + - CLI / UX Improvements + - SDK / Client Libraries + - Documentation + - Other + validations: + required: true + + - type: textarea + id: problem + attributes: + label: Problem Statement + description: What problem does this feature solve? What's your use case? + placeholder: | + As a [type of user], I want to [do something] so that [benefit]. + + Currently, I have to... which is problematic because... + validations: + required: true + + - type: textarea + id: solution + attributes: + label: Proposed Solution + description: How do you envision this feature working? + placeholder: | + I would like AIP to support... + + Example configuration: + ```yaml + spec: + new_feature: + enabled: true + ``` + validations: + required: true + + - type: textarea + id: alternatives + attributes: + label: Alternatives Considered + description: Have you considered any alternative solutions or workarounds? + placeholder: | + 1. Alternative A: ... + 2. Alternative B: ... + 3. Current workaround: ... + + - type: dropdown + id: priority + attributes: + label: Priority + description: How important is this feature to you? + options: + - Nice to have + - Important for my use case + - Blocking my adoption of AIP + validations: + required: true + + - type: checkboxes + id: contribution + attributes: + label: Contribution + description: Would you be willing to contribute this feature? + options: + - label: I would be willing to submit a PR for this feature + - label: I can help test this feature + - label: I can help write documentation for this feature + + - type: textarea + id: additional + attributes: + label: Additional Context + description: Any other context, mockups, or references that might help diff --git a/.github/ISSUE_TEMPLATE/security_report.yml b/.github/ISSUE_TEMPLATE/security_report.yml new file mode 100644 index 0000000..69fce76 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/security_report.yml @@ -0,0 +1,69 @@ +name: πŸ”’ Security Concern +description: Report a security concern (NOT for vulnerabilities - see SECURITY.md) +title: "[Security]: " +labels: ["security", "needs-triage"] +assignees: [] + +body: + - type: markdown + attributes: + value: | + ⚠️ **IMPORTANT**: Do NOT use this form for security vulnerabilities! + + For vulnerabilities, please follow our [Security Policy](https://github.com/ArangoGutierrez/agent-identity-protocol/blob/main/SECURITY.md) and report privately. + + This form is for: + - Security hardening suggestions + - Questions about security architecture + - Requests for security documentation + - Compliance-related questions + + - type: checkboxes + id: not-vulnerability + attributes: + label: Confirmation + options: + - label: This is NOT a security vulnerability (those should be reported via SECURITY.md) + required: true + - label: I have read the [SECURITY.md](https://github.com/ArangoGutierrez/agent-identity-protocol/blob/main/SECURITY.md) file + required: true + + - type: dropdown + id: type + attributes: + label: Type of Security Concern + options: + - Security hardening suggestion + - Threat model question + - Compliance inquiry (SOC2, GDPR, HIPAA, etc.) + - Security documentation request + - Configuration best practices + - Other security-related question + validations: + required: true + + - type: textarea + id: description + attributes: + label: Description + description: Describe your security concern or question + placeholder: | + I'm wondering about the security implications of... + + Or: I suggest hardening X by doing Y because... + validations: + required: true + + - type: textarea + id: context + attributes: + label: Use Case / Context + description: Help us understand your security requirements + placeholder: | + We're deploying AIP in a [environment] with [requirements]... + + - type: textarea + id: additional + attributes: + label: Additional Context + description: Any references, compliance requirements, or other relevant information diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..3ce39e1 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,90 @@ +## Summary + + + +## Related Issues + + + +## Type of Change + + + +- [ ] πŸ› Bug fix (non-breaking change that fixes an issue) +- [ ] ✨ New feature (non-breaking change that adds functionality) +- [ ] πŸ’₯ Breaking change (fix or feature that would cause existing functionality to change) +- [ ] πŸ“ Documentation update +- [ ] πŸ”§ Configuration change +- [ ] ♻️ Refactoring (no functional changes) +- [ ] πŸ§ͺ Test improvement +- [ ] πŸ”’ Security fix + +## Changes Made + + + +- +- +- + +## Testing + + + +- [ ] Unit tests added/updated +- [ ] Manual testing performed +- [ ] Tested with real MCP server +- [ ] Tested policy enforcement + +### Test Commands + +```bash +# Commands used to test +cd proxy +make test +make build +./bin/aip --policy examples/agent.yaml --target "python3 test/echo_server.py" --verbose +``` + +## Policy Impact + + + +- [ ] No policy changes +- [ ] New policy feature (describe below) +- [ ] Policy behavior change (describe migration path) + +## Security Checklist + + + +- [ ] No new dependencies with known vulnerabilities +- [ ] No secrets or credentials in code +- [ ] Audit logging maintained for new operations +- [ ] Input validation added for new parameters +- [ ] Documentation updated for security implications + +## Documentation + +- [ ] README updated (if needed) +- [ ] Code comments added for complex logic +- [ ] Example configurations updated +- [ ] CHANGELOG entry added (for user-facing changes) + +## Screenshots / Recordings + + + +## Checklist + +- [ ] My code follows the project's code style (`make lint` passes) +- [ ] I have performed a self-review of my code +- [ ] I have commented my code, particularly in hard-to-understand areas +- [ ] My changes generate no new warnings +- [ ] New and existing unit tests pass locally (`make test`) +- [ ] Any dependent changes have been merged and published + +--- + + +/cc @ArangoGutierrez diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md new file mode 100644 index 0000000..cb7cac9 --- /dev/null +++ b/.github/copilot-instructions.md @@ -0,0 +1,132 @@ +# GitHub Copilot Instructions for AIP + +This document provides context for GitHub Copilot when working on the Agent Identity Protocol codebase. + +## Project Overview + +AIP (Agent Identity Protocol) is a **zero-trust security layer for AI agents**. It provides: + +1. **Policy Enforcement Proxy**: Intercepts MCP (Model Context Protocol) tool calls +2. **Manifest-Driven Security**: Declarative YAML policies define what agents can do +3. **Human-in-the-Loop**: Native OS prompts for sensitive operations +4. **DLP (Data Loss Prevention)**: Redacts sensitive data in tool responses +5. **Audit Logging**: Immutable JSONL logs for compliance + +## Architecture + +``` +β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” +β”‚ MCP Client │────▢│ AIP Proxy │────▢│ MCP Server β”‚ +β”‚ (Agent) │◀────│ Policy Engine │◀────│ (Subprocess) β”‚ +β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ +``` + +The proxy is a **stdin/stdout passthrough** that: +- Reads JSON-RPC from stdin (client requests) +- Checks `tools/call` requests against policy +- Forwards allowed requests to subprocess +- Returns errors for blocked requests +- Scans responses for sensitive data (DLP) +- Logs all decisions to audit file + +## Code Style + +### Go Guidelines + +- **Format**: Always run `gofmt -s -w .` +- **Imports**: Standard library first, then external, then internal +- **Errors**: Wrap with context using `fmt.Errorf("context: %w", err)` +- **Logging**: + - `logger` (stderr) for operational logs + - `auditLogger` (file) for audit trail + - **NEVER** write to stdout except JSON-RPC responses + +### Critical Constraints + +1. **stdout is sacred**: Only JSON-RPC messages go to stdout +2. **Fail-closed**: Unknown operations = deny +3. **Zero-trust**: Every tool call is checked, no implicit permissions + +## Key Files + +| Path | Purpose | +|------|---------| +| `implementations/go-proxy/cmd/aip-proxy/main.go` | Entry point, proxy logic | +| `implementations/go-proxy/pkg/policy/engine.go` | Policy loading and evaluation | +| `implementations/go-proxy/pkg/dlp/scanner.go` | DLP regex scanning | +| `implementations/go-proxy/pkg/audit/logger.go` | JSONL audit logging | +| `implementations/go-proxy/pkg/ui/prompt.go` | Native OS dialogs | +| `implementations/go-proxy/pkg/protocol/types.go` | JSON-RPC types | + +## Common Tasks + +### Adding a New Policy Feature + +1. Update `implementations/go-proxy/pkg/policy/engine.go` with new evaluation logic +2. Update policy types in the same file +3. Add tests in `engine_test.go` +4. Update example policies in `implementations/go-proxy/examples/` +5. Document in README or docs/ + +### Adding a New CLI Flag + +1. Add flag definition in `parseFlags()` in `main.go` +2. Update usage message +3. Add handling logic +4. Update README with new flag + +### Adding DLP Pattern + +1. Patterns are defined in policy YAML under `spec.dlp.patterns` +2. Test regex in `dlp/scanner_test.go` +3. Add example to `implementations/go-proxy/examples/agent.yaml` + +## Testing + +```bash +cd proxy +make test # Run all tests +make lint # Lint checks +make build # Build binary +make run-demo # Test with echo server +``` + +## Policy YAML Structure + +```yaml +apiVersion: aip.io/v1alpha1 +kind: AgentPolicy +metadata: + name: policy-name +spec: + mode: enforce | monitor + allowed_tools: + - tool_name + tool_rules: + - tool: tool_name + action: allow | block | ask + allow_args: + arg_name: "regex_pattern" + dlp: + patterns: + - name: "Pattern Name" + regex: "pattern" +``` + +## Security Considerations + +When writing