Bump JamesIves/github-pages-deploy-action from 4.6.4 to 4.6.8 (#1101)

Bumps [JamesIves/github-pages-deploy-action](https://github.com/jamesives/github-pages-deploy-action) from 4.6.4 to 4.6.8.
- [Release notes](https://github.com/jamesives/github-pages-deploy-action/releases)
- [Commits](https://github.com/jamesives/github-pages-deploy-action/compare/v4.6.4...v4.6.8)

---
updated-dependencies:
- dependency-name: JamesIves/github-pages-deploy-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.ci/before_deploy.sh

@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-if [[ "$GITSECRET_DIST" == "rpm" ]]; then
-  # To deploy `rpm`-packages this utility is needed:
-  sudo apt-get install -y rpm;
-fi
-
-
-if [[ ! -z "$DOCKER_DIST" ]]; then
-  # When making a non-container build, this step will generate
-  # proper manifest files:
-  make "deploy-${GITSECRET_DIST}";
-fi

.ci/before_script.sh

@@ -1,23 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-# Docker:
-if [[ ! -z "$DOCKER_DIST" ]]; then
-  TEMPLATE="sobolevn/git-secret-docker-$DOCKER_DIST"
-  DOCKERFILE_PATH=".docker/${GITSECRET_DIST}/${DOCKER_DIST}"
-
-  # Building the local image:
-  docker build -t "$TEMPLATE" "$DOCKERFILE_PATH"
-fi
-
-# Mac:
-if [[ "$GITSECRET_DIST" == "brew" ]]; then
-  brew install "$GITSECRET_GPG_DEP"
-fi
-
-# Local linux (standart build):
-if [[ "$GITSECRET_DIST" == "none" ]] && [[ "$GITSECRET_GPG_DEP" == "gnupg2" ]]; then
-  # Installing custom GPG version:
-  sudo apt-get install -y gnupg2
-fi

.ci/docker-ci/alma/Dockerfile

@@ -0,0 +1,20 @@
+FROM almalinux:8
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN dnf -y update \
+  && dnf install -y \
+    # Direct dependencies:
+    bash \
+    gawk \
+    git \
+    gnupg \
+    # Assumed to be present:
+    diffutils \
+    file \
+    findutils \
+    procps \
+    make \
+  && dnf clean all \
+  && rm -rf /var/cache/yum

.ci/docker-ci/alpine/Dockerfile

@@ -0,0 +1,17 @@
+FROM alpine:3.20.3
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+# Don't install coreutils on Alpine,
+# so we get busybox versions of ps, stat, and ls. See #475
+RUN apk add --no-cache --update \
+  # Direct dependencies:
+  bash \
+  gawk \
+  git \
+  gnupg \
+  # Assumed to be present:
+  file \
+  make \
+  procps

.ci/docker-ci/arch/Dockerfile

@@ -0,0 +1,17 @@
+FROM archlinux:base-20220529.0.58327
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN pacman -Syu --needed --noconfirm \
+  # Direct dependencies:
+  bash \
+  gawk \
+  git \
+  gnupg \
+  # Assumed to be present:
+  diffutils \
+  file \
+  make \
+  procps
+

.ci/docker-ci/debian-gnupg1/Dockerfile

@@ -0,0 +1,21 @@
+FROM debian:12.7-slim
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+ENV DEBIAN_FRONTEND='noninteractive'
+ENV SECRETS_GPG_COMMAND='gpg1'
+
+RUN apt-get update \
+  && apt-get install --no-install-recommends -y \
+    # Direct dependencies:
+    gawk \
+    git \
+    gnupg1 \
+    # Assumed to be present:
+    file \
+    procps \
+    make \
+  # Cleaning cache:
+  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+  && apt-get clean -y && rm -rf /var/lib/apt/lists/*

.ci/docker-ci/debian-gnupg2/Dockerfile

@@ -0,0 +1,20 @@
+FROM debian:12.7-slim
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+ENV DEBIAN_FRONTEND='noninteractive'
+
+RUN apt-get update \
+  && apt-get install --no-install-recommends -y \
+    # Direct dependencies:
+    gawk \
+    git \
+    gnupg \
+    # Assumed to be present:
+    file \
+    procps \
+    make \
+  # Cleaning cache:
+  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+  && apt-get clean -y && rm -rf /var/lib/apt/lists/*

.ci/docker-ci/fedora/Dockerfile

@@ -0,0 +1,20 @@
+FROM fedora:40
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN dnf -y update \
+  && dnf install -y \
+    # Direct dependencies:
+    bash \
+    gawk \
+    git \
+    gnupg \
+    # Assumed to be present:
+    diffutils \
+    file \
+    findutils \
+    procps \
+    make \
+  && dnf clean all \
+  && rm -rf /var/cache/yum

.ci/docker-ci/rocky/Dockerfile

@@ -0,0 +1,20 @@
+FROM rockylinux:8
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN dnf -y update \
+  && dnf install -y \
+    # Direct dependencies:
+    bash \
+    gawk \
+    git \
+    gnupg \
+    # Assumed to be present:
+    diffutils \
+    file \
+    findutils \
+    procps \
+    make \
+  && dnf clean all \
+  && rm -rf /var/cache/yum

.ci/docker-ci/ubuntu/Dockerfile

@@ -0,0 +1,20 @@
+FROM ubuntu:23.10
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+ENV DEBIAN_FRONTEND="noninteractive"
+
+RUN apt-get update \
+  && apt-get install --no-install-recommends -y \
+    # Direct dependencies:
+    gawk \
+    git \
+    gnupg \
+    # Assumed to be present:
+    file \
+    procps \
+    make \
+  # Cleaning cache:
+  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+  && apt-get clean -y && rm -rf /var/lib/apt/lists/*

.ci/github_release_script.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Installing additional deps:
+apk add --no-cache curl jq
+
+# https://gist.github.com/Jaskaranbir/d5b065173b3a6f164e47a542472168c1
+USER="$(echo "$GITHUB_REPOSITORY" | cut -d "/" -f1)"
+PROJECT="$(echo "$GITHUB_REPOSITORY" | cut -d "/" -f2)"
+
+LAST_RELEASE_TAG=$(curl \
+    --header "authorization: Bearer $GITHUB_TOKEN" \
+    --url "https://api.github.com/repos/$GITHUB_REPOSITORY/releases/latest" \
+  | jq .tag_name | sed 's/"//g'
+)
+echo "LAST_RELEASE_TAG=$LAST_RELEASE_TAG"
+if [ "$LAST_RELEASE_TAG" = 'null' ]; then
+  # Most likely, we are facing rate-limiting problems,
+  # just try again later.
+  exit 1
+fi
+
+NEW_CHANGELOG='CHANGELOG-RELEASE.md'
+
+# Generate new CHANGELOG.md with just the last changes
+github_changelog_generator \
+  --user "$USER" \
+  --project "$PROJECT" \
+  --token "$GITHUB_OAUTH_TOKEN" \
+  --since-tag "$LAST_RELEASE_TAG" \
+  --max-issues 100 \
+  --no-issues \
+  --release-branch 'master' \
+  --token "$GITHUB_TOKEN" \
+  --output "$NEW_CHANGELOG"
+
+echo 'Done! Changelog:'
+cat "$NEW_CHANGELOG"

.ci/release-ci/alma/Dockerfile

@@ -0,0 +1,12 @@
+FROM almalinux:8
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN dnf -y update \
+  && dnf install -y \
+    # Required for our install script:
+    wget \
+    sudo \
+  && dnf clean all \
+  && rm -rf /var/cache/yum

.ci/release-ci/alpine/Dockerfile

@@ -0,0 +1,9 @@
+FROM alpine:3.20.3
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN apk add --no-cache --update \
+  # Required for our install script:
+  bash \
+  wget

.ci/release-ci/debian/Dockerfile

@@ -0,0 +1,23 @@
+FROM debian:12.7-slim
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+ENV DEBIAN_FRONTEND='noninteractive'
+
+RUN apt-get update \
+  && apt-get install --no-install-recommends -y \
+    # Required to work with https-based repos and custom signed packages:
+    apt-transport-https \
+    ca-certificates \
+    # Required for our install script:
+    gnupg \
+    sudo \
+    wget \
+  # Cleaning cache:
+  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+  && apt-get clean -y && rm -rf /var/lib/apt/lists/* \
+  && adduser --disabled-password nonroot \
+  && adduser nonroot sudo \
+  && echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+USER nonroot

.ci/release-ci/fedora/Dockerfile

@@ -0,0 +1,16 @@
+FROM fedora:40
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN dnf -y update \
+  && dnf install -y \
+    # Required for our install script:
+    wget \
+    sudo \
+  && dnf clean all \
+  && rm -rf /var/cache/yum \
+  && adduser --password='' -m nonroot \
+  && echo 'nonroot ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+USER nonroot
+WORKDIR /home/nonroot

.ci/release-ci/rocky/Dockerfile

@@ -0,0 +1,12 @@
+FROM rockylinux:8
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN dnf -y update \
+  && dnf install -y \
+    # Required for our install script:
+    wget \
+    sudo \
+  && dnf clean all \
+  && rm -rf /var/cache/yum

.ci/release-ci/ubuntu/Dockerfile

@@ -0,0 +1,23 @@
+FROM ubuntu:23.10
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+ENV DEBIAN_FRONTEND='noninteractive'
+
+RUN apt-get update \
+  && apt-get install --no-install-recommends -y \
+    # Required to work with https-based repos and custom signed packages:
+    apt-transport-https \
+    ca-certificates \
+    # Required for our install script:
+    gnupg \
+    sudo \
+    wget \
+  # Cleaning cache:
+  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+  && apt-get clean -y && rm -rf /var/lib/apt/lists/* \
+  && adduser --disabled-password nonroot \
+  && adduser nonroot sudo \
+  && echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+USER nonroot

.ci/releaser/alpine/Dockerfile

@@ -0,0 +1,40 @@
+# Initially copied from
+# https://github.com/jordansissel/fpm/blob/master/Dockerfile
+FROM alpine:3.20.3
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+ENV CODE_DIR='/code'
+ENV SECRETS_PROJECT_ROOT="$CODE_DIR"
+ENV NFPM_VERSION='2.15.1'
+
+RUN apk add --no-cache --update \
+    # fpm deps:
+    ruby \
+    ruby-dev \
+    ruby-etc \
+    gcc \
+    libffi-dev \
+    make \
+    libc-dev \
+    rpm \
+    tar \
+    # Direct dependencies:
+    bash \
+    gawk \
+    git \
+    gnupg \
+    # Assumed to be present:
+    curl \
+    # envsubst for `nfpm`:
+    gettext \
+  # Installing `nfpm`, it builds alpine packages:
+  && curl -sfL "https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_Linux_x86_64.tar.gz" --output 'nfpm.tar.gz' \
+  && tar -xf 'nfpm.tar.gz' nfpm \
+  && mv nfpm '/usr/local/bin' \
+  && chmod 755 '/usr/local/bin/nfpm' \
+  && rm -rf 'nfpm.tar.gz' \
+  # Installing `fpm`, it builds all other packages:
+  && gem install --no-document fpm
+
+WORKDIR $CODE_DIR

.ci/script.sh

@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-# Docker-baised builds:
-if [[ ! -z "$DOCKER_DIST" ]]; then
-  TEMPLATE="sobolevn/git-secret-docker-$DOCKER_DIST"
-  # Passing the `TRAVIS_COMMIT` into the container:
-  COMMAND="if [ ! -z ${TRAVIS_COMMIT} ]; then git checkout ${TRAVIS_COMMIT}; fi; make test-${GITSECRET_DIST}-ci"
-
-  # This will run the full intergration check inside the `docker` container:
-  # see `test-deb-ci` and `test-rpm-ci` in `Makefile`
-  docker run "$TEMPLATE" /bin/bash -c "$COMMAND"
-  docker ps -a
-fi
-
-# Local builds:
-if [[ "$GITSECRET_DIST" == "brew" ]] || [[ "$GITSECRET_DIST" == "none" ]]; then
-  # Only running `make test` on standard (non-docker) build,
-  # since it is called inside the docker container anyway.
-  make test
-fi
-
-if [[ ! -z "$(command -v shellcheck)" ]]; then
-  # This means, that `shellcheck` does exist, so run it:
-  echo 'running lint'
-  make lint
-fi

.docker/deb/debian/Dockerfile

@@ -1,23 +0,0 @@
-FROM debian:latest
-
-MAINTAINER Nikita Sobolev (mail@sobolevn.me)
-
-# Dependencies and project initialization:
-
-RUN apt-get update && \
-    apt-get install -y man make git apt-transport-https && \
-    apt-get install -y ruby ruby-dev ruby-build && \
-    apt-get autoremove && apt-get autoclean && \
-    mkdir /code
-
-# This will increase the container size, but speed up the build,
-# since this part will change, while the dependencies won't:
-
-WORKDIR /code
-
-# Removing `origin` for good:
-
-RUN git clone -q https://github.com/sobolevn/git-secret.git && \
-    cd git-secret && git remote rm origin
-
-WORKDIR /code/git-secret

.docker/deb/ubuntu/Dockerfile

@@ -1,23 +0,0 @@
-FROM ubuntu:latest
-
-MAINTAINER Nikita Sobolev (mail@sobolevn.me)
-
-# Dependencies and project initialization:
-
-RUN apt-get update && \
-    apt-get install -y man make git apt-transport-https && \
-    apt-get install -y ruby ruby-dev ruby-build && \
-    apt-get autoremove && apt-get autoclean && \
-    mkdir /code
-
-# This will increase the container size, but speed up the build,
-# since this part will change, while the dependencies won't:
-
-WORKDIR /code
-
-# Removing `origin` for good:
-
-RUN git clone -q https://github.com/sobolevn/git-secret.git && \
-    cd git-secret && git remote rm origin
-
-WORKDIR /code/git-secret

.docker/make/debian/Dockerfile

@@ -1,22 +0,0 @@
-FROM debian:latest
-
-MAINTAINER Nikita Sobolev (mail@sobolevn.me)
-
-# Dependencies and project initialization:
-
-RUN apt-get update && \
-    apt-get install -y man make git apt-transport-https && \
-    apt-get autoremove && apt-get autoclean
-
-# This will increase the container size, but speed up the build,
-# since this part will change, while the dependencies won't:
-
-RUN mkdir /code
-WORKDIR /code
-
-# Removing `origin` for good:
-
-RUN git clone -q https://github.com/sobolevn/git-secret.git && \
-    cd git-secret && git remote rm origin
-
-WORKDIR /code/git-secret

.docker/rpm/centos/Dockerfile

@@ -1,26 +0,0 @@
-FROM centos:latest
-
-MAINTAINER Nikita Sobolev (mail@sobolevn.me)
-
-ENV HOME /root
-
-RUN yum update -y && \
-    yum install -y epel-release && \
-    yum install -y dnf && \
-    dnf update -y && \
-    rpm -U "http://opensource.wandisco.com/centos/7/git/x86_64/wandisco-git-release-7-2.noarch.rpm" && \
-    dnf install -y gnupg man make gcc git tar > /dev/null && \
-    dnf install -y which pciutils redhat-rpm-config rpm-build zlib-devel && \
-    dnf -y group install 'Development tools' && \
-    dnf install -y ruby ruby-devel rubygems && \
-    dnf -y autoremove && \
-    mkdir /code
-
-WORKDIR /code
-
-# Removing `origin` for good:
-
-RUN git clone -q https://github.com/sobolevn/git-secret.git && \
-    cd git-secret && git remote rm origin
-
-WORKDIR /code/git-secret

.docker/rpm/fedora/Dockerfile

@@ -1,22 +0,0 @@
-FROM fedora:latest
-
-MAINTAINER Nikita Sobolev (mail@sobolevn.me)
-
-ENV HOME /root
-
-RUN dnf update -y && \
-    dnf install -y gnupg man make gcc git tar > /dev/null && \
-    dnf install -y which pciutils redhat-rpm-config rpm-build zlib-devel && \
-    dnf -y group install 'Development tools' && \
-    dnf install -y ruby ruby-devel rubygems && \
-    dnf -y autoremove && \
-    mkdir /code
-
-WORKDIR /code
-
-# Removing `origin` for good:
-
-RUN git clone -q https://github.com/sobolevn/git-secret.git && \
-    cd git-secret && git remote rm origin
-
-WORKDIR /code/git-secret

.editorconfig

@@ -8,17 +8,6 @@ indent_style = space
 trim_trailing_whitespace = true
 end_of_line = lf
 insert_final_newline = true
-
-[*.json]
-indent_size = 2
-
-[*.py]
-indent_size = 4
-
-[*.sh]
-indent_size = 2
-
-[*.bats]
 indent_size = 2
 
 [Makefile]

.gitattributes

@@ -1 +1,10 @@
-* text=auto
+# Excluding from GitHub languages:
+vendor/ linguist-vendored
+
+# Excluding from GitHub diff:
+*.1 linguist-generated
+*.7 linguist-generated
+
+# Excluding from `git diff`:
+*.1 -diff
+*.7 -diff

.github/FUNDING.yml

@@ -0,0 +1,5 @@
+# These are supported funding model platforms
+
+github: wemake-services
+open_collective: git-secret
+custom: https://boosty.to/sobolevn

.github/ISSUE_TEMPLATE.md

@@ -24,8 +24,17 @@ Any other comments?
 
