CI Pipeline (#1)

* Add CI, release, and dependabot workflows

CI runs on push and PR: builds, vets, and tests across Linux/macOS/Windows
on Go 1.21 (go.mod minimum) and latest stable. golangci-lint runs as a
separate job on Linux.

Release fires on vX.Y.Z tag pushes. It verifies the tag lives on main,
runs the test suite, and drafts a GitHub Release with auto-generated
notes. Tags containing "-" are marked as pre-releases. Because this is a
library, no binaries are built — proxy.golang.org picks up the tag and
consumers pull source via go get.

Dependabot keeps gomod and github-actions deps current.

README gains a Releasing section describing the tag-driven flow.

* Pin actions to full SHAs and fix lint findings

Pin every third-party GitHub Action to a full 40-char commit SHA with
the semver in a trailing comment. Tags are mutable; SHAs are not. This
defends against supply-chain attacks that move tags to malicious refs
(see tj-actions/changed-files, March 2025). Dependabot's
github-actions ecosystem keeps these pins current.

Bump to latest stable versions while pinning:
- actions/checkout v6.0.2
- actions/setup-go v6.4.0
- golangci/golangci-lint-action v9.2.0
- softprops/action-gh-release v3.0.0

Also clear the four errcheck findings golangci-lint v2 flagged on
fmt.Fprintf writes to stdout, by switching to cobra's cmd.Printf which
swallows the error by design.

* Bump to Go 1.25 and fix Windows CI

Go 1.25 becomes the minimum supported version in go.mod, and every CI
and release job pins to the same version so the matrix is OS-only now.

Windows jobs were failing under pwsh: `go test -race
-coverprofile=coverage.out -covermode=atomic ./...` was being
misparsed, with `.out` treated as a package argument. Force `shell:
bash` at the job level so all steps run under the same shell on every
runner, which also fixes the failure.

Author: bueti

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5

.github/workflows/ci.yml

@@ -0,0 +1,50 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: test (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    defaults:
+      run:
+        shell: bash
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
+        with:
+          go-version: "1.25"
+          check-latest: true
+      - name: Verify modules
+        run: go mod verify
+      - name: Build
+        run: go build ./...
+      - name: Vet
+        run: go vet ./...
+      - name: Test
+        run: go test -race -coverprofile=coverage.out -covermode=atomic ./...
+
+  lint:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
+        with:
+          go-version: "1.25"
+          check-latest: true
+      - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20  # v9.2.0
+        with:
+          version: latest
+          args: --timeout=5m

.github/workflows/release.yml

@@ -0,0 +1,37 @@
+name: Release
+
+on:
+  push:
+    tags: ["v*"]
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
+        with:
+          go-version: "1.25"
+          check-latest: true
+      - name: Verify tag is on main
+        run: |
+          git fetch origin main
+          if ! git merge-base --is-ancestor "$GITHUB_SHA" origin/main; then
+            echo "::error::tag ${GITHUB_REF_NAME} is not on main"
+            exit 1
+          fi
+      - name: Verify modules
+        run: go mod verify
+      - name: Test
+        run: go test -race ./...
+      - name: Create GitHub release
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda  # v3.0.0
+        with:
+          generate_release_notes: true
+          draft: false
+          prerelease: ${{ contains(github.ref_name, '-') }}

README.md

@@ -133,6 +133,19 @@ Try it:
 go run ./example skills print
 ```
 
+## Releasing
+
+Releases are cut by pushing a semver tag to `main`:
+
+```sh
+git tag v0.1.0
+git push origin v0.1.0
+```
+
+The `Release` workflow verifies the tag lives on `main`, runs the test suite, and drafts a GitHub Release with auto-generated notes. `proxy.golang.org` picks up the tag automatically, so `go get github.com/bueti/skillgen@v0.1.0` works immediately.
+
+Pre-release tags (e.g. `v0.2.0-rc.1`) are marked as pre-releases on GitHub.
+
 ## Status
 
 - **M1** — single-skill mode, cobra integration, Claude Code-compatible frontmatter ✅

cmd.go

@@ -44,7 +44,7 @@ func newGenerateCmd(root *cobra.Command, opts []Option) *cobra.Command {
 			}
 			skills, _ := g.Skills()
 			for _, s := range skills {
-				fmt.Fprintf(cmd.OutOrStdout(), "wrote %s/%s\n", dir, s.Filename)
+				cmd.Printf("wrote %s/%s\n", dir, s.Filename)
 			}
 			return nil
 		},

example/main.go

@@ -6,7 +6,6 @@
 package main
 
 import (
-	"fmt"
 	"os"
 
 	"github.com/bueti/skillgen"
@@ -31,7 +30,7 @@ func main() {
 		Example: "mytool build api --tag v1.2.3",
 		Args:    cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			fmt.Fprintf(cmd.OutOrStdout(), "would build %s\n", args[0])
+			cmd.Printf("would build %s\n", args[0])
 			return nil
 		},
 	}
@@ -49,7 +48,7 @@ func main() {
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			env, _ := cmd.Flags().GetString("env")
-			fmt.Fprintf(cmd.OutOrStdout(), "would deploy %s to %s\n", args[0], env)
+			cmd.Printf("would deploy %s to %s\n", args[0], env)
 			return nil
 		},
 	}
@@ -62,7 +61,7 @@ func main() {
 		Short: "Show current deployment state",
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			fmt.Fprintf(cmd.OutOrStdout(), "status: %s is healthy\n", args[0])
+			cmd.Printf("status: %s is healthy\n", args[0])
 			return nil
 		},
 	}

go.mod

@@ -1,6 +1,6 @@
 module github.com/bueti/skillgen
 
-go 1.21
+go 1.25
 
 require (
 	github.com/spf13/cobra v1.10.2