SemRels · mwaldheim · May 24, 2026 · May 24, 2026 · May 24, 2026 · May 24, 2026
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -0,0 +1,38 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":dependencyDashboard",
+    ":semanticCommits",
+    "helpers:pinGitHubActionDigests"
+  ],
+  "labels": ["type: chore"],
+  "reviewers": ["mwaldheim", "tboerger"],
+  "schedule": ["before 6am on monday"],
+  "golang": {
+    "postUpdateOptions": ["gomodTidy"]
+  },
+  "packageRules": [
+    {
+      "description": "Group all GitHub Actions minor/patch updates",
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["minor", "patch", "digest"],
+      "groupName": "GitHub Actions",
+      "automerge": false
+    },
+    {
+      "description": "Group Go module minor/patch updates",
+      "matchManagers": ["gomod"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "Go dependencies",
+      "automerge": false
+    },
+    {
+      "description": "Automerge Go toolchain patch updates",
+      "matchManagers": ["gomod"],
+      "matchDepTypes": ["golang"],
+      "matchUpdateTypes": ["patch"],
+      "automerge": true
+    }
+  ]
+}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,51 @@
+# CI — build, test and lint on every push and PR
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Test (Go ${{ matrix.go }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        go: ["1.24", "1.25", "1.26"]
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go }}
+          cache: true
+
+      - name: Download modules
+        run: go mod download
+
+      - name: Build
+        run: go build ./...
+
+      - name: Test
+        run: go test ./...
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: "1.24"
+          cache: true
+
+      - uses: golangci/golangci-lint-action@v8
+        with:
+          version: v2.1.6
diff --git a/.github/workflows/dco.yaml b/.github/workflows/dco.yaml
@@ -0,0 +1,41 @@
+# DCO — require Signed-off-by on all commits
+name: DCO
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  dco:
+    name: DCO Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+
+      - name: Check Signed-off-by on all commits
+        run: |
+          BASE="${{ github.event.pull_request.base.sha }}"
+          HEAD="${{ github.event.pull_request.head.sha }}"
+          MISSING=0
+
+          while IFS= read -r sha; do
+            body=$(git log -1 --format="%B" "$sha")
+            if ! echo "$body" | grep -qE "^Signed-off-by: .+ <.+>$"; then
+              echo "::error::Commit $sha is missing a valid Signed-off-by trailer."
+              echo "  Message: $(git log -1 --format='%s' $sha)"
+              MISSING=$((MISSING + 1))
+            fi
+          done < <(git log --format="%H" "$BASE..$HEAD")
+
+          if [ "$MISSING" -gt 0 ]; then
+            echo ""
+            echo "::error::$MISSING commit(s) are missing 'Signed-off-by: Name <email>'."
+            echo "Fix with: git rebase --signoff HEAD~$MISSING && git push --force-with-lease"
+            exit 1
+          fi
+          echo "All commits have a valid Signed-off-by trailer ✓"
diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml
@@ -0,0 +1,31 @@
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2026 The semrel Authors
+
+name: Renovate
+
+on:
+  schedule:
+    - cron: "0 5 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: write
+
+concurrency:
+  group: renovate
+  cancel-in-progress: false
+
+jobs:
+  renovate:
+    name: Renovate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Renovate
+        uses: renovatebot/github-action@v46.1.14
+        with:
+          token: ${{ secrets.RENOVATE_TOKEN != '' && secrets.RENOVATE_TOKEN || secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2026 The semrel Authors
+
+name: REUSE
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+permissions:
+  contents: read
+
+jobs:
+  reuse:
+    name: REUSE Compliance
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: REUSE lint
+        uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
@@ -0,0 +1,43 @@
+# OpenSSF Scorecard
+name: Scorecard
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    - cron: "30 2 * * 1" # Weekly on Monday
+
+permissions: read-all
+
+jobs:
+  scorecard:
+    name: Scorecard Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+      actions: read
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: true
+
+      - uses: ossf/scorecard-action@v2.4.3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SCORECARD_TOKEN: ${{ secrets.SCORECARD_TOKEN }}
+        with:
+          results_file: scorecard-results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: scorecard-results
+          path: scorecard-results.sarif
+          retention-days: 5
+
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: scorecard-results.sarif
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,37 @@
+# Binaries
+/bin/
+/dist/
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Go build cache
+/vendor/
+
+# Test output
+*.test
+*.out
+coverage.txt
+coverage.html
+
+# Editor artifacts
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# OS artifacts
+.DS_Store
+Thumbs.db
+
+# Release artifacts
+/release/
+checksums.txt
+*.sig
+*.intoto.jsonl
+
+# Local config overrides
+.semrel.local.yaml
diff --git a/.reuse/dep5 b/.reuse/dep5
@@ -0,0 +1,7 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: semrel-plugins
+Source: https://github.com/SemRels/semrel-plugins
+
+Files: *
+Copyright: 2026 The semrel Authors
+License: Apache-2.0
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,5 @@
+# Contributing to go-semrel-plugins
+
+For plugin release publishing conventions, binary naming, checksums, and registry visibility, follow the canonical guide in [`semrel-registry`](https://github.com/SemRels/semrel-registry/blob/main/docs/release-guide.md).
+
+Use this repository for SDK work and for publishing plugin releases that should be aggregated into the registry.