 What versions of software are you using?
 ----------------------------------------
-**Operating system:** …
+**Operating system:** (`uname -a`) …
 
-**`git-secret` version:** …
+**`git-secret` path:** (`which git-secret`) …
 
-**Shell type and version:** …
+**`git-secret` version:** (`git secret --version`) …
+
+**`git` version:** (`git --version`) …
+
+**Shell type and version:** (`$SHELL --version`) …
+
+**`gpg` version:** (`gpg --version`) …
+
+<!-- Love git-secret? Please consider supporting our collective:
+👉  https://opencollective.com/git-secret/donate -->

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,9 +1,17 @@
 <!-- Thanks for sending a pull request!
 
 Here's how it's done:
-1. Make sure that you open your pull-request to the `develop` branch (master branch is protected, since some plugins use it when installed)
-2. Make sure that tests pass
-3. Make sure that your code has the same style
+0. If you are planning a large feature, please, discuss it first in a separate issue.
+   See also [CONTRIBUTING.md](https://github.com/sobolevn/git-secret/blob/master/CONTRIBUTING.md) if you haven't already.
+1. Make sure that you open your pull request against the `master` branch
+2. Make sure that your code has the same style as the surrounding code and git-secret in general
+3. Make sure your code passes using `shellcheck` with `make lint`
+4. You can also spell check your code using 'aspell -c {filename}'
+5. If you are adding or changing features, please add tests that cover the new behavior (in addition to the unchanged behavior if appropriate)
+6. Make sure that all tests pass
+7. Change the .md file(s) in man/man*/ to document your changes if appropriate
+   (regenerating man pages with 'make build-man' is optional)
+8. Add an entry to CHANGELOG.md explaining the change briefly and, if appropriate, referring to the related issue #
 
 Please make sure you click the link above to view the contribution guidelines, then fill out the blanks below. -->
 

.github/dependabot.yml

@@ -0,0 +1,83 @@
+# GitHub-native dependabot setup, configuration:
+# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
+version: 2
+
+updates:
+
+# Docs and GitHub Actions:
+
+- package-ecosystem: bundler
+  directory: "/docs"
+  schedule:
+    interval: daily
+
+- package-ecosystem: github-actions
+  directory: "/"
+  schedule:
+    interval: daily
+
+# Our CI and release docker images:
+
+- package-ecosystem: docker
+  directory: ".ci/releaser/alpine"
+  schedule:
+    interval: weekly
+
+# Release CI:
+
+- package-ecosystem: docker
+  directory: ".ci/release-ci/alpine"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/release-ci/debian"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/release-ci/ubuntu"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/release-ci/centos"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/release-ci/fedora"
+  schedule:
+    interval: weekly
+
+# Docker CI:
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/alpine"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/debian-gnupg1"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/debian-gnupg2"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/ubuntu"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/centos"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/fedora"
+  schedule:
+    interval: weekly

.github/workflows/build-man.yml

@@ -0,0 +1,25 @@
+
+name: build-man
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - 'docs/**/*'
+  pull_request:
+    paths:
+      - 'docs/**/*'
+  workflow_dispatch:
+
+concurrency: 
+  group: ${{ github.head_ref || github.run_id }}-build-man
+  cancel-in-progress: true
+
+jobs:
+  build-man:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Checks that manual generation works
+      run: make build-man

.github/workflows/github-pages.yml

@@ -0,0 +1,32 @@
+name: github-pages
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - 'man/**/*'
+      - 'docs/**/*'
+      - 'utils/*/install.sh'
+
+concurrency: 
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Build docs
+      run: make build-docs
+
+    - name: Deploy to Pages
+      uses: JamesIves/github-pages-deploy-action@v4.6.8
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        branch: gh-pages # The branch the action should deploy to.
+        folder: docs # The folder the action should deploy.
+        clean: true # Automatically remove deleted files from the deploy branch

.github/workflows/release-ci.yml

@@ -0,0 +1,91 @@
+name: release-ci
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * *'
+
+  # In case we change the some build scripts:
+  push:
+    branches:
+      - master
+    paths:
+      - 'utils/**'
+      - '.ci/release-ci/**'
+      - 'Makefile'
+      - '.github/workflows/release-ci.yml'
+  pull_request:
+    paths:
+      - 'utils/**'
+      - '.ci/release-ci/**'
+      - 'Makefile'
+      - '.github/workflows/release-ci.yml'
+
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  existing:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - release-type: deb
+            release-env: debian
+          - release-type: deb
+            release-env: ubuntu
+          - release-type: rpm
+            release-env: fedora
+          - release-type: rpm
+            release-env: rocky
+          - release-type: rpm
+            release-env: alma
+          #- release-type: apk      # temp removal of alpine releases for #881
+          #  release-env: alpine    # temp removal of alpine releases for #881
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run checks
+      run: |
+        SECRETS_RELEASE_ENV="${{ matrix.release-env }}" \
+        SECRETS_RELEASE_TYPE="${{ matrix.release-type }}" \
+        make release-ci
+
+  # Keep in sync with `release.yml`:
+  dryrun:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        release-type:
+          - apk
+          - deb
+          - rpm
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run dry run of the release process
+      run: |
+        SECRETS_RELEASE_TYPE="${{ matrix.release-type }}" \
+        SECRETS_DEPLOY_DRY_RUN=1 \
+        SECRETS_ARTIFACTORY_CREDENTIALS='fake' \
+          make release
+
+  # https://github.community/t/run-github-actions-job-only-if-previous-job-has-failed/174786/2
+  create-issue-on-failure:
+    name: Create an issue if release-ci cron failed
+    runs-on: ubuntu-latest
+    needs: [existing, dryrun]
+    if: ${{ github.event_name == 'schedule' && github.repository == 'sobolevn/git-secret' && always() && (needs.existing.result == 'failure' || needs.dryrun.result == 'failure') }}
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/github-script@v6
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            await github.rest.issues.create({
+              owner: "sobolevn",
+              repo: "git-secret",
+              title: `release-ci failure on ${new Date().toDateString()}`,
+              body: "Details: https://github.com/sobolevn/git-secret/actions/workflows/release-ci.yml",
+            })

.github/workflows/release.yml

@@ -0,0 +1,45 @@
+name: release
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+
+jobs:
+  release-packages:
+    environment:
+      name: artifactory
+      url: https://gitsecret.jfrog.io/artifactory
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        release-type:
+          - apk
+          # - deb
+          # - rpm
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run checks
+      run: SECRETS_RELEASE_TYPE="${{ matrix.release-type }}" make release
+      env:
+        SECRETS_ARTIFACTORY_CREDENTIALS: ${{ secrets.SECRETS_ARTIFACTORY_CREDENTIALS }}
+
+  # github-release:
+  #   runs-on: ubuntu-latest
+  #   needs: ['release-packages']
+  #   steps:
+  #   - uses: actions/checkout@v4
+  #   - run: make changelog
+  #     env:
+  #       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #   - uses: softprops/action-gh-release@v1
+  #     with:
+  #       # Generated above by `make changelog`:
+  #       body_path: CHANGELOG-RELEASE.md
+  #     env:
+  #       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -0,0 +1,89 @@
+name: test
+
+on:
+  push:
+    branches:
+      - master
+    paths-ignore:
+      - 'docs/**'
+  pull_request:
+    paths-ignore:
+      - 'docs/**'
+  workflow_dispatch:
+
+concurrency: 
+  group: ${{ github.head_ref || github.run_id }}-test
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Shellcheck and Hadolint
+      run: make lint
+
+  docker-ci:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        docker-env:
+          - alma
+          - alpine
+          #- arch           # disable arch testing for now, see #916
+          - debian-gnupg1  # We need to test legacy version of gnupg
+          - debian-gnupg2
+          - fedora
+          - rocky
+          - ubuntu
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run checks
+      run: SECRETS_DOCKER_ENV="${{ matrix.docker-env }}" make docker-ci
+
+  osx-ci:
+    runs-on: macos-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        test-verbose: [0, 1]
+    steps:
+    - uses: actions/checkout@v4
+    - name: Install deps
+      run: brew install gawk gnupg
+    - name: Run checks
+      run: SECRETS_TEST_VERBOSE=${{ matrix.test-verbose }} make test
+
+  freebsd-ci:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run checks
+      id: test
+      uses: vmactions/freebsd-vm@v1
+      with:
+        usesh: true
+        prepare: pkg install -y gnupg bash gmake git gawk
+        run: |
+          which -a bash
+          which -a shell
+          whoami
+          env
+          freebsd-version
+          gmake test
+
+  windows-wsl-ci:
+    runs-on: windows-latest
+    steps:
+    - uses: Vampire/setup-wsl@v3
+      with: 
+        update: 'true'
+        additional-packages: gnupg make man git gawk file
+    - run: git config --global core.autocrlf input
+    - uses: actions/checkout@v4
+    - shell: wsl-bash {0}
+      run: make test

.gitignore

@@ -29,7 +29,7 @@ $RECYCLE.BIN/
 # Linux trash folder which might appear on any partition or disk
 .Trash-*
 
-#####=== OSX ===#####
+#####=== MacOS ===#####
 .DS_Store
 .AppleDouble
 .LSOverride
@@ -126,10 +126,16 @@ _site/
 git-secret
 
 # Temporary packages:
-vendor/
 temp/
 
 # Packaging:
 build/
 *.deb
 *.fpm
+
+# Docs:
+docs/man
+docs/_posts
+docs/_includes/install-*.sh
+docs/_includes/version.txt
+CHANGELOG-RELEASE.md

.travis.yml

@@ -1,77 +0,0 @@
-matrix:
-  fast_finish: true
-  include:
-    - os: linux
-      env: GITSECRET_DIST="make"; DOCKER_DIST="debian"
-      services: docker
-      sudo: required
-      language: ruby
-    - os: linux
-      env: GITSECRET_DIST="deb"; DOCKER_DIST="debian";
-      services: docker
-      sudo: required
-      language: ruby
-    - os: linux
-      env: GITSECRET_DIST="deb"; DOCKER_DIST="ubuntu"
-      services: docker
-      sudo: required
-      language: ruby
-    - os: linux
-      env: GITSECRET_DIST="rpm"; DOCKER_DIST="fedora"
-      services: docker
-      sudo: required
-      language: ruby
-    - os: linux
-      env: GITSECRET_DIST="none"; GITSECRET_GPG_DEP="gnupg"; SECRETS_GPG_COMMAND="gpg"
-      sudo: required
-      language: ruby
-    - os: linux
-      env: GITSECRET_DIST="none"; GITSECRET_GPG_DEP="gnupg2"; SECRETS_GPG_COMMAND="gpg2"
-      sudo: required
-      language: ruby
-    - os: linux
-      env: GITSECRET_DIST="shellcheck"
-      sudo: required
-      language: ruby
-      addons:
-        apt:
-          sources:
-          - debian-sid
-          packages:
-          - shellcheck
-    - os: osx
-      env: GITSECRET_DIST="brew"; GITSECRET_GPG_DEP="gnupg2"; SECRETS_GPG_COMMAND="gpg2"
-      sudo: false
-      language: generic
-
-before_script:
-  - chmod +x ".ci/before_script.sh" && ".ci/before_script.sh"
-
-script:
-  - chmod +x ".ci/script.sh" && ".ci/script.sh"
-
-before_deploy:
-  - chmod +x ".ci/before_deploy.sh" && ".ci/before_deploy.sh"
-
-deploy:
-  - provider: bintray
-    on:
-      branch: master
-      condition: "$GITSECRET_DIST == deb"
-    file: "build/deb_descriptor.json"
-    user: "sobolevn"
-    key: "$BINTRAY_API_KEY"
-    passphrase: "$BINTRAY_GPG_PASS"
-  - provider: bintray
-    on:
-      branch: master
-      condition: "$GITSECRET_DIST == rpm"
-    file: "build/rpm_descriptor.json"
-    user: "sobolevn"
-    key: "$BINTRAY_API_KEY"
-    passphrase: "$BINTRAY_GPG_PASS"
-
-notifications:
-  email:
-    on_success: never
-    on_failure: change