code for AIP: + +1. **Input Validation**: Always validate policy YAML fields +2. **Regex Safety**: Use timeouts for regex evaluation (DoS prevention) +3. **Memory Safety**: Don't hold sensitive data longer than needed +4. **Audit Trail**: Log security-relevant decisions +5. **Error Messages**: Don't leak internal paths or secrets + +## MCP Protocol + +AIP speaks JSON-RPC over stdio. Key methods: + +- `tools/call` - Agent invokes a tool (intercepted by AIP) +- `tools/list` - List available tools (passthrough) +- Other methods - Passed through without policy check diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..402b342 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,51 @@ +# Dependabot configuration for Agent Identity Protocol +# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates + +version: 2 + +updates: + # Go modules (proxy) + - package-ecosystem: "gomod" + directory: "/proxy" + schedule: + interval: "weekly" + day: "monday" + time: "09:00" + timezone: "America/Los_Angeles" + open-pull-requests-limit: 10 + commit-message: + prefix: "deps(go)" + labels: + - "dependencies" + - "go" + reviewers: + - "ArangoGutierrez" + groups: + # Group minor and patch updates together + go-minor-patch: + patterns: + - "*" + update-types: + - "minor" + - "patch" + + # GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + time: "09:00" + timezone: "America/Los_Angeles" + open-pull-requests-limit: 5 + commit-message: + prefix: "deps(actions)" + labels: + - "dependencies" + - "github-actions" + reviewers: + - "ArangoGutierrez" + groups: + actions-all: + patterns: + - "*" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..ea4bf99 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,118 @@ +# CI Pipeline for Agent Identity Protocol +# +# Runs on every push and PR to ensure code quality: +# - Build verification +# - Unit tests with coverage +# - Linting (go vet, staticcheck) +# - Security scanning (govulncheck) + +name: CI + +on: + push: + branches: [main] + pull_request: + branches: [main] + +permissions: + contents: read + +env: + GO_VERSION: "1.25" + +jobs: + build: + name: Build + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v6 + + - name: Set up Go + uses: actions/setup-go@v6 + with: + go-version: ${{ env.GO_VERSION }} + cache-dependency-path: implementations/go-proxy/go.sum + + - name: Build + working-directory: implementations/go-proxy + run: make build + + - name: Verify binary exists + run: test -f implementations/go-proxy/bin/aip + + test: + name: Test + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v6 + + - name: Set up Go + uses: actions/setup-go@v6 + with: + go-version: ${{ env.GO_VERSION }} + cache-dependency-path: implementations/go-proxy/go.sum + + - name: Run tests + working-directory: implementations/go-proxy + run: go test -v -race -coverprofile=coverage.out -covermode=atomic ./... + + - name: Upload coverage + uses: codecov/codecov-action@v5 + with: + files: implementations/go-proxy/coverage.out + flags: unittests + fail_ci_if_error: false + + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v6 + + - name: Set up Go + uses: actions/setup-go@v6 + with: + go-version: ${{ env.GO_VERSION }} + cache-dependency-path: implementations/go-proxy/go.sum + + - name: Run go vet + working-directory: implementations/go-proxy + run: go vet ./... + + - name: Check formatting + working-directory: implementations/go-proxy + run: | + if [ -n "$(gofmt -l .)" ]; then + echo "Code is not formatted. Run 'gofmt -w .'" + gofmt -d . + exit 1 + fi + + - name: Run golangci-lint + uses: golangci/golangci-lint-action@v9 + with: + version: latest + working-directory: implementations/go-proxy + args: --timeout=5m + + security: + name: Security Scan + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v6 + + - name: Set up Go + uses: actions/setup-go@v6 + with: + go-version: ${{ env.GO_VERSION }} + cache-dependency-path: implementations/go-proxy/go.sum + + - name: Run govulncheck + working-directory: implementations/go-proxy + run: | + go install golang.org/x/vuln/cmd/govulncheck@latest + govulncheck ./... diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..4fac3d2 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,54 @@ +# CodeQL Security Analysis +# +# Performs semantic code analysis to find security vulnerabilities. +# Results appear in GitHub Security tab. +# +# Documentation: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql + +name: "CodeQL" + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + # Run weekly on Monday at 6:00 UTC + - cron: '0 6 * * 1' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ['go'] + + steps: + - name: Checkout repository + uses: actions/checkout@v6 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + # Use extended security queries for more comprehensive analysis + queries: +security-extended + + - name: