chore(deps): bump github.com/apple/swift-argument-parser from 1.4.0 to 1.7.1

.github/dependabot.yml

@@ -0,0 +1,20 @@
+version: 2
+
+updates:
+  - package-ecosystem: "swift"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+
+  - package-ecosystem: "npm"
+    directory: "/vscode-pastewatch"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5

.github/workflows/ci.yml

@@ -22,6 +22,22 @@ jobs:
       - name: Run Tests
         run: swift test
 
+  build-linux:
+    name: Build and Test (Linux)
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: swift-actions/setup-swift@v2
+        with:
+          swift-version: "5.9"
+
+      - name: Build CLI
+        run: swift build --product PastewatchCLI
+
+      - name: Run Tests
+        run: swift test
+
   lint:
     name: Lint
     runs-on: macos-14
@@ -32,4 +48,40 @@ jobs:
         run: brew install swiftlint
 
       - name: Run SwiftLint
-        run: swiftlint lint --strict || true
+        run: swiftlint lint --strict
+
+  auto-tag:
+    name: Auto-tag version bumps
+    runs-on: ubuntu-22.04
+    needs: [build, build-linux, lint]
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Check for version bump commit
+        id: check
+        run: |
+          MSG=$(git log -1 --format='%s')
+          if echo "$MSG" | grep -qE '^chore: bump version to [0-9]+\.[0-9]+\.[0-9]+$'; then
+            VERSION=$(echo "$MSG" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
+            echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+            echo "should_tag=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "should_tag=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create and push tag
+        if: steps.check.outputs.should_tag == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
+        run: |
+          TAG="v${{ steps.check.outputs.version }}"
+          git tag "$TAG"
+          if [ -n "$GH_TOKEN" ]; then
+            git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
+          fi
+          git push origin "$TAG"

.github/workflows/codeql.yml

@@ -0,0 +1,52 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'
+
+permissions:
+  security-events: write
+  contents: read
+
+jobs:
+  analyze-swift:
+    name: Analyze Swift
+    runs-on: macos-14
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Select Xcode
+        run: sudo xcode-select -s /Applications/Xcode_15.2.app
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: swift
+
+      - name: Build
+        run: swift build -c release
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:swift"
+
+  analyze-javascript:
+    name: Analyze JavaScript (VS Code Extension)
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript-typescript
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:javascript-typescript"

.github/workflows/release.yml

@@ -4,33 +4,107 @@ on:
   push:
     tags:
       - 'v*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag (e.g., v0.2.0)'
+        required: true
 
 permissions:
   contents: write
 
 jobs:
+  resolve:
+    name: Resolve Tag
+    runs-on: ubuntu-22.04
+    outputs:
+      tag: ${{ steps.tag.outputs.tag }}
+      ref: ${{ steps.tag.outputs.ref }}
+    steps:
+      - name: Resolve tag and ref
+        id: tag
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "tag=${{ github.event.inputs.tag }}" >> "$GITHUB_OUTPUT"
+            echo "ref=${{ github.event.inputs.tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
+            echo "ref=${{ github.ref }}" >> "$GITHUB_OUTPUT"
+          fi
+
+  test:
+    name: Test
+    runs-on: macos-14
+    needs: resolve
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.resolve.outputs.ref }}
+
+      - name: Select Xcode
+        run: sudo xcode-select -s /Applications/Xcode_15.2.app
+
+      - name: Run Tests
+        run: swift test
+
+  build-linux:
+    name: Build Linux Release
+    runs-on: ubuntu-22.04
+    needs: [resolve, test]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.resolve.outputs.ref }}
+
+      - uses: swift-actions/setup-swift@v2
+        with:
+          swift-version: "5.9"
+
+      - name: Build CLI
+        run: |
+          swift build -c release --product PastewatchCLI
+          mkdir -p release
+          cp .build/release/PastewatchCLI release/pastewatch-cli-linux-amd64
+
+      - name: Generate SHA256
+        run: |
+          cd release
+          sha256sum pastewatch-cli-linux-amd64 > pastewatch-cli-linux-amd64.sha256
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: linux-release
+          path: release/
+
   build:
     name: Build Release
     runs-on: macos-14
+    needs: [resolve, test, build-linux]
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.resolve.outputs.ref }}
 