CHANGELOG.md

@@ -1,58 +1,351 @@
 # Changelog
 
+## {{Next Version}}
+
+### Misc
+
+- NOTE: Arch instructions now say to install from source. Arch tests removed temporarily (#916)
+- NOTE: there is an issue when repo directory (or a parent dir) contains a space (#135)
+- Improve error messaging when we cannot find git repo (#874)
+- Temporarily disable apk builds on alpine (#881)
+- Have `hide -v` show output from gnupg
+- Documentation updates and fixes
+
+
+## 0.5.0
+
+### Features
+
+- Adds `SECRETS_GPG_ARMOR` env variable to use `gpg --armor`
+  when encrypting files, so secret files are stored
+  in text format rather than binary (#631)
+- Allow gnupg permission warnings in `tell`, `hide`, `reveal`, and `removeperson` (#811)
+- `git secret init` now sets `.gitsecret/keys` permission to 0700 (#811)
+- Improve verbose and non-verbose output
+
+### Bugfixes
+
+- Fix adding newlines to `.gitignore` entries (#643)
+- Fix `cat` and `reveal` on named files while in repo subdir (#710)
+- Fix `clean`, `hide`, `reveal` so they only remove marked secret files (#833)
+- Fix for `removeperson` if same email is present multiple times (#638)
+- Correct error message about files missing from .gitignore
+
+### Misc
+
+- Rename `killperson` command to `removeperson` (#684)
+- Improve error messaging decrypting nonexistent files (#706)
+- Improve, expand, correct, and update docs (#699)
+- Update docs for use with CI/CD server (#675)
+- Upgrade bats-core to v1.6.0 (#755)
+- Test, and build RPMS, with Rocky and Alma Linux instead of CentOS (#765)
+- Automate testing code on windows using WSL (#846)
+- Automate testing code on FreeBSD (#455)
+- Improve testing of .gitignore contents (#792)
+- Automate running verbose tests with SECRETS_TEST_VERBOSE=1 (#794)
+- Improve documentation about installing on Windows (#843)
+
+
+## 0.4.0
+
+### Bugfixes
+
+- Escape filenames with special characters before adding to `.gitignore`
+- Better error handling around telling an email twice (#634)
+- Fix for `-P` (#647)
+
+### Misc
+
+- Removed `test-kitchen`
+- Moved from `travis` to GitHub Actions
+- Changed almost all infrastructure code
+- Moved away from Bintray to Artifactory
+- Changes how GitHub Pages work
+- Add security disclaimer for git-secret-killperson
+- Improve documentation about releases
+- Man page improvements
+
+
+## Version 0.3.3
+
+### Bugfixes
+
+- In 'tell', warn about disabled, revoked, expired, or invalid keys (#552, #508, #317, #290, #283, #238)
+- Error if 'tell' is used on an email address with multiple keys (#552)
+- Don't let 'reveal' clobber secret files (#579)
+- Updated test key fixture that had expired (#607)
+
+### Misc
+
+- Improve docs about using gpg with git-secret (#577)
+- Text improvements and More about security in git-secret.7 man page (#603)
+- Reflect changes in ruby bundler during build process
+- Upgrade build process to ansible 2.9
+- Use shellcheck 0.7.1 with CI, not 'latest' (#609)
+- Improve output of `git-secret add`
+
+## Version 0.3.2
+
+### Bugfixes
+
+- Fix mention of version in git-secret add man page (#544)
+
+### Misc
+
+- Update developer docs, especially regarding mac, docker, and test-kitchen (#195)
+- Update man pages to mention version documented (#420)
+
+## Version 0.3.1
+
+### Misc
+
+- Update man pages
+
+## Version 0.3.0
+
+### Features
+
+- Support SECRETS_PINENTRY env var for gnupg --pinentry-mode parameter (#221)
+- Show output from gnupg if 'hide' fails (#516, #202, #317)
+- Add support for Busybox (#478)
+
+### Bugfixes
+
+- Use OSX's mktemp on OSX, even if there's another version in PATH. (#485)
+- Make rsync a build requirement on debian (#500)
+- Use gnupg1, not gnupg2, when tests specify gnupg1 (#241)
+- Note dependencies gawk, bash, and coreutils in linux packages (#493)
+- Handle case of key having no email and a comment (#527)
+- Avoid blank lines from output of 'clean -v'
+
+### Misc
+
+- Improve messaging and logic around deleting tmp files.
+- Add note about secrets and old keys (#499)
+- Transition build process from python 2 to python 3 (#487)
+- Upgrade build process from ansible 2.5 to ansible 2.8
+- Fix build process when installing gnupg2 source deps on Ubuntu
+- Close file descriptor 3 when running gnupg subprocesses (#521)
+- Small optimization in 'hide'
+- Improve code comments
+- Update docs to note that git-secret repos modified by git-secret 0.2.3 and
+  later are not backward compatible with pre-0.2.3 versions of git-secret. (#536)
+
+## Version 0.2.6
+
+### Features
+
+- git-secret is now available in Fedora, link added to README.md. (#315)
+- Support automated testing on windows with Travis CI (#372)
+- Support SECRETS_VERBOSE env var to enable verbosity (#323)
+- Use gpg without --quiet when decrypting in verbose mode (#394)
+- Add -v options to 'tell' and 'reveal', showing gpg output (#320, #395)
+- Change 'init' to never ignore .secret files (#362)
+- 'add' appends filepaths to .gitignore by default (#225)
+- Automate the GitHub release (#411)
+
+### Bugfixes
+
+- Fix 'hide -m' when used as first hide operation (#466)
+- Fix code to respect $TMPDIR when generating tmp files (#451)
+- Be more careful when deleting test files (#360)
+- Use separate directory when testing, instead of using $BATS_TMPDIR directly (#407)
+- Fix 'whoknows -l' and related tests on FreeBSD (#454)
+- Fix git-secret init when used on busybox (#475)
+- Update git-secret.io, fix utils/gh-branch.sh to use 'git all --add' (#344)
+- Fix link to homebrew's git-secret in README.md (#310)
+- Remove diagnostic output from test results (#324)
+- Remove un-needed redirection in 'reveal' (#325)
+- Fix link to current contributors in CONTRIBUTING.md (#331)
+- Fix tests when running from git hooks (#334)
+- Fix typo, remove temp directory in utils/tests.sh (#347)
+- Spelling fixes
+- Fix re: SECRETS_DIR in 'init' and SECRETS_EXTENSION in test_reveal.bats (#364)
+- git-secret will fail if you pass params or filenames that are not understood (#390)
+- Use SECRETS_GPG_COMMAND env var in gpg version check (#389)
+- Add header to git-secret.7 man page, for debian and doc improvement (#386)
+- Respect DESTDIR when installing as per GNU/debian/etc recommendations (#424)
+- Use git check-ignore to test for files ignored by git
+
+### Misc
+
+- Improve docs about hide -m option (#467)
+- Document SECRETS_VERBOSE and improve env var docs (#396)
+- Setting SECRETS_TEST_VERBOSE env var shows debug info during tests (EXPERIMENTAL)
+- Add documentation about how to write tests.
+- Suppress 'cleaning up temp files' messages unless in a verbose mode.
+- Improve git-secret user messaging.
+- Update CHANGELOG.md to mention fix for #281 in v0.2.5 (#311)
+- Add text explaining git-secret Style Guide and Development Philosophy
+- Use Shellcheck on tests/ files, changes for Shellcheck in tests/ (#368)
+- Use Shellcheck on MacOS/osx travis tests (#403)
+- Show commands run by Makefile as per debian upstream recommendations (#386)
+- Upgrade bats-core to v1.1.0, import bats-core into vendor/bats-core (#377)
+- Use gawk to parse emails from gpg output
+- Optimize code that parses keyrings
+- Remove unused code
+
+## Version 0.2.5
+
+### Features
+
+- Add support for FreeBSD (#244)
+- Add -l option to whoknows, which shows key expiration dates (#283)
+- Add -P option (preserve permissions) to reveal and hide (#172)
+- Add -F option (force, changing some errors to warnings) to hide and reveal (#253)
+- Allow user to specify name of secret dir at runtime using SECRETS_DIR env var, and test (#247, #250)
+
+### Bugfixes
+
+- Fix issues with spaces in paths and filenames (#226, #135)
+- Fix issue when 'hide' used in subdir of repo (#230)
+- Fix issues in 'changes' with trailing newlines (#291)
+- Fix 'hide' to only count actually hidden files as hidden (#280)
+- Fixed bugs and improved error messages (#174)
+- Issue error message when unable to hide a secret (#202, #238)
+- Accept gpg key with no name, only an email (#227)
+- Require keys to be specified by email, as documented (#267)
+- Disallow 'git secret tell' or 'killperson' with emails that are not in keyring (also #267)
+
+### Misc
+
+- Added notes about packages and for package maintainers (#281)
+- Improve documentation regarding operation with different versions of GPG (#274, #182)
+- Documentation improvements, error message and text improvements, and typo fixes (#254)
+- git-secret RFC#001 added, documenting a path towards independence from gpg binary formats (#208)
+- Add tests for expired gpg keys, and gpg keys with only emails (#276)
+
+## Version 0.2.4
+
+### Features
+
+- Added `git secret cat` feature (#141)
+
+### Bugfixes
+
+- `git secret hide` and `git secret changes` check for files more carefully (#153, #154)
+
+### Misc
+
+- Documentation and error message improvements (#126, #136, #144, #150)
+- Build and CI fixes (#152, #179, #186, #188, #189)
+- Migrate to `bats-core` bash testing framework
+
+## Version 0.2.3
+
+### Features
+
+- Added `-m` option to `hide` command, files will only be hidden when modifications are detected (#92)
+- Changed how path mappings file works: colon delimited FSDB in `.gitsecret/paths/mapping.cfg', so git-secret
+  can store checksums of hidden files. Note this means git-secret repos modified by git-secret 0.2.3
+  or later are not backward compatible with pre-0.2.3 versions of git-secret. (#92)
+- `git secret init` now adds `random_seed` to `.gitignore` (#93)
+
+### Bugfixes
+
+- Dropped `git check-ignore`, using `git add --dry-run` instead to check for ignored files (#105,#38)
+- Fixed `gnupg` >= 2.1 CI tests (#6)
+
+### Misc
+
+- Now users can run local CI tests using test-kitchen (#6)
+- Migrated travis ci tests to test-kitchen for Linux platforms.
+- Added more `gpg` version to test matrix (#99)
+- Added CentOS to test matrix (#38,#91)
+- All tested Linux platforms now use latest release of `shellcheck`
+- Added Alpine to test matrix, and apk is now built. (#75)
+
 ## Version 0.2.2
 
+### Features
+
 - Change how the `usage` command works (#48)
 - Now `git-secret` works from any place inside `git-tree` (#56)
-- Added `-d` option to the `hide` coomand: it deletes unencrypted files (#62)
+- Added `-d` option to the `hide` command: it deletes unencrypted files (#62)
 - Added new command `changes` to see the diff between the secret files (#64)
-- Fixed bug when `_user_required` was not working after reimporting keys (#74)
 - Now it is possible to provide multiple emails to the `killperson` command (#73)
 - Now it is possible to provide multiple emails to the `tell` command (#72)
+
+### Bugfixes
+
+- Fixed bug when `_user_required` was not working after re-importing keys (#74)
+- Refactored `hide` and `clean` commands to be shorter
+
+### Misc
+
 - Now every doc in this project refer to `git-secret.io` instead of old `gh-pages` website (#71)
 - Now installation section is removed from main `man` file (#70)
-- Now "See also" section in the `man`s are clickable (#69)
+- Now "See also" sections in the `man` pages are clickable (#69)
 - Added "Manual" section to the manuals (#61)
-- Added `centos` container for `ci` testing (#38)
-- Tests are refactored. Added `clean` command tests, removed a lot of hardcoded things, moved tests execution from `./temp` folder to `/tmp`, added a lot of new check in old tests, and some new test cases (#52)
-- Refactored `hide` and `clean` commands to be shorter
+- Added `CentOS` container for `ci` testing (#38)
+- Tests are refactored. Added `clean` command tests, removed a lot of hard-coded things, moved tests execution from `./temp` folder to `/tmp`, added a lot of new check in old tests, and some new test cases (#52)
 - `shellcheck` is now supported with `make lint`
 
-
 ## Version 0.2.1
 
-- Now everything is tested inside the `docker`-containers and `OSX` images on `travis`.
-- Added autodeploy to `bintray` in `.travis.yml`.
-- Added `.ci/` folder for continuous integration, refactored `utils/` folder.
+### Misc
+
 - Added `CONTRIBUTING.md` and `LICENSE.md`.
 - New brand logo in the `README.md`.
+- Added autodeploy to `bintray` in `.travis.yml`.
+- Now everything is tested inside the `docker`-containers and `OSX` (MacOS) images on `travis`.
+- Added `.ci/` folder for continuous integration, refactored `utils/` folder.
 - Everything is `shellcheck`ed (except `tests/`).
 
 ## Version 0.2.0
 
-- Added `changes` command to see the difference between current version of the hidden files and the commited one
+### Features
+
+- Added `changes` command to see the difference between current version of the hidden files and the committed one
 - Added `-f` option to the `reveal` command to remove prompts
-- Changed the way files were decrypted, now it is a separate function
+
+### Bugfixes
+
 - Some bugs are fixed
+
+### Misc
+
 - New installation instructions
+- Changed the way files were decrypted, now it is a separate function
 
 ## Version 0.1.2
 
+### Features
+
 - Added `-i` option to the `git-secret-add` command, which auto adds unignored files to the `.gitignore`
-- Documentation improved with `Configuration` section
-- Added extra tests: for custom filenames and new features
-- `Makefile` improvements with `.PHONY` and `install` target
+
+### Misc
+
 - `.github` templates added
+- Documentation improved with `Configuration` section
+- `Makefile` improvements with `.PHONY` and `install` target
+- Added extra tests: for custom filenames and new features
 
 ## Version 0.1.1
 
+### Features
+
 - Added `--dry-run` option to the `git secret` command, which prevents any actions.
-- Now `install_full_fixture()` returns a fingerprint
-- Now `uninstall_full_fixture()` receives two args
-- Fixed bug, when tests were failing with `gpg2`
-- New travis strategy: testing both `gpg` and `gpg2`
+
+### Misc
+
 - Removed animation from docs, now using `asciinema.org`
+- `install_full_fixture()` returns a fingerprint
+- `uninstall_full_fixture()` receives two args
+- Fixed bug when tests were failing with `gpg2`
+- New travis strategy: testing both `gpg` and `gpg2`
 
 ## Version 0.1.0
 
-- Initial release
+### Features
+
+- Implementation of git secret add
+- Implementation of git secret clean, with -v option
+- Implementation of git secret hide, with -c 'clean' and -v option
+- Implementation of git secret init
+- Implementation of git secret killperson
+- Implementation of git secret list
+- Implementation of git secret remove, with -c option
+- Implementation of git secret reveal, with -d homedir and -p passphrase options
+- Implementation of git secret tell, with -m email and -d homedir options
+- Implementation of git secret usage

CONTRIBUTING.md

@@ -2,92 +2,216 @@
 
 Your contributions are always welcome!
 
+
+## Getting started
+
+1. Create your own or pick an opened issue from the [tracker](https://github.com/sobolevn/git-secret/issues). Take a look at the [`help-wanted` tag](https://github.com/sobolevn/git-secret/labels/help%20wanted)
+
+2. Fork the git-secret repo and then clone the repository using a command like `git clone https://github.com/${YOUR_NAME}/git-secret.git`
+
+3. Make sure that everything works on the current platform by running `make test`.
+   You can also try the experimental `SECRETS_TEST_VERBOSE=1 make test`, which will
+   show you a lot of debug output while the tests are running.
+   Note that 'experimental' features may change or be removed in a future version of `git-secret`.
+
+4. If you want to test on multiple operating systems just push your PR, GitHub Actions will cover everything else
+
+Basically, our `make` file is the only thing you will need to work with this repo.
+
+
 ## Process
 
 ### Environment
 
-Before starting make sure you have:
+For development of `git-secret` you should have these tools locally:
 
 - git
 - bash
-- gnupg (or gnupg2)
-- [shellcheck](https://github.com/koalaman/shellcheck)
+- gawk
+- gnupg (or gnupg2), see below if not packaged by your distribution/OS (i.e. MacOS)
+- sha256sum (on freebsd and MacOS `shasum` is used instead)
+- make
 
-Only required if dealing with manuals, `gh-pages` or releases:
+To test `git-secret` you will need:
 
-- ruby, ruby-dev
+- [docker](https://www.docker.com/)
 
-### Getting started
+### Code style
 
-1. Create your own or pick an opened issue from the [tracker][tracker]. Take a look at the [`help-wanted` tag][help-wanted]
-2. Fork and clone your repository: `git clone https://github.com/${YOUR_NAME}/git-secret.git`
-3. Make sure that everything works fine by running `make test`
+New features and changes should aim to be as clear, concise, simple, and consistent
+
+1. clear: make it as obvious as possible what the code is doing
+
+2. concise: your PR should be as few characters (not just lines) of changes as _reasonable_.
+   However, generally choose clarity over being concise.
+   Clarity and conciseness can be in conflict with each other. But
+   it's more important for the code to be understandable than for it to be small.
+   Therefore favor writing clear code over making shorter diffs in your PRs.
+
+3. simple: this dovetails with the previous two items.
+   git-secret is a security product, so it's best to have the code be easy to understand.
+   This also aids future development and helps minimize bugs.
+
+4. consistent: Write code that is consistent with the surrounding code and the rest of the git-secret code base.
+   Every code base has its own conventions and style that develop and accrete over time.
+
+   Consistency also means that the inputs and outputs of git-secret should be as consistent as reasonable
+   with related Unix and git tools, and follow the 'rule of least surprise',
+   also known as the 'principle of least astonishment': <https://en.wikipedia.org/wiki/Principle_of_least_astonishment>
+
+We wrote this to clarify our thinking about how git-secret should be written.  Of course, these are philosophical goals,
+not necessities for releasing code, so balancing these four ideals _perfectly_ is both unwarranted and impossible.
+
+### Writing PRs
+
+If you're planning a large change to `git-secret` (for example, a lot of lines/characters of diffs, affecting multiple commands,
+changing/adding a lot of behavior, or adding multiple command-line options), it's best to discuss the changes in an Issue first.
+Also it's often best to implement larger or complex changes as a series of planned-out, smaller PRs,
+each making a small set of specific changes. This facilitates discussions of implementation, which often come to light
+only after seeing the actual code used to perform a task.
+
+As mentioned above, we seek to be consistent with surrounding git and Unix tools, so when writing changes to git-secret,
+think about the input, output, and command-line options that similar Unix commands use.
+
+Our favor toward traditional Unix and git command-style inputs and outputs can also mean it's appropriate to
+lean heavily on git and widely-used Unix command features instead of re-implementing them in code.
 
