olcf · ajruckman · Jun 10, 2026 · Jun 10, 2026 · Jun 10, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,172 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+    tags: ["v*.*.*"]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  quality:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+      - uses: golangci/golangci-lint-action@v9
+        with:
+          version: v2.12.2
+
+  dockerfile:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v6
+      - uses: hadolint/hadolint-action@v3.3.0
+        with:
+          dockerfile: build/containers/deployment/release.Dockerfile
+          ignore: DL3026,DL3018,DL3033,DL3007,DL3041
+
+  vulnerabilities:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: golang/govulncheck-action@v1
+        with:
+          go-version-file: go.mod
+
+  tidy:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+      - run: |
+          go mod tidy
+          go mod vendor
+          git add -N .
+          git diff --exit-code
+
+  unit:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+      - run: make test
+
+  validate-version:
+    if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v6
+      - run: |
+          tag_version=${GITHUB_REF_NAME#v}
+          file_version=$(cat VERSION)
+          echo "Tag version: ${tag_version}"
+          echo "File version: ${file_version}"
+          if [ "${tag_version}" != "${file_version}" ]; then
+            echo "ERROR: Tag version (${tag_version}) does not match VERSION file (${file_version})"
+            exit 1
+          fi
+
+  build-image:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    needs:
+      - quality
+      - dockerfile
+      - vulnerabilities
+      - tidy
+      - unit
+    permissions:
+      contents: read
+      packages: write
+    env:
+      PUSH: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+    steps:
+      - uses: actions/checkout@v6
+      - uses: docker/login-action@v4
+        if: env.PUSH == 'true'
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/metadata-action@v6
+        id: meta
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=semver,pattern={{raw}}
+            type=ref,event=branch
+            type=sha
+      - uses: docker/build-push-action@v7
+        with:
+          context: .
+          file: build/containers/deployment/release.Dockerfile
+          push: ${{ env.PUSH == 'true' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          provenance: false
+
+  release:
+    if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    needs:
+      - quality
+      - vulnerabilities
+      - tidy
+      - unit
+      - validate-version
+    permissions:
+      contents: write
+    env:
+      CGO_ENABLED: "0"
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+      - run: |
+          build_target() {
+            os="$1"
+            arch="$2"
+            ext="${3:-}"
+            pkg="s3m-${os}-${arch}"
+            bin="${pkg}${ext}"
+            echo "Building ${bin}"
+            GOOS="${os}" GOARCH="${arch}" GOFLAGS="-mod=vendor" go build -trimpath -o "release/${bin}" ./cmd/main
+            tar -C release -czf "release/${pkg}.tar.gz" "${bin}"
+            rm "release/${bin}"
+          }
+          mkdir -p release
+          build_target linux amd64
+          build_target linux arm64
+          build_target darwin amd64
+          build_target darwin arm64
+          build_target windows amd64 ".exe"
+          (cd release && sha256sum *.tar.gz > checksums.sha256.txt)
+      - env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh release create "${GITHUB_REF_NAME}" \
+            --verify-tag \
+            --title "Release ${GITHUB_REF_NAME}" \
+            --notes "S3M CLI ${GITHUB_REF_NAME}" \
+            release/*.tar.gz release/checksums.sha256.txt
diff --git a/.golangci.yml b/.golangci.yml
@@ -12,6 +12,12 @@ linters:
     # Disable the dependency allowlist; we are happy with existing license check mechanisms
     - depguard
 
+    # Deprecated; superseded by gomodguard_v2, which we leave enabled but unconfigured
+    - gomodguard
+
+    # Repeated strings here are declarative JSON-Schema vocabulary; constants hurt readability
+    - goconst
+
     # Allow building errors dynamically
     - err113
 

diff --git a/vendor/github.com/olcf/s3m-apis/LICENSE-APACHE b/vendor/github.com/olcf/s3m-apis/LICENSE-APACHE