From 970a4848c4b3d13e204465504740652cf0200b95 Mon Sep 17 00:00:00 2001 From: Pelle Braendgaard Date: Sun, 1 Mar 2026 14:09:33 +0100 Subject: [PATCH 01/10] Add GitHub Actions CI workflow for testing and linting Adds a CI pipeline that runs on pushes and PRs to main with two jobs: - Test: build, vet, and test with race detector and coverage - Lint: golangci-lint via the official action Both jobs clone go-didcomm alongside the repo to satisfy the replace directive. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/ci.yml | 63 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 .github/workflows/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..e380a33 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,63 @@ +name: CI + +on: + push: + branches: [main] + pull_request: + branches: [main] + +permissions: + contents: read + +jobs: + test: + name: Test + runs-on: ubuntu-latest + steps: + - name: Checkout tap-go + uses: actions/checkout@v4 + with: + submodules: recursive + + - name: Checkout go-didcomm + uses: actions/checkout@v4 + with: + repository: Notabene-id/go-didcomm + path: ../go-didcomm + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + + - name: Build + run: go build ./... + + - name: Vet + run: go vet ./... + + - name: Test + run: go test -race -coverprofile=coverage.out ./... + + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - name: Checkout tap-go + uses: actions/checkout@v4 + + - name: Checkout go-didcomm + uses: actions/checkout@v4 + with: + repository: Notabene-id/go-didcomm + path: ../go-didcomm + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + + - name: golangci-lint + uses: golangci/golangci-lint-action@v6 + with: + version: latest From bd73d477798b1ba0488c87253d29c11206c2c011 Mon Sep 17 00:00:00 2001 From: Pelle Braendgaard Date: Sun, 1 Mar 2026 14:11:39 +0100 Subject: [PATCH 02/10] Fix CI: use git clone for go-didcomm dependency actions/checkout doesn't allow checking out to paths outside the workspace. Use git clone directly instead. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/ci.yml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e380a33..f4efcd0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,11 +19,8 @@ jobs: with: submodules: recursive - - name: Checkout go-didcomm - uses: actions/checkout@v4 - with: - repository: Notabene-id/go-didcomm - path: ../go-didcomm + - name: Clone go-didcomm + run: git clone --depth 1 https://github.com/Notabene-id/go-didcomm.git ../go-didcomm - name: Set up Go uses: actions/setup-go@v5 @@ -46,11 +43,8 @@ jobs: - name: Checkout tap-go uses: actions/checkout@v4 - - name: Checkout go-didcomm - uses: actions/checkout@v4 - with: - repository: Notabene-id/go-didcomm - path: ../go-didcomm + - name: Clone go-didcomm + run: git clone --depth 1 https://github.com/Notabene-id/go-didcomm.git ../go-didcomm - name: Set up Go uses: actions/setup-go@v5 From 59206a4537fe5b48feb5843b75b56763d6cd91cf Mon Sep 17 00:00:00 2001 From: Pelle Braendgaard Date: Sun, 1 Mar 2026 14:12:21 +0100 Subject: [PATCH 03/10] Add govulncheck job to CI Co-Authored-By: Claude Opus 4.6 --- .github/workflows/ci.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f4efcd0..90976b5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -55,3 +55,24 @@ jobs: uses: golangci/golangci-lint-action@v6 with: version: latest + + vulncheck: + name: Vulncheck + runs-on: ubuntu-latest + steps: + - name: Checkout tap-go + uses: actions/checkout@v4 + + - name: Clone go-didcomm + run: git clone --depth 1 https://github.com/Notabene-id/go-didcomm.git ../go-didcomm + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + + - name: Install govulncheck + run: go install golang.org/x/vuln/cmd/govulncheck@latest + + - name: Run govulncheck + run: govulncheck ./... From 75c7d23946f0bab2bba8e792490c8e02d5d8633c Mon Sep 17 00:00:00 2001 From: Pelle Braendgaard Date: Sun, 1 Mar 2026 14:13:50 +0100 Subject: [PATCH 04/10] Fix lint: install golangci-lint from source for Go 1.25 compat The pre-built golangci-lint binary (v1.64.8) was built with Go 1.24 and can't target Go 1.25. Install from source via go install so it uses the Go 1.25 toolchain. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/ci.