       - name: Select Xcode
         run: sudo xcode-select -s /Applications/Xcode_15.2.app
 
-      - name: Build Release Binary
+      - name: Build Release Binaries
         run: |
           swift build -c release
           mkdir -p release
-          cp .build/release/pastewatch release/
+          cp .build/release/Pastewatch release/pastewatch
+          cp .build/release/PastewatchCLI release/pastewatch-cli
 
       - name: Create App Bundle
         run: |
+          VERSION="${{ needs.resolve.outputs.tag }}"
+          VERSION="${VERSION#v}"
           mkdir -p "release/Pastewatch.app/Contents/MacOS"
           mkdir -p "release/Pastewatch.app/Contents/Resources"
-          cp .build/release/pastewatch "release/Pastewatch.app/Contents/MacOS/Pastewatch"
+          cp .build/release/Pastewatch "release/Pastewatch.app/Contents/MacOS/Pastewatch"
           cp Sources/Pastewatch/Resources/AppIcon.icns "release/Pastewatch.app/Contents/Resources/AppIcon.icns"
-          cat > "release/Pastewatch.app/Contents/Info.plist" << 'EOF'
+          cat > "release/Pastewatch.app/Contents/Info.plist" << EOF
           <?xml version="1.0" encoding="UTF-8"?>
           <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
           <plist version="1.0">
@@ -50,7 +124,7 @@ jobs:
               <key>CFBundlePackageType</key>
               <string>APPL</string>
               <key>CFBundleShortVersionString</key>
-              <string>${GITHUB_REF_NAME#v}</string>
+              <string>${VERSION}</string>
               <key>CFBundleVersion</key>
               <string>1</string>
               <key>LSMinimumSystemVersion</key>
@@ -67,30 +141,116 @@ jobs:
 
       - name: Create DMG
         run: |
-          hdiutil create -volname "Pastewatch" -srcfolder release/Pastewatch.app -ov -format UDZO release/Pastewatch-${{ github.ref_name }}.dmg
+          TAG="${{ needs.resolve.outputs.tag }}"
+          hdiutil create -volname "Pastewatch" -srcfolder release/Pastewatch.app -ov -format UDZO "release/Pastewatch-${TAG}.dmg"
 
       - name: Create ZIP
         run: |
+          TAG="${{ needs.resolve.outputs.tag }}"
           cd release
-          zip -r Pastewatch-${{ github.ref_name }}.zip Pastewatch.app
+          zip -r "Pastewatch-${TAG}.zip" Pastewatch.app
 
       - name: Generate SHA256 checksums
         run: |
+          TAG="${{ needs.resolve.outputs.tag }}"
           cd release
-          shasum -a 256 Pastewatch-${{ github.ref_name }}.dmg > Pastewatch-${{ github.ref_name }}.dmg.sha256
-          shasum -a 256 Pastewatch-${{ github.ref_name }}.zip > Pastewatch-${{ github.ref_name }}.zip.sha256
+          shasum -a 256 "Pastewatch-${TAG}.dmg" > "Pastewatch-${TAG}.dmg.sha256"
+          shasum -a 256 "Pastewatch-${TAG}.zip" > "Pastewatch-${TAG}.zip.sha256"
           shasum -a 256 pastewatch > pastewatch.sha256
+          shasum -a 256 pastewatch-cli > pastewatch-cli.sha256
+
+      - name: Download Linux amd64 artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: linux-release
+          path: release/
+
+      - name: Extract release notes from CHANGELOG
+        id: notes
+        run: |
+          TAG="${{ needs.resolve.outputs.tag }}"
+          VERSION="${TAG#v}"
+          # Extract the [VERSION] section from CHANGELOG.md
+          # Matches "## [0.19.0]" and captures until the next "## [" header
+          NOTES=$(awk -v ver="## [${VERSION}]" '
+            BEGIN { found=0 }
+            index($0, ver) == 1 { found=1; next }
+            found && /^## \[/ { exit }
+            found { print }
+          ' CHANGELOG.md | sed '/^$/N;/^\n$/d')
+
+          if [ -z "$NOTES" ]; then
+            NOTES="Release ${TAG}"
+          fi
+
+          # Write to file to avoid quoting issues
+          echo "$NOTES" > /tmp/release-notes.md
 