 ### Development Process
 
-1. Firstly, you will need to setup development hooks with `make install-hooks`
-2. Make changes to the files that need to be changed
-3. When making changes to any files inside `src/` you will need to rebuild the binary `git-secret` with `make clean && make build` command
-4. Run [`shellcheck`][shellcheck] against all your changes with `make lint`
-5. Now, add all your files to the commit with `git add --all` and commit changes with `git commit`, make sure you write a good message, which will explain your work
-6. When running `git commit` the tests will run automatically, your commit will be canceled if they fail
-7. Push to your repository, make a pull-request against `develop` branch. Please, make sure you have **one** commit per pull-request, it will be merge into one anyways
+1. Make changes to the git secret files that need to be changed
+
+2. When making changes to any files inside `src/`, for changes to take effect you will need to rebuild the `git-secret` script with `make clean && make build`
+
+3. Run `shellcheck` against all your changes with `make lint`.
+   You should also check your changes for spelling errors using 'aspell -c filename'.
+
+4. Add an entry to CHANGELOG.md, referring to the related issue # if appropriate
+
+5. Change the `man` source file(s) (we write them in markdown) in `man/man1` and `man/man7` to document your changes if appropriate
+
+6. Now, add all your files to the commit with `git add --all` and commit changes with `git commit`.
+   Write a good commit message which explains your work
+
+7. When running `git commit` the tests will run automatically, your commit will be canceled if they fail.
+   You can run the tests manually with `make clean build test`.
+
+8. Push to your repository, and make a pull-request against `master` branch. It's ideal to have one commit per pull-request,
+but don't worry, it's easy to `squash` PRs into a small number of commits when they're merged.
 
 ### Branches
 
-We have three long-live branches: `master`, `staging` and `develop` (and `gh-pages` for static site).
+We have two long-live branches: `master` for the git-secret code and man pages, and `gh-pages` for the static web site.
+The `gh-pages` branch tracks the `master` branch's `docs` folder, and is kept up-to-date using a GitHub Action.
 
-It basically looks like that:
+Development looks like this:
 
-> `your-branch` -> `develop` -> `staging` -> `master`
+> `your-branch` -> `master`
 
-- `master` branch is protected, since `antigen` and tools like it install the app from the main branch directly. So only fully tested code goes there
-- `staging` - this branch is used to create a new `git` tag and a `github` release, then it gets merged into `master`
-- `develop` is where the development is done and the branch you should send your pull-requests to
+- `master` branch is protected, so only fully tested code goes there. It is also used to create a new `git` tag and a `github` release
 
-### Continuous integration
+By convention, you can name your branches like `issue-###-short-description`, but that's not required.
+The `gh-pages` branch is used for the pages at `git-secret.io`. See 'Release Process' below.
 
-CI is done with the help of `travis`. `travis` handles multiple environments:
+### Writing tests
 
-- `Docker`-based jobs or so-called 'integration tests', these tests create a local release, install it with the package manager and then run unit-tests and system checks
-- `OSX` jobs, which handle basic unit-tests on `OSX`
-- Native `travis` jobs, which handle basic unit-tests and stylechecks
+`git-secret` uses [bats-core](https://github.com/bats-core/bats-core) for testing.
+See the files in tests/ and the `bats-core` documentation for details.
+
+Because the output of many commands can be affected by the SECRETS_VERBOSE environment
+variable (which enables verbosity), it's best not to expect a particular number of lines of
+output from commands.
 
 ### Release process
 
-The release process is defined in the `git`-hooks and `.travis.yml`.
+To create a new release, (you'll first need permission to commit to the repo, of course):
 
-When creating a commit inside the `staging` branch (it is usually a documentation and changelog update with the version bump inside `src/version.sh`) it will trigger two main events.
+Update the content of `CHANGELOG.md` for the release (this should be a matter of changing headers),
+and update the version string in `src/version.sh`.
 
-Firstly, new manuals will be created and added to the current commit with `make build-man` on `pre-commit` hook.
+When creating a commit inside the `master` branch (it is usually a documentation and changelog update with the version bump inside `src/version.sh`).
 
-Secondly, after the commit is successfully created it will also trigger `make build-gh-pages` target on `post-commit` hook, which will push new manuals to the [git-secret site][git-secret-site]. And the new `git` tag will be automatically created if the version is changed:
+Then, push your code to GitHub. It will start the CI.
+
+After all the checks have executed, GitHub Actions will test and build releases for specific platforms.
+
+While CI is doing it's building and testing, finish the release on github by pushing the new tag with:
 
 ```bash
-if [[ "$NEWEST_TAG" != "v${SCRIPT_VERSION}" ]]; then
-  git tag -a "v${SCRIPT_VERSION}" -m "version $SCRIPT_VERSION"
-fi
+git push --tags
 ```
 
-Then it will be merged inside `master` when ready.
+and then go to https://github.com/sobolevn/git-secret/releases to see that the new release is created. It might take some time.
 
-#### Travis releases
+#### GitHub automated releases
 
-When creating a commit inside `master` branch, `travis` on successful build will publish new `deb` and `rpm` packages to [`bintray`][bintray].
+We use GitHub actions to run the release process.
+We use `artifactory` as an environment for the release.
+You would need to get a review before release would be possible.
 
-If you wish to override a previous release (*be careful*) you will need to add `"override": 1` into `matrixParams`, see `deb-deploy.sh` and `rpm-deploy.sh`
+It can be reproduced locally with `make release`, but you will need `SECRETS_ARTIFACTORY_CREDENTIALS`.
+
+After packages are released to https://gitsecret.jfrog.io we trigger `release-ci` workflow to test that installation works correctly.
 
 #### Manual releases
 
-Releases to `brew` are made manually.
+Releases to `brew` are made manually, and involve opening a PR on the [Homebrew Core](https://github.com/Homebrew/homebrew-core) repo .
+To get started, see the
+[Homebrew docs about Formulae-related PRs](https://docs.brew.sh/How-To-Open-a-Homebrew-Pull-Request#formulae-related-pull-request)
+and `brew bump-formula-pr --help`
 
-#### Dockerhub releases
+### Downstream Packages
 
-[`Dockerhub`][Dockerhub] contains `Docker` images with different OS'es used for testing. It is updated via a `github` webhook on commit into `master`.
+There are several distributions and packaging systems that may already have git-secret packaged for your distribution (although sometimes their versions are not the most current, and we recommend all users upgrade to 0.2.5 or above).
 
-[tracker]: https://github.com/sobolevn/git-secret/issues
-[help-wanted]: https://github.com/sobolevn/git-secret/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22
-[shellcheck]: https://github.com/koalaman/shellcheck
-[git-secret-site]: http://git-secret.io
-[bintray]: https://bintray.com/sobolevn
-[Dockerhub]: https://hub.docker.com/r/sobolevn/git-secret/
+### Notes to Downstream Packagers (Those who make packages for specific OSes/distributions)
+
+First of all, thank you for packaging git-secret for your platform! We appreciate it.
+
+We also would like to welcome you to collaborate or discuss any issues, ideas or thoughts you have about
+git-secret by submitting [issue report](https://github.com/sobolevn/git-secret/issues)
+(which can also be feature requests) or
+[pull requests](https://help.github.com/en/articles/creating-a-pull-request)
+via the git repo at
+[git-secret on github](https://github.com/sobolevn/git-secret)
+
+Please let us know if there are any changes you'd like to see to the source,
+packaging, testing, documentation, or other aspect of git-secret.
+We look forward to hearing from you.
+
+
+## About GnuPG
+
+Here are some links to gnupg documentation that might be useful for those working with git-secret:
+
+- [GnuPG PDF Documentation](https://www.gnupg.org/documentation/manuals/gnupg.pdf)
+- [GnuPG doc/DETAILS File](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS)
+
+
+## Financial contributions
+
+We also welcome financial contributions in full transparency on our [open collective](https://opencollective.com/git-secret).
+Anyone can file an expense. If the expense makes sense for the development of the community, it will be "merged" in the ledger of our open collective by the core contributors and the person who filed the expense will be reimbursed.
+
+
+## Credits
+
+### Contributors
+
+Thank you to all the people who have already contributed
+to `git-secret` via commits to our git repository!
+
+[![List of contributors](https://opencollective.com/git-secret/contributors.svg?width=890&button=0)](https://github.com/sobolevn/git-secret/contributors)
+
+
+### Backers
+
+Thank you to all our backers! [[Become a backer](https://opencollective.com/git-secret#backer)]
+
+<object type="image/svg+xml" data="https://opencollective.com/git-secret/tiers/backer.svg?avatarHeight=36&width=600" style="max-width: 100%;"></object>
+
+
+### Sponsors
+
+Thank you to all our sponsors! (please ask your company to also support this open source project by [becoming a sponsor](https://opencollective.com/git-secret#sponsor))
+
+<object type="image/svg+xml" data="https://opencollective.com/git-secret/tiers/sponsor.svg?avatarHeight=36&width=600" style="max-width: 100%;"></object>

Makefile

@@ -1,14 +1,11 @@
-SHELL:=/usr/bin/env bash
+SHELL:=bash
 PREFIX?="/usr"
+DESTDIR?=
 
 #
 # Building:
 #
 
-git-secret: src/version.sh src/_utils/* src/commands/* src/main.sh
-	@cat $^ > "$@"; \
-	chmod +x git-secret; sync
-
 .PHONY: all
 all: build
 
@@ -17,130 +14,164 @@ clean:
 	@rm -f git-secret
 
 .PHONY: build
-build: git-secret
+build:
+	@cat src/version.sh > git-secret
+	@cat src/_utils/*.sh src/commands/*.sh >> git-secret
+	@cat src/main.sh >> git-secret
+	@chmod +x git-secret; sync
 
 .PHONY: install
 install:
-	@chmod +x "./utils/install.sh"; sync; \
-	"./utils/install.sh" "${PREFIX}"
+	"${SHELL}" ./utils/install.sh "${DESTDIR}${PREFIX}"
 
 .PHONY: uninstall
 uninstall:
-	@chmod +x "./utils/uninstall.sh"; sync; \
-	"./utils/uninstall.sh" "${PREFIX}"
+	"${SHELL}" ./utils/uninstall.sh "${DESTDIR}${PREFIX}"
 
 #
-# Testing:
+# Testing and linting:
 #
 
-.PHONY: install-test
-install-test:
-	@if [ ! -d "vendor/bats" ]; then \
-	git clone https://github.com/sstephenson/bats.git vendor/bats; fi
-
+# The $(shell echo $${PWD}) construct is to access *nix paths under windows
+# Under git for windows '$PATH' is set to windows paths, e.g. C:\Something
+# Using a sub-shell we get the raw *nix paths, e.g. /c/Something
 .PHONY: test
-test: install-test clean build
-	@chmod +x "./utils/tests.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	export PATH="${PWD}/vendor/bats/bin:${PWD}:${PATH}"; \
-	"./utils/tests.sh"
+test: clean build
+	export SECRETS_PROJECT_ROOT="$(shell echo $${PWD})"; \
+	export PATH="$(shell echo $${PWD})/vendor/bats-core/bin:$(shell echo $${PWD}):$(shell echo $${PATH})"; \
+	"${SHELL}" ./utils/tests.sh
+
+# We use this script in CI and you can do this too!
+# What happens here?
+# 1. We pass `SECRETS_DOCKER_ENV` variable into this job
+# 2. Based on it, we select a proper `docker` image to run test on
+# 3. We execute `make test` inside the `docker` container
+.PHONY: docker-ci
+docker-ci: clean
+	@[ -z "${SECRETS_DOCKER_ENV}" ] \
+		&& echo 'SECRETS_DOCKER_ENV is unset' && exit 1 || true
+	docker build \
+		-f ".ci/docker-ci/$${SECRETS_DOCKER_ENV}/Dockerfile" \
+		-t "gitsecret-$${SECRETS_DOCKER_ENV}:latest" .
+	docker run --rm \
+		--volume="$${PWD}:/code" \
+		-w /code \
+		"gitsecret-$${SECRETS_DOCKER_ENV}" \
+		make test
+
+.PHONY: lint-shell
+lint-shell:
+	docker pull koalaman/shellcheck:latest
+	docker run \
+		--volume="$${PWD}:/code" \
+		-w /code \
+		-e SHELLCHECK_OPTS='-s bash -S style -a' \
+		--rm koalaman/shellcheck \
+		$$(find src .ci utils tests docs -type f \
+			-name '*.sh' -o -name '*.bash' -o -name '*.bats')
+
+.PHONY: lint-docker
+lint-docker:
+	docker pull hadolint/hadolint:latest-alpine
+	docker run \
+		--volume="$${PWD}:/code" \
+		-w /code \
+		--rm hadolint/hadolint \
+		hadolint \
+			--ignore=DL3008 --ignore=DL3018 --ignore=DL3041 --ignore=DL3028 \
+			.ci/*/**/Dockerfile
+
+.PHONY: lint
+lint: lint-shell lint-docker
 
 #
-# Manuals:
+# Manuals and docs:
 #
 
-.PHONY: install-ronn
-install-ronn:
-	@if [ ! `gem list ronn -i` == "true" ]; then gem install ronn; fi
-
 .PHONY: clean-man
 clean-man:
-	@find "man/" -type f ! -name "*.ronn" -delete
+	@find "man/" -type f ! -name "*.md" -delete
 
 .PHONY: build-man
-build-man: install-ronn clean-man
-	@ronn --roff --organization="sobolevn" --manual="git-secret" man/*/*.ronn
+build-man: build
+	docker pull msoap/ruby-ronn
+	export GITSECRET_VERSION="$$(./git-secret --version)" && docker run \
+		--volume="$${PWD}:/code" \
+		-w /code \
+		--rm msoap/ruby-ronn \
+		ronn --roff \
+			--organization=sobolevn \
+			--manual="git-secret $${GITSECRET_VERSION}" \
+			man/*/*.md
 
-.PHONY: build-gh-pages
-build-gh-pages:
-	@chmod +x "./utils/gh-branch.sh"; sync; \
-	"./utils/gh-branch.sh"
+.PHONY: build-docs
+build-docs: build-man
+	 "${SHELL}" docs/build.sh
 
-#
-# Development:
-#
+.PHONY: docs
+docs: build-docs
+	docker pull jekyll/jekyll
+	docker run \
+		--volume="$${PWD}/docs:/code" \
+		-w /code \
+		-p 4000:4000 \
+		--rm jekyll/jekyll \
+		jekyll serve --safe --strict_front_matter
 
-.PHONY: install-hooks
-install-hooks:
-	@ln -fs "${PWD}/utils/hooks/pre-commit.sh" "${PWD}/.git/hooks/pre-commit"; \
-	chmod +x "${PWD}/.git/hooks/pre-commit"; sync; \
-	ln -fs "${PWD}/utils/hooks/post-commit.sh" "${PWD}/.git/hooks/post-commit"; \
-	chmod +x "${PWD}/.git/hooks/post-commit"; sync
-
-.PHONY: develop
-develop: clean build install-hooks
-
-.PHONY: lint
-lint:
-	@find src utils -type f -name '*.sh' -print0 | xargs -0 -I {} shellcheck {}
+.PHONY: changelog
+changelog:
+	@[ -z "${GITHUB_REPOSITORY}" ] \
+		&& echo 'GITHUB_REPOSITORY is unset' && exit 1 || true
+	@[ -z "${GITHUB_TOKEN}" ] \
+		&& echo 'GITHUB_TOKEN is unset' && exit 1 || true
+	docker pull githubchangeloggenerator/github-changelog-generator
+	docker run \
+		--volume="$${PWD}:/code" \
+		-w /code \
+		--entrypoint='' \
+		-e GITHUB_REPOSITORY \
+		-e GITHUB_TOKEN \
+		--rm githubchangeloggenerator/github-changelog-generator \
+		sh ".ci/github_release_script.sh"
 