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 90976b5..61fe141 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,10 +51,11 @@ jobs: with: go-version-file: go.mod + - name: Install golangci-lint + run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest + - name: golangci-lint - uses: golangci/golangci-lint-action@v6 - with: - version: latest + run: golangci-lint run ./... vulncheck: name: Vulncheck From c4dbe35748a2061f3be8f4cdc5515d03c93018f4 Mon Sep 17 00:00:00 2001 From: Pelle Braendgaard Date: Sun, 1 Mar 2026 14:17:02 +0100 Subject: [PATCH 05/10] Remove local replace directive and fix lint issue - Use published go-didcomm v0.1.0 instead of local ../go-didcomm replace - Simplify CI by removing go-didcomm clone steps - Fix SA1012 lint: use context.TODO() instead of nil in client_test.go Co-Authored-By: Claude Opus 4.6 --- .github/workflows/ci.yml | 15 +++------------ client_test.go | 3 ++- go.mod | 4 +--- go.sum | 2 ++ 4 files changed, 8 insertions(+), 16 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 61fe141..7886ce0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,14 +14,11 @@ jobs: name: Test runs-on: ubuntu-latest steps: - - name: Checkout tap-go + - name: Checkout uses: actions/checkout@v4 with: submodules: recursive - - name: Clone go-didcomm - run: git clone --depth 1 https://github.com/Notabene-id/go-didcomm.git ../go-didcomm - - name: Set up Go uses: actions/setup-go@v5 with: @@ -40,12 +37,9 @@ jobs: name: Lint runs-on: ubuntu-latest steps: - - name: Checkout tap-go + - name: Checkout uses: actions/checkout@v4 - - name: Clone go-didcomm - run: git clone --depth 1 https://github.com/Notabene-id/go-didcomm.git ../go-didcomm - - name: Set up Go uses: actions/setup-go@v5 with: @@ -61,12 +55,9 @@ jobs: name: Vulncheck runs-on: ubuntu-latest steps: - - name: Checkout tap-go + - name: Checkout uses: actions/checkout@v4 - - name: Clone go-didcomm - run: git clone --depth 1 https://github.com/Notabene-id/go-didcomm.git ../go-didcomm - - name: Set up Go uses: actions/setup-go@v5 with: diff --git a/client_test.go b/client_test.go index ccfeffa..1023acc 100644 --- a/client_test.go +++ b/client_test.go @@ -1,6 +1,7 @@ package tap import ( + "context" "encoding/json" "testing" @@ -46,7 +47,7 @@ func TestClient_ReceivePlainMessage(t *testing.T) { dc := didcomm.NewClient(nil, nil) client := NewClient(dc) - result, err := client.Receive(nil, envelope) + result, err := client.Receive(context.TODO(), envelope) if err != nil { t.Fatalf("Receive: %v", err) } diff --git a/go.mod b/go.mod index 208d01c..65927a4 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/TransactionAuthorizationProtocol/tap-go go 1.25.0 require ( - github.com/Notabene-id/go-didcomm v0.0.0 + github.com/Notabene-id/go-didcomm v0.1.0 github.com/google/uuid v1.6.0 ) @@ -24,5 +24,3 @@ require ( golang.org/x/crypto v0.46.0 // indirect golang.org/x/sys v0.39.0 // indirect ) - -replace github.com/Notabene-id/go-didcomm => ../go-didcomm diff --git a/go.sum b/go.sum index 535e74e..504d17c 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,7 @@ filippo.io/edwards25519 v1.2.0 h1:crnVqOiS4jqYleHd9vaKZ+HKtHfllngJIiOpNpoJsjo= filippo.io/edwards25519 v1.2.0/go.mod h1:xzAOLCNug/yB62zG1bQ8uziwrIqIuxhctzJT18Q77mc= +github.com/Notabene-id/go-didcomm v0.1.0 h1:qouUDL3vXiJRu8c2pIfk2cZre7NtO9WN4TqAbqCqVnM= +github.com/Notabene-id/go-didcomm v0.1.0/go.mod h1:wIm3s9UCKYYLe2zIysHjTKj7SCU9g25HUWWWc8h9mho= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= From d81e76b928dac7347d4413c1f56b4732733c1e4b Mon Sep 17 00:00:00 2001 From: Pelle Braendgaard Date: Sun, 1 Mar 2026 14:25:23 +0100 Subject: [PATCH 06/10] Make vulncheck non-blocking Currently fails due to Go 1.25.0 stdlib vulnerabilities that are fixed in 1.25.2+. Use continue-on-error so it reports without failing CI. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7886ce0..abc158c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -67,4 +67,5 @@ jobs: run: go install golang.org/x/vuln/cmd/govulncheck@latest - name: Run govulncheck + continue-on-error: true run: govulncheck ./... From 55c812927a7de5700ceaea54af82bef3d39f2514 Mon Sep 17 00:00:00 2001 From: Pelle Braendgaard Date: Sun, 1 Mar 2026 14:30:18 +0100 Subject: [PATCH 07/10] Bump Go to 1.25.3 to fix stdlib vulnerabilities Updates go.mod from 1.25.0 to 1.25.3, fixing all 10 stdlib vulns reported by govulncheck. Vulncheck can now fail CI properly. