Issue workflow

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -0,0 +1,64 @@
+name: Bug report
+description: Report a reproducible problem with the SSH library.
+title: "Bug: "
+labels: [bug]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting a problem. Please include enough detail for maintainers to reproduce or reason about the issue.
+  - type: textarea
+    id: summary
+    attributes:
+      label: Summary
+      description: What went wrong?
+    validations:
+      required: true
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps to reproduce
+      description: Include a minimal code sample or command sequence when possible.
+      placeholder: |
+        1. Configure client with ...
+        2. Connect to ...
+        3. Observe ...
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What did you expect to happen?
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual behavior
+      description: What happened instead? Include stack traces or logs if available.
+      render: text
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: Library version
+      placeholder: "0.2.2-SNAPSHOT"
+    validations:
+      required: true
+  - type: input
+    id: runtime
+    attributes:
+      label: Runtime
+      description: Kotlin/JDK/Android version, if relevant.
+      placeholder: "Kotlin 2.3.21, JDK 21"
+    validations:
+      required: false
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: Server implementation, algorithms, platform, or anything else useful.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/compatibility-report.yml

@@ -0,0 +1,59 @@
+name: Compatibility report
+description: Report interoperability with a specific SSH server, algorithm, or client workflow.
+title: "Compatibility: "
+labels: [compatibility]
+body:
+  - type: input
+    id: server
+    attributes:
+      label: SSH server
+      description: Server implementation and version.
+      placeholder: "OpenSSH_9.9p2"
+    validations:
+      required: true
+  - type: input
+    id: library-version
+    attributes:
+      label: Library version
+      placeholder: "0.2.2-SNAPSHOT"
+    validations:
+      required: true
+  - type: dropdown
+    id: area
+    attributes:
+      label: Area
+      options:
+        - Connection setup
+        - Key exchange
+        - Host key verification
+        - Authentication
+        - Shell/session channel
+        - SFTP
+        - Port forwarding
+        - Agent forwarding
+        - Other
+    validations:
+      required: true
+  - type: textarea
+    id: algorithms
+    attributes:
+      label: Algorithms and configuration
+      description: Include negotiated algorithms, client config, auth methods, or server config if known.
+      render: text
+    validations:
+      required: false
+  - type: textarea
+    id: behavior
+    attributes:
+      label: Observed behavior
+      description: What works or fails? Include logs or packet-level details if available.
+      render: text
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What did you expect based on other clients, server docs, or protocol references?
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/connectbot/cbssh/security/advisories/new
+    about: Please report vulnerabilities privately.

.github/ISSUE_TEMPLATE/feature-request.yml

@@ -0,0 +1,33 @@
+name: Feature request
+description: Suggest a new capability or API improvement.
+title: "Feature: "
+labels: [enhancement]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: What are you trying to do, and what is missing today?
+    validations:
+      required: true
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: Describe the API, behavior, algorithm, or workflow you would like.
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Workarounds, other libraries, or different designs you considered.
+    validations:
+      required: false
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: Relevant RFCs, OpenSSH behavior, server compatibility, or examples.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/release-branch.yml

@@ -0,0 +1,34 @@
+name: Release branch
+description: Create a maintenance release branch.
+title: "Create release branch "
+labels: []
+body:
+  - type: markdown
+    attributes:
+      value: |
+        This release branch automation is for maintainers only. Submissions from non-maintainers will be rejected by the workflow.
+  - type: input
+    id: maintenanceBranch
+    attributes:
+      label: Maintenance branch
+      description: Branch to create for maintenance releases.
+      placeholder: "release/1.1"
+    validations:
+      required: true
+  - type: input
+    id: sourceBranch
+    attributes:
+      label: Source branch
+      description: Branch to cut from.
+      placeholder: "main"
+      value: "main"
+    validations:
+      required: true
+  - type: input
+    id: sourceRef
+    attributes:
+      label: Source ref
+      description: Optional exact ref or SHA. Leave blank to use the source branch tip.
+      placeholder: "main"
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/release.yml

@@ -0,0 +1,41 @@
+name: Release
+description: Prepare and publish a library release.
+title: "Release "
+labels: []
+body:
+  - type: markdown
+    attributes:
+      value: |
+        This release automation is for maintainers only. Submissions from non-maintainers will be rejected by the workflow.
+  - type: input
+    id: releaseVersion
+    attributes:
+      label: Release version
+      description: Version to publish, without the v tag prefix.
+      placeholder: "1.0.4"
+    validations:
+      required: true
+  - type: input
+    id: nextVersion
+    attributes:
+      label: Next version
+      description: Next development version after the release.
+      placeholder: "1.0.5-SNAPSHOT"
+    validations:
+      required: true
+  - type: input
+    id: targetBranch
+    attributes:
+      label: Target branch
+      description: Branch to release from and fast-forward on publish.
+      placeholder: "main"
+      value: "main"
+    validations:
+      required: true
+  - type: textarea
+    id: releaseNotes
+    attributes:
+      label: Release notes
+      description: Optional text to include in the annotated tag message.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/security.md

@@ -0,0 +1,14 @@
+---
+name: Security report
+about: Report a vulnerability or sensitive security issue.
+title: "Security: "
+labels: security
+---
+
+Please do not open a public issue for vulnerabilities or sensitive security reports.
+
+Use GitHub's private vulnerability reporting for this repository:
+
+https://github.com/connectbot/cbssh/security/advisories/new
+
+Contact the maintainers privately if private reporting is unavailable.

