Bump JamesIves/github-pages-deploy-action from 4.6.4 to 4.6.8 (#1101)

Bumps [JamesIves/github-pages-deploy-action](https://github.com/jamesives/github-pages-deploy-action) from 4.6.4 to 4.6.8.
- [Release notes](https://github.com/jamesives/github-pages-deploy-action/releases)
- [Commits](https://github.com/jamesives/github-pages-deploy-action/compare/v4.6.4...v4.6.8)

---
updated-dependencies:
- dependency-name: JamesIves/github-pages-deploy-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.Dockerfiles/alpine/latest/Dockerfile

@@ -1,44 +0,0 @@
-FROM alpine:latest
-
-RUN apk add --no-cache --update \
-	bash \
-	build-base \
-	coreutils \
-	curl \
-	findutils \
-	gcc \
-	libffi-dev \
-	musl-dev \
-	net-tools \
-	openrc \
-	openssh \
-	openssh-server \
-	openssh-sftp-server \
-	openssl-dev \
-	py-boto \
-	py2-pip \
-	python2-dev \
-	rsyslog \
-	sudo \
-	xz \
- && pip install --upgrade pip \
- && if ! getent passwd <%= @username %>; then \
-      adduser -h /home/<%= @username %> -s /bin/bash -D <%= @username %>; \
-      passwd -d <%= @username %>; \
-    fi \
- && echo "<%= @username %> ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
- && echo "Defaults !requiretty" >> /etc/sudoers \
- && mkdir -p /home/<%= @username %>/.ssh \
- && chown -R <%= @username %> /home/<%= @username %>/.ssh \
- && chmod 0700 /home/<%= @username %>/.ssh \
- && echo '<%= IO.read(@public_key).strip %>' >> /home/<%= @username %>/.ssh/authorized_keys \
- && chown <%= @username %> /home/<%= @username %>/.ssh/authorized_keys \
- && chmod 0600 /home/<%= @username %>/.ssh/authorized_keys \
- && sed -ri 's/^#?PubkeyAuthentication\s+.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config \
- && sed -ri 's/^#?PasswordAuthentication\s+.*/PasswordAuthentication no/' /etc/ssh/sshd_config \
- && sed -ri 's/^#?ChallengeResponseAuthentication\s+.*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config \
- && sed -ri 's/^#?UsePrivilegeSeparation\s+.*/UsePrivilegeSeparation no/' /etc/ssh/sshd_config \
- && echo "UseDNS=no" >> /etc/ssh/sshd_config \
- && rc-update add sshd
-
-EXPOSE 22

.Dockerfiles/centos/latest/Dockerfile

@@ -1,71 +0,0 @@
-FROM centos:latest
-
-ENV container="docker"
-
-RUN yum clean all \
- && yum makecache \
- && yum install -y epel-release \
- && yum makecache \
- && yum install -y \
-	curl \
-	findutils \
-	gcc \
-	glibc-langpack-en.x86_64  \
-	libffi-devel \
-	net-tools \
-	openssh-server \
-	openssl-devel \
-	python2-devel \
-	python2-pip \
-	redhat-lsb \
-	redhat-rpm-config \
-	sudo \
-	systemd \
- && pip install --upgrade pip \
- && yum clean all \
- && if ! getent passwd <%= @username %>; then \
-      useradd -d /home/<%= @username %> -m -s /usr/bin/bash -p '*' <%= @username %>; \
-    fi \
- && echo "<%= @username %> ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
- && echo "Defaults !requiretty" >> /etc/sudoers \
- && mkdir -p /home/<%= @username %>/.ssh \
- && chown -R <%= @username %> /home/<%= @username %>/.ssh \
- && chmod 0700 /home/<%= @username %>/.ssh \
- && echo '<%= IO.read(@public_key).strip %>' >> /home/<%= @username %>/.ssh/authorized_keys \
- && chown <%= @username %> /home/<%= @username %>/.ssh/authorized_keys \
- && chmod 0600 /home/<%= @username %>/.ssh/authorized_keys \
- && export LANG="en_US.UTF-8" && echo "LANG=\"en_US.UTF-8\"" > /etc/locale.conf \
- && cd /lib/systemd/system/sysinit.target.wants/; ls | grep -v systemd-tmpfiles-setup | /usr/bin/xargs rm -f $1 \
- && /usr/bin/rm -f /lib/systemd/system/multi-user.target.wants/* \
- && /usr/bin/rm -f /etc/systemd/system/*.wants/* \
- && /usr/bin/rm -f /lib/systemd/system/local-fs.target.wants/* \
- && /usr/bin/rm -f /lib/systemd/system/sockets.target.wants/*udev* \
- && /usr/bin/rm -f /lib/systemd/system/sockets.target.wants/*initctl* \
- && /usr/bin/rm -f /lib/systemd/system/basic.target.wants/* \
- && /usr/bin/rm -f /lib/systemd/system/anaconda.target.wants/*  \
- && /usr/bin/rm -f /lib/systemd/system/plymouth* \
- && /usr/bin/rm -f /lib/systemd/system/systemd-update-utmp* \
- && sed -ri 's/^#?PubkeyAuthentication\s+.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config \
- && sed -ri 's/^#?UsePrivilegeSeparation\s+.*/UsePrivilegeSeparation no/' /etc/ssh/sshd_config \
- && echo "UseDNS=no" >> /etc/ssh/sshd_config \
- && systemctl set-default multi-user.target \
- && ln -s /lib/systemd/system/sshd.service /etc/systemd/system/multi-user.target.wants/sshd.service \
- && ln -s /lib/systemd/system/systemd-journald.service /etc/systemd/system/multi-user.target.wants/systemd-journald.service \
- && echo $'[Unit]\
-\nDescription=Finish boot up\
-\nAfter=sshd.service\
-\n\
-\n[Service]\
-\nType=oneshot\
-\nRemainAfterExit=yes\
-\nExecStartPre=/bin/sleep 3s\
-\nExecStart=/bin/rm -f /run/nologin\
-\n\
-\n[Install]\
-\nWantedBy=default.target' >> /etc/systemd/system/FinishBootUp.service \
- && ln -s /etc/systemd/system/FinishBootUp.service /etc/systemd/system/multi-user.target.wants/FinishBootUp.service
-
-
-EXPOSE 22
-
-VOLUME [ "/sys/fs/cgroup" ]

.Dockerfiles/debian/latest/Dockerfile

@@ -1,66 +0,0 @@
-FROM debian:stable
-
-ENV DEBIAN_FRONTEND="noninteractive" container="docker"
-
-RUN apt-get update \
- && apt-get upgrade -y \
- && apt-get install -y \
-	apt-utils \
-	curl \
-	locales \
-	lsb-release \
-	net-tools \
-	openssh-server \
-	python-pip \
-	python2.7 \
-	sudo \
-	systemd \
- && pip install --upgrade pip \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
- && if ! getent passwd <%= @username %>; then \
-      useradd -d /home/<%= @username %> -m -s /bin/bash -p '*' <%= @username %>; \
-    fi \
- && echo "<%= @username %> ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
- && echo "Defaults !requiretty" >> /etc/sudoers \
- && mkdir -p /home/<%= @username %>/.ssh \
- && chown -R <%= @username %> /home/<%= @username %>/.ssh \
- && chmod 0700 /home/<%= @username %>/.ssh \
- && echo '<%= IO.read(@public_key).strip %>' >> /home/<%= @username %>/.ssh/authorized_keys \
- && chown <%= @username %> /home/<%= @username %>/.ssh/authorized_keys \
- && chmod 0600 /home/<%= @username %>/.ssh/authorized_keys \
- && echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen \
- && cd /lib/systemd/system/sysinit.target.wants/; ls | grep -v systemd-tmpfiles-setup | /usr/bin/xargs rm -f $1 \
- && /bin/rm -f /lib/systemd/system/multi-user.target.wants/* \
- && /bin/rm -f /etc/systemd/system/*.wants/* \
- && /bin/rm -f /lib/systemd/system/local-fs.target.wants/* \
- && /bin/rm -f /lib/systemd/system/sockets.target.wants/*udev* \
- && /bin/rm -f /lib/systemd/system/sockets.target.wants/*initctl* \
- && /bin/rm -f /lib/systemd/system/basic.target.wants/* \
- && /bin/rm -f /lib/systemd/system/anaconda.target.wants/*  \
- && /bin/rm -f /lib/systemd/system/plymouth* \
- && /bin/rm -f /lib/systemd/system/systemd-update-utmp* \
- && sed -ri 's/^#?UsePAM\s+.*/UsePAM no/' /etc/ssh/sshd_config \
- && sed -ri 's/^#?PubkeyAuthentication\s+.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config \
- && sed -ri 's/^#?UsePrivilegeSeparation\s+.*/UsePrivilegeSeparation no/' /etc/ssh/sshd_config \
- && echo "UseDNS=no" >> /etc/ssh/sshd_config \
- && systemctl set-default multi-user.target \
- && ln -s /lib/systemd/system/ssh.service /etc/systemd/system/multi-user.target.wants/ssh.service \
- && ln -s /lib/systemd/system/systemd-journald.service /etc/systemd/system/multi-user.target.wants/systemd-journald.service \
- && echo $'[Unit]\
-\nDescription=Finish boot up\
-\nAfter=ssh.service\
-\n\
-\n[Service]\
-\nType=oneshot\
-\nRemainAfterExit=yes\
-\nExecStartPre=/bin/sleep 3s\
-\nExecStart=/bin/rm -f /run/nologin\
-\n\
-\n[Install]\
-\nWantedBy=default.target' >> /etc/systemd/system/FinishBootUp.service \
- && ln -s /etc/systemd/system/FinishBootUp.service /etc/systemd/system/multi-user.target.wants/FinishBootUp.service
-
-EXPOSE 22
-
-VOLUME [ "/sys/fs/cgroup" ]

.Dockerfiles/fedora/latest/Dockerfile

@@ -1,69 +0,0 @@
-FROM fedora:latest
-
-ENV container="docker"
-
-RUN dnf clean all \
- && dnf makecache \
- && dnf install -y \
-	curl \
-	findutils \
-	gcc \
-	glibc-langpack-en.x86_64  \
-	libffi-devel \
-	net-tools \
-	openssh-server \
-	openssl-devel \
-	python2-devel \
-	python2-pip \
-	redhat-lsb \
-	redhat-rpm-config \
-	sudo \
-	systemd \
- && pip install --upgrade pip \
- && dnf clean all \
- && if ! getent passwd <%= @username %>; then \
-      useradd -d /home/<%= @username %> -m -s /usr/bin/bash -p '*' <%= @username %>; \
-    fi \
- && echo "<%= @username %> ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
- && echo "Defaults !requiretty" >> /etc/sudoers \
- && mkdir -p /home/<%= @username %>/.ssh \
- && chown -R <%= @username %> /home/<%= @username %>/.ssh \
- && chmod 0700 /home/<%= @username %>/.ssh \
- && echo '<%= IO.read(@public_key).strip %>' >> /home/<%= @username %>/.ssh/authorized_keys \
- && chown <%= @username %> /home/<%= @username %>/.ssh/authorized_keys \
- && chmod 0600 /home/<%= @username %>/.ssh/authorized_keys \
- && export LANG="en_US.UTF-8" && echo "LANG=\"en_US.UTF-8\"" > /etc/locale.conf \
- && cd /lib/systemd/system/sysinit.target.wants/; ls | grep -v systemd-tmpfiles-setup | /usr/bin/xargs rm -f $1 \
- && /usr/bin/rm -f /lib/systemd/system/multi-user.target.wants/* \
- && /usr/bin/rm -f /etc/systemd/system/*.wants/* \
- && /usr/bin/rm -f /lib/systemd/system/local-fs.target.wants/* \
- && /usr/bin/rm -f /lib/systemd/system/sockets.target.wants/*udev* \
- && /usr/bin/rm -f /lib/systemd/system/sockets.target.wants/*initctl* \
- && /usr/bin/rm -f /lib/systemd/system/basic.target.wants/* \
- && /usr/bin/rm -f /lib/systemd/system/anaconda.target.wants/*  \
- && /usr/bin/rm -f /lib/systemd/system/plymouth* \
- && /usr/bin/rm -f /lib/systemd/system/systemd-update-utmp* \
- && sed -ri 's/^#?PubkeyAuthentication\s+.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config \
- && sed -ri 's/^#?UsePrivilegeSeparation\s+.*/UsePrivilegeSeparation no/' /etc/ssh/sshd_config \
- && echo "UseDNS=no" >> /etc/ssh/sshd_config \
- && systemctl set-default multi-user.target \
- && ln -s /lib/systemd/system/sshd.service /etc/systemd/system/multi-user.target.wants/sshd.service \
- && ln -s /lib/systemd/system/systemd-journald.service /etc/systemd/system/multi-user.target.wants/systemd-journald.service \
- && echo $'[Unit]\
-\nDescription=Finish boot up\
-\nAfter=sshd.service\
-\n\
-\n[Service]\
-\nType=oneshot\
-\nRemainAfterExit=yes\
-\nExecStartPre=/bin/sleep 3s\
-\nExecStart=/bin/rm -f /run/nologin\
-\n\
-\n[Install]\
-\nWantedBy=default.target' >> /etc/systemd/system/FinishBootUp.service \
- && ln -s /etc/systemd/system/FinishBootUp.service /etc/systemd/system/multi-user.target.wants/FinishBootUp.service
-
-
-EXPOSE 22
-
-VOLUME [ "/sys/fs/cgroup" ]