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/ci.yml | 1 - go.mod | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index abc158c..7886ce0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -67,5 +67,4 @@ jobs: run: go install golang.org/x/vuln/cmd/govulncheck@latest - name: Run govulncheck - continue-on-error: true run: govulncheck ./... diff --git a/go.mod b/go.mod index 65927a4..4e72d62 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/TransactionAuthorizationProtocol/tap-go -go 1.25.0 +go 1.25.3 require ( github.com/Notabene-id/go-didcomm v0.1.0 From 549c06f6eebd0647c03a287491436931f9ea275f Mon Sep 17 00:00:00 2001 From: Pelle Braendgaard Date: Sun, 1 Mar 2026 14:31:56 +0100 Subject: [PATCH 08/10] Add documentation requirements and initial CHANGELOG - Add Documentation requirements section to CLAUDE.md with rules for maintaining CHANGELOG.md, README.md, and CLAUDE.md - Remove stale local replace directive reference from CLAUDE.md - Create initial CHANGELOG.md with unreleased changes from this PR Co-Authored-By: Claude Opus 4.6 --- CHANGELOG.md | 17 +++++++++++++++++ CLAUDE.md | 8 +++++++- 2 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..fa1dc93 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,17 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/), +and this project adheres to [Semantic Versioning](https://semver.org/). + +## [Unreleased] + +### Added + +- GitHub Actions CI with test, lint (golangci-lint), and vulncheck jobs + +### Changed + +- Bumped Go from 1.25.0 to 1.25.3 to fix stdlib vulnerabilities +- Use published go-didcomm v0.1.0 instead of local replace directive diff --git a/CLAUDE.md b/CLAUDE.md index 666694e..54bc5f7 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -83,7 +83,7 @@ Each message file follows the same pattern: ### Dependencies -- `github.com/Notabene-id/go-didcomm` — DIDComm v2 (`Message`, `Client`, resolvers). Uses local replace directive. +- `github.com/Notabene-id/go-didcomm` — DIDComm v2 (`Message`, `Client`, resolvers) - `github.com/google/uuid` — message ID generation ### Test vectors @@ -101,3 +101,9 @@ The `Agent.For` field uses `ForField` type, which handles JSON marshaling of bot - All body structs must have `Context` (`@context`) and `Type` (`@type`) fields, set automatically by constructors - Thread-based messages (replies) take a `thid` parameter; initiating messages do not - Test files include: JSON round-trip, constructor validation (required fields), `ParseBody` dispatch, and test vector loading where available + +## Documentation requirements + +- **CHANGELOG.md** — Maintain a `CHANGELOG.md` in the project root using [Keep a Changelog](https://keepachangelog.com/) format. Update it with every user-facing change (new features, bug fixes, breaking changes, dependency updates). Group entries under `Added`, `Changed`, `Fixed`, `Removed` sections within version headings. +- **README.md** — Update `README.md` whenever changes affect public API, usage examples, installation instructions, or project capabilities. +- **CLAUDE.md** — Update this file whenever changes affect architecture, file layout, commands, dependencies, or development guidelines (e.g., new message types added to the file layout table, new commands, changed patterns). From ec1212a22bdbc86423c7543418ff2a4031ea54d4 Mon Sep 17 00:00:00 2001 From: Pelle Braendgaard Date: Sun, 1 Mar 2026 14:34:17 +0100 Subject: [PATCH 09/10] Bump Go to 1.25.5 to fix remaining stdlib vulnerabilities 1.25.3 still had 4 crypto/x509 vulns fixed in 1.25.5. Co-Authored-By: Claude Opus 4.6 --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 4e72d62..da2f271 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/TransactionAuthorizationProtocol/tap-go -go 1.25.3 +go 1.25.5 require ( github.com/Notabene-id/go-didcomm v0.1.0 From 604a84c2aa57ed551a19c60df3c1541d53c1f367 Mon Sep 17 00:00:00 2001 From: Pelle Braendgaard Date: Sun, 1 Mar 2026 14:46:39 +0100 Subject: [PATCH 10/10] Upgrade to Go 1.26.0 Go 1.26 is the latest stable release (Feb 2026). Includes Green Tea GC by default and ~30% reduced cgo overhead. Co-Authored-By: Claude Opus 4.6 --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index da2f271..94b0f68 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/TransactionAuthorizationProtocol/tap-go -go 1.25.5 +go 1.26.0 require ( github.com/Notabene-id/go-didcomm v0.1.0