 #
 # Packaging:
 #
 
-.PHONY: install-fpm
-install-fpm:
-	@if [ ! `gem list fpm -i` == "true" ]; then gem install fpm; fi
+.PHONY: build-release
+build-release: clean build-man
+	@[ -z "${SECRETS_RELEASE_TYPE}" ] \
+		&& echo 'SECRETS_RELEASE_TYPE is unset' && exit 1 || true
+	docker build \
+		-f ".ci/releaser/alpine/Dockerfile" \
+		-t "gitsecret-releaser:latest" .
+	docker run \
+		--volume="$${PWD}:/code" \
+		--rm gitsecret-releaser \
+		bash "./utils/$${SECRETS_RELEASE_TYPE}/build.sh"
 
-# .deb:
+.PHONY: release
+release: build-release
+	@[ -z "${SECRETS_ARTIFACTORY_CREDENTIALS}" ] \
+		&& echo 'SECRETS_ARTIFACTORY_CREDENTIALS is unset' && exit 1 || true
+	docker run \
+		--volume="$${PWD}:/code" \
+		-e SECRETS_ARTIFACTORY_CREDENTIALS \
+		-e SECRETS_DEPLOY_DRY_RUN \
+		--rm gitsecret-releaser \
+		bash "./utils/$${SECRETS_RELEASE_TYPE}/deploy.sh"
 
-.PHONY: build-deb
-build-deb: clean build install-fpm
-	@chmod +x "./utils/build-utils.sh"; sync; \
-	chmod +x "./utils/deb/deb-build.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	"./utils/deb/deb-build.sh"
-
-.PHONY: test-deb-ci
-test-deb-ci: install-test build-deb
-	@chmod +x "./utils/deb/deb-ci.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	export PATH="${PWD}/vendor/bats/bin:${PATH}"; \
-	"./utils/deb/deb-ci.sh"
-
-.PHONY: deploy-deb
-deploy-deb: build-deb
-	@chmod +x "./utils/deb/deb-deploy.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	"./utils/deb/deb-deploy.sh"
-
-# .rpm:
-
-.PHONY: build-rpm
-build-rpm: clean build install-fpm
-	@chmod +x "./utils/build-utils.sh"; sync; \
-	chmod +x "./utils/rpm/rpm-build.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	"./utils/rpm/rpm-build.sh"
-
-.PHONY: test-rpm-ci
-test-rpm-ci: install-test build-rpm
-	@chmod +x "./utils/rpm/rpm-ci.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	export PATH="${PWD}/vendor/bats/bin:${PATH}"; \
-	"./utils/rpm/rpm-ci.sh"
-
-.PHONY: deploy-rpm
-deploy-rpm: build-rpm
-	@chmod +x "./utils/rpm/rpm-deploy.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	"./utils/rpm/rpm-deploy.sh"
-
-# make:
-
-.PHONY: test-make-ci
-test-make-ci: clean install-test
-	@chmod +x "./utils/make/make-ci.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	export PATH="${PWD}/vendor/bats/bin:${PATH}"; \
-	"./utils/make/make-ci.sh"
+.PHONY: release-ci
+release-ci:
+	@[ -z "${SECRETS_RELEASE_ENV}" ] \
+		&& echo 'SECRETS_RELEASE_ENV is unset' && exit 1 || true
+	@[ -z "${SECRETS_RELEASE_TYPE}" ] \
+		&& echo 'SECRETS_RELEASE_TYPE is unset' && exit 1 || true
+	docker build \
+		-f ".ci/release-ci/$${SECRETS_RELEASE_ENV}/Dockerfile" \
+		-t "gitsecret-release-$${SECRETS_RELEASE_ENV}:latest" .
+	docker run --rm \
+		--volume="$${PWD}:/code" \
+		-w /code \
+		"gitsecret-release-$${SECRETS_RELEASE_ENV}" \
+		bash -c "set -e; bash "./utils/$${SECRETS_RELEASE_TYPE}/install.sh""

README.md

@@ -1,37 +1,123 @@
 # git-secret
 
-[![Build Status](https://img.shields.io/travis/sobolevn/git-secret/master.svg)](https://travis-ci.org/sobolevn/git-secret) [![Homebrew](https://img.shields.io/homebrew/v/git-secret.svg)](http://braumeister.org/formula/git-secret) [![Bintray deb](https://img.shields.io/bintray/v/sobolevn/deb/git-secret.svg)](https://bintray.com/sobolevn/deb/git-secret/view) [![Dockerhub](https://img.shields.io/docker/pulls/sobolevn/git-secret.svg)](https://hub.docker.com/r/sobolevn/git-secret/)
 
-[![git-secret](https://raw.githubusercontent.com/sobolevn/git-secret/gh-pages/images/git-secret-big.png)](http://git-secret.io/)
+[![test](https://github.com/sobolevn/git-secret/actions/workflows/test.yml/badge.svg?branch=master&event=push)](https://github.com/sobolevn/git-secret/actions/workflows/test.yml)
+[![release-ci](https://github.com/sobolevn/git-secret/actions/workflows/release-ci.yml/badge.svg)](https://github.com/sobolevn/git-secret/actions/workflows/release-ci.yml)
+[![Homebrew](https://img.shields.io/homebrew/v/git-secret.svg)](https://formulae.brew.sh/formula/git-secret)
+[![Supporters](https://img.shields.io/opencollective/all/git-secret.svg?color=gold&label=supporters)](https://opencollective.com/git-secret)
+
+[![git-secret](https://raw.githubusercontent.com/sobolevn/git-secret/gh-pages/images/git-secret-big.png)](https://git-secret.io/)
+
 
 ## What is `git-secret`?
 
-`git-secret` is a bash tool to store your private data inside a git repo. How’s that? Basically, it just encrypts, using `gpg`, the tracked files with the public keys of all the users that you trust. So everyone of them can decrypt these files using only their personal secret key. Why deal with all this private-public keys stuff? Well, to make it easier for everyone to manage access rights. There are no passwords that change. When someone is out - just delete their public key, re-encrypt the files, and they won’t be able to decrypt secrets anymore.
+`git-secret` is a bash tool which stores private data inside a git repo.
+`git-secret` encrypts files with permitted users' public keys,
+allowing users you trust to access encrypted data using pgp and their secret keys.
+
+With `git-secret`, changes to access rights are simplified, and private-public key issues are handled for you.
+
+When someone's permission is revoked, secrets do not need to be changed with `git-secret` -
+just remove their key from the repo's keyring using `git secret removeperson their@email.com`,
+re-encrypt the files, and they won't be able to decrypt secrets anymore.
+If you think the user might have copied the secrets or keys when they had access, then
+you should also change the secrets.
+
 
 ## Preview
 
-[![git-secret terminal preview](https://asciinema.org/a/41811.png)](https://asciinema.org/a/41811?autoplay=1)
+[![git-secret terminal preview](git-secret.gif)](https://asciinema.org/a/41811?autoplay=1)
 
-## Usage
-
-See the [git-secret site](http://git-secret.io/).
 
 ## Installation
 
-See the [installation section](http://git-secret.io/#installation).
+`git-secret` [supports `brew`](https://formulae.brew.sh/formula/git-secret), just type: `brew install git-secret`
+
+It also supports `apt` and `yum`. You can also use `make` if you want to.
+See the [installation section](https://sobolevn.me/git-secret/installation) for the details.
+
+### Requirements
+
+`git-secret` relies on several external packages:
+
+- `bash` since `3.2.57` (it is hard to tell the correct `patch` release)
+- `gawk` since `4.0.2`
+- `git` since `1.8.3.1`
+- `gpg` since `gnupg 1.4` to `gnupg 2.X`
+- `sha256sum` since `8.21` (on freebsd and MacOS `shasum` is used instead)
+
 
 ## Contributing
 
-See [CONTRIBUTING.md](CONTRIBUTING.md).
+Do you want to help the project? Find an [issue](https://github.com/sobolevn/git-secret/issues)
+and send a PR. It is more than welcomed! See [CONTRIBUTING.md](CONTRIBUTING.md) on how to do that.
+
+### Security
+
+In order to encrypt (git-secret hide -m) files only when modified, the path
+mappings file tracks sha256sum checksums of the files added (git-secret add) to
+git-secret's path mappings filesystem database. Although, the chances of
+encountering a sha collision are low, it is recommend that you pad files with
+random data for greater security. Or avoid using  the `-m` option altogether.
+If your secret file holds more data than just a single password these
+precautions should not be necessary, but could be followed for greater
+security.
+
+If you found any security related issues, please do not disclose it in public. Send an email to `mail@sobolevn.me`
+
 
 ## Changelog
 
-See [CHANGELOG.md](CHANGELOG.md).
+`git-secret` uses [semver](https://semver.org/). See [CHANGELOG.md](CHANGELOG.md).
+
+
+## Packagers
+
+Thanks to all the people and groups who package `git-secret` for easier install on particular OSes and distributions!
+
+[![Packaging status](https://repology.org/badge/vertical-allrepos/git-secret.svg)](https://repology.org/project/git-secret/versions)
+
+Here are some packagings of `git-secret` that we're aware of:
+
+- https://formulae.brew.sh/formula/git-secret
+- https://packages.ubuntu.com/bionic/git-secret
+- https://src.fedoraproject.org/rpms/git-secret
+- https://aur.archlinux.org/packages/git-secret/
+- https://pkgs.alpinelinux.org/package/edge/testing/x86/git-secret
+- https://packages.debian.org/sid/git-secret
+- https://github.com/void-linux/void-packages/blob/master/srcpkgs/git-secret/template
+
+Such packages are considered 'downstream' because the git-secret code 'flows' from the `git-secret` [repository](https://git-secret.io/installation)
+to the various rpm/deb/dpkg/etc packages that are created for specific OSes and distributions.
+
+We have also added notes specifically for packagers in [CONTRIBUTING.md](CONTRIBUTING.md).
+
+
+## Sponsors
+
+Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [[Become a sponsor](https://opencollective.com/git-secret#sponsor)]
+
+[![Sponsors](https://opencollective.com/git-secret/tiers/sponsor.svg?width=890)](https://opencollective.com/git-secret)
+
+
+## Backers
+
+Thanks to all our backers!
+
+[![Backers](https://opencollective.com/git-secret/tiers/backer.svg?width=890&avatarHeight=36)](https://opencollective.com/git-secret)
+
+
+## Contributors
+
+This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)].
+<a href="https://github.com/sobolevn/git-secret/graphs/contributors"><img src="https://opencollective.com/git-secret/contributors.svg?width=890" /></a>
+
 
 ## License
 
 MIT. See [LICENSE.md](LICENSE.md) for details.
 
+
 ## Thanks
 
 Special thanks to [Elio Qoshi](https://elioqoshi.me/sq/) from [ura](http://ura.design/) for the awesome logo.

RFC/RFC001.md

@@ -0,0 +1,142 @@
+# RFC 0001 - A stable and forwards compatible public key storage format
+
+**Feature Name:** Stable public key storage
+
+**Status:** Final
+
+**Type:** Enhancement
+
+**Related components:** Core
+
+**Start Date:** 2018-06-14
+
+**Author:** Simon Massey
+
+**GitHub issues:** 
+
+* #136 GnuPG2 2.2 vs 2.1 conflicts in keybox format
+
+## Summary
+
+A new internal public key storage format that avoids forwards compatibility issues between GPG releases. This proposal will keep forwards compatibility with older versions of git-secret. 
+
+## Motivation
+
+GPG maintains backwards compatibility but not forwards compatibility. Running a new GPG version can and will upgrade the keyring storage files in a way that is not recognized by older versions of GPG. This is not normally a problem for typical GPG usage. Users will upgrade and rarely downgrade. It is a problem for git-secret as the keyring storage is committed to git and shared between users. Someone using an older version of GPG can no longer open the upgraded keyring file. 
+
+## Approach
+
+git-secret will move away from using the keyring format as shared storage of public keys. Instead, it will store public keys as exported keys in ASCII armor format. The public key export format is stable and forwards compatible. GPG users will typically be running different GPG or PGP versions and are able to exchange keys successfully. Bugs that affect git-secret's ability to use exported public keys will likely affect typical GPG key exchange usage. Such bugs are likely to be caught and fixed by the wider open source community. 
+
+git-secret may need to store and process meta-data about keys to make it efficient to work with keys that are stored within individual files. It will use the machine-readable ["colon listings format"](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS) for this purpose. 
+
+It is anticipated that `bash` and `gawk` will be sufficient to work efficiently with the new file formats. 
+
+## Design
+
+The new storage format will be implemented as follows: 
+
+1. Keys will be stored in `~/.gitsecret/keys` in `gpg  --armor --export` format. The use of ASCII armor rather than binary format is to make debugging of key related issues easier. The filename of the key will be `<keyid>.pub.gpg` (using Field 5 the "64-bit keyid" of the colon listings format)
+1. Key meta data will be stored alongside the key file in the `gpg --keyid-format long --with-colons` format. The file name will be `<keyid>.pub.cln`
+1. A folder `~/.gitsecret/cache` will be added to `.gitignore`. At this location, a public keyring will be maintained on a per user bases and won't be shared between users. This is simply a "keyring cache" of the keys used to encrypt files. 
+
+git-secret-tell will: 
+
+1. Scan the set of `*.pub.cln` files to find all currently told identities. If the given identity is in the list do nothing. 
+1. If the given identity isn't listed run `gpg  --armor --export` against the users `$HOME` keyring to create the  `<key-id>.pub.gpg`. 
+1. Run `--keyid-format long --with-colons` of the exported key to create the `<key-id>.pub.cln`. 
+
+Note that the additional steps to ensure that older versions of git-secret know about the newly told identity will be outlined below. 
+
+git-secret-hide will: 
+
+1. Extract the list of "64-bit keyid"s who are told from the `*.pub.cln` files. Note that multiple identities can be listed against each key. 
+1. Checked this against the list of "64-bit keyid"s in the "keyring cache" at `~/.gitsecret/cache`. 
+1. Import any missing keys into the "keyring cache". It is anticipated that `gawk` will be sufficient to perform this calculation. 
+1. Run the current logic using the "keyring cache". 
+
+Note that the additional steps to ensure that older versions of git-secret know about the newly told user will be outlined below. 
+
+git-secret-whoknows will:
+
+1. The list of identities will be loaded by parsing the `.pub.cln` files. Note that multiple identities can be listed against each key. 
+
+git-secret-usage will:
+
+1. Document the git-secret-migrate command discussed in the next section. 
+
+git-secret-reveal will:
+
+* Be unchanged.  
+
+git-secret-remove will:
+
+* Be unchanged. 
+
+git-secret-list will:
+
+* Be unchanged. 
+
+git-secret-killperson will:
+
+1. Remove the key from the keyring cache.
+1. Delete both `<key-id>.pub.gpg` and `<key-id>.pub.cln` files.
+
+git-secret-init will:
+
+1. Add `~/.gitsecret/cache` into `.gitignore`.
+1. Run any current logic using the ignored "keyring cache".
+
+git-secret-clean will:
+
+* Be unchanged. 
+
+git-secret-changes will:
+
+1. Show differences the `<key-id>.pub.gpg` and `<key-id>.pub.cln` files in `~/.gitsecret/keys`.
+
+git-secret-add will:
+
+* Be unchanged. 
+
+A new command git-secret-migrate will:
+
+1. Create the folder `~/.gitsecret/cache` and add it to the `.gitignore` file. 
+1. Extract all keys from the old keyring generating `<key-id>.pub.gpg` and `<key-id>.pub.cln` files in `~/.gitsecret/keys`
+
+## Version Compatibility
+
+Backwards compatibility will the old keyring storage approach will be maintained as follows:
+
+1. For each changed command a guard will be added that checks for the existence of `.gitsecret/cache`.
+1. If the folder exists it proceeds as normal.
+1. If it does not exist it will report that the repo was initialized by an older version of git-secret and tell the user to run git-secret-migrate
+
+Forwards compatibility with older versions of git-secret will be maintained as follows. 
+
+git-secret-hide will:
+
+1. Have a guard that will check for the existence of the old keyring. If it exists it will check it for any new public keys and extract them into the new format prior to running. 
+
+git-secret-tell will:
+
+1. Will check for the existence of the old keyring. If it exists it will load the new public key into it. 
+
+git-secret-killperson
+
+1. Will check for the existence of the old keyring. If it exists it will delete the user from it. 
+
+
+## Drawbacks
+
+To maintain forward compatibility the approach requires the existing logic to kept working for a period of time. We can give a deprecated warning if the forwards compatibility logic is running. The warning can be suppressed using a command-line flag. 
+
+## Alternatives
+
+What other designs have been considered? Unknown. 
+
+What is the impact of not doing this? Team members are locked out of secrets when only one other team member upgrades GPG. This can go undetected until the victims needs the secrets in a hurry for production support. Bad things then happen. 
+
+## Unresolved questions
+
+What parts of the design are still to be done? None. 