.Dockerfiles/ubuntu/latest/Dockerfile

@@ -1,66 +0,0 @@
-FROM ubuntu:latest
-
-ENV DEBIAN_FRONTEND="noninteractive" container="docker"
-
-RUN apt-get update \
- && apt-get upgrade -y \
- && apt-get install -y \
-	apt-utils \
-	curl \
-	locales \
-	lsb-release \
-	net-tools \
-	openssh-server \
-	python-pip \
-	python2.7 \
-	sudo \
-	systemd \
- && pip install --upgrade pip \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
- && if ! getent passwd <%= @username %>; then \
-      useradd -d /home/<%= @username %> -m -s /bin/bash -p '*' <%= @username %>; \
-    fi \
- && echo "<%= @username %> ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
- && echo "Defaults !requiretty" >> /etc/sudoers \
- && mkdir -p /home/<%= @username %>/.ssh \
- && chown -R <%= @username %> /home/<%= @username %>/.ssh \
- && chmod 0700 /home/<%= @username %>/.ssh \
- && echo '<%= IO.read(@public_key).strip %>' >> /home/<%= @username %>/.ssh/authorized_keys \
- && chown <%= @username %> /home/<%= @username %>/.ssh/authorized_keys \
- && chmod 0600 /home/<%= @username %>/.ssh/authorized_keys \
- && echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && /usr/sbin/locale-gen \
- && cd /lib/systemd/system/sysinit.target.wants/; ls | grep -v systemd-tmpfiles-setup | xargs rm -f $1 \
- && /bin/rm -f /lib/systemd/system/multi-user.target.wants/* \
- && /bin/rm -f /etc/systemd/system/*.wants/* \
- && /bin/rm -f /lib/systemd/system/local-fs.target.wants/* \
- && /bin/rm -f /lib/systemd/system/sockets.target.wants/*udev* \
- && /bin/rm -f /lib/systemd/system/sockets.target.wants/*initctl* \
- && /bin/rm -f /lib/systemd/system/basic.target.wants/* \
- && /bin/rm -f /lib/systemd/system/anaconda.target.wants/*  \
- && /bin/rm -f /lib/systemd/system/plymouth* \
- && /bin/rm -f /lib/systemd/system/systemd-update-utmp* \
- && sed -ri 's/^#?UsePAM\s+.*/UsePAM no/' /etc/ssh/sshd_config \
- && sed -ri 's/^#?PubkeyAuthentication\s+.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config \
- && sed -ri 's/^#?UsePrivilegeSeparation\s+.*/UsePrivilegeSeparation no/' /etc/ssh/sshd_config \
- && echo "UseDNS=no" >> /etc/ssh/sshd_config \
- && systemctl set-default multi-user.target \
- && ln -s /lib/systemd/system/ssh.service /etc/systemd/system/multi-user.target.wants/ssh.service \
- && ln -s /lib/systemd/system/systemd-journald.service /etc/systemd/system/multi-user.target.wants/systemd-journald.service \
- && echo $'[Unit]\
-\nDescription=Finish boot up\
-\nAfter=ssh.service\
-\n\
-\n[Service]\
-\nType=oneshot\
-\nRemainAfterExit=yes\
-\nExecStartPre=/bin/sleep 3s\
-\nExecStart=/bin/rm -f /run/nologin\
-\n\
-\n[Install]\
-\nWantedBy=default.target' >> /etc/systemd/system/FinishBootUp.service \
- && ln -s /etc/systemd/system/FinishBootUp.service /etc/systemd/system/multi-user.target.wants/FinishBootUp.service
-
-EXPOSE 22
-
-VOLUME [ "/sys/fs/cgroup" ]

.Dockerfiles/ubuntu/rolling/Dockerfile

@@ -1,67 +0,0 @@
-FROM ubuntu:rolling
-
-ENV DEBIAN_FRONTEND="noninteractive" container="docker"
-
-RUN apt-get update \
- && apt-get upgrade -y \
- && apt-get install -y \
-	apt-utils \
-	curl \
-  rsync \
-	locales \
-	lsb-release \
-	net-tools \
-	openssh-server \
-	python-pip \
-	python2.7 \
-	sudo \
-	systemd \
- && pip install --upgrade pip \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
- && if ! getent passwd <%= @username %>; then \
-      useradd -d /home/<%= @username %> -m -s /bin/bash -p '*' <%= @username %>; \
-    fi \
- && echo "<%= @username %> ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
- && echo "Defaults !requiretty" >> /etc/sudoers \
- && mkdir -p /home/<%= @username %>/.ssh \
- && chown -R <%= @username %> /home/<%= @username %>/.ssh \
- && chmod 0700 /home/<%= @username %>/.ssh \
- && echo '<%= IO.read(@public_key).strip %>' >> /home/<%= @username %>/.ssh/authorized_keys \
- && chown <%= @username %> /home/<%= @username %>/.ssh/authorized_keys \
- && chmod 0600 /home/<%= @username %>/.ssh/authorized_keys \
- && echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && /usr/sbin/locale-gen \
- && cd /lib/systemd/system/sysinit.target.wants/; ls | grep -v systemd-tmpfiles-setup | xargs rm -f $1 \
- && /bin/rm -f /lib/systemd/system/multi-user.target.wants/* \
- && /bin/rm -f /etc/systemd/system/*.wants/* \
- && /bin/rm -f /lib/systemd/system/local-fs.target.wants/* \
- && /bin/rm -f /lib/systemd/system/sockets.target.wants/*udev* \
- && /bin/rm -f /lib/systemd/system/sockets.target.wants/*initctl* \
- && /bin/rm -f /lib/systemd/system/basic.target.wants/* \
- && /bin/rm -f /lib/systemd/system/anaconda.target.wants/*  \
- && /bin/rm -f /lib/systemd/system/plymouth* \
- && /bin/rm -f /lib/systemd/system/systemd-update-utmp* \
- && sed -ri 's/^#?UsePAM\s+.*/UsePAM no/' /etc/ssh/sshd_config \
- && sed -ri 's/^#?PubkeyAuthentication\s+.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config \
- && sed -ri 's/^#?UsePrivilegeSeparation\s+.*/UsePrivilegeSeparation no/' /etc/ssh/sshd_config \
- && echo "UseDNS=no" >> /etc/ssh/sshd_config \
- && systemctl set-default multi-user.target \
- && ln -s /lib/systemd/system/ssh.service /etc/systemd/system/multi-user.target.wants/ssh.service \
- && ln -s /lib/systemd/system/systemd-journald.service /etc/systemd/system/multi-user.target.wants/systemd-journald.service \
- && echo $'[Unit]\
-\nDescription=Finish boot up\
-\nAfter=ssh.service\
-\n\
-\n[Service]\
-\nType=oneshot\
-\nRemainAfterExit=yes\
-\nExecStartPre=/bin/sleep 3s\
-\nExecStart=/bin/rm -f /run/nologin\
-\n\
-\n[Install]\
-\nWantedBy=default.target' >> /etc/systemd/system/FinishBootUp.service \
- && ln -s /etc/systemd/system/FinishBootUp.service /etc/systemd/system/multi-user.target.wants/FinishBootUp.service
-
-EXPOSE 22
-
-VOLUME [ "/sys/fs/cgroup" ]

.ci/after_deploy.sh

@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-# This file is required, because for some reason
-# travis deploys do not trigger metadata calculation.
-# See: https://github.com/sobolevn/git-secret/issues/89
-
-# This file is only called after successful deploy.
-
-# We need to execute custom call to the Bintray API:
-curl -X POST \
-  --user "sobolevn:$BINTRAY_API_KEY" \
-  -H "X-GPG-PASSPHRASE: $BINTRAY_GPG_PASS" \
-  "https://api.bintray.com/calc_metadata/sobolevn/$GITSECRET_DIST"

.ci/ansible-setup.sh

@@ -1,28 +0,0 @@
-#!/bin/sh
-## Script is sepcifically for use on travis-ci
-
-set -e
-
-## This is an example setup script that you would encapsulate the installation
-# What version of avm setup to use
-echo "Setting up Ansible Version Manager"
-AVM_VERSION="v1.0.0"
-## Install Ansible 2.3.1 using pip and label it 'v2.3'
-export ANSIBLE_VERSIONS_0="2.3.1.0"
-export INSTALL_TYPE_0="pip"
-export ANSIBLE_LABEL_0="v2.3"
-## Install Ansible 2.4.1 using pip and label it 'v2.4'
-export ANSIBLE_VERSIONS_1="2.4.1.0"
-export INSTALL_TYPE_1="pip"
-export ANSIBLE_LABEL_1="v2.4"
-# Whats the default version
-export ANSIBLE_DEFAULT_VERSION="v2.4"
-
-## Create a temp dir to download avm
-avm_dir="$(mktemp -d 2> /dev/null || mktemp -d -t 'mytmpdir')"
-git clone https://github.com/ahelal/avm.git "${avm_dir}" > /dev/null 2>&1
-
-## Run the setup
-/bin/sh ${avm_dir}/setup.sh
-
-exit 0

.ci/before_deploy.sh

@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-if [[ "$GITSECRET_DIST" == "rpm" ]]; then
-  # To deploy `rpm`-packages this utility is needed:
-  sudo apt-get install -y rpm;
-fi
-
-if [[ ! -z "$GITSECRET_DIST" ]] && [[ -z "$KITCHEN_REGEXP" ]]; then
-  # When making a non-container build, this step will generate
-  # proper manifest files:
-  make "deploy-$GITSECRET_DIST";
-fi

.ci/before_script.sh

@@ -1,34 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-# Linux helper functions:
-function update_linux() {
-  sudo apt-get update -qq
-  sudo apt-get install -qq python-apt python-pycurl git python-pip ruby ruby-dev build-essential autoconf rpm
-  gem install bundler
-}
-
-function install_ansible {
-  bash .ci/ansible-setup.sh
-  bundle install
-  ~/.avm/v2.3/venv/bin/pip install netaddr ansible-lint
-  ~/.avm/v2.4/venv/bin/pip install netaddr ansible-lint
-}
-
-
-# Mac:
-if [[ "$GITSECRET_DIST" == "brew" ]]; then
-  gnupg_installed="$(brew list | grep -c "gnupg")"
-  [[ "$gnupg_installed" -ge 1 ]] || brew install gnupg
-  if [[ -f "/usr/local/bin/gpg1" ]]; then
-    ln -s /usr/local/bin/gpg1 /usr/local/bin/gpg
-  fi
-  brew install gawk
-fi
-
-# Linux:
-if [[ "$TRAVIS_OS_NAME" == "linux" ]] && [[ -n "$KITCHEN_REGEXP" ]]; then
-  update_linux
-  install_ansible
-fi

.ci/docker-ci/alma/Dockerfile

@@ -0,0 +1,20 @@
+FROM almalinux:8
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN dnf -y update \
+  && dnf install -y \
+    # Direct dependencies:
+    bash \
+    gawk \
+    git \
+    gnupg \
+    # Assumed to be present:
+    diffutils \
+    file \
+    findutils \
+    procps \
+    make \
+  && dnf clean all \
+  && rm -rf /var/cache/yum

.ci/docker-ci/alpine/Dockerfile

@@ -0,0 +1,17 @@
+FROM alpine:3.20.3
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+# Don't install coreutils on Alpine,
+# so we get busybox versions of ps, stat, and ls. See #475
+RUN apk add --no-cache --update \
+  # Direct dependencies:
+  bash \
+  gawk \
+  git \
+  gnupg \
+  # Assumed to be present:
+  file \
+  make \
+  procps

