chore: deploy-audit cleanup (drop fictional deploy.sh, fix CHANGELOG, add release workflow) #56
Merged
…, add release workflow
A deploy-readiness audit surfaced four stale/incorrect items in this repo;
this commit removes or repairs each.
Removed
-------
- scripts/deploy.sh — referenced a Dockerfile, a deployments/kubernetes/
manifest, an internal/integration/ test package, and a k6 load-test
script that never existed. tok is a Go library (AGENTS.md, .goreleaser.yml
builds.skip: true); deployment is `go get`.
- /tokd entry in .gitignore — the ./server HTTP daemon never shipped.
Fixed
-----
- CHANGELOG.md:
* 0.1.0 heading moved below [Unreleased] (Keep-a-Changelog ordering).
* Stripped the backwards `compare/v1.1.0...0.1.0` diff link.
* Stopped claiming we re-baselined `.release-please-manifest.json` and
`scripts/install.sh` — neither file exists in this repo.
* "HTTP server mode (tokd)" entry now documents that the daemon did not
ship, matching the existing historical note under [0.29.0].
- .github/workflows/ci.yml: pin gosec to v2.22.4 (was v2.21.4), matching
every other gosec invocation in the workflow + sibling repos.
Added
-----
- .github/workflows/release.yml: trigger goreleaser on `v*` tag pushes.
The existing .goreleaser.yml builds source archives + SHA-256 checksums
+ SPDX SBOM (`builds.skip: true`) but had no workflow to invoke it.
Validation
----------
- go build ./... — clean
- go vet ./... — clean
- gofumpt -l . — clean
- goimports -l . — clean
- golangci-lint run --timeout=5m — 0 issues
- go test ./... -short — all pass
- govulncheck ./... — no vulnerabilities
Patel230
commented
Jun 10, 2026
Patel230
left a comment
Self-review (cannot approve own PR): scope is documentation + workflow + a single removed deploy script; all 20 CI checks green incl. lint, race tests, govulncheck, gosec, codeql, trivy, dependency-review, fuzz, multi-OS build matrix. No Go source modified. Merging.
Self-review: scope is documentation + workflow + a single removed deploy script; all 20 CI checks green incl. lint, race tests, govulncheck, gosec, codeql, trivy, dependency-review, fuzz, multi-OS build matrix. No Go source modified. Merging.
Why
A deploy-readiness audit on the hawk-eco set (hawk · eyrie · yaad · tok) surfaced a handful of files in this repo that referenced infrastructure that has never existed. This PR removes or repairs each. No production code is touched.
What changed
Removed
- `scripts/deploy.sh` — referenced a `Dockerfile`, a `deployments/kubernetes/tok-deployment.yaml` manifest, an `internal/integration/` test package, and a `k6` load-test script that all never existed in this repo. tok is a Go library (`AGENTS.md`, `.goreleaser.yml` → `builds.skip: true`); deployment is `go get`.
- `/tokd` line in `.gitignore` — the `./server` HTTP daemon never shipped.
Fixed
- `CHANGELOG.md`
  * `0.1.0` heading below `[Unreleased]` (Keep-a-Changelog ordering).
  * `compare/v1.1.0...0.1.0` diff link.
  * `.release-please-manifest.json` and `scripts/install.sh` — neither file exists.
  * `HTTP server mode (tokd)` entry now documents that the daemon did not ship, consistent with the historical note in `[0.29.0]`.
- `.github/workflows/ci.yml` — pin `gosec` to `v2.22.4` (was `v2.21.4`), matching every other gosec invocation in this workflow and across sibling repos.
Added
- `.github/workflows/release.yml` — invokes goreleaser on a `v*` tag push. `.goreleaser.yml` already produces a source archive + SHA-256 checksums + SPDX SBOM (`builds.skip: true`), but nothing in CI was triggering it.
Validation
All run locally on Go 1.26.4 (matches `go.mod`):
- `go build ./...`
- `go vet ./...`
- `gofumpt -l .`
- `goimports -l .`
- `golangci-lint run --timeout=5m`
- `go test ./... -short`
- `govulncheck ./...`
Risk
Low. No source code in `*.go` files is modified.
Follow-ups (separate PRs)
The audit also found similar stale deploy/install scaffolding in eyrie, yaad, and hawk. Those will get their own PRs.
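
The gosec pin mismatch fixed in `ci.yml` is the kind of drift a small check can catch before an audit does. The following is an added example, not code from this PR or the tok repository: it scans workflow text for `tool@vX.Y.Z` references and reports any tool pinned at more than one version. The names `PinDrift` and `sampleCI`, the `go install ...@version` invocation style, and the govulncheck version are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// pinRe matches "<tool>@v<major>.<minor>.<patch>" references in a workflow line.
var pinRe = regexp.MustCompile(`([A-Za-z0-9_./-]+)@(v\d+\.\d+\.\d+)`)

// sampleCI is constructed input, not the repository's real ci.yml.
const sampleCI = `
steps:
  - run: go install github.com/securego/gosec/v2/cmd/gosec@v2.21.4
  - run: go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4
  - run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
`

// PinDrift maps each tool pinned at more than one version to its sorted versions.
func PinDrift(workflow string) map[string][]string {
	seen := map[string]bool{} // "tool@version" pairs already recorded
	found := map[string][]string{}
	for _, line := range strings.Split(workflow, "\n") {
		if strings.HasPrefix(strings.TrimSpace(line), "#") {
			continue // skip commented-out steps
		}
		for _, m := range pinRe.FindAllStringSubmatch(line, -1) {
			if !seen[m[0]] {
				seen[m[0]] = true
				found[m[1]] = append(found[m[1]], m[2])
			}
		}
	}
	for tool, versions := range found {
		if len(versions) < 2 {
			delete(found, tool) // consistently pinned: not drift
		}
		sort.Strings(versions)
	}
	return found
}

func main() {
	for tool, versions := range PinDrift(sampleCI) {
		fmt.Printf("drift: %s pinned at %v\n", tool, versions)
	}
}
```

Run as a CI step over each workflow file, a non-empty result can fail the build so that a security scanner is never silently run at two different versions.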