.gitattributes

@@ -1 +1,2 @@
 *.age binary
+testdata/testkit/* binary

.github/CONTRIBUTING.md

@@ -0,0 +1,32 @@
+## Issues
+
+I want to hear about any issues you encounter while using age.
+
+Particularly appreciated are well researched, complete [issues](https://github.com/FiloSottile/age/issues/new/choose) with lots of context, **focusing on the intended outcome and/or use case**. Issues don't have to be just about bugs: if something was hard to figure out or unexpected, please file a **[UX report](https://github.com/FiloSottile/age/discussions/new?category=UX-reports)**! ✨
+
+Not all issue reports might lead to a change, so please don't be offended if yours doesn't, but they are precious datapoints to understand how age could work better in aggregate.
+
+## Pull requests
+
+age is a little unusual in how it is maintained. I like to keep the code style consistent and complexity to a minimum, and going through many iterations of code review is a significant toil on both contributors and maintainers. age is also small enough that such a time investment is unlikely to pay off over ongoing contributions.
+
+Therefore, **be prepared for your change to get reimplemented rather than merged**, and please don't be offended if that happens. PRs are still appreciated as a way to clarify the intended behavior, but are not at all required: prefer focusing on providing detailed context in an issue report instead.
+
+<!-- ## Feature requests
+
+age is small, simple, and config-free by design. A lot of effort is put into resisting scope creep and enabling use cases by integrating and interoperating well with other projects rather than by adding features.
+
+In particular, I'm unlikely to merge into the main repo anything I don't use myself, as I would not be the best person to maintain it. However, I'm always happy to discuss, learn about, and link to any age-related project! -->
+
+## Other ways to contribute
+
+age itself is not community maintained, but its ecosystem very much is, and that's where a lot of the strength of age is! Here are some ideas for ways to contribute to age and its ecosystem, besides contributing to this repository.
+
+* **Write an article about how to use age for a certain community or use case.** The number one reason people don't use age is because they haven't heard about it and existing tutorials present more complex alternatives.
+* Integrate age into existing projects that might use it, for example replacing legacy alternatives.
+* Build and maintain an [age plugin](https://c2sp.org/age-plugin) for a KMS or platform.
+* Watch the [discussions](https://github.com/FiloSottile/age/discussions) and help other users.
+* Provide bindings in a language or framework that doesn't support age well.
+* Package age for an ecosystem that doesn't have packages yet.
+
+If you build or write something related to age, [let me know](https://github.com/FiloSottile/age/discussions/new?category=general)! 💖