.ci/docker-ci/arch/Dockerfile

@@ -0,0 +1,17 @@
+FROM archlinux:base-20220529.0.58327
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN pacman -Syu --needed --noconfirm \
+  # Direct dependencies:
+  bash \
+  gawk \
+  git \
+  gnupg \
+  # Assumed to be present:
+  diffutils \
+  file \
+  make \
+  procps
+

.ci/docker-ci/debian-gnupg1/Dockerfile

@@ -0,0 +1,21 @@
+FROM debian:12.7-slim
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+ENV DEBIAN_FRONTEND='noninteractive'
+ENV SECRETS_GPG_COMMAND='gpg1'
+
+RUN apt-get update \
+  && apt-get install --no-install-recommends -y \
+    # Direct dependencies:
+    gawk \
+    git \
+    gnupg1 \
+    # Assumed to be present:
+    file \
+    procps \
+    make \
+  # Cleaning cache:
+  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+  && apt-get clean -y && rm -rf /var/lib/apt/lists/*

.ci/docker-ci/debian-gnupg2/Dockerfile

@@ -0,0 +1,20 @@
+FROM debian:12.7-slim
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+ENV DEBIAN_FRONTEND='noninteractive'
+
+RUN apt-get update \
+  && apt-get install --no-install-recommends -y \
+    # Direct dependencies:
+    gawk \
+    git \
+    gnupg \
+    # Assumed to be present:
+    file \
+    procps \
+    make \
+  # Cleaning cache:
+  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+  && apt-get clean -y && rm -rf /var/lib/apt/lists/*

.ci/docker-ci/fedora/Dockerfile

@@ -0,0 +1,20 @@
+FROM fedora:40
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN dnf -y update \
+  && dnf install -y \
+    # Direct dependencies:
+    bash \
+    gawk \
+    git \
+    gnupg \
+    # Assumed to be present:
+    diffutils \
+    file \
+    findutils \
+    procps \
+    make \
+  && dnf clean all \
+  && rm -rf /var/cache/yum

.ci/docker-ci/rocky/Dockerfile

@@ -0,0 +1,20 @@
+FROM rockylinux:8
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN dnf -y update \
+  && dnf install -y \
+    # Direct dependencies:
+    bash \
+    gawk \
+    git \
+    gnupg \
+    # Assumed to be present:
+    diffutils \
+    file \
+    findutils \
+    procps \
+    make \
+  && dnf clean all \
+  && rm -rf /var/cache/yum

.ci/docker-ci/ubuntu/Dockerfile

@@ -0,0 +1,20 @@
+FROM ubuntu:23.10
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+ENV DEBIAN_FRONTEND="noninteractive"
+
+RUN apt-get update \
+  && apt-get install --no-install-recommends -y \
+    # Direct dependencies:
+    gawk \
+    git \
+    gnupg \
+    # Assumed to be present:
+    file \
+    procps \
+    make \
+  # Cleaning cache:
+  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+  && apt-get clean -y && rm -rf /var/lib/apt/lists/*

.ci/github_release_script.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env sh
+
+set -e
+
+# Installing additional deps:
+apk add --no-cache curl jq
+
+# https://gist.github.com/Jaskaranbir/d5b065173b3a6f164e47a542472168c1
+USER="$(echo "$GITHUB_REPOSITORY" | cut -d "/" -f1)"
+PROJECT="$(echo "$GITHUB_REPOSITORY" | cut -d "/" -f2)"
+
+LAST_RELEASE_TAG=$(curl \
+    --header "authorization: Bearer $GITHUB_TOKEN" \
+    --url "https://api.github.com/repos/$GITHUB_REPOSITORY/releases/latest" \
+  | jq .tag_name | sed 's/"//g'
+)
+echo "LAST_RELEASE_TAG=$LAST_RELEASE_TAG"
+if [ "$LAST_RELEASE_TAG" = 'null' ]; then
+  # Most likely, we are facing rate-limiting problems,
+  # just try again later.
+  exit 1
+fi
+
+NEW_CHANGELOG='CHANGELOG-RELEASE.md'
+
+# Generate new CHANGELOG.md with just the last changes
+github_changelog_generator \
+  --user "$USER" \
+  --project "$PROJECT" \
+  --token "$GITHUB_OAUTH_TOKEN" \
+  --since-tag "$LAST_RELEASE_TAG" \
+  --max-issues 100 \
+  --no-issues \
+  --release-branch 'master' \
+  --token "$GITHUB_TOKEN" \
+  --output "$NEW_CHANGELOG"
+
+echo 'Done! Changelog:'
+cat "$NEW_CHANGELOG"

.ci/integration/gnupg-git/default.yml

@@ -1,131 +0,0 @@
----
-# host to test against
-- hosts: test-kitchen
-  remote_user: root
-  tasks:
-    - include_tasks: tasks/dependencies.yml
-
-    - name: Install build tools
-      package:
-        name: "{{ item }}"
-      with_items: "{{ build_tools }}"
-
-    - name: Check whether deb-src repos are enabled
-      command: grep -c -e "^deb-src.*" /etc/apt/sources.list
-      register: deb_src_check
-      ignore_errors: yes
-      when:
-        - ansible_os_family == "Debian"
-
-    - name: Set deb-src check results
-      set_fact:
-        deb_src_check_result: "{{ deb_src_check.stdout | default(0) | int }}"
-
-    - name: Enable Ubuntu main & restricted source repo
-      replace:
-        path: '/etc/apt/sources.list'
-        regexp: '^(#\s)(.*main\srestricted)$'
-        replace: '\2 # enabled'
-      when:
-        - ansible_distribution == "Ubuntu"
-        - deb_src_check_result >= 1
-
-    - name: Enable Debian source repos
-      replace:
-        path: '/etc/apt/sources.list'
-        regexp: '^(deb)(.*)$'
-        replace: '\1\2\ndeb-src\2'
-      when:
-        - ansible_distribution == "Debian"
-        - deb_src_check_result >= 1
-
-    - name: Install gnupg build dependencies for Debian based distros
-      apt:
-        name: gnupg2
-        state: build-dep
-        update_cache: yes
-      when:
-        - ansible_os_family == "Debian"
-
-    - name: Install gnupg build dependencies for RedHat based distros
-      command: bash -lc "yum --assumeyes install yum-utils && yum-builddep --assumeyes gnupg2"
-      when:
-        - ansible_os_family == "RedHat"
-
-    - name: Get GnuPG github api content
-      uri:
-        url: https://api.github.com/repos/gpg/gnupg/tags
-        method: GET
-        return_content: yes
-        body_format: json
-      register: gnupg_tags
-
-    - name: Set url for latest gnupg release source
-      set_fact:
-        gnupg_tarball_url: >-
-          {{
-            gnupg_tags.json |
-            selectattr('name','match','gnupg-2.*') |
-            map(attribute='tarball_url') | first
-          }}
-
-    - name: Download latest release of gnupg source
-      get_url:
-        url: "{{ gnupg_tarball_url }}"
-        dest: /tmp/gnupg.tar.gz
-        force: yes
-      retries: 5
-      delay: 10
-
-    - name: Extract gnupg source tarball
-      unarchive:
-        src: /tmp/gnupg.tar.gz
-        dest: /usr/local/src/
-
-    - name: Find gnupg src directory
-      find:
-        paths: /usr/local/src
-        patterns: "gpg-gnupg*"
-        file_type: directory
-        recurse: no
-      register: found_gpg_src
-
-    - name: Set gnupg src directory
-      set_fact:
-        gpg_src_path: "{{ found_gpg_src.files | map(attribute='path') | first }}"
-
-    - name: Run gnupg autogen
-      command: bash -lc "cd {{ gpg_src_path }} && ./autogen.sh "
-      changed_when: False
-
-    - name: Disable development msg for gnupg
-      lineinfile:
-        path: "{{ gpg_src_path }}/configure"
-        regexp: '^development_version=.*'
-        line: 'development_version=no'
-
-    - name: Set gnupg build config
-      set_fact:
-        gpg_build_config: >-
-          --sysconfdir=/etc
-          --prefix=/usr
-          --enable-symcryptrun
-          --docdir=/usr/share/doc/gnupg-2.2.0
-          --disable-rpath
-          --enable-maintainer-mode
-      changed_when: False
-
-    - name: Configure gnupg build
-      command: bash -lc "cd {{ gpg_src_path }} && ./configure {{ gpg_build_config }}"
-      changed_when: False
-
-    - name: Compile gnupg src
-      command: bash -lc "cd {{ gpg_src_path }} && make"
-      changed_when: False
-
-    - name: Install compiled gnupg
-      command: bash -lc "cd {{ gpg_src_path }}  && make install"
-      changed_when: False
-
-    - include_tasks: tasks/prep-tests.yml
-    - include_tasks: tasks/run-tests.yml

.ci/integration/gnupg-git/serverspec/default_spec.rb

@@ -1,53 +0,0 @@
-require_relative './spec_helper'
-
-describe 'git-secret::test' do
-
-  describe package('git-secret') do
-    it { should be_installed }
-  end
-
-  if host_inventory['platform'] == 'fedora'
-    describe command('find /tmp/git-secret/build -name "*.rpm"') do
-      its(:stdout) { should match /git-secret.*rpm/ }
-    end
-  elsif host_inventory['platform'] == 'alpine'
-    describe command('find /tmp/git-secret/build -name "*.apk"') do
-      its(:stdout) { should match /git-secret.*apk/ }
-    end
-  else
-    describe command('find /tmp/git-secret/build -name "*.deb"') do
-      its(:stdout) { should match /git-secret.*deb/ }
-    end
-  end
-
-  describe file('/.git-secret_test-passed') do
-    it { should exist }
-  end
-
-  describe file('/.git-secret_lint-passed') do
-    it { should exist }
-  end
-
-  if host_inventory['platform'] == 'fedora'
-    describe command('rpm --query --info git-secret') do
-      its(:exit_status) { should eq 0 }
-    end
-  elsif host_inventory['platform'] == 'alpine'
-    describe command('apk info git-secret') do
-      its(:exit_status) { should eq 0 }
-    end
-  else
-    describe command('dpkg-query --status git-secret') do
-      its(:exit_status) { should eq 0 }
-    end
-  end
-
-  describe command('man -w "git-secret"') do
-    its(:exit_status) { should eq 0 }
-  end
-
-  describe command('man -w "git-secret-init"') do
-    its(:exit_status) { should eq 0 }
-  end
-
-end

.ci/integration/gnupg-git/serverspec/spec_helper.rb

@@ -1,11 +0,0 @@
-require 'serverspec'
-
-# :backend can be either :exec or :ssh
-# since we are running local we use :exec
-set :backend, :exec
-
-RSpec.configure do |c|
-  c.before :all do
-    c.path = '/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin'
-  end
-end

.ci/integration/gnupg1/default.yml

@@ -1,38 +0,0 @@
----
-# host to test against
-- hosts: test-kitchen
-  remote_user: root
-  tasks:
-    - include_tasks: tasks/dependencies.yml
-
-    - name: Install gnupg
-      package:
-        name: "{{ item.name }}"
-        state: present
-      when:
-        - ansible_distribution == item.distribution
-      with_items:
-        - name: gnupg
-          distribution: Alpine
-        - name: gnupg
-          distribution: Fedora
-        - name: gnupg1
-          distribution: Debian
-        - name: gnupg1
-          distribution: Alpine
-
-    - name: Check for gpg1 binary
-      stat:
-        path: /usr/bin/gpg1
-      register: gpg1
-
-    - name: Make gpg1 default binary
-      file:
-        src: /usr/bin/gpg1
-        dest: /usr/bin/gpg
-        state: link
-        force: yes
-      when: gpg1.stat.exists
-
-    - include_tasks: tasks/prep-tests.yml
-    - include_tasks: tasks/run-tests.yml

