[3/3] Add Windows SSH server support

.github/workflows/ci.yml

@@ -87,6 +87,53 @@ jobs:
     - name: Run unit tests
       shell: pwsh
       run: go test ./...
+    - name: Run Pester tests
+      shell: pwsh
+      run: Invoke-Pester -Path scripts/windows/test -Output Detailed
+
+  # Check that binary can be built natively on Windows ARM64
+  build-windows-arm64:
+    name: Build Windows ARM64
+    runs-on: windows-11-arm
+    timeout-minutes: 5
+    steps:
+    - name: Checkout
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        persist-credentials: false
+    - name: Install Go
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      with:
+        go-version-file: 'go.mod'
+    - name: Install dependencies
+      run: go mod download
+    - name: Build Windows ARM64
+      shell: pwsh
+      run: go build -v -o opkssh-arm64.exe
+    - name: Test binary works
+      shell: pwsh
+      run: |
+        .\opkssh-arm64.exe --version
+
+  # Run Windows ARM64 unit tests
+  test-windows-arm64:
+    name: 'Windows ARM64 Tests'
+    runs-on: windows-11-arm
+    timeout-minutes: 8
+    steps:
+    - name: Checkout
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        persist-credentials: false
+    - name: Install Go
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      with:
+        go-version-file: 'go.mod'
+    - name: Install dependencies
+      run: go mod download
+    - name: Run unit tests
+      shell: pwsh
+      run: go test ./...
 
