Mirantis · james-nesbitt · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026 · Mar 26, 2026
diff --git a/.github/workflows/build-and-sign.yml b/.github/workflows/build-and-sign.yml
@@ -0,0 +1,83 @@
+# Cross-compile selected platforms, then DigiCert-sign artifacts. Add triggers under `on:` as needed.
+# Fork PRs are skipped (no secrets). Requires SM_* repository secrets and SM_* vars for DigiCert.
+
+name: Build and sign (DigiCert)
+
+permissions:
+  contents: read
+  actions: write
+
+on:
+  pull_request:
+    branches: [main]
+
+env:
+  # Unique per run; safe for PR, manual runs, and future triggers.
+  SIGNING_ARTIFACT_NAME: launchpad-signing-${{ github.run_id }}
+
+jobs:
+  build-for-signing:
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    name: Build binaries for signing
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+      - name: Build binaries
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p dist
+          read -r -a platforms <<< "windows/amd64 darwin/amd64"
+          for platform in "${platforms[@]}"; do
+            GOOS=${platform%/*}
+            GOARCH=${platform#*/}
+            output_name="dist/launchpad_${GOOS}_${GOARCH}"
+            if [ "$GOOS" = "windows" ]; then
+              output_name+=".exe"
+            fi
+            echo "Building $output_name"
+            GOOS=$GOOS GOARCH=$GOARCH go build -o "$output_name" ./main.go
+          done
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.SIGNING_ARTIFACT_NAME }}
+          path: dist/
+
+  sign-binaries:
+    needs: build-for-signing
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    name: Sign binaries
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.SIGNING_ARTIFACT_NAME }}
+          path: dist/
+
+      - name: Decode SM client certificate
+        run: |
+          SM_CLIENT_CERT_FILE="${{ runner.temp }}/sm_client_cert.p12"
+          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > "$SM_CLIENT_CERT_FILE"
+          echo "SM_CLIENT_CERT_FILE=$SM_CLIENT_CERT_FILE" >> "$GITHUB_ENV"
+        shell: bash
+
+      - name: DigiCert Software Trust Manager
+        uses: digicert/code-signing-software-trust-action@v1
+        with:
+          simple-signing-mode: true
+          keypair-alias: ${{ vars.SM_KEYPAIR_ALIAS }}
+          input: dist/
+        env:
+          SM_HOST: ${{ vars.SM_HOST }}
+          SM_API_KEY: ${{ secrets.SM_API_KEY }}
+          SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }}
+          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: launchpad-binaries-signed
+          path: dist/
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,32 +1,30 @@
-# Build and test workflow for Launchpad
-# Triggered on PRs and pushes to main.
+# Build and test on push to main (unsigned); DigiCert build+sign is in build-and-sign.yml.
 
 name: Build and Test
+
 permissions:
   contents: read
-  packages: write  # Required for uploading artifacts
+  actions: write # upload-artifact
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
 
 jobs:
   build:
-    name: Build Binaries
+    name: Build binaries
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
-          go-version: "1.25"
-
+          go-version-file: go.mod
       - name: Build binaries
+        shell: bash
         run: |
+          set -euo pipefail
           mkdir -p dist
-          platforms=("linux/amd64" "linux/arm64" "windows/amd64" "windows/arm64" "darwin/amd64" "darwin/arm64")
+          platforms=(linux/amd64 linux/arm64 windows/amd64 windows/arm64 darwin/amd64 darwin/arm64)
           for platform in "${platforms[@]}"; do
             GOOS=${platform%/*}
             GOARCH=${platform#*/}
@@ -37,28 +35,23 @@ jobs:
             echo "Building $output_name"
             GOOS=$GOOS GOARCH=$GOARCH go build -o "$output_name" ./main.go
           done
-
-      - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v4
         with:
           name: launchpad-binaries
           path: dist/
 
   test:
-    name: Run Tests
+    name: Tests
     runs-on: ubuntu-latest
     needs: build
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
-          go-version: "1.22"
-
-      - name: Run unit tests
-        run: go test -v ./...
-
-      - name: Run integration tests
-        run: go test -v -tags=integration ./test/integration
+          go-version-file: go.mod
+      - name: Unit tests
+        run: make unit-test
+        env:
+          TEST_FLAGS: -short
+      - name: Integration tests
+        run: make integration-test
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -1,88 +1,71 @@
-# PR validation workflow for Launchpad
-# Triggered on PRs to main branch.
+# PR validation for Launchpad (lint, tests, security). Build+sign is in build-and-sign.yml.
 
 name: PR Validation
 
 permissions:
   contents: read
-  pull-requests: write  # Required for PR comments or labels
 
 on:
   pull_request:
-    branches: [ main ]
-    paths:
-      - "**.go"
-      - "go.mod"
-      - "go.sum"
-      - "test/**"
-      - "examples/**"
-      - ".github/workflows/**"
-    paths-ignore:
-      - "**.md"
-      - "docs/**"
+    branches: [main]
 
 jobs:
   lint:
-    name: Lint Code
+    name: Lint
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
-          go-version: "1.25"
-
-      - name: Run golangci-lint
-        run: make lint
+          go-version-file: go.mod
+      - name: go mod tidy check
+        run: go mod tidy -v && git diff --exit-code
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v9.2.0
+        with:
+          version: latest
+          skip-cache: true
+          only-new-issues: false
+          args: --verbose
 
   unit-test:
-    name: Unit Tests
-    runs-on: ubuntu-latest
+    name: Unit Tests (${{ matrix.os }})
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
-          go-version: "1.25"
-
-      - name: Run unit tests
+          go-version-file: go.mod
+      - name: Unit tests
         run: make unit-test
+        env:
+          TEST_FLAGS: -short
 
-  integration-test:
-    name: Integration Tests
+  security-scan:
+    name: Security scan
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
-          go-version: "1.25"
-
-      - name: Run integration tests
-        run: make integration-test
-
-
+          go-version-file: go.mod
+      - name: govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      - name: Run security scan
+        run: make security-scan
 
-  security-scan:
-    name: Security Scan
+  integration-test:
+    name: Integration Tests
+    needs: security-scan
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
         with:
-          go-version: "1.25"
-
-      - name: Install govulncheck
-        run: go install golang.org/x/vuln/cmd/govulncheck@latest
-
-      - name: Run security scan
-        run: govulncheck ./...
+          go-version-file: go.mod
+      - name: Integration tests
+        run: make integration-test