.ci/integration/gnupg1/serverspec/default_spec.rb

@@ -1,53 +0,0 @@
-require_relative './spec_helper'
-
-describe 'git-secret::test' do
-
-  describe package('git-secret') do
-    it { should be_installed }
-  end
-
-  if host_inventory['platform'] == 'fedora' || host_inventory['platform'] == 'redhat'
-    describe command('find /tmp/git-secret/build -name "*.rpm"') do
-      its(:stdout) { should match /git-secret.*rpm/ }
-    end
-  elsif host_inventory['platform'] == 'alpine'
-    describe command('find /tmp/git-secret/build -name "*.apk"') do
-      its(:stdout) { should match /git-secret.*apk/ }
-    end
-  else
-    describe command('find /tmp/git-secret/build -name "*.deb"') do
-      its(:stdout) { should match(/git-secret.*deb/) }
-    end
-  end
-
-  describe file('/.git-secret_test-passed') do
-    it { should exist }
-  end
-
-  describe file('/.git-secret_lint-passed') do
-    it { should exist }
-  end
-
-  if host_inventory['platform'] == 'fedora' || host_inventory['platform'] == 'redhat'
-    describe command('rpm --query --info git-secret') do
-      its(:exit_status) { should eq 0 }
-    end
-  elsif host_inventory['platform'] == 'alpine'
-    describe command('apk info git-secret') do
-      its(:exit_status) { should eq 0 }
-    end
-  else
-    describe command('dpkg-query --status git-secret') do
-      its(:exit_status) { should eq 0 }
-    end
-  end
-
-  describe command('man -w "git-secret"') do
-    its(:exit_status) { should eq 0 }
-  end
-
-  describe command('man -w "git-secret-init"') do
-    its(:exit_status) { should eq 0 }
-  end
-
-end

.ci/integration/gnupg1/serverspec/spec_helper.rb

@@ -1,11 +0,0 @@
-require 'serverspec'
-
-# :backend can be either :exec or :ssh
-# since we are running local we use :exec
-set :backend, :exec
-
-RSpec.configure do |c|
-  c.before :all do
-    c.path = '/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin'
-  end
-end

.ci/integration/gnupg2/default.yml

@@ -1,42 +0,0 @@
----
-# host to test against
-- hosts: test-kitchen
-  remote_user: root
-  tasks:
-    - include_tasks: tasks/dependencies.yml
-
-    - name: Install gnupg
-      package:
-        name: "{{ item.name }}"
-        state: present
-      when:
-        - ansible_distribution == item.distribution
-      with_items:
-        - name: gnupg
-          distribution: Alpine
-        - name: gnupg2
-          distribution: Fedora
-        - name: gnupg2
-          distribution: Ubuntu
-        - name: gnupg
-          distribution: Debian
-        - name: gnupg
-          distribution: Alpine
-
-    - name: Check for gpg2 binary
-      stat:
-        path: /usr/bin/gpg2
-      register: gpg2
-
-    - name: Make gpg2 default binary
-      file:
-        src: /usr/bin/gpg2
-        dest: /usr/bin/gpg
-        state: link
-        force: yes
-      when:
-        - gpg2.stat.exists
-        - gpg2.stat.islnk == False
-
-    - include_tasks: tasks/prep-tests.yml
-    - include_tasks: tasks/run-tests.yml

.ci/integration/gnupg2/serverspec/default_spec.rb

@@ -1,53 +0,0 @@
-require_relative './spec_helper'
-
-describe 'git-secret::test' do
-
-  describe package('git-secret') do
-      it { should be_installed }
-  end
-
-  if host_inventory['platform'] == 'fedora' || host_inventory['platform'] == 'redhat'
-    describe command('find /tmp/git-secret/build -name "*.rpm"') do
-      its(:stdout) { should match(/git-secret.*rpm/) }
-    end
-  elsif host_inventory['platform'] == 'alpine'
-    describe command('find /tmp/git-secret/build -name "*.apk"') do
-      its(:stdout) { should match /git-secret.*apk/ }
-    end
-  else
-    describe command('find /tmp/git-secret/build -name "*.deb"') do
-      its(:stdout) { should match(/git-secret.*deb/) }
-    end
-  end
-
-  describe file('/.git-secret_test-passed') do
-    it { should exist }
-  end
-
-  describe file('/.git-secret_lint-passed') do
-    it { should exist }
-  end
-
-  if host_inventory['platform'] == 'fedora' || host_inventory['platform'] == 'redhat'
-    describe command('rpm --query --info git-secret') do
-      its(:exit_status) { should eq 0 }
-    end
-  elsif host_inventory['platform'] == 'alpine'
-    describe command('apk info git-secret') do
-      its(:exit_status) { should eq 0 }
-    end
-  else
-    describe command('dpkg-query --status git-secret') do
-      its(:exit_status) { should eq 0 }
-    end
-  end
-
-  describe command('man -w "git-secret"') do
-    its(:exit_status) { should eq 0 }
-  end
-
-  describe command('man -w "git-secret-init"') do
-    its(:exit_status) { should eq 0 }
-  end
-
-end

.ci/integration/gnupg2/serverspec/spec_helper.rb

@@ -1,11 +0,0 @@
-require 'serverspec'
-
-# :backend can be either :exec or :ssh
-# since we are running local we use :exec
-set :backend, :exec
-
-RSpec.configure do |c|
-  c.before :all do
-    c.path = '/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin'
-  end
-end

.ci/integration/tasks/dependencies.yml

@@ -1,41 +0,0 @@
----
-- name: Load a variable file based on the OS type, or a default if not found.
-  include_vars: "{{ item }}"
-  with_first_found:
-    - "{{ ansible_distribution }}.yml"
-    - "{{ ansible_os_family }}.yml"
-    - "default.yml"
-
-- name: Install Dependencies
-  package:
-    name: "{{ item }}"
-    state: present
-  with_items: "{{ test_dependencies }}"
-
-- name: Get bats
-  git:
-    repo: 'https://github.com/sstephenson/bats.git'
-    dest: /opt/bats
-
-- name: Install bats
-  file:
-    src: /opt/bats/libexec/bats
-    dest: /usr/bin/bats
-    state: link
-
-- name: Get ShellCheck
-  get_url:
-    url: https://storage.googleapis.com/shellcheck/shellcheck-latest.linux.x86_64.tar.xz
-    dest: /tmp/shellcheck.tar.xz
-
-- name: Install ShellCheck
-  command: tar xvf /tmp/shellcheck.tar.xz -C /usr/bin --strip-components=1
-  args:
-    warn: no
-    creates: /usr/bin/shellcheck
-
-- name: Install fpm
-  gem:
-    name: fpm
-    state: present
-    user_install: no

.ci/integration/tasks/prep-tests.yml

@@ -1,36 +0,0 @@
----
-- name: Get OS package type
-  set_fact:
-    os_pkg_type: "{{ item.os_pkg_type }}"
-  when:
-    - item.os_family == ansible_os_family
-  with_items:
-    - os_family: RedHat
-      os_pkg_type: "rpm"
-    - os_family: Debian
-      os_pkg_type: "deb"
-    - os_family: Suse
-      os_pkg_type: "rpm"
-    - os_family: Alpine
-      os_pkg_type: "apk"
-  changed_when: false
-  tags:
-    - skip_ansible_lint
-
-- name: Get gpg version
-  command: gpg --version
-  register: gpg_version
-  changed_when: False
-
-- name: Print gpg version
-  debug:
-    msg: "Running test againts {{ gpg_version.stdout_lines | first | string }}."
-  changed_when: False
-
-- name: Copy git-secret src
-  synchronize:
-    src: /opt/workspace/
-    dest: /tmp/git-secret
-    archive: false
-    owner: no
-    recursive: yes

.ci/integration/tasks/run-tests.yml

@@ -1,69 +0,0 @@
----
-- name: Run ci-test
-  command: bash -lc "cd /tmp/git-secret && make test"
-  changed_when: False
-  ignore_errors: yes
-  register: test_results
-  environment:
-    PATH: /usr/local/bin:{{ ansible_env.PATH }}
-
-- name: Print ci-test results
-  debug:
-    var: test_results.stdout_lines
-
-- name: Create file when ci-test passes
-  file:
-    path: /.git-secret_test-passed
-    state: touch
-  when:
-    - test_results.rc == 0
-
-- name: Run lint
-  command: bash -lc "cd /tmp/git-secret && make lint"
-  ignore_errors: yes
-  register: lint_results
-  changed_when: False
-
-- name: Print lint results
-  debug:
-    var: lint_results.stdout_lines
-
-- name: Create file when lint passes
-  file:
-    path: /.git-secret_lint-passed
-    state: touch
-  when:
-    - lint_results.rc == 0
-
-- name: Create git-secret {{ os_pkg_type }} package
-  command: bash -lc "cd /tmp/git-secret && make build-{{ os_pkg_type }}"
-  changed_when: False
-  ignore_errors: yes
-  register: test_results
-  environment:
-    PATH: /usr/local/bin:{{ ansible_env.PATH }}
-
-- name: Find git-secret {{ os_pkg_type }} file
-  find:
-    paths: /tmp/git-secret/build
-    patterns: "*.{{ os_pkg_type }}"
-    recurse: yes
-  register: pkg_location
-
-- name: Set git-secret {{ os_pkg_type }} location
-  set_fact:
-    pkg_path: "{{ pkg_location.files | map(attribute='path') | first }}"
-  when:
-    - pkg_location is defined
-
-- name: Install git-secret {{ os_pkg_type }} package
-  command: bash -lc "{{ item.command }} {{ pkg_path }}"
-  when:
-    - item.os_family == ansible_os_family
-  with_items:
-    - command: "rpm --nodeps --install --force"
-      os_family: "RedHat"
-    - command: "dpkg --force-all --install"
-      os_family: "Debian"
-    - command: "apk add --allow-untrusted"
-      os_family: "Alpine"

.ci/integration/vars/Alpine.yml

@@ -1,15 +0,0 @@
----
-test_dependencies:
-  - gawk
-  - git
-  - make
-  - man
-  - procps
-  - rsync
-  - ruby
-  - ruby-dev
-  - tar
-
-build_tools:
-  - make
-  - tar

.ci/integration/vars/CentOS.yml

@@ -1,19 +0,0 @@
----
-test_dependencies:
-  - gawk
-  - git
-  - make
-  - man
-  - redhat-rpm-config
-  - rpm-build
-  - rsync
-  - ruby-devel
-  - rubygems
-  - rubygems-devel
-
-build_tools:
-  - ImageMagick
-  - autoconf
-  - automake
-  - texinfo
-  - transfig

.ci/integration/vars/Debian.yml

@@ -1,16 +0,0 @@
----
-test_dependencies:
-  - gawk
-  - git
-  - make
-  - man
-  - ruby-dev
-  - rubygems
-
-build_tools:
-  - autoconf
-  - automake
-  - build-essential
-  - imagemagick
-  - texinfo
-  - transfig

.ci/integration/vars/Fedora.yml

@@ -1,19 +0,0 @@
----
-test_dependencies:
-  - gawk
-  - git
-  - make
-  - man
-  - redhat-rpm-config
-  - rpm-build
-  - rsync
-  - ruby-devel
-  - rubygems
-  - rubygems-devel
-
-build_tools:
-  - ImageMagick
-  - autoconf
-  - automake
-  - texinfo
-  - transfig

.ci/integration/vars/Ubuntu.yml

@@ -1,16 +0,0 @@
----
-test_dependencies:
-  - gawk
-  - git
-  - make
-  - man
-  - ruby-dev
-  - rubygems
-
-build_tools:
-  - autoconf
-  - automake
-  - build-essential
-  - imagemagick
-  - texinfo
-  - transfig

.ci/integration/vars/default.yml

@@ -1,16 +0,0 @@
----
-test_dependencies:
-  - gawk
-  - make
-  - git
-  - ruby-dev
-  - rubygems
-  - man
-
-build_tools:
-  - autoconf
-  - automake
-  - build-essential
-  - imagemagick
-  - texinfo
-  - transfig

.ci/release-ci/alma/Dockerfile

@@ -0,0 +1,12 @@
+FROM almalinux:8
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN dnf -y update \
+  && dnf install -y \
+    # Required for our install script:
+    wget \
+    sudo \
+  && dnf clean all \
+  && rm -rf /var/cache/yum

.ci/release-ci/alpine/Dockerfile

@@ -0,0 +1,9 @@
+FROM alpine:3.20.3
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN apk add --no-cache --update \
+  # Required for our install script:
+  bash \
+  wget