.github/scripts/comment-issue-failure.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+log_file="$1"
+workflow_name="$2"
+
+body_file="$(mktemp)"
+redacted_log="$(mktemp)"
+if [[ -s "${log_file}" ]]; then
+  cp "${log_file}" "${redacted_log}"
+  if [[ -n "${PUSH_TOKEN:-}" ]]; then
+    perl -0pi -e 'BEGIN { $s = $ENV{PUSH_TOKEN} // "" } if (length $s) { s/\Q$s\E/<redacted PUSH_TOKEN>/g }' "${redacted_log}"
+  fi
+  if [[ -n "${GH_TOKEN:-}" ]]; then
+    perl -0pi -e 'BEGIN { $s = $ENV{GH_TOKEN} // "" } if (length $s) { s/\Q$s\E/<redacted GH_TOKEN>/g }' "${redacted_log}"
+  fi
+fi
+
+{
+  echo "${workflow_name} failed."
+  echo
+  echo '```text'
+  if [[ -s "${redacted_log}" ]]; then
+    tail -n 80 "${redacted_log}"
+  else
+    echo "No script output was captured."
+  fi
+  echo '```'
+  echo
+  echo "Run: ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
+} >"${body_file}"
+
+gh issue comment "${ISSUE_NUMBER}" --body-file "${body_file}"

.github/scripts/create-release-branch.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+script_dir="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck source=.github/scripts/release-common.sh
+source "${script_dir}/release-common.sh"
+
+require_maintainer
+
+maintenance_branch="$(extract_issue_field_line "Maintenance branch")"
+source_branch="$(extract_issue_field_line "Source branch")"
+source_ref="$(extract_issue_field_line "Source ref" || true)"
+
+validate_maintenance_branch "${maintenance_branch}"
+validate_release_target_branch "${source_branch}"
+if [[ -z "${source_ref}" ]]; then
+  source_ref="origin/${source_branch}"
+elif [[ "${source_ref}" == "${source_branch}" ]]; then
+  source_ref="origin/${source_branch}"
+fi
+if [[ "${source_ref}" == -* ]]; then
+  echo "Source ref must not start with '-'."
+  exit 1
+fi
+
+require_missing_remote_branch "${maintenance_branch}"
+require_remote_branch "${source_branch}"
+
+configure_git_credentials
+git fetch origin "+refs/heads/${source_branch}:refs/remotes/origin/${source_branch}" --tags
+git rev-parse --verify --end-of-options "${source_ref}^{commit}" >/dev/null
+if ! git merge-base --is-ancestor -- "${source_ref}^{commit}" "origin/${source_branch}"; then
+  echo "Source ref ${source_ref} is not reachable from origin/${source_branch}."
+  exit 1
+fi
+git push origin "${source_ref}^{commit}:refs/heads/${maintenance_branch}"
+gh issue comment "${ISSUE_NUMBER}" --body "Created ${maintenance_branch} from ${source_ref}."

.github/scripts/prepare-release.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+script_dir="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck source=.github/scripts/release-common.sh
+source "${script_dir}/release-common.sh"
+
+require_maintainer
+
+release_version="$(extract_issue_field_line "Release version")"
+next_version="$(extract_issue_field_line "Next version")"
+target_branch="$(extract_issue_field_line "Target branch")"
+
+validate_release_version "${release_version}"
+validate_next_version "${next_version}"
+validate_release_target_branch "${target_branch}"
+
+tag_name="v${release_version}"
+work_branch="release-work/${release_version}"
+
+require_missing_remote_tag "${tag_name}"
+require_remote_branch "${target_branch}"
+require_missing_remote_branch "${work_branch}"
+
+configure_git_author
+configure_git_credentials
+git fetch origin "+refs/heads/${target_branch}:refs/remotes/origin/${target_branch}" --tags
+git checkout -B "${work_branch}" "origin/${target_branch}"
+
+./gradlew release \
+  -Pcbssh.release.noPush=true \
+  -Prelease.useAutomaticVersion=true \
+  -Prelease.releaseVersion="${release_version}" \
+  -Prelease.newVersion="${next_version}"
+
+git push origin "HEAD:refs/heads/${work_branch}"
+
+{
+  echo "release_version=${release_version}"
+  echo "next_version=${next_version}"
+  echo "target_branch=${target_branch}"
+  echo "work_branch=${work_branch}"
+  echo "tag_name=${tag_name}"
+} >>"${GITHUB_OUTPUT}"