.github/workflows/build.yml

@@ -1,13 +1,26 @@
+name: Build and upload binaries
 on:
   release:
     types: [published]
   push:
   pull_request:
-name: Build binaries
+permissions:
+  contents: read
 jobs:
-  binaries:
-    name: Build and upload
+  build:
+    name: Build binaries
     runs-on: ubuntu-latest
+    environment: "Build, sign, release binaries"
+    strategy:
+      matrix:
+        include:
+          - {GOOS: linux, GOARCH: amd64}
+          - {GOOS: linux, GOARCH: arm, GOARM: 6}
+          - {GOOS: linux, GOARCH: arm64}
+          - {GOOS: darwin, GOARCH: amd64}
+          - {GOOS: darwin, GOARCH: arm64}
+          - {GOOS: windows, GOARCH: amd64}
+          - {GOOS: freebsd, GOARCH: amd64}
     steps:
       - name: Install Go
         uses: actions/setup-go@v2
@@ -17,58 +30,57 @@ jobs:
         uses: actions/checkout@v2
         with:
           fetch-depth: 0
-      - name: Build binaries
+      - name: Build binary
         run: |
-          VERSION=$(git describe --tags)
-          function build_age() {
-            DIR="$(mktemp -d)"
-            mkdir "$DIR/age"
-            cp LICENSE "$DIR/age"
-            echo -e "\n---\n" >> "$DIR/age/LICENSE"
-            curl "https://golang.org/LICENSE?m=text" >> "$DIR/age/LICENSE"
-            go build -o "$DIR/age" -ldflags "-X main.Version=$VERSION" ./cmd/...
-            if [ "$GOOS" == "windows" ]; then
-              ( cd "$DIR"; zip age.zip -r age )
-              mv "$DIR/age.zip" "age-$VERSION-$GOOS-$GOARCH.zip"
-            else
-              tar -cvzf "age-$VERSION-$GOOS-$GOARCH.tar.gz" -C "$DIR" age
+          cp LICENSE "$RUNNER_TEMP/LICENSE"
+          echo -e "\n---\n" >> "$RUNNER_TEMP/LICENSE"
+          curl -L "https://go.dev/LICENSE?m=text" >> "$RUNNER_TEMP/LICENSE"
+          VERSION="$(git describe --tags)"
+          DIR="$(mktemp -d)"
+          mkdir "$DIR/age"
+          cp "$RUNNER_TEMP/LICENSE" "$DIR/age"
+          go build -o "$DIR/age" -ldflags "-X main.Version=$VERSION" -trimpath ./cmd/...
+          if [ "$GOOS" == "windows" ]; then
+            sudo apt-get update && sudo apt-get install -y osslsigncode
+            if [ -n "${{ secrets.SIGN_PASS }}" ]; then
+              for exe in "$DIR"/age/*.exe; do
+                /usr/bin/osslsigncode sign -t "http://timestamp.comodoca.com" \
+                  -certs .github/workflows/certs/uitacllc.crt \
+                  -key .github/workflows/certs/uitacllc.key \
+                  -pass "${{ secrets.SIGN_PASS }}" \
+                  -n age -in "$exe" -out "$exe.signed"
+                mv "$exe.signed" "$exe"
+              done
             fi
-          }
-          export CGO_ENABLED=0
-          GOOS=linux GOARCH=amd64 build_age
-          GOOS=linux GOARCH=arm GOARM=6 build_age
-          GOOS=linux GOARCH=arm64 build_age
-          GOOS=darwin GOARCH=amd64 build_age
-          GOOS=darwin GOARCH=arm64 build_age
-          GOOS=windows GOARCH=amd64 build_age
-          GOOS=freebsd GOARCH=amd64 build_age
+            ( cd "$DIR"; zip age.zip -r age )
+            mv "$DIR/age.zip" "age-$VERSION-$GOOS-$GOARCH.zip"
+          else
+            tar -cvzf "age-$VERSION-$GOOS-$GOARCH.tar.gz" -C "$DIR" age
+          fi
+        env:
+          CGO_ENABLED: 0
+          GOOS: ${{ matrix.GOOS }}
+          GOARCH: ${{ matrix.GOARCH }}
+          GOARM: ${{ matrix.GOARM }}
       - name: Upload workflow artifacts
         uses: actions/upload-artifact@v2
         with:
           name: age-binaries
           path: age-*
-      - name: Upload release artifacts
-        uses: actions/github-script@v3
-        if: ${{ github.event_name == 'release' }}
+  upload:
+    name: Upload release binaries
+    if: github.event_name == 'release'
+    needs: build
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download workflow artifacts
+        uses: actions/download-artifact@v2
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const fs = require("fs").promises;
-            const { repo: { owner, repo }, sha } = context;
-
-            const release = await github.repos.getReleaseByTag({
-              owner, repo,
-              tag: process.env.GITHUB_REF.replace("refs/tags/", ""),
-            });
-            console.log("Release:", { release });
-
-            for (let file of await fs.readdir(".")) {
-              if (!file.startsWith("age-")) continue;
-              console.log("Uploading", file);
-              await github.repos.uploadReleaseAsset({
-                owner, repo,
-                release_id: release.data.id,
-                name: file,
-                data: await fs.readFile(file),
-              });            
-            }
+          name: age-binaries
+      - name: Upload release artifacts
+        run: gh release upload "$GITHUB_REF_NAME" age-*
+        env:
+          GH_REPO: ${{ github.repository }}
+          GH_TOKEN: ${{ github.token }}

.github/workflows/certs/README

@@ -0,0 +1,14 @@
+In this folder there are
+
+    uitacllc.crt
+
+        PKCS#7 encoded certificate chain for a code signing certificate issued
+        to Up in the Air Consulting LLC valid until Sep 26 23:59:59 2024 GMT.
+
+        https://crt.sh/?id=5339775059
+
+    uitacllc.key
+
+        PEM encrypted private key for the leaf certificate above.
+        Its passphrase is long and randomly generated, so the awful legacy key
+        derivation doesn't really matter, and it makes osslsigncode happy.