.ci/release-ci/debian/Dockerfile

@@ -0,0 +1,23 @@
+FROM debian:12.7-slim
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+ENV DEBIAN_FRONTEND='noninteractive'
+
+RUN apt-get update \
+  && apt-get install --no-install-recommends -y \
+    # Required to work with https-based repos and custom signed packages:
+    apt-transport-https \
+    ca-certificates \
+    # Required for our install script:
+    gnupg \
+    sudo \
+    wget \
+  # Cleaning cache:
+  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+  && apt-get clean -y && rm -rf /var/lib/apt/lists/* \
+  && adduser --disabled-password nonroot \
+  && adduser nonroot sudo \
+  && echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+USER nonroot

.ci/release-ci/fedora/Dockerfile

@@ -0,0 +1,16 @@
+FROM fedora:40
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN dnf -y update \
+  && dnf install -y \
+    # Required for our install script:
+    wget \
+    sudo \
+  && dnf clean all \
+  && rm -rf /var/cache/yum \
+  && adduser --password='' -m nonroot \
+  && echo 'nonroot ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+USER nonroot
+WORKDIR /home/nonroot

.ci/release-ci/rocky/Dockerfile

@@ -0,0 +1,12 @@
+FROM rockylinux:8
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+RUN dnf -y update \
+  && dnf install -y \
+    # Required for our install script:
+    wget \
+    sudo \
+  && dnf clean all \
+  && rm -rf /var/cache/yum

.ci/release-ci/ubuntu/Dockerfile

@@ -0,0 +1,23 @@
+FROM ubuntu:23.10
+
+LABEL maintainer="mail@sobolevn.me"
+LABEL vendor="git-secret team"
+
+ENV DEBIAN_FRONTEND='noninteractive'
+
+RUN apt-get update \
+  && apt-get install --no-install-recommends -y \
+    # Required to work with https-based repos and custom signed packages:
+    apt-transport-https \
+    ca-certificates \
+    # Required for our install script:
+    gnupg \
+    sudo \
+    wget \
+  # Cleaning cache:
+  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+  && apt-get clean -y && rm -rf /var/lib/apt/lists/* \
+  && adduser --disabled-password nonroot \
+  && adduser nonroot sudo \
+  && echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+USER nonroot

.ci/releaser/alpine/Dockerfile

@@ -0,0 +1,40 @@
+# Initially copied from
+# https://github.com/jordansissel/fpm/blob/master/Dockerfile
+FROM alpine:3.20.3
+
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+
+ENV CODE_DIR='/code'
+ENV SECRETS_PROJECT_ROOT="$CODE_DIR"
+ENV NFPM_VERSION='2.15.1'
+
+RUN apk add --no-cache --update \
+    # fpm deps:
+    ruby \
+    ruby-dev \
+    ruby-etc \
+    gcc \
+    libffi-dev \
+    make \
+    libc-dev \
+    rpm \
+    tar \
+    # Direct dependencies:
+    bash \
+    gawk \
+    git \
+    gnupg \
+    # Assumed to be present:
+    curl \
+    # envsubst for `nfpm`:
+    gettext \
+  # Installing `nfpm`, it builds alpine packages:
+  && curl -sfL "https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_Linux_x86_64.tar.gz" --output 'nfpm.tar.gz' \
+  && tar -xf 'nfpm.tar.gz' nfpm \
+  && mv nfpm '/usr/local/bin' \
+  && chmod 755 '/usr/local/bin/nfpm' \
+  && rm -rf 'nfpm.tar.gz' \
+  # Installing `fpm`, it builds all other packages:
+  && gem install --no-document fpm
+
+WORKDIR $CODE_DIR

.ci/script.sh

@@ -1,25 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-function run_kitchen_tests {
-  ansible --version
-  ruby --version
-  python --version
-  pip --version
-  bundler --version
-  bundle show
-  bundle exec kitchen test --test-base-path="$PWD/.ci/integration" $KITCHEN_REGEXP
-}
-
-# Local builds:
-if [[ "$GITSECRET_DIST" == "brew" ]]; then
-  # Only running `make test` on standard (non-docker) build,
-  # since it is called inside the docker container anyway.
-  make test
-fi
-
-# Linux:
-if [[ "$TRAVIS_OS_NAME" == "linux" ]] && [[ -n "$KITCHEN_REGEXP" ]]; then
-  run_kitchen_tests
-fi

.editorconfig

@@ -8,17 +8,6 @@ indent_style = space
 trim_trailing_whitespace = true
 end_of_line = lf
 insert_final_newline = true
-
-[*.json]
-indent_size = 2
-
-[*.py]
-indent_size = 4
-
-[*.sh]
-indent_size = 2
-
-[*.bats]
 indent_size = 2
 
 [Makefile]

.gitattributes

@@ -1 +1,10 @@
-* text=auto
+# Excluding from GitHub languages:
+vendor/ linguist-vendored
+
+# Excluding from GitHub diff:
+*.1 linguist-generated
+*.7 linguist-generated
+
+# Excluding from `git diff`:
+*.1 -diff
+*.7 -diff

.github/FUNDING.yml

@@ -0,0 +1,5 @@
+# These are supported funding model platforms
+
+github: wemake-services
+open_collective: git-secret
+custom: https://boosty.to/sobolevn

.github/ISSUE_TEMPLATE.md

@@ -36,4 +36,5 @@ What versions of software are you using?
 
 **`gpg` version:** (`gpg --version`) …
 
-**`git` version:** (`git --version`) …
+<!-- Love git-secret? Please consider supporting our collective:
+👉  https://opencollective.com/git-secret/donate -->

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,10 +1,17 @@
 <!-- Thanks for sending a pull request!
 
 Here's how it's done:
-0. If you are planing a large feature, please, discuss it first in the separate issue
-1. Make sure that you open your pull-request to the `develop` branch (master branch is protected anyways)
-2. Make sure that tests pass
-3. Make sure that your code has the same style
+0. If you are planning a large feature, please, discuss it first in a separate issue.
+   See also [CONTRIBUTING.md](https://github.com/sobolevn/git-secret/blob/master/CONTRIBUTING.md) if you haven't already.
+1. Make sure that you open your pull request against the `master` branch
+2. Make sure that your code has the same style as the surrounding code and git-secret in general
+3. Make sure your code passes using `shellcheck` with `make lint`
+4. You can also spell check your code using 'aspell -c {filename}'
+5. If you are adding or changing features, please add tests that cover the new behavior (in addition to the unchanged behavior if appropriate)
+6. Make sure that all tests pass
+7. Change the .md file(s) in man/man*/ to document your changes if appropriate
+   (regenerating man pages with 'make build-man' is optional)
+8. Add an entry to CHANGELOG.md explaining the change briefly and, if appropriate, referring to the related issue #
 
 Please make sure you click the link above to view the contribution guidelines, then fill out the blanks below. -->
 

.github/dependabot.yml

@@ -0,0 +1,83 @@
+# GitHub-native dependabot setup, configuration:
+# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
+version: 2
+
+updates:
+
+# Docs and GitHub Actions:
+
+- package-ecosystem: bundler
+  directory: "/docs"
+  schedule:
+    interval: daily
+
+- package-ecosystem: github-actions
+  directory: "/"
+  schedule:
+    interval: daily
+
+# Our CI and release docker images:
+
+- package-ecosystem: docker
+  directory: ".ci/releaser/alpine"
+  schedule:
+    interval: weekly
+
+# Release CI:
+
+- package-ecosystem: docker
+  directory: ".ci/release-ci/alpine"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/release-ci/debian"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/release-ci/ubuntu"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/release-ci/centos"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/release-ci/fedora"
+  schedule:
+    interval: weekly
+
+# Docker CI:
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/alpine"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/debian-gnupg1"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/debian-gnupg2"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/ubuntu"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/centos"
+  schedule:
+    interval: weekly
+
+- package-ecosystem: docker
+  directory: ".ci/docker-ci/fedora"
+  schedule:
+    interval: weekly

.github/workflows/build-man.yml

@@ -0,0 +1,25 @@
+
+name: build-man
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - 'docs/**/*'
+  pull_request:
+    paths:
+      - 'docs/**/*'
+  workflow_dispatch:
+
+concurrency: 
+  group: ${{ github.head_ref || github.run_id }}-build-man
+  cancel-in-progress: true
+
+jobs:
+  build-man:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Checks that manual generation works
+      run: make build-man

.github/workflows/github-pages.yml

@@ -0,0 +1,32 @@
+name: github-pages
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - 'man/**/*'
+      - 'docs/**/*'
+      - 'utils/*/install.sh'
+
+concurrency: 
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Build docs
+      run: make build-docs
+
+    - name: Deploy to Pages
+      uses: JamesIves/github-pages-deploy-action@v4.6.8
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        branch: gh-pages # The branch the action should deploy to.
+        folder: docs # The folder the action should deploy.
+        clean: true # Automatically remove deleted files from the deploy branch

.github/workflows/release-ci.yml

@@ -0,0 +1,91 @@
+name: release-ci
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * *'
+
+  # In case we change the some build scripts:
+  push:
+    branches:
+      - master
+    paths:
+      - 'utils/**'
+      - '.ci/release-ci/**'
+      - 'Makefile'
+      - '.github/workflows/release-ci.yml'
+  pull_request:
+    paths:
+      - 'utils/**'
+      - '.ci/release-ci/**'
+      - 'Makefile'
+      - '.github/workflows/release-ci.yml'
+
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  existing:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - release-type: deb
+            release-env: debian
+          - release-type: deb
+            release-env: ubuntu
+          - release-type: rpm
+            release-env: fedora
+          - release-type: rpm
+            release-env: rocky
+          - release-type: rpm
+            release-env: alma
+          #- release-type: apk      # temp removal of alpine releases for #881
+          #  release-env: alpine    # temp removal of alpine releases for #881
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run checks
+      run: |
+        SECRETS_RELEASE_ENV="${{ matrix.release-env }}" \
+        SECRETS_RELEASE_TYPE="${{ matrix.release-type }}" \
+        make release-ci
+
+  # Keep in sync with `release.yml`:
+  dryrun:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        release-type:
+          - apk
+          - deb
+          - rpm
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run dry run of the release process
+      run: |
+        SECRETS_RELEASE_TYPE="${{ matrix.release-type }}" \
+        SECRETS_DEPLOY_DRY_RUN=1 \
+        SECRETS_ARTIFACTORY_CREDENTIALS='fake' \
+          make release
+
+  # https://github.community/t/run-github-actions-job-only-if-previous-job-has-failed/174786/2
+  create-issue-on-failure:
+    name: Create an issue if release-ci cron failed
+    runs-on: ubuntu-latest
+    needs: [existing, dryrun]
+    if: ${{ github.event_name == 'schedule' && github.repository == 'sobolevn/git-secret' && always() && (needs.existing.result == 'failure' || needs.dryrun.result == 'failure') }}
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/github-script@v6
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            await github.rest.issues.create({
+              owner: "sobolevn",
+              repo: "git-secret",
+              title: `release-ci failure on ${new Date().toDateString()}`,
+              body: "Details: https://github.com/sobolevn/git-secret/actions/workflows/release-ci.yml",
+            })

.github/workflows/release.yml

@@ -0,0 +1,45 @@
+name: release
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.head_ref || github.run_id }}
+
+jobs:
+  release-packages:
+    environment:
+      name: artifactory
+      url: https://gitsecret.jfrog.io/artifactory
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        release-type:
+          - apk
+          # - deb
+          # - rpm
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run checks
+      run: SECRETS_RELEASE_TYPE="${{ matrix.release-type }}" make release
+      env:
+        SECRETS_ARTIFACTORY_CREDENTIALS: ${{ secrets.SECRETS_ARTIFACTORY_CREDENTIALS }}
+
+  # github-release:
+  #   runs-on: ubuntu-latest
+  #   needs: ['release-packages']
+  #   steps:
+  #   - uses: actions/checkout@v4
+  #   - run: make changelog
+  #     env:
+  #       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #   - uses: softprops/action-gh-release@v1
+  #     with:
+  #       # Generated above by `make changelog`:
+  #       body_path: CHANGELOG-RELEASE.md
+  #     env:
+  #       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -0,0 +1,89 @@
+name: test
+
+on:
+  push:
+    branches:
+      - master
+    paths-ignore:
+      - 'docs/**'
+  pull_request:
+    paths-ignore:
+      - 'docs/**'
+  workflow_dispatch:
+
+concurrency: 
+  group: ${{ github.head_ref || github.run_id }}-test
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Shellcheck and Hadolint
+      run: make lint
+
+  docker-ci:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        docker-env:
+          - alma
+          - alpine
+          #- arch           # disable arch testing for now, see #916
+          - debian-gnupg1  # We need to test legacy version of gnupg
+          - debian-gnupg2
+          - fedora
+          - rocky
+          - ubuntu
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run checks
+      run: SECRETS_DOCKER_ENV="${{ matrix.docker-env }}" make docker-ci
+
+  osx-ci:
+    runs-on: macos-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        test-verbose: [0, 1]
+    steps:
+    - uses: actions/checkout@v4
+    - name: Install deps
+      run: brew install gawk gnupg
+    - name: Run checks
+      run: SECRETS_TEST_VERBOSE=${{ matrix.test-verbose }} make test
+
+  freebsd-ci:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run checks
+      id: test
+      uses: vmactions/freebsd-vm@v1
+      with:
+        usesh: true
+        prepare: pkg install -y gnupg bash gmake git gawk
+        run: |
+          which -a bash
+          which -a shell
+          whoami
+          env
+          freebsd-version
+          gmake test
+
+  windows-wsl-ci:
+    runs-on: windows-latest
+    steps:
+    - uses: Vampire/setup-wsl@v3
+      with: 
+        update: 'true'
+        additional-packages: gnupg make man git gawk file
+    - run: git config --global core.autocrlf input
+    - uses: actions/checkout@v4
+    - shell: wsl-bash {0}
+      run: make test