docs/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+group :jekyll_plugins do
+  gem "jekyll", ">= 3.6.3"
+  gem "jekyll-seo-tag", "~> 2.8.0"
+end

docs/Gemfile.lock

@@ -0,0 +1,81 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
+    bigdecimal (3.1.8)
+    colorator (1.1.0)
+    concurrent-ruby (1.3.4)
+    em-websocket (0.5.3)
+      eventmachine (>= 0.12.9)
+      http_parser.rb (~> 0)
+    eventmachine (1.2.7)
+    ffi (1.17.0-x86_64-linux-gnu)
+    ffi (1.17.0-x86_64-linux-musl)
+    forwardable-extended (2.6.0)
+    google-protobuf (4.28.1-x86_64-linux)
+      bigdecimal
+      rake (>= 13)
+    http_parser.rb (0.8.0)
+    i18n (1.14.6)
+      concurrent-ruby (~> 1.0)
+    jekyll (4.3.4)
+      addressable (~> 2.4)
+      colorator (~> 1.0)
+      em-websocket (~> 0.5)
+      i18n (~> 1.0)
+      jekyll-sass-converter (>= 2.0, < 4.0)
+      jekyll-watch (~> 2.0)
+      kramdown (~> 2.3, >= 2.3.1)
+      kramdown-parser-gfm (~> 1.0)
+      liquid (~> 4.0)
+      mercenary (>= 0.3.6, < 0.5)
+      pathutil (~> 0.9)
+      rouge (>= 3.0, < 5.0)
+      safe_yaml (~> 1.0)
+      terminal-table (>= 1.8, < 4.0)
+      webrick (~> 1.7)
+    jekyll-sass-converter (3.0.0)
+      sass-embedded (~> 1.54)
+    jekyll-seo-tag (2.8.0)
+      jekyll (>= 3.8, < 5.0)
+    jekyll-watch (2.2.1)
+      listen (~> 3.0)
+    kramdown (2.4.0)
+      rexml
+    kramdown-parser-gfm (1.1.0)
+      kramdown (~> 2.0)
+    liquid (4.0.4)
+    listen (3.9.0)
+      rb-fsevent (~> 0.10, >= 0.10.3)
+      rb-inotify (~> 0.9, >= 0.9.10)
+    mercenary (0.4.0)
+    pathutil (0.16.2)
+      forwardable-extended (~> 2.6)
+    public_suffix (6.0.1)
+    rake (13.2.1)
+    rb-fsevent (0.11.2)
+    rb-inotify (0.11.1)
+      ffi (~> 1.0)
+    rexml (3.3.7)
+    rouge (4.4.0)
+    safe_yaml (1.0.5)
+    sass-embedded (1.78.0-x86_64-linux-gnu)
+      google-protobuf (~> 4.27)
+    sass-embedded (1.78.0-x86_64-linux-musl)
+      google-protobuf (~> 4.27)
+    terminal-table (3.0.2)
+      unicode-display_width (>= 1.1.1, < 3)
+    unicode-display_width (2.6.0)
+    webrick (1.8.1)
+
+PLATFORMS
+  x86_64-linux
+  x86_64-linux-musl
+
+DEPENDENCIES
+  jekyll (>= 3.6.3)
+  jekyll-seo-tag (~> 2.8.0)
+
+BUNDLED WITH
+   2.2.2

docs/_config.yml

@@ -0,0 +1,17 @@
+# Site settings
+title: git-secret
+email: mail@sobolevn.me
+description: Shell scripts to encrypt your private data inside a git repository.
+baseurl: "/git-secret" # the subpath of your site, e.g. /blog
+url: "https://sobolevn.me" # the base hostname & protocol for your site
+
+# GitHub links:
+github_username: sobolevn
+github_changelog: "https://github.com/sobolevn/git-secret/blob/master/CHANGELOG.md"
+
+# Seo settings:
+plugins:
+  - jekyll-seo-tag
+
+# Build settings
+markdown: kramdown

docs/_includes/favicons.html

@@ -0,0 +1,33 @@
+<link rel="apple-touch-icon" sizes="57x57"
+    href="/images/favicons/apple-icon-57x57.png">
+<link rel="apple-touch-icon" sizes="60x60"
+    href="/images/favicons/apple-icon-60x60.png">
+<link rel="apple-touch-icon" sizes="72x72"
+    href="/images/favicons/apple-icon-72x72.png">
+<link rel="apple-touch-icon" sizes="76x76"
+    href="/images/favicons/apple-icon-76x76.png">
+<link rel="apple-touch-icon" sizes="114x114"
+    href="/images/favicons/apple-icon-114x114.png">
+<link rel="apple-touch-icon" sizes="120x120"
+    href="/images/favicons/apple-icon-120x120.png">
+<link rel="apple-touch-icon" sizes="144x144"
+    href="/images/favicons/apple-icon-144x144.png">
+<link rel="apple-touch-icon" sizes="152x152"
+    href="/images/favicons/apple-icon-152x152.png">
+<link rel="apple-touch-icon" sizes="180x180"
+    href="/images/favicons/apple-icon-180x180.png">
+<link rel="icon" type="image/png" sizes="192x192"
+    href="/images/favicons/android-icon-192x192.png">
+<link rel="icon" type="image/png" sizes="32x32"
+    href="/images/favicons/favicon-32x32.png">
+<link rel="icon" type="image/png" sizes="96x96"
+    href="/images/favicons/favicon-96x96.png">
+<link rel="icon" type="image/png" sizes="16x16"
+    href="/images/favicons/favicon-16x16.png">
+
+<link rel="manifest" href="/images/favicons/manifest.json">
+
+<meta name="msapplication-TileColor" content="#ffffff">
+<meta name="msapplication-TileImage"
+    content="/images/favicons/ms-icon-144x144.png">
+<meta name="theme-color" content="#ffffff">

docs/_includes/footer.html

@@ -0,0 +1,38 @@
+<footer class="site-footer">
+
+  <div class="wrapper">
+
+    <h2 class="footer-heading">{{ site.title }}</h2>
+
+    <div class="footer-col-wrapper">
+      <div class="footer-col footer-col-1">
+        <ul class="contact-list">
+          <li><a href="http://wemake.services">wemake.services</a></li>
+          <li><a href="mailto:{{ site.email }}">{{ site.email }}</a></li>
+        </ul>
+      </div>
+
+      <div class="footer-col footer-col-2">
+        <ul class="social-media-list">
+          {% if site.github_username %}
+          <li>
+            {% include icon-github.html username=site.github_username %}
+          </li>
+          {% endif %}
+
+          {% if site.twitter_username %}
+          <li>
+            {% include icon-twitter.html username=site.twitter_username %}
+          </li>
+          {% endif %}
+        </ul>
+      </div>
+
+      <div class="footer-col footer-col-3">
+        <p>{{ site.description }}</p>
+      </div>
+    </div>
+
+  </div>
+
+</footer>

docs/_includes/head.html

@@ -0,0 +1,18 @@
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+
+  <title>{% if page.title %}{{ page.title }}{% else %}{{ site.title }}{% endif %}</title>
+  <meta name="description" content="{% if page.excerpt %}{{ page.excerpt | strip_html | strip_newlines | truncate: 160 }}{% else %}{{ site.description }}{% endif %}">
+
+  <link rel="stylesheet" href="{{ "/css/main.css" | prepend: site.baseurl }}">
+  <link rel="canonical"
+    href="{{ page.url | replace:'index.html','' | prepend: site.baseurl | prepend: site.url }}">
+  <link rel="alternate" type="application/rss+xml" title="{{ site.title }}"
+    href="{{ "/feed.xml" | prepend: site.baseurl | prepend: site.url }}">
+
+  {% include favicons.html %}
+
+  {% seo %}
+</head>

docs/_includes/header.html

@@ -0,0 +1,38 @@
+<header class="site-header">
+
+  <div class="wrapper">
+
+    <a class="site-title" href="{{ site.baseurl }}/">
+      {{ site.title }} v{% include version.txt %}
+    </a>
+
+    <div class="site-nav">
+      <a href="#" class="menu-icon">
+        <svg viewBox="0 0 18 15">
+          <path fill="#424242" d="M18,1.484c0,0.82-0.665,1.484-1.484,1.484H1.484C0.665,2.969,0,2.304,0,1.484l0,0C0,0.665,0.665,0,1.484,0 h15.031C17.335,0,18,0.665,18,1.484L18,1.484z"/>
+          <path fill="#424242" d="M18,7.516C18,8.335,17.335,9,16.516,9H1.484C0.665,9,0,8.335,0,7.516l0,0c0-0.82,0.665-1.484,1.484-1.484 h15.031C17.335,6.031,18,6.696,18,7.516L18,7.516z"/>
+          <path fill="#424242" d="M18,13.516C18,14.335,17.335,15,16.516,15H1.484C0.665,15,0,14.335,0,13.516l0,0 c0-0.82,0.665-1.484,1.484-1.484h15.031C17.335,12.031,18,12.696,18,13.516L18,13.516z"/>
+        </svg>
+      </a>
+
+      <div class="trigger">
+        <!-- Place this tag where you want the button to render. -->
+        <a class="github-button" href="https://github.com/sobolevn/git-secret" data-icon="octicon-star" data-size="large" data-show-count="true" aria-label="Star git-secret on GitHub">
+          Star
+        </a>
+      </div>
+    </div>
+
+  </div>
+
+  <nav class="site-navigation">
+    <a href="{{ "/installation" | prepend: site.baseurl }}">Installation</a>
+    <a href="{{ "/#commands" | prepend: site.baseurl }}">Commands</a>
+    <a href="{{ "/plugins" | prepend: site.baseurl }}">External plugins</a>
+    <a href="{{ site.github_changelog }}">Changelog</a>
+  </nav>
+
+</header>
+
+<!-- Required for GitHub buttons. -->
+<script async defer src="https://buttons.github.io/buttons.js"></script>

docs/_includes/icon-github.html

@@ -0,0 +1,4 @@
+<a href="https://github.com/{{ include.username }}">
+    <span class="icon icon--github">{% include icon-github.svg %}</span>
+    <span class="username">{{ include.username }}</span>
+</a>

docs/_includes/icon-github.svg

@@ -0,0 +1 @@
+<svg viewBox="0 0 16 16"><path fill="#828282" d="M7.999,0.431c-4.285,0-7.76,3.474-7.76,7.761 c0,3.428,2.223,6.337,5.307,7.363c0.388,0.071,0.53-0.168,0.53-0.374c0-0.184-0.007-0.672-0.01-1.32 c-2.159,0.469-2.614-1.04-2.614-1.04c-0.353-0.896-0.862-1.135-0.862-1.135c-0.705-0.481,0.053-0.472,0.053-0.472 c0.779,0.055,1.189,0.8,1.189,0.8c0.692,1.186,1.816,0.843,2.258,0.645c0.071-0.502,0.271-0.843,0.493-1.037 C4.86,11.425,3.049,10.76,3.049,7.786c0-0.847,0.302-1.54,0.799-2.082C3.768,5.507,3.501,4.718,3.924,3.65 c0,0,0.652-0.209,2.134,0.796C6.677,4.273,7.34,4.187,8,4.184c0.659,0.003,1.323,0.089,1.943,0.261 c1.482-1.004,2.132-0.796,2.132-0.796c0.423,1.068,0.157,1.857,0.077,2.054c0.497,0.542,0.798,1.235,0.798,2.082 c0,2.981-1.814,3.637-3.543,3.829c0.279,0.24,0.527,0.713,0.527,1.437c0,1.037-0.01,1.874-0.01,2.129 c0,0.208,0.14,0.449,0.534,0.373c3.081-1.028,5.302-3.935,5.302-7.362C15.76,3.906,12.285,0.431,7.999,0.431z"/></svg>

docs/_includes/icon-twitter.html

@@ -0,0 +1,4 @@
+<a href="https://twitter.com/{{ include.username }}">
+    <span class="icon icon--twitter">{% include icon-twitter.svg %}</span>
+    <span class="username">{{ include.username }}</span>
+</a>

docs/_includes/icon-twitter.svg

@@ -0,0 +1 @@
+<svg viewBox="0 0 16 16"><path fill="#828282" d="M15.969,3.058c-0.586,0.26-1.217,0.436-1.878,0.515c0.675-0.405,1.194-1.045,1.438-1.809c-0.632,0.375-1.332,0.647-2.076,0.793c-0.596-0.636-1.446-1.033-2.387-1.033c-1.806,0-3.27,1.464-3.27,3.27 c0,0.256,0.029,0.506,0.085,0.745C5.163,5.404,2.753,4.102,1.14,2.124C0.859,2.607,0.698,3.168,0.698,3.767 c0,1.134,0.577,2.135,1.455,2.722C1.616,6.472,1.112,6.325,0.671,6.08c0,0.014,0,0.027,0,0.041c0,1.584,1.127,2.906,2.623,3.206 C3.02,9.402,2.731,9.442,2.433,9.442c-0.211,0-0.416-0.021-0.615-0.059c0.416,1.299,1.624,2.245,3.055,2.271 c-1.119,0.877-2.529,1.4-4.061,1.4c-0.264,0-0.524-0.015-0.78-0.046c1.447,0.928,3.166,1.469,5.013,1.469 c6.015,0,9.304-4.983,9.304-9.304c0-0.142-0.003-0.283-0.009-0.423C14.976,4.29,15.531,3.714,15.969,3.058z"/></svg>

docs/_includes/why.md

@@ -0,0 +1,49 @@
+
+## Intro
+
+There's a well known issue with deploying and configuring software on servers: 
+generally you have to store your private data 
+(such as database passwords, application secret-keys, OAuth secret keys, etc) 
+outside of the git repository. 
+
+If you do choose to store these secrets unencrypted in your git repo, 
+even if the repository is private, it is a security risk to copy 
+the secrets everywhere you check out your repo.
+
+What are some drawbacks of storing secrets separately from your git repo?
+
+1. These files are not version controlled. 
+Filenames, locations, and passwords change from time to time,
+or new information appears, and other information is removed. 
+When secrets are stored separately from your repo,
+you can not tell for sure which version of the configuration file was used with each commit
+or deploy.
+
+2. When building the automated deployment system there will be one extra step: 
+download and place these secret-configuration files where they need to be. 
+This also means you have to maintain extra secure servers where all your secrets are stored.
+
+
+### How does `git-secret` solve these problems?
+
+1. `git-secret` encrypts files and stores them inside your `git` repository, providing a history of changes for every commit.
+2. `git-secret` doesn't require any extra deploy operations other than providing the appropriate
+private key (to allow decryption), and using `git secret reveal`
+to decrypt all the secret files.
+
+### What is `git-secret`?
+
+`git-secret` is a bash tool to store your private data inside a `git` repo. 
+
+How's that? Basically, it uses `gpg` to encrypt files with the 
+public keys of the users that you trust, and which you have specified with
+`git secret tell email@address.id`.
+Then these users can decrypt these files using their personal secret key. 
+
+Why deal with all this private/public key stuff? 
+To make it easier to manage access rights. 
+When you want to remove someone's access, use `git secret removeperson email@address.id`
+to delete their public key from your repo's git-secret keyring, and reencrypt the files. 
+Then they won't be able to decrypt secrets anymore.
+
+[![git-secret terminal preview](https://raw.githubusercontent.com/sobolevn/git-secret/master/git-secret.gif)](https://asciinema.org/a/41811?autoplay=1)

