From d2e5736cba39f27b0e600d125018370b2b229a46 Mon Sep 17 00:00:00 2001
From: "F.D.Castel"
Date: Mon, 23 Feb 2026 02:53:45 -0300
Subject: [PATCH 1/2] Update GitHub Actions workflows and .gitignore
- Make CI workflows fork-friendly (run on all branches)
- Add Windows build and test jobs to CI pipeline
- Add push triggers to Go Checks workflow
- Add release workflow for forks (release-fork.yml)
- Update .gitignore with new entries
---
 .github/workflows/build.yml | 3 +-
 .github/workflows/ci.yml | 59 +++++++++++++++++++++++++++++-
 .github/workflows/go.yml | 8 ++++
 .github/workflows/release-fork.yml | 39 ++++++++++++++++++++
 .github/workflows/zizmor.yml | 7 +++-
 .gitignore | 2 +
 6 files changed, 113 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/release-fork.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bd7ec025..5d2ed5c2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,10 +1,11 @@
 name: Build
+# Validates GoReleaser can build on all branches (fork-friendly)
 on:
 pull_request:
 push:
 branches:
- - main
+ - '**' # Run on all branches
 permissions: {}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 85b81551..8b594d6e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,11 +1,12 @@
 name: CI
-# Runs CI for pull requests and pushes to main
+# Runs CI for pull requests and pushes to any branch
+# This allows fork developers to get CI feedback on their branches
 on:
 pull_request:
 push:
 branches:
- - main
+ - '**' # Run on all branches
 # schedule:
 # - cron: 0 14 * * MON-FRI # Every weekday at 14:00 UTC
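Review bot: Matching every branch on `push` while `pull_request` stays enabled makes a pull request opened from a branch of the same repository run Build twice per change, once per trigger, and `'**'` now fires on every branch push in the upstream repository as well, not only in forks. If the goal is only fork feedback, `pull_request` alone already covers same-repo PRs; otherwise add `concurrency: { group: ${{ github.workflow }}-${{ github.ref }}, cancel-in-progress: true }` so superseded runs are cancelled rather than queued. The retained `permissions: {}` keeps the wider trigger low-risk, since no job here can obtain a write-capable token.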
@@ -33,6 +34,60 @@ jobs:
 run: go mod download
 - name: Build
 run: go build -v -o /dev/null
+
+ # Check that binary can be built on Windows
+ build-windows:
+ name: Build Windows
+ runs-on: windows-latest
+ timeout-minutes: 5
+ steps:
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+ - name: Install Go
+ uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+ with:
+ go-version-file: 'go.mod'
+ - name: Install dependencies
+ run: go mod download
+ - name: Build Windows AMD64
+ shell: pwsh
+ run: |
+ $env:GOOS = "windows"
+ $env:GOARCH = "amd64"
+ go build -v -o opkssh-amd64.exe
+ - name: Build Windows ARM64
+ shell: pwsh
+ run: |
+ $env:GOOS = "windows"
+ $env:GOARCH = "arm64"
+ go build -v -o opkssh-arm64.exe
+ - name: Test binary works
+ shell: pwsh
+ run: |
+ .\opkssh-amd64.exe --version
+
+ # Run Windows unit tests
+ test-windows:
+ name: 'Windows Tests'
+ runs-on: windows-latest
+ timeout-minutes: 8
+ steps:
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+ - name: Install Go
+ uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+ with:
+ go-version-file: 'go.mod'
+ - name: Install dependencies
+ run: go mod download
+ - name: Run unit tests
+ shell: pwsh
+ run: go test ./...
+
 # Run integration tests
 test:
 needs: build
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 55f97bad..4650ed54 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -1,11 +1,19 @@
 name: Go Checks
+# Run linting and tests on all branches when Go files change (fork-friendly)
 on:
 pull_request:
 paths:
 - "**.go"
 - "go.mod"
 - "go.sum"
+ push:
+ branches:
+ - '**' # Run on all branches
+ paths:
+ - "**.go"
+ - "go.mod"
+ - "go.sum"
 permissions: {}
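Review bot: The ARM64 artifact from `Build Windows ARM64` is produced but never exercised: `Test binary works` only runs `.\opkssh-amd64.exe --version`, which is all an x64 `windows-latest` runner can execute, so a comment on the ARM64 step such as `# cross-compiled only; an ARM64 PE cannot run on the x64 runner` would make that deliberate rather than an oversight. Assigning `$env:GOOS`/`$env:GOARCH` inside each pwsh script also hides the target from the step definition; the conventional form is a step-level `env:` with `GOOS: windows` and `GOARCH: arm64` followed by a one-line `run: go build -v -o opkssh-arm64.exe`, which removes the need for `shell: pwsh` on those steps. Neither new job declares `needs`, so `test-windows` runs even when the Linux `build` job fails, unlike the existing `test` job below which has `needs: build`; if that is intended for faster feedback, say so in the job comment. The enclosing `jobs:` mapping starts before this hunk.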
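Review bot: The new `push` trigger's `paths` filter lists only Go sources and the module files, so a change to `.github/workflows/go.yml` itself never runs this workflow on push, and a broken workflow edit is only discovered on the next Go change. Add the workflow to both `paths` lists: `- ".github/workflows/go.yml"`. As in the other workflows, `'**'` on push combined with an unfiltered `pull_request` means a same-repo PR branch runs Go Checks twice per change.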
diff --git a/.github/workflows/release-fork.yml b/.github/workflows/release-fork.yml
new file mode 100644
index 00000000..8727a905
--- /dev/null
+++ b/.github/workflows/release-fork.yml
@@ -0,0 +1,39 @@
+name: Fork CD
+
+on:
+ push:
+ tags:
+ - 'v*'
+
+permissions: {}
+
+jobs:
+ goreleaser-release:
+ name: Build and release opkssh (forks only)
+ if: github.event.repository.fork == true
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+ - name: Set up Go
+ uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+ with:
+ go-version-file: 'go.mod'
+ cache: false
+ - name: Run GoReleaser
+ uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+ with:
+ distribution: goreleaser
+ version: "~> v2"
+ args: release --clean
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Publish GitHub release
+ run: gh release edit "${{ github.ref_name }}" --draft=false --repo "${{ github.repository }}"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index f33bfe31..c43e6c6f 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -1,10 +1,13 @@
 name: GitHub Actions Security Analysis with zizmor 🌈
+# Run security scanning on all branches (fork-friendly)
 on:
 push:
- branches: ["main"]
+ branches:
+ - '**' # Run on all branches
 pull_request:
- branches: ["**"]
+ branches:
+ - '**'
 permissions: {}
diff --git a/.gitignore b/.gitignore
index 52a17382..4846a245 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,3 +44,5 @@ test/integration/testfile.txt
 .direnv
 .envrc
 opkssh
+
+tmp/
\ No newline at end of file
From ffee3da778e891c4cc1da83bd9cfbcc17e40a55b Mon Sep 17 00:00:00 2001
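Review bot: Any `v*` tag pushed to the fork by anyone with write access starts a job holding `contents: write` and ends with a published, non-draft release, and nothing in the workflow limits who may cut one; `if: github.event.repository.fork == true` only keeps it from running in the upstream repository. The usual controls are a protected `environment:` with required reviewers on the job, or a tag-protection ruleset on `v*` in the fork, plus a `concurrency: { group: release-${{ github.ref }} }` block so two tag pushes cannot edit the same release at once. The `--draft=false` step is only meaningful if `.goreleaser.yaml` (not in this patch) sets `release.draft: true`; a comment on that step, e.g. `# goreleaser creates the release as a draft (see .goreleaser.yaml); publish only once every asset is uploaded`, records the dependency between the two files. The `${{ }}` interpolation on the `run:` line is addressed by the second patch in this series.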
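Review bot: Under `pull_request`, rewriting `branches: ["**"]` as a one-item block list still matches every base branch and is equivalent to having no filter, so `pull_request:` with no `branches` key expresses the same thing with one less thing to maintain. The push trigger on `'**'` scans every branch push, which is reasonable for a workflow whose purpose is to lint workflow files, though as elsewhere in this patch it doubles up with `pull_request` on same-repo PR branches. The `jobs:` section lies outside this hunk, so the scanner invocation itself is not reviewed here.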
From: "F.D.Castel"
Date: Fri, 27 Feb 2026 17:48:47 -0300
Subject: [PATCH 2/2] fix: Fixes the code injection via template expansion vulnerability in release-fork.yml.
---
 .github/workflows/release-fork.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release-fork.yml b/.github/workflows/release-fork.yml
index 8727a905..ac621fe7 100644
--- a/.github/workflows/release-fork.yml
+++ b/.github/workflows/release-fork.yml
@@ -34,6 +36,8 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Publish GitHub release
- run: gh release edit "${{ github.ref_name }}" --draft=false --repo "${{ github.repository }}"
+ run: gh release edit "$REF_NAME" --draft=false --repo "$REPOSITORY"
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ REF_NAME: ${{ github.ref_name }}
+ REPOSITORY: ${{ github.repository }}
\ No newline at end of file
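Review bot: The fix is correct, but the two new `env` entries duplicate variables the runner already exports: `GITHUB_REF_NAME` and `GITHUB_REPOSITORY` hold exactly `github.ref_name` and `github.repository`, so `run: gh release edit "$GITHUB_REF_NAME" --draft=false --repo "$GITHUB_REPOSITORY"` gives the same shell-safe result with no `${{ }}` expression in the step at all, which is also what zizmor's template-injection rule steers toward. Both revisions leave the file without a trailing newline (`\ No newline at end of file`); ending it with one avoids that marker in every future diff of this workflow.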