.gitignore

@@ -29,7 +29,7 @@ $RECYCLE.BIN/
 # Linux trash folder which might appear on any partition or disk
 .Trash-*
 
-#####=== OSX ===#####
+#####=== MacOS ===#####
 .DS_Store
 .AppleDouble
 .LSOverride
@@ -126,7 +126,6 @@ _site/
 git-secret
 
 # Temporary packages:
-vendor/
 temp/
 
 # Packaging:
@@ -134,6 +133,9 @@ build/
 *.deb
 *.fpm
 
-# Kithcne files
-Gemfile.lock
-.kitchen/
+# Docs:
+docs/man
+docs/_posts
+docs/_includes/install-*.sh
+docs/_includes/version.txt
+CHANGELOG-RELEASE.md

.kitchen.yml

@@ -1,144 +0,0 @@
----
-driver:
-  name: docker
-  use_sudo: false
-
-provisioner:
-  # name of the host
-  hosts: test-kitchen
-  # use an ansible playbook to provision our server
-  name: ansible_playbook
-  ansible_verbose: false
-  require_ansible_repo: false
-  require_ansible_omnibus: true
-  ansible_version: 2.4.1
-  require_chef_for_busser: false
-  sudo_command: sudo -E -H
-  idempotency_test: false
-  sudo: true
-  ansible_extra_flags: "-e '{ kitchen_testrun: True }'"
-  additional_copy_path:
-    - ".ci/integration/vars"
-    - ".ci/integration/tasks"
-
-transport:
-  max_ssh_sessions: 3
-
-platforms:
-  - name: debian-latest
-    driver_config:
-      run_command: /lib/systemd/systemd
-      dockerfile: .Dockerfiles/debian/latest/Dockerfile
-      platform: debian
-      cap_add:
-        - SYS_ADMIN
-      volume:
-        - /sys/fs/cgroup:/sys/fs/cgroup:ro
-        - <%=ENV['PWD']%>:/opt/workspace # Make the working directory available inside the container
-      run_options:
-        tmpfs:
-          - /run
-          - /run/lock
-
-  - name: fedora-latest
-    driver_config:
-      run_command: /lib/systemd/systemd
-      dockerfile: .Dockerfiles/fedora/latest/Dockerfile
-      platform: fedora
-      cap_add:
-        - SYS_ADMIN
-      volume:
-        - /sys/fs/cgroup:/sys/fs/cgroup:ro
-        - <%=ENV['PWD']%>:/opt/workspace # Make the working directory available inside the container
-      run_options:
-        tmpfs:
-          - /run
-          - /run/lock
-
-  - name: centos-latest
-    driver_config:
-      run_command: /lib/systemd/systemd
-      dockerfile: .Dockerfiles/centos/latest/Dockerfile
-      platform: centos
-      cap_add:
-        - SYS_ADMIN
-      volume:
-        - /sys/fs/cgroup:/sys/fs/cgroup:ro
-        - <%=ENV['PWD']%>:/opt/workspace # Make the working directory available inside the container
-      run_options:
-        tmpfs:
-          - /run
-          - /run/lock
-
-  - name: ubuntu-latest
-    driver_config:
-      run_command: /lib/systemd/systemd
-      dockerfile: .Dockerfiles/ubuntu/latest/Dockerfile
-      platform: ubuntu
-      cap_add:
-        - SYS_ADMIN
-      volume:
-        - /sys/fs/cgroup:/sys/fs/cgroup:ro
-        - <%=ENV['PWD']%>:/opt/workspace # Make the working directory available inside the container
-      run_options:
-        tmpfs:
-          - /run
-          - /run/lock
-
-  - name: ubuntu-rolling
-    driver_config:
-      run_command: /lib/systemd/systemd
-      dockerfile: .Dockerfiles/ubuntu/rolling/Dockerfile
-      platform: ubuntu
-      cap_add:
-        - SYS_ADMIN
-      volume:
-        - /sys/fs/cgroup:/sys/fs/cgroup:ro
-        - <%=ENV['PWD']%>:/opt/workspace # Make the working directory available inside the container
-      run_options:
-        tmpfs:
-          - /run
-          - /run/lock
-
-  - name: alpine-latest
-    driver_config:
-      run_command: /sbin/init
-      dockerfile: .Dockerfiles/alpine/latest/Dockerfile
-      platform: alpine
-      volume:
-        - /sys/fs/cgroup:/sys/fs/cgroup:ro
-        - <%=ENV['PWD']%>:/opt/workspace # Make the working directory available inside the container
-      run_options:
-        tmpfs:
-          - /run
-          - /run/lock
-
-verifier:
-  name: serverspec
-  sudo_path: true
-
-suites:
-  # suites found at /test/integration/$test-name
-  # in container @/tmp/kitchen
-  - name: gnupg1
-    verifier:
-      patterns:
-        - roles/git-secret/.ci/integration/gnupg1/serverspec/*_spec.rb
-    excludes:
-      - centos-latest
-  - name: gnupg2
-    verifier:
-      patterns:
-        - roles/git-secret/.ci/integration/gnupg2/serverspec/*_spec.rb
-    excludes:
-      - ubuntu-latest
-  - name: gnupg-git
-    verifier:
-      patterns:
-        - roles/git-secret/.ci/integration/gnupg-git/serverspec/*_spec.rb
-      bundler_path: '/usr/local/bin'
-      rspec_path: '/usr/local/bin'
-    excludes:
-      - ubuntu-latest
-      - centos-latest
-      - alpine-latest

.travis.yml

@@ -1,120 +0,0 @@
-matrix:
-  fast_finish: true
-  include:
-    - os: linux
-      env: KITCHEN_REGEXP="gnupg1-alpine-latest"
-      services: docker
-      sudo: required
-      language: ruby
-      rvm: 2.4
-    - os: linux
-      env: KITCHEN_REGEXP="gnupg1-debian-latest"
-      services: docker
-      sudo: required
-      language: ruby
-      rvm: 2.4
-    - os: linux
-      env: KITCHEN_REGEXP="gnupg1-fedora-latest"
-      services: docker
-      sudo: required
-      language: ruby
-      rvm: 2.4
-    - os: linux
-      env: KITCHEN_REGEXP="gnupg1-ubuntu-latest"
-      services: docker
-      sudo: required
-      language: ruby
-      rvm: 2.4
-    - os: linux
-      env: KITCHEN_REGEXP="gnupg1-ubuntu-rolling"
-      services: docker
-      sudo: required
-      language: ruby
-      rvm: 2.4
-    - os: linux
-      env: KITCHEN_REGEXP="gnupg2-alpine-latest"
-      services: docker
-      sudo: required
-      language: ruby
-      rvm: 2.4
-    - os: linux
-      env: KITCHEN_REGEXP="gnupg2-debian-latest"
-      services: docker
-      sudo: required
-      language: ruby
-      rvm: 2.4
-    - os: linux
-      env: KITCHEN_REGEXP="gnupg2-fedora-latest"
-      services: docker
-      sudo: required
-      language: ruby
-      rvm: 2.4
-    - os: linux
-      env: KITCHEN_REGEXP="gnupg2-centos-latest"
-      services: docker
-      sudo: required
-      language: ruby
-      rvm: 2.4
-    - os: linux
-      env: KITCHEN_REGEXP="gnupg2-ubuntu-rolling"
-      services: docker
-      sudo: required
-      language: ruby
-      rvm: 2.4
-    - os: linux
-      env: KITCHEN_REGEXP="gnupg-git-debian-latest"
-      services: docker
-      sudo: required
-      language: ruby
-      rvm: 2.4
-    - os: linux
-      env: KITCHEN_REGEXP="gnupg-git-fedora-latest"
-      services: docker
-      sudo: required
-      language: ruby
-      rvm: 2.4
-    - os: linux
-      env: KITCHEN_REGEXP="gnupg-git-ubuntu-rolling"
-      services: docker
-      sudo: required
-      language: ruby
-      rvm: 2.4
-#    - os: osx
-#      env: GITSECRET_DIST="brew"
-#      sudo: false
-#      language: generic
-
-before_script:
-  - chmod +x ".ci/before_script.sh" && ".ci/before_script.sh"
-
-script:
-  - chmod +x ".ci/script.sh" && ".ci/script.sh"
-
-before_deploy:
-  - chmod +x ".ci/before_deploy.sh" && ".ci/before_deploy.sh"
-
-deploy:
-  - provider: bintray
-    on:
-      branch: master
-      condition: "$GITSECRET_DIST == deb"
-    file: "build/deb_descriptor.json"
-    user: "sobolevn"
-    key: "$BINTRAY_API_KEY"
-    passphrase: "$BINTRAY_GPG_PASS"
-  - provider: bintray
-    on:
-      branch: master
-      condition: "$GITSECRET_DIST == rpm"
-    file: "build/rpm_descriptor.json"
-    user: "sobolevn"
-    key: "$BINTRAY_API_KEY"
-    passphrase: "$BINTRAY_GPG_PASS"
-
-after_deploy:
-  - chmod +x ".ci/after_deploy.sh" && ".ci/after_deploy.sh"
-
-notifications:
-  email:
-    on_success: never
-    on_failure: change

