feat(mdm): migrate script to go module

Author: shubham-stepsecurity

.github/workflows/go.yml

@@ -0,0 +1,44 @@
+name: Go
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - uses: golangci/golangci-lint-action@v6
+        with:
+          version: latest
+
+  test:
+    name: Test
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - run: make test
+
+  smoke:
+    name: Smoke Tests
+    runs-on: macos-latest
+    needs: test
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - run: make smoke

.github/workflows/release.yml

@@ -9,11 +9,10 @@ jobs:
   release:
     name: Build, Sign & Release
     runs-on: ubuntu-latest
-    environment: release
     permissions:
-      contents: write       # create tag, release, and upload assets
-      id-token: write       # Sigstore OIDC keyless signing
-      attestations: write   # SLSA build provenance
+      contents: write # create tag, release, and upload assets
+      id-token: write # OIDC token for cosign keyless signing and build provenance
+      attestations: write # SLSA build provenance
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
@@ -23,13 +22,15 @@ jobs:
 
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
 
-      - name: Extract version from script
+      - name: Extract version from source
         id: version
         run: |
-          version=$(grep -m1 '^AGENT_VERSION=' stepsecurity-dev-machine-guard.sh | sed 's/AGENT_VERSION="//;s/"//')
+          version=$(grep -m1 'Version.*=' internal/buildinfo/version.go | sed 's/.*"\(.*\)".*/\1/')
           if [ -z "$version" ]; then
-            echo "::error::Could not extract AGENT_VERSION from script"
+            echo "::error::Could not extract Version from internal/buildinfo/version.go"
             exit 1
           fi
           tag="v${version}"
@@ -40,52 +41,97 @@ jobs:
       - name: Check tag does not already exist
         run: |
           if git rev-parse "refs/tags/${{ steps.version.outputs.tag }}" >/dev/null 2>&1; then
-            echo "::error::Tag ${{ steps.version.outputs.tag }} already exists. Bump AGENT_VERSION in the script before releasing."
+            echo "::error::Tag ${{ steps.version.outputs.tag }} already exists. Bump Version in internal/buildinfo/version.go before releasing."
             exit 1
           fi
 
+      - name: Create tag
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git tag -a "${{ steps.version.outputs.tag }}" -m "Release ${{ steps.version.outputs.tag }}"
+          git push origin "${{ steps.version.outputs.tag }}"
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Install cosign
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
-      - name: Sign script with Sigstore (keyless)
+      - name: Locate built binaries
+        id: binaries
         run: |
-          cosign sign-blob stepsecurity-dev-machine-guard.sh \
-            --bundle stepsecurity-dev-machine-guard.sh.bundle \
-            --yes
+          # GoReleaser keeps binaries in build subdirs (e.g. _amd64_v1, _arm64_v8.0)
+          AMD64=$(find dist -type f -name 'stepsecurity-dev-machine-guard' -path '*darwin_amd64*' | head -1)
+          ARM64=$(find dist -type f -name 'stepsecurity-dev-machine-guard' -path '*darwin_arm64*' | head -1)
 
-      - name: Verify signature
+          for label in "amd64:${AMD64}" "arm64:${ARM64}"; do
+            name="${label%%:*}"
+            path="${label#*:}"
+            if [ -z "$path" ] || [ ! -f "$path" ]; then
+              echo "::error::Binary not found for ${name}"
+              echo "dist/ contents:"
+              find dist -type f
+              exit 1
+            fi
+          done
+
+          echo "amd64=${AMD64}" >> "$GITHUB_OUTPUT"
+          echo "arm64=${ARM64}" >> "$GITHUB_OUTPUT"
+          echo "Found amd64: ${AMD64}"
+          echo "Found arm64: ${ARM64}"
+
+      - name: Sign artifacts with Sigstore (keyless)
         run: |
-          cosign verify-blob stepsecurity-dev-machine-guard.sh \
-            --bundle stepsecurity-dev-machine-guard.sh.bundle \
-            --certificate-identity-regexp "github.com/step-security/dev-machine-guard" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+          cosign sign-blob "${{ steps.binaries.outputs.amd64 }}" \
+            --bundle dist/stepsecurity-dev-machine-guard_darwin_amd64.bundle --yes
+          cosign sign-blob "${{ steps.binaries.outputs.arm64 }}" \
+            --bundle dist/stepsecurity-dev-machine-guard_darwin_arm64.bundle --yes
+          cosign sign-blob stepsecurity-dev-machine-guard.sh \
+            --bundle dist/stepsecurity-dev-machine-guard.sh.bundle --yes
 