docs/_layouts/default.html

@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+  {% include head.html %}
+
+  <body>
+
+    {% include header.html %}
+
+    <div class="page-content">
+      <div class="wrapper">
+        {{ content }}
+      </div>
+    </div>
+
+    {% include footer.html %}
+
+    <!-- Place this tag in your head or just before your close body tag. -->
+    <script async defer src="https://buttons.github.io/buttons.js"></script>
+  </body>
+
+</html>

docs/_layouts/page.html

@@ -0,0 +1,14 @@
+---
+layout: default
+---
+<article class="post">
+
+  <header class="post-header">
+    <h1 class="post-title">{{ page.title }}</h1>
+  </header>
+
+  <div class="post-content">
+    {{ content }}
+  </div>
+
+</article>

docs/_layouts/post.html

@@ -0,0 +1,30 @@
+---
+layout: default
+---
+<article class="post" itemscope itemtype="http://schema.org/BlogPosting">
+
+  <header class="post-header">
+    <h1 class="post-title" itemprop="name headline">
+        {{ page.title }}
+    </h1>
+
+    <p class="post-meta">
+        <time datetime="{{ page.date | date_to_xmlschema }}" itemprop="datePublished">
+            {{ page.date | date: "%b %-d, %Y" }}
+        </time>
+
+        {% if page.author %}
+            • <span itemprop="author" itemscope itemtype="http://schema.org/Person">
+                <span itemprop="name">
+                    {{ page.author }}
+                </span>
+            </span>
+        {% endif %}
+    </p>
+  </header>
+
+  <div class="post-content" itemprop="articleBody">
+    {{ content }}
+  </div>
+
+</article>

docs/_sass/_base.scss

@@ -0,0 +1,206 @@
+/**
+ * Reset some basic elements
+ */
+body, h1, h2, h3, h4, h5, h6,
+p, blockquote, pre, hr,
+dl, dd, ol, ul, figure {
+    margin: 0;
+    padding: 0;
+}
+
+
+
+/**
+ * Basic styling
+ */
+body {
+    font: $base-font-weight #{$base-font-size}/#{$base-line-height} $base-font-family;
+    color: $text-color;
+    background-color: $background-color;
+    -webkit-text-size-adjust: 100%;
+    -webkit-font-feature-settings: "kern" 1;
+    -moz-font-feature-settings: "kern" 1;
+    -o-font-feature-settings: "kern" 1;
+    font-feature-settings: "kern" 1;
+    font-kerning: normal;
+}
+
+
+
+/**
+ * Set `margin-bottom` to maintain vertical rhythm
+ */
+h1, h2, h3, h4, h5, h6,
+p, blockquote, pre,
+ul, ol, dl, figure,
+%vertical-rhythm {
+    margin-bottom: $spacing-unit / 2;
+}
+
+
+
+/**
+ * Images
+ */
+img {
+    max-width: 100%;
+    vertical-align: middle;
+}
+
+
+
+/**
+ * Figures
+ */
+figure > img {
+    display: block;
+}
+
+figcaption {
+    font-size: $small-font-size;
+}
+
+
+
+/**
+ * Lists
+ */
+ul, ol {
+    margin-left: $spacing-unit;
+}
+
+li {
+    > ul,
+    > ol {
+         margin-bottom: 0;
+    }
+}
+
+
+
+/**
+ * Headings
+ */
+h1, h2, h3, h4, h5, h6 {
+    font-weight: $base-font-weight;
+}
+
+
+
+/**
+ * Links
+ */
+a {
+    color: $brand-color;
+    text-decoration: none;
+
+    &:visited {
+        color: darken($brand-color, 15%);
+    }
+
+    &:hover {
+        color: $text-color;
+        text-decoration: underline;
+    }
+}
+
+
+
+/**
+ * Blockquotes
+ */
+blockquote {
+    color: $purple-color;
+    border-left: 4px solid $purple-color-light;
+    padding-left: $spacing-unit / 2;
+    font-size: 18px;
+    letter-spacing: -1px;
+    font-style: italic;
+
+    > :last-child {
+        margin-bottom: 0;
+    }
+}
+
+
+
+/**
+ * Code formatting
+ */
+pre,
+code {
+    font-size: 15px;
+    border: 1px solid $purple-color-light;
+    border-radius: 3px;
+    background-color: #eef;
+}
+
+code {
+    padding: 1px 5px;
+}
+
+pre {
+    padding: 8px 12px;
+    overflow-x: auto;
+
+    > code {
+        border: 0;
+        padding-right: 0;
+        padding-left: 0;
+    }
+}
+
+
+
+/**
+ * Wrapper
+ */
+.wrapper {
+    max-width: -webkit-calc(#{$content-width} - (#{$spacing-unit} * 2));
+    max-width:         calc(#{$content-width} - (#{$spacing-unit} * 2));
+    margin-right: auto;
+    margin-left: auto;
+    padding-right: $spacing-unit;
+    padding-left: $spacing-unit;
+    @extend %clearfix;
+
+    @include media-query($on-laptop) {
+        max-width: -webkit-calc(#{$content-width} - (#{$spacing-unit}));
+        max-width:         calc(#{$content-width} - (#{$spacing-unit}));
+        padding-right: $spacing-unit / 2;
+        padding-left: $spacing-unit / 2;
+    }
+}
+
+
+
+/**
+ * Clearfix
+ */
+%clearfix {
+
+    &:after {
+        content: "";
+        display: table;
+        clear: both;
+    }
+}
+
+
+
+/**
+ * Icons
+ */
+.icon {
+
+    > svg {
+        display: inline-block;
+        width: 16px;
+        height: 16px;
+        vertical-align: middle;
+
+        path {
+            fill: $purple-color;
+        }
+    }
+}

docs/_sass/_layout.scss

@@ -0,0 +1,276 @@
+/**
+ * Site header
+ */
+.site-header {
+    border-top: 5px solid $purple-color-dark;
+    border-bottom: 1px solid $purple-color-light;
+    min-height: 56px;
+
+    // Positioning context for the mobile navigation icon
+    position: relative;
+}
+
+.site-title {
+    font-size: 26px;
+    font-weight: 300;
+    line-height: 56px;
+    letter-spacing: -1px;
+    margin-bottom: 0;
+    float: left;
+
+    &,
+    &:visited {
+        color: $purple-color-dark;
+    }
+}
+
+.site-nav {
+    @extend %clearfix;
+    float: right;
+    line-height: 56px;
+
+    .menu-icon {
+        display: none;
+    }
+
+    .page-link {
+        color: $text-color;
+        line-height: $base-line-height;
+
+        // Gaps between nav items, but not on the last one
+        &:not(:last-child) {
+            margin-right: 20px;
+        }
+    }
+
+    @include media-query($on-palm) {
+        position: absolute;
+        top: 9px;
+        right: $spacing-unit / 2;
+        background-color: $background-color;
+        border: 1px solid $purple-color-light;
+        border-radius: 5px;
+        text-align: right;
+
+        .menu-icon {
+            display: block;
+            float: right;
+            width: 36px;
+            height: 26px;
+            line-height: 0;
+            padding-top: 10px;
+            text-align: center;
+
+            > svg {
+                width: 18px;
+                height: 15px;
+
+                path {
+                    fill: $purple-color-dark;
+                }
+            }
+        }
+
+        .trigger {
+            clear: both;
+            display: none;
+        }
+
+        &:hover .trigger, &:active .trigger {
+            display: block;
+            padding-bottom: 5px;
+        }
+
+        .page-link {
+            display: block;
+            padding: 5px 10px;
+
+            &:not(:last-child) {
+                margin-right: 0;
+            }
+            margin-left: 20px;
+        }
+    }
+
+    .trigger {
+        padding-top: 13px;
+    }
+}
+
+
+
+/**
+ * Site footer
+ */
+.site-footer {
+    border-top: 1px solid $purple-color-light;
+    padding: $spacing-unit 0;
+}
+
+.footer-heading {
+    font-size: 18px;
+    margin-bottom: $spacing-unit / 2;
+}
+
+.contact-list,
+.social-media-list {
+    list-style: none;
+    margin-left: 0;
+}
+
+.footer-col-wrapper {
+    font-size: 15px;
+    color: $grey-color;
+    margin-left: -$spacing-unit / 2;
+    @extend %clearfix;
+}
+
+.footer-col {
+    float: left;
+    margin-bottom: $spacing-unit / 2;
+    padding-left: $spacing-unit / 2;
+}
+
+.footer-col-1 {
+    width: -webkit-calc(35% - (#{$spacing-unit} / 2));
+    width:         calc(35% - (#{$spacing-unit} / 2));
+}
+
+.footer-col-2 {
+    width: -webkit-calc(20% - (#{$spacing-unit} / 2));
+    width:         calc(20% - (#{$spacing-unit} / 2));
+}
+
+.footer-col-3 {
+    width: -webkit-calc(45% - (#{$spacing-unit} / 2));
+    width:         calc(45% - (#{$spacing-unit} / 2));
+}
+
+@include media-query($on-laptop) {
+    .footer-col-1,
+    .footer-col-2 {
+        width: -webkit-calc(50% - (#{$spacing-unit} / 2));
+        width:         calc(50% - (#{$spacing-unit} / 2));
+    }
+
+    .footer-col-3 {
+        width: -webkit-calc(100% - (#{$spacing-unit} / 2));
+        width:         calc(100% - (#{$spacing-unit} / 2));
+    }
+}
+
+@include media-query($on-palm) {
+    .footer-col {
+        float: none;
+        width: -webkit-calc(100% - (#{$spacing-unit} / 2));
+        width:         calc(100% - (#{$spacing-unit} / 2));
+    }
+}
+
+
+
+/**
+ * Page content
+ */
+.page-content {
+    padding: $spacing-unit 0;
+}
+
+.page-heading {
+    font-size: 20px;
+}
+
+.post-list {
+    li {
+        margin-bottom: 10px;
+    }
+}
+
+.post-meta {
+    font-size: $small-font-size;
+    color: $grey-color;
+}
+
+.post-link {
+    display: block;
+    font-size: 24px;
+}
+
+
+
+/**
+ * Posts
+ */
+.post-header {
+    margin-bottom: $spacing-unit;
+}
+
+.post-title {
+    font-size: 42px;
+    letter-spacing: -1px;
+    line-height: 1;
+
+    @include media-query($on-laptop) {
+        font-size: 36px;
+    }
+}
+
+.post-content {
+    margin-bottom: $spacing-unit;
+
+    h2 {
+        font-size: 32px;
+
+        @include media-query($on-laptop) {
+            font-size: 28px;
+        }
+    }
+
+    h3 {
+        font-size: 26px;
+
+        @include media-query($on-laptop) {
+            font-size: 22px;
+        }
+    }
+
+    h4 {
+        font-size: 20px;
+
+        @include media-query($on-laptop) {
+            font-size: 18px;
+        }
+    }
+}
+
+
+/**
+ * Navigation
+ */
+.site-navigation {
+    @extend .wrapper;
+
+    display: flex;
+    justify-content: space-between;
+    flex-wrap: wrap;
+
+    a {
+        color: $purple-color-dark;
+
+        @include media-query($on-laptop) {
+            flex-basis: 100%;
+            text-align: center;
+        }
+    }
+}
+
+
+/**
+ * Homepage
+ */
+ .home {
+    .home-logo-image {
+        margin-top: 50px;
+        margin-bottom: 70px;
+    }
+ }

docs/_sass/_syntax-highlighting.scss

@@ -0,0 +1,71 @@
+/**
+ * Syntax highlighting styles
+ */
+.highlight {
+    background: #fff;
+    @extend %vertical-rhythm;
+
+    .highlighter-rouge & {
+      background: #eef;
+    }
+
+    .c     { color: #998; font-style: italic } // Comment
+    .err   { color: #a61717; background-color: #e3d2d2 } // Error
+    .k     { font-weight: bold } // Keyword
+    .o     { font-weight: bold } // Operator
+    .cm    { color: #998; font-style: italic } // Comment.Multiline
+    .cp    { color: #999; font-weight: bold } // Comment.Preproc
+    .c1    { color: #998; font-style: italic } // Comment.Single
+    .cs    { color: #999; font-weight: bold; font-style: italic } // Comment.Special
+    .gd    { color: #000; background-color: #fdd } // Generic.Deleted
+    .gd .x { color: #000; background-color: #faa } // Generic.Deleted.Specific
+    .ge    { font-style: italic } // Generic.Emph
+    .gr    { color: #a00 } // Generic.Error
+    .gh    { color: #999 } // Generic.Heading
+    .gi    { color: #000; background-color: #dfd } // Generic.Inserted
+    .gi .x { color: #000; background-color: #afa } // Generic.Inserted.Specific
+    .go    { color: #888 } // Generic.Output
+    .gp    { color: #555 } // Generic.Prompt
+    .gs    { font-weight: bold } // Generic.Strong
+    .gu    { color: #aaa } // Generic.Subheading
+    .gt    { color: #a00 } // Generic.Traceback
+    .kc    { font-weight: bold } // Keyword.Constant
+    .kd    { font-weight: bold } // Keyword.Declaration
+    .kp    { font-weight: bold } // Keyword.Pseudo
+    .kr    { font-weight: bold } // Keyword.Reserved
+    .kt    { color: #458; font-weight: bold } // Keyword.Type
+    .m     { color: #099 } // Literal.Number
+    .s     { color: #d14 } // Literal.String
+    .na    { color: #008080 } // Name.Attribute
+    .nb    { color: #0086B3 } // Name.Builtin
+    .nc    { color: #458; font-weight: bold } // Name.Class
+    .no    { color: #008080 } // Name.Constant
+    .ni    { color: #800080 } // Name.Entity
+    .ne    { color: #900; font-weight: bold } // Name.Exception
+    .nf    { color: #900; font-weight: bold } // Name.Function
+    .nn    { color: #555 } // Name.Namespace
+    .nt    { color: #000080 } // Name.Tag
+    .nv    { color: #008080 } // Name.Variable
+    .ow    { font-weight: bold } // Operator.Word
+    .w     { color: #bbb } // Text.Whitespace
+    .mf    { color: #099 } // Literal.Number.Float
+    .mh    { color: #099 } // Literal.Number.Hex
+    .mi    { color: #099 } // Literal.Number.Integer
+    .mo    { color: #099 } // Literal.Number.Oct
+    .sb    { color: #d14 } // Literal.String.Backtick
+    .sc    { color: #d14 } // Literal.String.Char
+    .sd    { color: #d14 } // Literal.String.Doc
+    .s2    { color: #d14 } // Literal.String.Double
+    .se    { color: #d14 } // Literal.String.Escape
+    .sh    { color: #d14 } // Literal.String.Heredoc
+    .si    { color: #d14 } // Literal.String.Interpol
+    .sx    { color: #d14 } // Literal.String.Other
+    .sr    { color: #009926 } // Literal.String.Regex
+    .s1    { color: #d14 } // Literal.String.Single
+    .ss    { color: #990073 } // Literal.String.Symbol
+    .bp    { color: #999 } // Name.Builtin.Pseudo
+    .vc    { color: #008080 } // Name.Variable.Class
+    .vg    { color: #008080 } // Name.Variable.Global
+    .vi    { color: #008080 } // Name.Variable.Instance
+    .il    { color: #099 } // Literal.Number.Integer.Long
+}