CHANGELOG.md

@@ -1,71 +1,351 @@
 # Changelog
 
+## {{Next Version}}
+
+### Misc
+
+- NOTE: Arch instructions now say to install from source. Arch tests removed temporarily (#916)
+- NOTE: there is an issue when repo directory (or a parent dir) contains a space (#135)
+- Improve error messaging when we cannot find git repo (#874)
+- Temporarily disable apk builds on alpine (#881)
+- Have `hide -v` show output from gnupg
+- Documentation updates and fixes
+
+
+## 0.5.0
+
+### Features
+
+- Adds `SECRETS_GPG_ARMOR` env variable to use `gpg --armor`
+  when encrypting files, so secret files are stored
+  in text format rather than binary (#631)
+- Allow gnupg permission warnings in `tell`, `hide`, `reveal`, and `removeperson` (#811)
+- `git secret init` now sets `.gitsecret/keys` permission to 0700 (#811)
+- Improve verbose and non-verbose output
+
+### Bugfixes
+
+- Fix adding newlines to `.gitignore` entries (#643)
+- Fix `cat` and `reveal` on named files while in repo subdir (#710)
+- Fix `clean`, `hide`, `reveal` so they only remove marked secret files (#833)
+- Fix for `removeperson` if same email is present multiple times (#638)
+- Correct error message about files missing from .gitignore
+
+### Misc
+
+- Rename `killperson` command to `removeperson` (#684)
+- Improve error messaging decrypting nonexistent files (#706)
+- Improve, expand, correct, and update docs (#699)
+- Update docs for use with CI/CD server (#675)
+- Upgrade bats-core to v1.6.0 (#755)
+- Test, and build RPMS, with Rocky and Alma Linux instead of CentOS (#765)
+- Automate testing code on windows using WSL (#846)
+- Automate testing code on FreeBSD (#455)
+- Improve testing of .gitignore contents (#792)
+- Automate running verbose tests with SECRETS_TEST_VERBOSE=1 (#794)
+- Improve documentation about installing on Windows (#843)
+
+
+## 0.4.0
+
+### Bugfixes
+
+- Escape filenames with special characters before adding to `.gitignore`
+- Better error handling around telling an email twice (#634)
+- Fix for `-P` (#647)
+
+### Misc
+
+- Removed `test-kitchen`
+- Moved from `travis` to GitHub Actions
+- Changed almost all infrastructure code
+- Moved away from Bintray to Artifactory
+- Changes how GitHub Pages work
+- Add security disclaimer for git-secret-killperson
+- Improve documentation about releases
+- Man page improvements
+
+
+## Version 0.3.3
+
+### Bugfixes
+
+- In 'tell', warn about disabled, revoked, expired, or invalid keys (#552, #508, #317, #290, #283, #238)
+- Error if 'tell' is used on an email address with multiple keys (#552)
+- Don't let 'reveal' clobber secret files (#579)
+- Updated test key fixture that had expired (#607)
+
+### Misc
+
+- Improve docs about using gpg with git-secret (#577)
+- Text improvements and More about security in git-secret.7 man page (#603)
+- Reflect changes in ruby bundler during build process
+- Upgrade build process to ansible 2.9
+- Use shellcheck 0.7.1 with CI, not 'latest' (#609)
+- Improve output of `git-secret add`
+
+## Version 0.3.2
+
+### Bugfixes
+
+- Fix mention of version in git-secret add man page (#544)
+
+### Misc
+
+- Update developer docs, especially regarding mac, docker, and test-kitchen (#195)
+- Update man pages to mention version documented (#420)
+
+## Version 0.3.1
+
+### Misc
+
+- Update man pages
+
+## Version 0.3.0
+
+### Features
+
+- Support SECRETS_PINENTRY env var for gnupg --pinentry-mode parameter (#221)
+- Show output from gnupg if 'hide' fails (#516, #202, #317)
+- Add support for Busybox (#478)
+
+### Bugfixes
+
+- Use OSX's mktemp on OSX, even if there's another version in PATH. (#485)
+- Make rsync a build requirement on debian (#500)
+- Use gnupg1, not gnupg2, when tests specify gnupg1 (#241)
+- Note dependencies gawk, bash, and coreutils in linux packages (#493)
+- Handle case of key having no email and a comment (#527)
+- Avoid blank lines from output of 'clean -v'
+
+### Misc
+
+- Improve messaging and logic around deleting tmp files.
+- Add note about secrets and old keys (#499)
+- Transition build process from python 2 to python 3 (#487)
+- Upgrade build process from ansible 2.5 to ansible 2.8
+- Fix build process when installing gnupg2 source deps on Ubuntu
+- Close file descriptor 3 when running gnupg subprocesses (#521)
+- Small optimization in 'hide'
+- Improve code comments
+- Update docs to note that git-secret repos modified by git-secret 0.2.3 and
+  later are not backward compatible with pre-0.2.3 versions of git-secret. (#536)
+
+## Version 0.2.6
+
+### Features
+
+- git-secret is now available in Fedora, link added to README.md. (#315)
+- Support automated testing on windows with Travis CI (#372)
+- Support SECRETS_VERBOSE env var to enable verbosity (#323)
+- Use gpg without --quiet when decrypting in verbose mode (#394)
+- Add -v options to 'tell' and 'reveal', showing gpg output (#320, #395)
+- Change 'init' to never ignore .secret files (#362)
+- 'add' appends filepaths to .gitignore by default (#225)
+- Automate the GitHub release (#411)
+
+### Bugfixes
+
+- Fix 'hide -m' when used as first hide operation (#466)
+- Fix code to respect $TMPDIR when generating tmp files (#451)
+- Be more careful when deleting test files (#360)
+- Use separate directory when testing, instead of using $BATS_TMPDIR directly (#407)
+- Fix 'whoknows -l' and related tests on FreeBSD (#454)
+- Fix git-secret init when used on busybox (#475)
+- Update git-secret.io, fix utils/gh-branch.sh to use 'git all --add' (#344)
+- Fix link to homebrew's git-secret in README.md (#310)
+- Remove diagnostic output from test results (#324)
+- Remove un-needed redirection in 'reveal' (#325)
+- Fix link to current contributors in CONTRIBUTING.md (#331)
+- Fix tests when running from git hooks (#334)
+- Fix typo, remove temp directory in utils/tests.sh (#347)
+- Spelling fixes
+- Fix re: SECRETS_DIR in 'init' and SECRETS_EXTENSION in test_reveal.bats (#364)
+- git-secret will fail if you pass params or filenames that are not understood (#390)
+- Use SECRETS_GPG_COMMAND env var in gpg version check (#389)
+- Add header to git-secret.7 man page, for debian and doc improvement (#386)
+- Respect DESTDIR when installing as per GNU/debian/etc recommendations (#424)
+- Use git check-ignore to test for files ignored by git
+
+### Misc
+
+- Improve docs about hide -m option (#467)
+- Document SECRETS_VERBOSE and improve env var docs (#396)
+- Setting SECRETS_TEST_VERBOSE env var shows debug info during tests (EXPERIMENTAL)
+- Add documentation about how to write tests.
+- Suppress 'cleaning up temp files' messages unless in a verbose mode.
+- Improve git-secret user messaging.
+- Update CHANGELOG.md to mention fix for #281 in v0.2.5 (#311)
+- Add text explaining git-secret Style Guide and Development Philosophy
+- Use Shellcheck on tests/ files, changes for Shellcheck in tests/ (#368)
+- Use Shellcheck on MacOS/osx travis tests (#403)
+- Show commands run by Makefile as per debian upstream recommendations (#386)
+- Upgrade bats-core to v1.1.0, import bats-core into vendor/bats-core (#377)
+- Use gawk to parse emails from gpg output
+- Optimize code that parses keyrings
+- Remove unused code
+
+## Version 0.2.5
+
+### Features
+
+- Add support for FreeBSD (#244)
+- Add -l option to whoknows, which shows key expiration dates (#283)
+- Add -P option (preserve permissions) to reveal and hide (#172)
+- Add -F option (force, changing some errors to warnings) to hide and reveal (#253)
+- Allow user to specify name of secret dir at runtime using SECRETS_DIR env var, and test (#247, #250)
+
+### Bugfixes
+
+- Fix issues with spaces in paths and filenames (#226, #135)
+- Fix issue when 'hide' used in subdir of repo (#230)
+- Fix issues in 'changes' with trailing newlines (#291)
+- Fix 'hide' to only count actually hidden files as hidden (#280)
+- Fixed bugs and improved error messages (#174)
+- Issue error message when unable to hide a secret (#202, #238)
+- Accept gpg key with no name, only an email (#227)
+- Require keys to be specified by email, as documented (#267)
+- Disallow 'git secret tell' or 'killperson' with emails that are not in keyring (also #267)
+
+### Misc
+
+- Added notes about packages and for package maintainers (#281)
+- Improve documentation regarding operation with different versions of GPG (#274, #182)
+- Documentation improvements, error message and text improvements, and typo fixes (#254)
+- git-secret RFC#001 added, documenting a path towards independence from gpg binary formats (#208)
+- Add tests for expired gpg keys, and gpg keys with only emails (#276)
+
+## Version 0.2.4
+
+### Features
+
+- Added `git secret cat` feature (#141)
+
+### Bugfixes
+
+- `git secret hide` and `git secret changes` check for files more carefully (#153, #154)
+
+### Misc
+
+- Documentation and error message improvements (#126, #136, #144, #150)
+- Build and CI fixes (#152, #179, #186, #188, #189)
+- Migrate to `bats-core` bash testing framework
+
 ## Version 0.2.3
+
+### Features
+
 - Added `-m` option to `hide` command, files will only be hidden when modifications are detected (#92)
-- Changed how path mappings file works: colon delimited FSDB (#92)
+- Changed how path mappings file works: colon delimited FSDB in `.gitsecret/paths/mapping.cfg', so git-secret
+  can store checksums of hidden files. Note this means git-secret repos modified by git-secret 0.2.3
+  or later are not backward compatible with pre-0.2.3 versions of git-secret. (#92)
+- `git secret init` now adds `random_seed` to `.gitignore` (#93)
+
+### Bugfixes
+
+- Dropped `git check-ignore`, using `git add --dry-run` instead to check for ignored files (#105,#38)
 - Fixed `gnupg` >= 2.1 CI tests (#6)
+
+### Misc
+
 - Now users can run local CI tests using test-kitchen (#6)
 - Migrated travis ci tests to test-kitchen for Linux platforms.
-- `git secret init` now adds `random_seed` to `.gitignore` (#93)
 - Added more `gpg` version to test matrix (#99)
-- Dropped `git check-ignore`, using `git add --dry-run` instead to check for ignored files (#105,#38)
 - Added CentOS to test matrix (#38,#91)
-- All tested Linux platforms now use latest release of `shellchek`
+- All tested Linux platforms now use latest release of `shellcheck`
 - Added Alpine to test matrix, and apk is now built. (#75)
 
 ## Version 0.2.2
 
+### Features
+
 - Change how the `usage` command works (#48)
 - Now `git-secret` works from any place inside `git-tree` (#56)
-- Added `-d` option to the `hide` coomand: it deletes unencrypted files (#62)
+- Added `-d` option to the `hide` command: it deletes unencrypted files (#62)
 - Added new command `changes` to see the diff between the secret files (#64)
-- Fixed bug when `_user_required` was not working after reimporting keys (#74)
 - Now it is possible to provide multiple emails to the `killperson` command (#73)
 - Now it is possible to provide multiple emails to the `tell` command (#72)
+
+### Bugfixes
+
+- Fixed bug when `_user_required` was not working after re-importing keys (#74)
+- Refactored `hide` and `clean` commands to be shorter
+
+### Misc
+
 - Now every doc in this project refer to `git-secret.io` instead of old `gh-pages` website (#71)
 - Now installation section is removed from main `man` file (#70)
-- Now "See also" section in the `man`s are clickable (#69)
+- Now "See also" sections in the `man` pages are clickable (#69)
 - Added "Manual" section to the manuals (#61)
-- Added `centos` container for `ci` testing (#38)
-- Tests are refactored. Added `clean` command tests, removed a lot of hardcoded things, moved tests execution from `./temp` folder to `/tmp`, added a lot of new check in old tests, and some new test cases (#52)
-- Refactored `hide` and `clean` commands to be shorter
+- Added `CentOS` container for `ci` testing (#38)
+- Tests are refactored. Added `clean` command tests, removed a lot of hard-coded things, moved tests execution from `./temp` folder to `/tmp`, added a lot of new check in old tests, and some new test cases (#52)
 - `shellcheck` is now supported with `make lint`
 
-
 ## Version 0.2.1
 
-- Now everything is tested inside the `docker`-containers and `OSX` images on `travis`.
-- Added autodeploy to `bintray` in `.travis.yml`.
-- Added `.ci/` folder for continuous integration, refactored `utils/` folder.
+### Misc
+
 - Added `CONTRIBUTING.md` and `LICENSE.md`.
 - New brand logo in the `README.md`.
+- Added autodeploy to `bintray` in `.travis.yml`.
+- Now everything is tested inside the `docker`-containers and `OSX` (MacOS) images on `travis`.
+- Added `.ci/` folder for continuous integration, refactored `utils/` folder.
 - Everything is `shellcheck`ed (except `tests/`).
 
 ## Version 0.2.0
 
-- Added `changes` command to see the difference between current version of the hidden files and the commited one
+### Features
+
+- Added `changes` command to see the difference between current version of the hidden files and the committed one
 - Added `-f` option to the `reveal` command to remove prompts
-- Changed the way files were decrypted, now it is a separate function
+
+### Bugfixes
+
 - Some bugs are fixed
+
+### Misc
+
 - New installation instructions
+- Changed the way files were decrypted, now it is a separate function
 
 ## Version 0.1.2
 
+### Features
+
 - Added `-i` option to the `git-secret-add` command, which auto adds unignored files to the `.gitignore`
-- Documentation improved with `Configuration` section
-- Added extra tests: for custom filenames and new features
-- `Makefile` improvements with `.PHONY` and `install` target
+
+### Misc
+
 - `.github` templates added
+- Documentation improved with `Configuration` section
+- `Makefile` improvements with `.PHONY` and `install` target
+- Added extra tests: for custom filenames and new features
 
 ## Version 0.1.1
 
+### Features
+
 - Added `--dry-run` option to the `git secret` command, which prevents any actions.
-- Now `install_full_fixture()` returns a fingerprint
-- Now `uninstall_full_fixture()` receives two args
-- Fixed bug, when tests were failing with `gpg2`
-- New travis strategy: testing both `gpg` and `gpg2`
+
+### Misc
+
 - Removed animation from docs, now using `asciinema.org`
+- `install_full_fixture()` returns a fingerprint
+- `uninstall_full_fixture()` receives two args
+- Fixed bug when tests were failing with `gpg2`
+- New travis strategy: testing both `gpg` and `gpg2`
 
 ## Version 0.1.0
 
-- Initial release
+### Features
+
+- Implementation of git secret add
+- Implementation of git secret clean, with -v option
+- Implementation of git secret hide, with -c 'clean' and -v option
+- Implementation of git secret init
+- Implementation of git secret killperson
+- Implementation of git secret list
+- Implementation of git secret remove, with -c option
+- Implementation of git secret reveal, with -d homedir and -p passphrase options
+- Implementation of git secret tell, with -m email and -d homedir options
+- Implementation of git secret usage

CONTRIBUTING.md

@@ -2,104 +2,216 @@
 
 Your contributions are always welcome!
 