.github/workflows/certs/uitacllc.key

@@ -0,0 +1,42 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,B93C1A166F3677D68FB9CB3E8A184729
+
+UriYsaq3tLyvycDDB2YeQ+9L1P5VCPcfVkYR1ocleF8WxNDUPdz3RqbryAZZdXVO
+0bcvAHTXkdI4Oiw5mN0S8fGsNq9zn+pyResx3lXtgN3oCDCe2SQn28uEEKxPzud5
+0NRXYoBP+pLDjiuQ/6Lp7DovnAO/uxaPFvYRMiknNVOhwyHGWZyuUe01S9J9im7y
+vgc1wkyQzmABIhARynEXHp3KnM9aF8X1/ck839lQRBFrvRFNm5rqiON26spr1Hu5
+znrbVGROYk0XNdH5VHDk7V9k+v2WLL/b4nxlMymZpDzr9pXzX8olpLnQrarsMbHe
+ysfXNTtQi5Dq6KXURW8VA4DmxAzTRNUxe2aA4JnAEyFU5LDLetTN9F9M7BUkHbXH
+RpSbZqDjPwg7U98vuSwxjIkncHSiYYi3FmSoupLvV+eIP6qRSgONdzGlP5NTn4Lh
+N1lYMPHPldH6UjLHrldkYN16TQlrqNHZExN91XvsZVjpyAgErY18xwi3CTEco45D
+fRqsiWXtoas4LkafhSY0vfl5aFhY9YPUpS6uFdgWBvgcQeYb8meX5Nr4dNXVk5Wa
+yRlYlW/X0TWC0T9qaBOPN/z7OWO5aL4jYRcKQQ+aR8gFcHGGCpRAKD369OneXfOQ
+MD9UHoPG4WTBg/NU9OSskcywfuSOkwAGfBVNXrnEj6tYFjsjYK2nC2gm+opUCfm0
+a1FeDb5nQSOgOJKUCO6Aj+0NvDvVLUOsTk1lfzSugIkmUOdV+rXHnrZC+90q8KfN
+S2JlzwSZNg0e+VxZpnD7k7axHkbHrbebtrLvzKVnrh3s0OFAXN0isMw7yhhWtzUe
+mPoQTZusLDOAJe/QPuNlDUgr4uoVZtoXrPzoZZkw2VFLwYy2g/EYvlK9BdVVTnRm
+9Hq9IBDrZw+SV/7roaeVOXbzrQoxEoXcL7eo6iWvV5Q7Ll5C4ovelHKy3IAzcpYP
+6LKfxAO2sIKTALrHbtBNG+O4RTtxOva1hyg27V4v2k53CF/GhoBRPSpbbupwppXc
+lJJ9RtMTRfhCv/ObhdsJED+YUqFifTJfcnQ1iGN8dnBuGrjXxVCN0wgmv46Pdhn0
+tUfGlkFquOOWamaVaIvp6JCVUDa1ezMzleILoYvrxvOuP+dGVrwTwVCXpx4JuUgp
+d72/w+EnqlZnwsAzdrErJFXnHux981ZoojmG94km1B6gPPwMB8JRcD67lfhG/vne
+IpTuuzGaSInf24cGNig01hbBuKSg79yNY0llkECPBXbEhfkemEMhg1WHoNP2eG8j
+MHS5OCT5KiOfi77pSO3M2mGB1HWYE5R0lcMibukK9ZdyIYcTeMZ0RcGm6YSNv570
+ok/Ex4LUCW66AIWFefmbIOtJSIMHlNKWRPJwnJxVoE5qgH0f/2xL3k15vpI55lAS
+sabzegnYlElPbUlZGhgwjKknxgqMhFIW/ZS0h2FukFLwipr4qI47nHWz5dguNkYn
+48sSKg3YMhVx/sT+X2A/6zqsC+p4PT7Ti5ruWb7S9L9vRuBdIDNE9qAwuz0g8Bs3
+WhOx6OW2ZqDQEuRhN0lyGA0mwRC4HPFE9b8dnN8lNm+RsnMfNoFxzPnqtsxhEAwa
+2a4ijT97ka94lDy7WQ2bwLRz7trKV/T6MeETKE4s7+z2dMTr1f8IwA2uCovFmO9T
+aMQAePFEtDT3qwIPu0zH1ocSCkZ50f7RgVmp4FNn03uT/TnsASrr5CS9m8A9gjEn
+QiztQyqt27fTT61YkNdA6lwbpFiByugVbS+mWsNa9kvBkgQkcMQwgrELmU9sYdBT
+nRMa60i0nEINT/x3zFvT6R7Dl/O8/QhXLeYv20X2roghPw48IovLb8x7dT3YEQSn
+ARIXXVPxwOVvS8xcCa69/+1HjC6vNG9dNNnAsVHxB8mDTBqmmLzAMOVzDoNWEgDd
+zoRhQ3ORb1brPlKWg8um/svLiSV63ZYi2J8LPamoGmZ/7J8i5rjOpOeG493UICBR
+JymmYGUo6/C1Ze8swdMHApVU/spo0s8BCGkMjYUAaxXD7RufN2DuY30Vny/DMn4y
+XasuHS9RstD2Okv25PD06Y2H52HJ6MNdArmPZRe0k2ZbhATs5dXOfmaF5Z0f4IkE
+G+hsxE1wlCo900ewntx16sBCbI0v9aE+Napf2+ueqPQ06CdfiTG5yOmeXzgR/8zS
+KVmTHpmmFpYtj/N350BLAVb/Hwzmh+ieWnO7TUjvNAHUn2i5LZU65rN3GOlPyIlz
+DzB2T6KjOUPFKqSRrIin14HLyf5w0vDuJhe5Zpe0hhYKvoKhwCEVefbmkasWeso3
+xsXxOOoL39GA0QpYjR6ztqR8fS9jTeu5IY+zY5LO8yS7+StP3H8CcqRMuxb3ntym
+-----END RSA PRIVATE KEY-----