       - name: Create Release
         uses: softprops/action-gh-release@v1
         with:
+          tag_name: ${{ needs.resolve.outputs.tag }}
+          body_path: /tmp/release-notes.md
           files: |
-            release/Pastewatch-${{ github.ref_name }}.dmg
-            release/Pastewatch-${{ github.ref_name }}.dmg.sha256
-            release/Pastewatch-${{ github.ref_name }}.zip
-            release/Pastewatch-${{ github.ref_name }}.zip.sha256
+            release/Pastewatch-${{ needs.resolve.outputs.tag }}.dmg
+            release/Pastewatch-${{ needs.resolve.outputs.tag }}.dmg.sha256
+            release/Pastewatch-${{ needs.resolve.outputs.tag }}.zip
+            release/Pastewatch-${{ needs.resolve.outputs.tag }}.zip.sha256
             release/pastewatch
             release/pastewatch.sha256
-          generate_release_notes: true
+            release/pastewatch-cli
+            release/pastewatch-cli.sha256
+            release/pastewatch-cli-linux-amd64
+            release/pastewatch-cli-linux-amd64.sha256
+          generate_release_notes: false
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Update Homebrew formula
+        env:
+          GH_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
+        run: |
+          TAG="${{ needs.resolve.outputs.tag }}"
+          VERSION_NUM="${TAG#v}"
+          SHA256=$(shasum -a 256 release/pastewatch-cli | awk '{print $1}')
+
+          cat > /tmp/pastewatch.rb << FORMULA
+          # typed: false
+          # frozen_string_literal: true
+
+          class Pastewatch < Formula
+            desc "Sensitive data scanner — deterministic detection and obfuscation for text content"
+            homepage "https://github.com/ppiankov/pastewatch"
+            version "${VERSION_NUM}"
+            license "MIT"
+
+            depends_on :macos
+            depends_on arch: :arm64
+
+            url "https://github.com/ppiankov/pastewatch/releases/download/${TAG}/pastewatch-cli"
+            sha256 "${SHA256}"
+
+            def install
+              bin.install "pastewatch-cli"
+            end
+
+            test do
+              assert_match "pastewatch-cli", shell_output("#{bin}/pastewatch-cli version")
+            end
+          end
+          FORMULA
+
+          # Remove leading whitespace from heredoc
+          sed -i '' 's/^          //' /tmp/pastewatch.rb
+
+          if [ -n "$GH_TOKEN" ]; then
+            EXISTING_SHA=$(gh api repos/ppiankov/homebrew-tap/contents/Formula/pastewatch.rb --jq .sha 2>/dev/null || echo '')
+            gh api repos/ppiankov/homebrew-tap/contents/Formula/pastewatch.rb \
+              --method PUT \
+              --field message="Update pastewatch to ${TAG}" \
+              --field content="$(base64 -i /tmp/pastewatch.rb)" \
+              --field sha="${EXISTING_SHA}" \
+              || echo "Homebrew tap update failed — check HOMEBREW_TAP_TOKEN secret"
+          else
+            echo "HOMEBREW_TAP_TOKEN not set — skipping Homebrew update"
+          fi