Autobuild + uses: github/codeql-action/autobuild@v4 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: "/language:${{ matrix.language }}" + # Don't fail the workflow if upload fails (code scanning may not be enabled) + # To enable: Settings β†’ Code security and analysis β†’ Code scanning + upload: always + continue-on-error: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..69a0625 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,70 @@ +# Release Pipeline for Agent Identity Protocol +# +# Triggers on version tags (v*) and creates: +# - Cross-platform binaries (Linux, macOS, Windows) +# - GitHub Release with changelog +# - Homebrew formula (future) + +name: Release + +on: + push: + tags: + - "v*" + +permissions: + contents: write + +env: + GO_VERSION: "1.25" + +jobs: + release: + name: Build and Release + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v6 + with: + fetch-depth: 0 + + - name: Set up Go + uses: actions/setup-go@v6 + with: + go-version: ${{ env.GO_VERSION }} + cache-dependency-path: implementations/go-proxy/go.sum + + - name: Run tests before release + working-directory: implementations/go-proxy + run: go test -v ./... + + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v6 + with: + distribution: goreleaser + version: "~> v2" + args: release --clean + workdir: implementations/go-proxy + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + verify-release: + name: Verify Release Artifacts + needs: release + runs-on: ubuntu-latest + steps: + - name: Download release artifacts + run: | + gh release download ${{ github.ref_name }} \ + --repo ${{ github.repository }} \ + --pattern "*.tar.gz" \ + --dir ./artifacts + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Verify checksums + run: | + cd artifacts + if [ -f checksums.txt ]; then + sha256sum -c checksums.txt + fi From d1359e5dce62906b1ef66a312ec0ec84a3a51de6 Mon Sep 17 00:00:00 2001 From: James <133906218+yungcero@users.noreply.github.com> Date: Thu, 19 Feb 2026 08:52:46 -0700 Subject: [PATCH 2/2] fix: update build paths --- .github/workflows/ci.yml | 24 ++++++++++++------------ .github/workflows/release.yml | 6 +++--- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ea4bf99..1498de5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -32,14 +32,14 @@ jobs: uses: actions/setup-go@v6 with: go-version: ${{ env.GO_VERSION }} - cache-dependency-path: implementations/go-proxy/go.sum + cache-dependency-path: ./go.sum - name: Build - working-directory: implementations/go-proxy + working-directory: ./ run: make build - name: Verify binary exists - run: test -f implementations/go-proxy/bin/aip + run: test -f ./bin/aip test: name: Test @@ -52,16 +52,16 @@ jobs: uses: actions/setup-go@v6 with: go-version: ${{ env.GO_VERSION }} - cache-dependency-path: implementations/go-proxy/go.sum + cache-dependency-path: ./go.sum - name: Run tests - working-directory: implementations/go-proxy + working-directory: ./ run: go test -v -race -coverprofile=coverage.out -covermode=atomic ./... - name: Upload coverage uses: codecov/codecov-action@v5 with: - files: implementations/go-proxy/coverage.out + files: ./coverage.out flags: unittests fail_ci_if_error: false @@ -76,14 +76,14 @@ jobs: uses: actions/setup-go@v6 with: go-version: ${{ env.GO_VERSION }} - cache-dependency-path: implementations/go-proxy/go.sum + cache-dependency-path: ./go.sum - name: Run go vet - working-directory: implementations/go-proxy + working-directory: ./ run: go vet ./... - name: Check formatting - working-directory: implementations/go-proxy + working-directory: ./ run: | if [ -n "$(gofmt -l .)" ]; then echo "Code is not formatted. Run 'gofmt -w .'" @@ -95,7 +95,7 @@ jobs: uses: golangci/golangci-lint-action@v9 with: version: latest - working-directory: implementations/go-proxy + working-directory: ./ args: --timeout=5m security: @@ -109,10 +109,10 @@ jobs: uses: actions/setup-go@v6 with: go-version: ${{ env.GO_VERSION }} - cache-dependency-path: implementations/go-proxy/go.sum + cache-dependency-path: ./go.sum - name: Run govulncheck - working-directory: implementations/go-proxy + working-directory: ./ run: | go install golang.org/x/vuln/cmd/govulncheck@latest govulncheck ./... diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 69a0625..1daa2d8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -32,10 +32,10 @@ jobs: uses: actions/setup-go@v6 with: go-version: ${{ env.GO_VERSION }} - cache-dependency-path: implementations/go-proxy/go.sum + cache-dependency-path: ./go.sum - name: Run tests before release - working-directory: implementations/go-proxy + working-directory: ./ run: go test -v ./... - name: Run GoReleaser @@ -44,7 +44,7 @@ jobs: distribution: goreleaser version: "~> v2" args: release --clean - workdir: implementations/go-proxy + workdir: ./ env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}