rubyatscale · martinemde · Jan 7, 2026 · Jan 7, 2026 · Jan 7, 2026 · Jan 7, 2026
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -2,7 +2,7 @@ name: Security audit
 
 on:
   schedule:
-    - cron: 0 0 * * 1
+    - cron: '0 0 * * 1'
   push:
     paths:
       - '**/Cargo.toml'
@@ -13,7 +13,10 @@ jobs:
   audit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions-rs/audit-check@v1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/checkout@v4
+
+      - name: Install cargo-audit
+        run: cargo install cargo-audit
+
+      - name: Run security audit
+        run: cargo audit
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -53,12 +53,26 @@ jobs:
       - name: Run cargo clippy
         run: cargo clippy --all-targets --all-features
 
+  security-audit:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v4
+
+      - name: Install cargo-audit
+        run: cargo install cargo-audit
+
+      - name: Run security audit
+        run: cargo audit
+
   release:
     runs-on: macos-latest
     needs:
       - test
       - lints
       - check
+      - security-audit
     outputs:
       new_version: ${{ steps.check_for_version_changes.outputs.new_version }}
       changed: ${{ steps.check_for_version_changes.outputs.changed }}
@@ -102,22 +116,33 @@ jobs:
     needs: release
     runs-on: macos-latest
     if: ${{needs.release.outputs.new_version}}
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - uses: actions/checkout@v3
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
       - name: Build
         run: cargo build --release --target aarch64-apple-darwin --target x86_64-apple-darwin
 
-      - name: Upload mac universal binary
+      - name: Create mac universal binary
         run: |
           # This combines the intel and m1 binaries into a single binary
           lipo -create -output target/pks target/aarch64-apple-darwin/release/pks target/x86_64-apple-darwin/release/pks
 
           # Creates artifact for homebrew. -C means run from `target` directory
           tar -czf target/pks-mac.tar.gz -C target pks
 
-          # This tarball is a binary that is executable
-          gh release upload $NEW_VERSION target/pks-mac.tar.gz
+      - name: Sign mac binary with cosign
+        run: |
+          cosign sign-blob --yes --output-signature target/pks-mac.tar.gz.sig target/pks-mac.tar.gz
 
+      - name: Upload mac universal binary and signature
+        run: |
+          gh release upload $NEW_VERSION target/pks-mac.tar.gz target/pks-mac.tar.gz.sig
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NEW_VERSION: ${{ needs.release.outputs.new_version }}
@@ -126,21 +151,38 @@ jobs:
     needs: release
     if: ${{needs.release.outputs.new_version}}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
       - name: Update local toolchain
         run: |
           cargo install cross
+
       - name: Build linux binaries
         run: |
           cross build --release --target x86_64-unknown-linux-gnu
           cross build --release --target aarch64-unknown-linux-gnu
-      - name: Upload linux binaries
+
+      - name: Create linux binary tarballs
+        run: |
+          tar -czf target/x86_64-unknown-linux-gnu.tar.gz -C target/x86_64-unknown-linux-gnu/release pks
+          tar -czf target/aarch64-unknown-linux-gnu.tar.gz -C target/aarch64-unknown-linux-gnu/release pks
+
+      - name: Sign linux binaries with cosign
+        run: |
+          cosign sign-blob --yes --output-signature target/x86_64-unknown-linux-gnu.tar.gz.sig target/x86_64-unknown-linux-gnu.tar.gz
+          cosign sign-blob --yes --output-signature target/aarch64-unknown-linux-gnu.tar.gz.sig target/aarch64-unknown-linux-gnu.tar.gz
+
+      - name: Upload linux binaries and signatures
         run: |
-          tar -czf target/x86_64-unknown-linux-gnu.tar.gz -C target/x86_64-unknown-linux-gnu/release pks 
-          tar -czf target/aarch64-unknown-linux-gnu.tar.gz -C target/aarch64-unknown-linux-gnu/release pks 
-          gh release upload $NEW_VERSION target/x86_64-unknown-linux-gnu.tar.gz
-          gh release upload $NEW_VERSION target/aarch64-unknown-linux-gnu.tar.gz 
+          gh release upload $NEW_VERSION target/x86_64-unknown-linux-gnu.tar.gz target/x86_64-unknown-linux-gnu.tar.gz.sig
+          gh release upload $NEW_VERSION target/aarch64-unknown-linux-gnu.tar.gz target/aarch64-unknown-linux-gnu.tar.gz.sig
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NEW_VERSION: ${{ needs.release.outputs.new_version }}

diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml
@@ -0,0 +1,68 @@
+name: Release Binaries
+
+on:
+  release:
+    types: [published]
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  upload-mac-universal-bin:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build macOS binaries
+        run: cargo build --release --target aarch64-apple-darwin --target x86_64-apple-darwin
+
+      - name: Create universal binary and upload
+        run: |
+          # Combine intel and m1 binaries into a single universal binary
+          lipo -create -output target/pks target/aarch64-apple-darwin/release/pks target/x86_64-apple-darwin/release/pks
+
+          # Create tarball for homebrew
+          tar -czf target/pks-mac.tar.gz -C target pks
+
+          # Upload to release
+          gh release upload ${{ github.event.release.tag_name }} target/pks-mac.tar.gz
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  upload-linux-bin:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install cross
+        run: cargo install cross
+
+      - name: Build linux binaries
+        run: |
+          cross build --release --target x86_64-unknown-linux-gnu
+          cross build --release --target aarch64-unknown-linux-gnu
+
+      - name: Upload linux binaries
+        run: |
+          tar -czf target/x86_64-unknown-linux-gnu.tar.gz -C target/x86_64-unknown-linux-gnu/release pks
+          tar -czf target/aarch64-unknown-linux-gnu.tar.gz -C target/aarch64-unknown-linux-gnu/release pks
+          gh release upload ${{ github.event.release.tag_name }} target/x86_64-unknown-linux-gnu.tar.gz
+          gh release upload ${{ github.event.release.tag_name }} target/aarch64-unknown-linux-gnu.tar.gz
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  generate-dotslash-files:
+    name: Generate DotSlash files
+    needs:
+      - upload-linux-bin
+      - upload-mac-universal-bin
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: facebook/dotslash-publish-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          config: .github/workflows/dotslash-config.json
+          tag: ${{ github.event.release.tag_name }}
diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml
@@ -0,0 +1,28 @@
+name: Release-plz
+
+permissions:
+  pull-requests: write
+  contents: write
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  release-plz:
+    name: Release-plz
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Run release-plz
+        uses: release-plz/action@v0.5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}