.github/workflows/interop.yml

@@ -1,5 +1,7 @@
 name: Interoperability tests
 on: push
+permissions:
+  contents: read
 jobs:
   trigger:
     name: Trigger

.github/workflows/ronn.yml

@@ -1,14 +1,18 @@
+name: Generate man pages
 on:
   push:
     branches:
       - '**'
     paths:
       - '**.ronn'
-name: Generate man pages
+      - '**/ronn.yml'
+      - '**/ronn/**'
+permissions:
+  contents: read
 jobs:
   ronn:
-    runs-on: ubuntu-latest
     name: Ronn
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -24,10 +28,31 @@ jobs:
             awk '/Filippo Valsorda/ { $0 = "<p>Filippo Valsorda <a href=\"mailto:age@filippo.io\" data-bare-link=\"true\">age@filippo.io</a></p>" } { print }' "$f" > "$f.tmp"
             mv "$f.tmp" "$f"
           done
+      - name: Upload generated files
+        uses: actions/upload-artifact@v3
+        with:
+          name: man-pages
+          path: |
+            doc/*.1
+            doc/*.html
+  commit:
+    name: Commit changes
+    needs: ronn
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Download generated files
+        uses: actions/download-artifact@v2
+        with:
+          name: man-pages
+          path: doc/
       - name: Commit and push if changed
         run: |-
           git config user.name "GitHub Actions"
           git config user.email "actions@users.noreply.github.com"
-          git add -A
+          git add doc/
           git commit -m "doc: regenerate groff and html man pages" || exit 0
           git push

.github/workflows/test.yml

@@ -1,12 +1,14 @@
-on: [push, pull_request]
 name: Go tests
+on: [push, pull_request]
+permissions:
+  contents: read
 jobs:
   test:
     name: Test
     strategy:
       fail-fast: false
       matrix:
-        go: [1.16.x, 1.17.x]
+        go: [1.18.x, 1.19.x]
         os: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
@@ -20,3 +22,47 @@ jobs:
           fetch-depth: 0
       - name: Run tests
         run: go test -race ./...
+  freebsd:
+    name: Test (FreeBSD)
+    runs-on: macos-10.15
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Run tests
+        # Unpinned Action allowed with read-only permissions.
+        uses: vmactions/freebsd-vm@v0
+        with:
+          prepare: |
+            freebsd-version
+            pkg install -y go
+            go version
+          run: go test -buildvcs=false -race ./...
+  gotip:
+    name: Test (Go tip)
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Install Go tip (UNIX)
+        if: runner.os != 'Windows'
+        run: |
+          git clone --filter=tree:0 https://go.googlesource.com/go $HOME/gotip
+          cd $HOME/gotip/src && ./make.bash
+          echo "$HOME/gotip/bin" >> $GITHUB_PATH
+      - name: Install Go tip (Windows)
+        if: runner.os == 'Windows'
+        run: |
+          git clone --filter=tree:0 https://go.googlesource.com/go $HOME/gotip
+          cd $HOME/gotip/src && ./make.bat
+          echo "$HOME/gotip/bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+      - name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - run: go version
+      - name: Run tests
+        run: go test -race ./...