Implements Authenticode signing for Windows binaries to reduce AV false positives.
Changes:
- Add scripts/sign-windows.sh for osslsigncode-based signing
- Update .goreleaser.yml with post-build signing hook
- Update release.yml to install osslsigncode and pass secrets
- Update docs/ANTIVIRUS.md with signing verification instructions
- Update scripts/README.md with signing script documentation
The signing is gracefully degraded - releases continue without signing
if the certificate secrets are not configured.
Required secrets for signing:
- WINDOWS_SIGNING_CERT_PFX_BASE64: base64-encoded PFX certificate
- WINDOWS_SIGNING_CERT_PASSWORD: certificate password
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
npm deprecated classic tokens and now requires either granular tokens
with 2FA or OIDC trusted publishing. This updates the workflow to use
the latter, which is npm recommended approach for CI/CD.
Requires configuring trusted publisher on npmjs.com:
- Organization: steveyegge
- Repository: beads
- Workflow: release.yml
Generated with Claude Code
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds comprehensive Git worktree support for beads issue tracking:
Core changes:
- New internal/git/gitdir.go package for worktree detection
- GetGitDir() returns proper .git location (main repo, not worktree)
- Updated all hooks to use git.GetGitDir() instead of local helper
- BeadsDir() now prioritizes main repository's .beads directory
Features:
- Hooks auto-install in main repo when run from worktree
- Shared .beads directory across all worktrees
- Config option no-install-hooks to disable auto-install
- New bd worktree subcommand for diagnostics
Documentation:
- New docs/WORKTREES.md with setup instructions
- Updated CHANGELOG.md and AGENT_INSTRUCTIONS.md
Testing:
- Updated tests to use exported git.GetGitDir()
- Added worktree detection tests
Co-authored-by: Claude <noreply@anthropic.com>
Closes: #478
- Use Node.js 22
- Install npm@latest (requires >= 11.5.1 for OIDC)
- Remove --provenance flag (automatic with trusted publishing)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove registry-url from setup-node to let npm use OIDC trusted publishing
directly without the .npmrc interference.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add 'if: always()' to publish-pypi job so it runs even if goreleaser fails
- Remove 'go test' from .goreleaser.yml since CI already runs tests
- This ensures MCP server gets published even if binary release has issues
- Change version.go constants to variables for ldflags to work
- Fix changelog regex to properly match feat(scope): and fix(scope):
- Enable windows/arm64 builds (pure Go, no CGO issues)
- Add concurrency guard to release workflow
Oracle review feedback implemented.
- Add .goreleaser.yml for automated releases
- Add .github/workflows/release.yml triggered on version tags
- Build matrix: darwin/linux/windows for amd64/arm64
- Update install.sh to download from GitHub releases first
- Add install.sh symlink at root for convenience
- Update RELEASING.md with automation documentation
Closes#89 (vendorable executables as releases)
Implements bd-85
Amp-Thread-ID: https://ampcode.com/threads/T-02baad43-7e97-4710-bc60-777643d2eb77
Co-authored-by: Amp <amp@ampcode.com>
