From ecc4169cd9738de333c2af5371507354858a0637 Mon Sep 17 00:00:00 2001
From: skidoodle <contact@albert.lol>
Date: Tue, 21 Apr 2026 06:02:31 +0200
Subject: [PATCH] ci setup (pls work)

---
 .github/workflows/ci.yml                    | 23 ++++++++++
 .github/workflows/go-ossf-slsa3-publish.yml | 51 +++++++++++++++++++++
 .github/workflows/image.yml                 | 47 -------------------
 .slsa-goreleaser.yaml                       | 39 ++++++++++++++++
 main.go                                     |  4 ++
 5 files changed, 117 insertions(+), 47 deletions(-)
 create mode 100644 .github/workflows/ci.yml
 create mode 100644 .github/workflows/go-ossf-slsa3-publish.yml
 delete mode 100644 .github/workflows/image.yml
 create mode 100644 .slsa-goreleaser.yaml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..ef89c3e
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,23 @@
+name: CI
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.26.2'
+
+      - name: Build
+        run: go build -v ./...
+
+      - name: Test with Coverage
+        run: go test -v -coverprofile=coverage.out ./...
diff --git a/.github/workflows/go-ossf-slsa3-publish.yml b/.github/workflows/go-ossf-slsa3-publish.yml
new file mode 100644
index 0000000..b183fc5
--- /dev/null
+++ b/.github/workflows/go-ossf-slsa3-publish.yml
@@ -0,0 +1,51 @@
+name: SLSA Release
+on:
+  release:
+    types: [created]
+
+permissions: read-all
+
+jobs:
+  build:
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.26.2'
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        id: run-goreleaser
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean
+          config: .slsa-goreleaser.yaml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate hashes
+        id: hash
+        run: |
+          cd dist
+          echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      upload-assets: true
diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
deleted file mode 100644
index 9660c6c..0000000
--- a/.github/workflows/image.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-name: Publish Image to GHCR
-
-on:
-  push:
-    branches:
-      - main
-
-env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
-
-jobs:
-  build-and-push:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Log in to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
diff --git a/.slsa-goreleaser.yaml b/.slsa-goreleaser.yaml
new file mode 100644
index 0000000..3bdb6c6
--- /dev/null
+++ b/.slsa-goreleaser.yaml
@@ -0,0 +1,39 @@
+version: 2
+
+builds:
+  - id: pastebin
+    binary: pastebin
+    main: .
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    env:
+      - CGO_ENABLED=0
+    flags:
+      - -trimpath
+      - -tags=netgo
+    ldflags:
+      - -s -w -extldflags "-static"
+      - -X main.Version={{.Version}}
+
+archives:
+  - format: tar.gz
+    format_overrides:
+      - goos: windows
+        format: zip
+    name_template: "pastebin_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+
+checksum:
+  name_template: 'checksums.txt'
+  algorithm: sha256
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
diff --git a/main.go b/main.go
index edc241d..351d63c 100644
--- a/main.go
+++ b/main.go
@@ -15,6 +15,10 @@ import (
 	"github.com/skidoodle/pastebin/store"
 )
 
+var (
+	Version = "devel"
+)
+
 type config struct {
 	addr    string
 	maxSize int64