docs/build.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+# Should be called from the root folder, not inside `docs/` folder
+# See `make build-docs`
+
+set -e
+
+MAN_LOCATION='man/man1'
+MAN7_LOCATION='man/man7'
+POSTS_LOCATION='docs/_posts'
+
+
+function checkout_manuals {
+  cp -r man/ docs/man
+}
+
+
+function copy_to_posts {
+  # Cleaning old files:
+  rm -f "$POSTS_LOCATION/*.md"
+  rm -rf "$POSTS_LOCATION"
+  mkdir -p "$POSTS_LOCATION"
+
+  # Moving new command files:
+  local timestamp
+  local current_date
+
+  timestamp=$(date "+%Y-%m-%d %H:%M:%S %z")
+  current_date=$(date "+%Y-%m-%d")
+
+  # Creating command reference:
+  for com in "$MAN_LOCATION"/git-secret-*.1.md; do
+    local short_name
+    short_name=$(echo "$com" | sed -n "s|$MAN_LOCATION/\(.*\)\.1\.md|\1|p")
+    local command_header="---
+layout: post
+title: '${short_name}'
+date: ${timestamp}
+permalink: ${short_name}
+categories: command
+---"
+
+    local post_filename="$POSTS_LOCATION/${current_date}-${short_name}.md"
+    echo "$command_header" > "$post_filename"
+    cat "$com" >> "$post_filename"
+  done
+
+  # Creating main usage file:
+  local usage_header="---
+layout: post
+title: 'git-secret'
+date: ${timestamp}
+permalink: git-secret
+categories: usage
+---"
+  local usage_filename="$POSTS_LOCATION/${current_date}-git-secret.md"
+  echo "$usage_header" > "$usage_filename"
+  cat "$MAN7_LOCATION/git-secret.7.md" >> "$usage_filename"
+}
+
+
+function copy_install_scripts {
+  # We test these scripts using `release-ci`,
+  # so, installation instructions will always be up-to-date:
+  cp utils/deb/install.sh docs/_includes/install-deb.sh
+  cp utils/rpm/install.sh docs/_includes/install-rpm.sh
+  cp utils/apk/install.sh docs/_includes/install-apk.sh
+}
+
+
+function copy_version {
+   ./git-secret --version > docs/_includes/version.txt
+}
+
+
+checkout_manuals
+copy_to_posts
+copy_install_scripts
+copy_version

docs/css/main.scss

@@ -0,0 +1,58 @@
+---
+# Only the main Sass file needs front matter (the dashes are enough)
+---
+@charset "utf-8";
+
+
+
+// Our variables
+$base-font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+$base-font-size:   16px;
+$base-font-weight: 400;
+$small-font-size:  $base-font-size * 0.875;
+$base-line-height: 1.5;
+
+$spacing-unit:     30px;
+
+$text-color:       #111;
+$background-color: #fdfdfd;
+
+$grey-color:       #828282;
+$grey-color-light: lighten($grey-color, 40%);
+$grey-color-dark:  darken($grey-color, 25%);
+
+$purple-color:       rgb(238, 81, 59);
+$purple-color-light: lighten($purple-color, 40%);
+$purple-color-dark:  darken($purple-color, 25%);
+
+$brand-color:      $purple-color;
+
+// Width of the content area
+$content-width:    800px;
+
+$on-palm:          600px;
+$on-laptop:        800px;
+
+
+
+// Use media queries like this:
+// @include media-query($on-palm) {
+//     .wrapper {
+//         padding-right: $spacing-unit / 2;
+//         padding-left: $spacing-unit / 2;
+//     }
+// }
+@mixin media-query($device) {
+    @media screen and (max-width: $device) {
+        @content;
+    }
+}
+
+
+
+// Import partials from `sass_dir` (defaults to `_sass`)
+@import
+        "base",
+        "layout",
+        "syntax-highlighting"
+;

docs/feed.xml

@@ -0,0 +1,30 @@
+---
+layout: null
+---
+<?xml version="1.0" encoding="UTF-8"?>
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+  <channel>
+    <title>{{ site.title | xml_escape }}</title>
+    <description>{{ site.description | xml_escape }}</description>
+    <link>{{ site.url }}{{ site.baseurl }}/</link>
+    <atom:link href="{{ "/feed.xml" | prepend: site.baseurl | prepend: site.url }}" rel="self" type="application/rss+xml"/>
+    <pubDate>{{ site.time | date_to_rfc822 }}</pubDate>
+    <lastBuildDate>{{ site.time | date_to_rfc822 }}</lastBuildDate>
+    <generator>Jekyll v{{ jekyll.version }}</generator>
+    {% for post in site.posts limit:10 %}
+      <item>
+        <title>{{ post.title | xml_escape }}</title>
+        <description>{{ post.content | xml_escape }}</description>
+        <pubDate>{{ post.date | date_to_rfc822 }}</pubDate>
+        <link>{{ post.url | prepend: site.baseurl | prepend: site.url }}</link>
+        <guid isPermaLink="true">{{ post.url | prepend: site.baseurl | prepend: site.url }}</guid>
+        {% for tag in post.tags %}
+        <category>{{ tag | xml_escape }}</category>
+        {% endfor %}
+        {% for cat in post.categories %}
+        <category>{{ cat | xml_escape }}</category>
+        {% endfor %}
+      </item>
+    {% endfor %}
+  </channel>
+</rss>

docs/images/favicons/browserconfig.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="utf-8"?>
+<browserconfig><msapplication><tile><square70x70logo src="/ms-icon-70x70.png"/><square150x150logo src="/ms-icon-150x150.png"/><square310x310logo src="/ms-icon-310x310.png"/><TileColor>#ffffff</TileColor></tile></msapplication></browserconfig>

docs/images/favicons/manifest.json

@@ -0,0 +1,41 @@
+{
+ "name": "App",
+ "icons": [
+  {
+   "src": "\/android-icon-36x36.png",
+   "sizes": "36x36",
+   "type": "image\/png",
+   "density": "0.75"
+  },
+  {
+   "src": "\/android-icon-48x48.png",
+   "sizes": "48x48",
+   "type": "image\/png",
+   "density": "1.0"
+  },
+  {
+   "src": "\/android-icon-72x72.png",
+   "sizes": "72x72",
+   "type": "image\/png",
+   "density": "1.5"
+  },
+  {
+   "src": "\/android-icon-96x96.png",
+   "sizes": "96x96",
+   "type": "image\/png",
+   "density": "2.0"
+  },
+  {
+   "src": "\/android-icon-144x144.png",
+   "sizes": "144x144",
+   "type": "image\/png",
+   "density": "3.0"
+  },
+  {
+   "src": "\/android-icon-192x192.png",
+   "sizes": "192x192",
+   "type": "image\/png",
+   "density": "4.0"
+  }
+ ]
+}

docs/index.html

@@ -0,0 +1,43 @@
+---
+layout: default
+---
+
+<div class="home">
+
+  <img src="{{ "/images/git-secret-big.png" | prepend: site.baseurl }}"
+       alt="git-secret"
+       title="git-secret"
+       class="home-logo-image" />
+
+  <h1>Synopsis</h1>
+
+  {% capture markdown_file %}
+    {% include why.md %}
+  {% endcapture %}
+
+  {{ markdown_file | markdownify }}
+
+  {% for post in site.categories.usage %}
+    {{ post.content }}
+  {% endfor %}
+
+  <h2 class="page-heading" id="commands">Command Reference</h2>
+
+  <ul class="post-list">
+    {% for post in site.categories.command %}
+      <li>
+        <h2>
+          <a class="post-link" href="{{ post.url | prepend: site.baseurl }}">
+            {{ post.title }}
+          </a>
+        </h2>
+      </li>
+    {% endfor %}
+  </ul>
+
+  <p class="rss-subscribe">
+    subscribe
+    <a href="{{ "/feed.xml" | prepend: site.baseurl }}">via RSS</a>
+  </p>
+
+</div>

docs/installation.md

@@ -0,0 +1,156 @@
+---
+layout: default
+---
+
+# Installation
+
+## Dependencies
+
+`git-secret` relies on two dependencies: `git` and `gpg`. Download and install them before using this project. `git-secret` is tested to work with:
+
+```
+git version 2.7.0
+gpg (GnuPG) 1.4.20
+```
+
+## Supported platforms
+
+`git-secret` is tested with `Mac OS X` >= 10.9, `Ubuntu` >= 14.04, `Debian` >= 8.3, 
+`Fedora` / `Rocky Linux` / `AlmaLinux`, `FreeBSD`, and `Windows` >= 10 using `WSL`.
+You can check the full list of automated test platforms
+[here](https://github.com/sobolevn/git-secret/blob/master/.github/workflows/test.yml).
+
+We are always interested in getting `git-secret` working and tested on additional systems.
+If you get `git-secret` working on a new system and the tests pass for you, 
+you can add a GitHub Action to test your platform to that file. 
+Also we welcome improvements to tests or `git-secret` code for any platform.
+
+## Installation process
+
+There are several ways to install `git-secret`, depending on your OS and distribution.
+They generally all have different installation processes, so we only go into 
+a short explanation of each. 
+(We welcome documentation improvements.)
+
+---
+
+### Mac OS X / Homebrew
+
+This is a packaging system for OSX. To install `git-secret` on OSX, you can install
+`homebrew` and then use:
+
+```bash
+brew install git-secret
+````
+
+---
+
+### Debian-Type Systems / `deb` package
+
+`deb` is a packaging system for [Debian](https://www.debian.org/) and related linux
+distributions.
+
+You can find the `deb` repository [here](https://gitsecret.jfrog.io/artifactory/git-secret-deb/).
+Pre-requirements: make sure you have installed `apt-transport-https` and `ca-certificates`
+
+```bash
+{% include install-deb.sh %}
+```
+
+---
+
+### Red Hat Systems / `rpm` package
+
+`rpm` is a packaging system for Fedora, CentOS, and other Red Hat based linux distributions.
+You can find the `rpm` repository [here](https://gitsecret.jfrog.io/artifactory/git-secret-rpm/).
+
+```bash
+{% include install-rpm.sh %}
+```
+
+---
+
+### Alpine Systems / `apk` package
+
+`apk` is a packaging system for Alpine.
+You can find the `apk` `git-secret` packaging 
+[here](https://gitsecret.jfrog.io/artifactory/git-secret-apk/),
+and you can see a list of supported architectures 
+[here](https://github.com/sobolevn/git-secret/blob/master/utils/apk/meta.sh)
+
+```bash
+{% include install-apk.sh %}
+```
+
+---
+
+### Arch Linux
+
+Use `Manual Installation` method described below.
+
+---
+
+### Windows / `WSL`, `Cygwin`, `MSYS`, or `Mingw-w64`
+
+`git-secret` depends on many unix tools and features that Windows systems do not usually
+include by default.  Therefore to get `git-secret` running on Windows you have to 
+install these tools, probably using one of the toolkits described below. 
+Each has a different install and setup process. There may also be other 
+ways to install the unix prerequisites on Windows.
+
+Once the prerequisite unix tools are installed,
+you can use the Manual Installation instructions below to 
+manually install `git-secret` (see below).  
+
+Some ways to install the required unix tools on windows include
+WSL, CYGWIN, MSYS, and Mingw-w64 
+(internally, these tools may share some components).
+
+Documenting how each is installed and used is beyond the scope of this document, 
+so we will cover the topic in broad strokes. Improvements to this documentation
+(or any other git-secret documentation) are welcome. 
+
+Again, after you install the unix tools needed, you can install 
+`git-secret` on windows using the `Manual Installation` steps below.
+
+#### WSL
+
+Perhaps the easiest way to get `git-secret` operating on windows is using `WSL`
+(if your system supports it). 
+Here are instructions to install [WSL](https://docs.microsoft.com/en-us/windows/wsl/install)
+You'll need to install these additional packages: `gnupg`, `make`, `man`, `git`, `gawk`, `file`.
+
+We have successfully set up automated testing of `git-secret` on `WSL`, 
+so we are confident this method works.
+
+#### Mingw-w64
+
+Another way to install the prerequisites for `git-secret` on Windows is to use 
+[Mingw-w64](https://www.mingw-w64.org/) and install the needed packages.
+By default, the `Mingw-w64` installation will be saved to `C:\msys64`. You'll need to 
+install `make` and probably other tools such as `gnupg`, `make`, `man`, `git`, and `gawk`. 
+(This list might not be complete). 
+
+#### MSYS and Cygwin
+
+`git-secret` also works with [MSYS](https://www.msys2.org/)
+and [Cygwin](https://www.cygwin.com/), and we have gotten _most_ of the way to getting
+`git-secret`'s self-tests running on these setups with Windows (see 
+[windows-related issues](https://github.com/sobolevn/git-secret/issues?q=is%3Aissue+is%3Aopen+windows)).
+
+We welcome contributions to `git-secret` and its documentation .
+
+---
+
+### Manual Installation
+
+```bash
+git clone https://github.com/sobolevn/git-secret.git git-secret
+cd git-secret && make build
+PREFIX="/usr/local" make install
+```
+
+Note that you can change `PREFIX` to be any directory you subsequently include in in your `PATH`
+environment variable. We generally recommend you stick to the default 
+install locations for simplicity, but if you know what you're doing you are welcome to change it.
+

docs/plugins.md

@@ -0,0 +1,9 @@
+---
+layout: default
+---
+
+# External plugins
+
+Here's a list of external plugins for `git-secret` developed by other awesome developers:
+
+- [git-secret-diff](https://github.com/msilvestre/git-secret-diff) adds `git secret diff` command similar to `git diff` to see changes in your secrets in different commits

git-secret.plugin.zsh

@@ -1,21 +0,0 @@
-#!/usr/bin/env zsh
-
-# Copyright 2016 Sobolev Nikita <mail@sobolevn.me>
-#
-# Licensed under the MIT License
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Create binary:
-PLUGIN_DIR="$(dirname "$0")"
-
-if [ ! -f "$PLUGIN_DIR/git-secret" ]; then
-  cd "$PLUGIN_DIR" && make build && cd ..
-fi
-
-# Add our plugin's bin diretory to user's path
-export PATH="${PATH}:${PLUGIN_DIR}"

man/man1/git-secret-add.1.md

@@ -0,0 +1,39 @@
+git-secret-add - starts to track added files.
+=============================================
+
+## SYNOPSIS
+
+    git secret add [-v] [-i] <pathspec>...
+
+
+## DESCRIPTION
+`git secret add` - tells `git secret` which files hold secrets.
+
+Adds filepath(s) into `.gitsecret/paths/mapping.cfg`.
+(It is not recommended to alter `.gitsecret/paths/mapping.cfg` manually.)
+
+As of 0.2.6, this command also ensures the filepath is in `.gitignore`
+as the contents are now considered secret and should not be committed into the repository unencrypted.
+
+The `add` action will fail unless there are already users in `git-secret`'s keyring.
+
+
+(See [git-secret(7)](https://git-secret.io/git-secret) for information about renaming the .gitsecret
+folder using the SECRETS_DIR environment variable.
+
+## OPTIONS
+
+    -v  - verbose, shows extra information.
+    -i  - does nothing, adding paths to .gitignore is now the default behavior.
+    -h  - shows this help.
+
+
+## MANUAL
+
+Run `man git-secret-add` to see this document.
+
+
+## SEE ALSO
+
+[git-secret-init(1)](https://git-secret.io/git-secret-init), [git-secret-tell(1)](https://git-secret.io/git-secret-tell),
+[git-secret-hide(1)](https://git-secret.io/git-secret-hide), [git-secret-reveal(1)](https://git-secret.io/git-secret-reveal)

man/man1/git-secret-add.1.ronn

@@ -1,30 +0,0 @@
-git-secret-add - starts to track added files.
-=============================================
-
-## SYNOPSIS
-
-    git secret add [-i] <pathspec>...
-
-
-## DESCRIPTION
-`git-secret-add` adds a filepath(es) into the `.gitsecret/paths/mapping.cfg`. When adding files, ensure that they are ignored by `git`, since they must be secure and not be commited into the remote repository unencrypted.
-
-If there's no users in the `git-secret`'s keyring, when adding a file, an exception will be raised.
-
-It is not recommened to add filenames directly into the `.gitsecret/paths/mapping.cfg`, use the command.
-
-
-## OPTIONS
-
-    -i  - auto adds given files to the `.gitignore` if they are unignored at the moment.
-    -h  - shows this help.
-
-
-## MANUAL
-
-Run `man git-secret-add` to see this note.
-
-
-## SEE ALSO
-
-[git-secret-init(1)](http://git-secret.io/git-secret-init), [git-secret-tell(1)](http://git-secret.io/git-secret-tell), [git-secret-hide(1)](http://git-secret.io/git-secret-hide), [git-secret-reveal(1)](http://git-secret.io/git-secret-reveal)