       - name: Generate checksums
         run: |
-          sha256sum stepsecurity-dev-machine-guard.sh > checksums.txt
-          sha256sum stepsecurity-dev-machine-guard.sh.bundle >> checksums.txt
-          echo "Checksums:"
-          cat checksums.txt
+          SUMS="dist/stepsecurity-dev-machine-guard_${{ steps.version.outputs.version }}_SHA256SUMS"
+          sha256sum "${{ steps.binaries.outputs.amd64 }}" >> "$SUMS"
+          sha256sum "${{ steps.binaries.outputs.arm64 }}" >> "$SUMS"
+          sha256sum stepsecurity-dev-machine-guard.sh >> "$SUMS"
 
-      - name: Create tag
+      - name: Upload signature bundles and checksums to release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-          git tag -a "${{ steps.version.outputs.tag }}" -m "Release ${{ steps.version.outputs.tag }}"
-          git push origin "${{ steps.version.outputs.tag }}"
+          gh release upload "${{ steps.version.outputs.tag }}" \
+            dist/stepsecurity-dev-machine-guard_darwin_amd64.bundle \
+            dist/stepsecurity-dev-machine-guard_darwin_arm64.bundle \
+            dist/stepsecurity-dev-machine-guard.sh.bundle \
+            dist/stepsecurity-dev-machine-guard_${{ steps.version.outputs.version }}_SHA256SUMS \
+            --clobber
 
-      - name: Create GitHub Release
-        uses: step-security/action-gh-release@d45511d7589f080cf54961ff056b9705a74fd160 # v2.5.0
-        with:
-          tag_name: ${{ steps.version.outputs.tag }}
-          name: ${{ steps.version.outputs.tag }}
-          generate_release_notes: true
-          files: |
-            stepsecurity-dev-machine-guard.sh
-            stepsecurity-dev-machine-guard.sh.bundle
-            checksums.txt
+      - name: Mark release as immutable (not a draft, not a prerelease)
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release edit "${{ steps.version.outputs.tag }}" \
+            --draft=false \
+            --prerelease=false \
+            --latest
 
       - name: Attest build provenance
         uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         with:
-          subject-path: stepsecurity-dev-machine-guard.sh
+          subject-path: |
+            ${{ steps.binaries.outputs.amd64 }}
+            ${{ steps.binaries.outputs.arm64 }}
+            stepsecurity-dev-machine-guard.sh

.gitignore

@@ -17,5 +17,9 @@
 !docs/**/*.html
 !images/**/*.html
 
+# Go build artifacts
+/stepsecurity-dev-machine-guard
+dist/
+
 # Temporary files
 todo-remove/

.goreleaser.yml

@@ -0,0 +1,34 @@
+version: 2
+project_name: stepsecurity-dev-machine-guard
+
+builds:
+  - id: stepsecurity-dev-machine-guard
+    main: ./cmd/stepsecurity-dev-machine-guard
+    binary: stepsecurity-dev-machine-guard
+    goos:
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    mod_timestamp: "{{ .CommitTimestamp }}"
+    flags:
+      - -trimpath
+    ldflags:
+      - -s -w
+      - -X github.com/step-security/dev-machine-guard/internal/buildinfo.GitCommit={{.FullCommit}}
+      - -X github.com/step-security/dev-machine-guard/internal/buildinfo.ReleaseTag={{.Tag}}
+      - -X github.com/step-security/dev-machine-guard/internal/buildinfo.ReleaseBranch={{.Branch}}
+    env:
+      - CGO_ENABLED=0
+
+archives:
+  - format: binary
+    name_template: "{{ .Binary }}_{{ .Os }}_{{ .Arch }}"
+
+checksum:
+  name_template: "{{ .ProjectName }}_{{ .Version }}_SHA256SUMS"
+  algorithm: sha256
+
+release:
+  extra_files:
+    - glob: stepsecurity-dev-machine-guard.sh

Makefile

@@ -0,0 +1,27 @@
+BINARY  := stepsecurity-dev-machine-guard
+MODULE  := github.com/step-security/dev-machine-guard
+VERSION := $(shell grep -m1 'Version' internal/buildinfo/version.go | sed 's/.*"//;s/".*//')
+COMMIT  := $(shell git rev-parse --short HEAD 2>/dev/null || echo "unknown")
+BRANCH  := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "unknown")
+TAG     := $(shell git describe --tags --exact-match 2>/dev/null || echo "dev")
+LDFLAGS := -s -w \
+	-X $(MODULE)/internal/buildinfo.GitCommit=$(COMMIT) \
+	-X $(MODULE)/internal/buildinfo.ReleaseTag=$(TAG) \
+	-X $(MODULE)/internal/buildinfo.ReleaseBranch=$(BRANCH)
+
+.PHONY: build test lint clean smoke
+
+build:
+	go build -trimpath -ldflags "$(LDFLAGS)" -o $(BINARY) ./cmd/stepsecurity-dev-machine-guard
+
+test:
+	go test ./... -v -race -count=1
+
+lint:
+	golangci-lint run ./...
+
+clean:
+	rm -f $(BINARY)
+
+smoke: build
+	bash tests/test_smoke_go.sh