   # Run integration tests
   test:

.github/workflows/gha-windows.yml

@@ -0,0 +1,159 @@
+name: Test GitHub Provider Windows
+
+on:
+  push:
+
+jobs:
+  build:
+    name: Test on ${{ matrix.name }}
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      id-token: write
+      contents: read
+    timeout-minutes: ${{ matrix.timeout }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: Windows Server 2022
+            runner: windows-2022
+            timeout: 10
+            cache: true
+          - name: Windows Server 2025
+            runner: windows-2025
+            timeout: 10
+            cache: true
+          - name: Windows 11 ARM64
+            runner: windows-11-arm
+            timeout: 15
+            cache: false
+
+    steps:
+    - name: Install OpenSSH Server
+      run: |
+        Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
+
+    - name: Create default OpenSSH config files
+      run: |
+        Start-Service sshd
+        Start-Sleep -Seconds 2
+        Stop-Service sshd
+
+    - name: Enable OpenSSH Server logs
+      run: |
+        $sshdConfig = "$env:ProgramData\ssh\sshd_config"
+        (Get-Content $sshdConfig -Raw).Replace('#SyslogFacility AUTH', 'SyslogFacility LOCAL0').Replace('#LogLevel INFO', 'LogLevel Debug3') |
+            Set-Content $sshdConfig
+
+    - name: Checkout
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        persist-credentials: false
+
+    - name: Cache Go modules
+      if: matrix.cache
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+      with:
+        path: |
+          ~/go/pkg/mod
+          ~/.cache/go-build
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+
+    - name: Install Go
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      with:
+        go-version-file: 'go.mod'
+
+    - name: Install dependencies
+      run: go mod download
+
+    - name: Build opkssh
+      run: go build -v -o opkssh.exe
+
+    - name: Install opkssh with local binary
+      run: |
+        powershell -ExecutionPolicy Bypass -File "scripts/windows/Install-OpksshServer.ps1" `
+          -InstallFrom "$PWD\opkssh.exe" `
+          -NoSshdRestart `
+          -Verbose
+
+    - name: Verify system PATH after install
+      run: |
+        $installDir = 'C:\Program Files\opkssh'
+        $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
+        $systemPath = (Get-ItemProperty -Path $regPath -Name Path).Path
+        $folders = $systemPath -split [IO.Path]::PathSeparator
+        $found = $folders | Where-Object { $_.TrimEnd([IO.Path]::DirectorySeparatorChar) -eq $installDir }
+        if (-not $found) {
+          throw "FAIL: '$installDir' was NOT found in the system PATH after install"
+        }
+        Write-Host "PASS: '$installDir' is in the system PATH after install"
+
+    - name: Add GitHub provider to opkssh configuration
+      run: |
+        $providersPath = 'C:\ProgramData\opk\providers'
+        if ((Get-Content -Path $providersPath -Raw) -notmatch "`r?`n$") {
+          Add-Content -Path $providersPath -Value ''
+        }
+        Add-Content -Path $providersPath -Value 'https://token.actions.githubusercontent.com github oidc'
+
+    - name: Add current repository to policy
+      run: |
+        & 'C:\Program Files\opkssh\opkssh.exe' add runneradmin "repo:${env:GITHUB_REPOSITORY}:ref:${env:GITHUB_REF}" https://token.actions.githubusercontent.com
+
+    - name: Start SSH service
+      run: Start-Service sshd
+
+    - name: Test SSH connection without opkssh (should fail)
+      run: |
+        ssh -o StrictHostKeyChecking=no -o PasswordAuthentication=no runneradmin@localhost dir 2>&1
+        if ($LASTEXITCODE -eq 0) { throw "SSH should have failed but succeeded" }
+        Write-Host "SSH correctly rejected without opkssh (exit code: $LASTEXITCODE)"
+        exit 0
+
+    - name: Login with GitHub OIDC
+      run: |
+        & 'C:\Program Files\opkssh\opkssh.exe' login github --print-id-token
+
+    - name: Test SSH connection with opkssh (should pass)
+      run: |
+        ssh -o StrictHostKeyChecking=no -o PasswordAuthentication=no runneradmin@localhost dir
+
+    - name: Debug - Dump opkssh config
+      run: |
+        Get-ChildItem 'C:\ProgramData\opk' -Recurse -ErrorAction Continue
+        Get-Content 'C:\ProgramData\opk\providers' -ErrorAction Continue
+        Get-Content 'C:\ProgramData\opk\auth_id' -ErrorAction Continue
+      if: always()
+
+    - name: Debug - Dump opkssh logs
+      run: |
+        Get-Content 'C:\ProgramData\opk\logs\opkssh.log' -ErrorAction Continue
+      if: always()
+
+    - name: Debug - Dump sshd logs
+      run: |
+        Get-Content 'C:\ProgramData\ssh\logs\sshd.log' -ErrorAction Continue
+      if: always()
+
+    - name: Uninstall opkssh
+      run: |
+        powershell -ExecutionPolicy Bypass -File "scripts/windows/Uninstall-OpksshServer.ps1" `
+          -Force `
+          -NoSshdRestart `
+          -Verbose
+
+    - name: Verify system PATH after uninstall
+      run: |
+        $installDir = 'C:\Program Files\opkssh'
+        $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
+        $systemPath = (Get-ItemProperty -Path $regPath -Name Path).Path
+        $folders = $systemPath -split [IO.Path]::PathSeparator
+        $found = $folders | Where-Object { $_.TrimEnd([IO.Path]::DirectorySeparatorChar) -eq $installDir }
+        if ($found) {
+          throw "FAIL: '$installDir' is still in the system PATH after uninstall"
+        }
+        Write-Host "PASS: '$installDir' was correctly removed from the system PATH after uninstall"

.goreleaser.yaml

@@ -20,10 +20,6 @@ builds:
     goarch:
       - amd64
       - arm64
-    # Ignore some builds until they are not tested
-    ignore:
-      - goos: windows
-        goarch: arm64
 
 # Make binaries available with the same naming format as before
 archives:
@@ -77,3 +73,7 @@ changelog:
 release:
   draft: true
   make_latest: true
+  extra_files:
+    - glob: scripts/windows/Install-OpksshServer.ps1
+    - glob: scripts/windows/Uninstall-OpksshServer.ps1
+    - glob: scripts/windows/Test-OpksshInstallation.ps1