+
+## Getting started
+
+1. Create your own or pick an opened issue from the [tracker](https://github.com/sobolevn/git-secret/issues). Take a look at the [`help-wanted` tag](https://github.com/sobolevn/git-secret/labels/help%20wanted)
+
+2. Fork the git-secret repo and then clone the repository using a command like `git clone https://github.com/${YOUR_NAME}/git-secret.git`
+
+3. Make sure that everything works on the current platform by running `make test`.
+   You can also try the experimental `SECRETS_TEST_VERBOSE=1 make test`, which will
+   show you a lot of debug output while the tests are running.
+   Note that 'experimental' features may change or be removed in a future version of `git-secret`.
+
+4. If you want to test on multiple operating systems just push your PR, GitHub Actions will cover everything else
+
+Basically, our `make` file is the only thing you will need to work with this repo.
+
+
 ## Process
 
 ### Environment
 
-Before starting make sure you have:
+For development of `git-secret` you should have these tools locally:
 
 - git
 - bash
-- bundler
-- docker
 - gawk
-- gnupg (or gnupg2)
-- ruby
-- sha256sum
-- [shellcheck](https://github.com/koalaman/shellcheck)
-- test-kitchen
+- gnupg (or gnupg2), see below if not packaged by your distribution/OS (i.e. MacOS)
+- sha256sum (on freebsd and MacOS `shasum` is used instead)
+- make
 
-Only required if dealing with manuals, `gh-pages` or releases:
+To test `git-secret` you will need:
 
-- ruby, ruby-dev
+- [docker](https://www.docker.com/)
 
-### Getting started
+### Code style
 
-1. Create your own or pick an opened issue from the [tracker][tracker]. Take a look at the [`help-wanted` tag][help-wanted]
-2. Fork and clone your repository: `git clone https://github.com/${YOUR_NAME}/git-secret.git`
-3. Make sure that everything works on the current platform by running `make test`
-4. [Run local CI tests](#running-local-ci-tests) to verify functionality on supported platforms `bundle exec kitchen verify --test-base-path="$PWD/.ci/integration"`.
+New features and changes should aim to be as clear, concise, simple, and consistent
+
+1. clear: make it as obvious as possible what the code is doing
+
+2. concise: your PR should be as few characters (not just lines) of changes as _reasonable_.
+   However, generally choose clarity over being concise.
+   Clarity and conciseness can be in conflict with each other. But
+   it's more important for the code to be understandable than for it to be small.
+   Therefore favor writing clear code over making shorter diffs in your PRs.
+
+3. simple: this dovetails with the previous two items.
+   git-secret is a security product, so it's best to have the code be easy to understand.
+   This also aids future development and helps minimize bugs.
+
+4. consistent: Write code that is consistent with the surrounding code and the rest of the git-secret code base.
+   Every code base has its own conventions and style that develop and accrete over time.
+
+   Consistency also means that the inputs and outputs of git-secret should be as consistent as reasonable
+   with related Unix and git tools, and follow the 'rule of least surprise',
+   also known as the 'principle of least astonishment': <https://en.wikipedia.org/wiki/Principle_of_least_astonishment>
+
+We wrote this to clarify our thinking about how git-secret should be written.  Of course, these are philosophical goals,
+not necessities for releasing code, so balancing these four ideals _perfectly_ is both unwarranted and impossible.
+
+### Writing PRs
+
+If you're planning a large change to `git-secret` (for example, a lot of lines/characters of diffs, affecting multiple commands,
+changing/adding a lot of behavior, or adding multiple command-line options), it's best to discuss the changes in an Issue first.
+Also it's often best to implement larger or complex changes as a series of planned-out, smaller PRs,
+each making a small set of specific changes. This facilitates discussions of implementation, which often come to light
+only after seeing the actual code used to perform a task.
+
+As mentioned above, we seek to be consistent with surrounding git and Unix tools, so when writing changes to git-secret,
+think about the input, output, and command-line options that similar Unix commands use.
+
+Our favor toward traditional Unix and git command-style inputs and outputs can also mean it's appropriate to
+lean heavily on git and widely-used Unix command features instead of re-implementing them in code.
 
 ### Development Process
 
-1. Firstly, you will need to setup development hooks with `make install-hooks`
-2. Make changes to the files that need to be changed
-3. When making changes to any files inside `src/` you will need to rebuild the binary `git-secret` with `make clean && make build` command
-4. Run [`shellcheck`][shellcheck] against all your changes with `make lint`
-5. Now, add all your files to the commit with `git add --all` and commit changes with `git commit`, make sure you write a good message, which will explain your work
-6. When running `git commit` the tests will run automatically, your commit will be canceled if they fail
-7. Push to your repository, make a pull-request against `develop` branch. Please, make sure you have **one** commit per pull-request, it will be merge into one anyways
+1. Make changes to the git secret files that need to be changed
+
+2. When making changes to any files inside `src/`, for changes to take effect you will need to rebuild the `git-secret` script with `make clean && make build`
+
+3. Run `shellcheck` against all your changes with `make lint`.
+   You should also check your changes for spelling errors using 'aspell -c filename'.
+
+4. Add an entry to CHANGELOG.md, referring to the related issue # if appropriate
+
+5. Change the `man` source file(s) (we write them in markdown) in `man/man1` and `man/man7` to document your changes if appropriate
+
+6. Now, add all your files to the commit with `git add --all` and commit changes with `git commit`.
+   Write a good commit message which explains your work
+
+7. When running `git commit` the tests will run automatically, your commit will be canceled if they fail.
+   You can run the tests manually with `make clean build test`.
+
+8. Push to your repository, and make a pull-request against `master` branch. It's ideal to have one commit per pull-request,
+but don't worry, it's easy to `squash` PRs into a small number of commits when they're merged.
 
 ### Branches
 
-We have three long-live branches: `master`, `develop` and `gh-pages` for static site.
+We have two long-live branches: `master` for the git-secret code and man pages, and `gh-pages` for the static web site.
+The `gh-pages` branch tracks the `master` branch's `docs` folder, and is kept up-to-date using a GitHub Action.
 
-It basically looks like that:
+Development looks like this:
 
-> `your-branch` -> `develop` -> `master`
+> `your-branch` -> `master`
 
-- `master` branch is protected. So only fully tested code goes there. It is also used to create a new `git` tag and a `github` release
-- `develop` is where the development is done and the branch you should send your pull-requests to
+- `master` branch is protected, so only fully tested code goes there. It is also used to create a new `git` tag and a `github` release
 
-### Continuous integration
+By convention, you can name your branches like `issue-###-short-description`, but that's not required.
+The `gh-pages` branch is used for the pages at `git-secret.io`. See 'Release Process' below.
 
-Local CI is done with the help [`test-kitchen`](http://kitchen.ci/). `test-kitchen` handles multiple test-suites on various platforms.
-`bundle exec kitchen list` will output the list of test suites to be run aginst supported platforms.
+### Writing tests
 
-Cloud CI is done with the help of `travis`. `travis` handles multiple environments:
+`git-secret` uses [bats-core](https://github.com/bats-core/bats-core) for testing.
+See the files in tests/ and the `bats-core` documentation for details.
 
-- `Docker`-based jobs or so-called 'integration tests', these tests create a local release, install it with the package manager and then run unit-tests and system checks
-- `OSX` jobs, which handle basic unit-tests on `OSX`
-- Native `travis` jobs, which handle basic unit-tests and stylechecks
-
-### Running local ci-tests
-
-1. Install requied gems with `bundle install`.
-2. Run ci-tests with `bundle exec kitchen verify --test-base-path="$PWD/.ci/integration"`
+Because the output of many commands can be affected by the SECRETS_VERBOSE environment
+variable (which enables verbosity), it's best not to expect a particular number of lines of
+output from commands.
 
 ### Release process
 
-The release process is defined in the `git`-hooks and `.travis.yml`.
+To create a new release, (you'll first need permission to commit to the repo, of course):
 
-When creating a commit inside the `master` branch (it is usually a documentation and changelog update with the version bump inside `src/version.sh`) it will trigger two main events.
+Update the content of `CHANGELOG.md` for the release (this should be a matter of changing headers),
+and update the version string in `src/version.sh`.
 
-Firstly, new manuals will be created and added to the current commit with `make build-man` on `pre-commit` hook.
+When creating a commit inside the `master` branch (it is usually a documentation and changelog update with the version bump inside `src/version.sh`).
 
-Secondly, after the commit is successfully created it will also trigger `make build-gh-pages` target on `post-commit` hook, which will push new manuals to the [git-secret site][git-secret-site]. And the new `git` tag will be automatically created if the version is changed:
+Then, push your code to GitHub. It will start the CI.
+
+After all the checks have executed, GitHub Actions will test and build releases for specific platforms.
+
+While CI is doing it's building and testing, finish the release on github by pushing the new tag with:
 
 ```bash
-if [[ "$NEWEST_TAG" != "v${SCRIPT_VERSION}" ]]; then
-  git tag -a "v${SCRIPT_VERSION}" -m "version $SCRIPT_VERSION"
-fi
+git push --tags
 ```
 
-#### Travis releases
+and then go to https://github.com/sobolevn/git-secret/releases to see that the new release is created. It might take some time.
 
-When creating a commit inside `master` branch, `travis` on successful build will publish new `deb` and `rpm` packages to [`bintray`][bintray].
+#### GitHub automated releases
 
-If you wish to override a previous release (*be careful*) you will need to add `"override": 1` into `matrixParams`, see `deb-deploy.sh` and `rpm-deploy.sh`
+We use GitHub actions to run the release process.
+We use `artifactory` as an environment for the release.
+You would need to get a review before release would be possible.
+
+It can be reproduced locally with `make release`, but you will need `SECRETS_ARTIFACTORY_CREDENTIALS`.
+
+After packages are released to https://gitsecret.jfrog.io we trigger `release-ci` workflow to test that installation works correctly.
 
 #### Manual releases
 
-Releases to `brew` are made manually.
+Releases to `brew` are made manually, and involve opening a PR on the [Homebrew Core](https://github.com/Homebrew/homebrew-core) repo .
+To get started, see the
+[Homebrew docs about Formulae-related PRs](https://docs.brew.sh/How-To-Open-a-Homebrew-Pull-Request#formulae-related-pull-request)
+and `brew bump-formula-pr --help`
 
-#### Dockerhub releases
+### Downstream Packages
 
-[`Dockerhub`][Dockerhub] contains `Docker` images with different OS'es used for testing. It is updated via a `github` webhook on commit into `master`.
+There are several distributions and packaging systems that may already have git-secret packaged for your distribution (although sometimes their versions are not the most current, and we recommend all users upgrade to 0.2.5 or above).
 
-[tracker]: https://github.com/sobolevn/git-secret/issues
-[help-wanted]: https://github.com/sobolevn/git-secret/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22
-[shellcheck]: https://github.com/koalaman/shellcheck
-[git-secret-site]: http://git-secret.io
-[bintray]: https://bintray.com/sobolevn
-[Dockerhub]: https://hub.docker.com/r/sobolevn/git-secret/
+### Notes to Downstream Packagers (Those who make packages for specific OSes/distributions)
+
+First of all, thank you for packaging git-secret for your platform! We appreciate it.
+
+We also would like to welcome you to collaborate or discuss any issues, ideas or thoughts you have about
+git-secret by submitting [issue report](https://github.com/sobolevn/git-secret/issues)
+(which can also be feature requests) or
+[pull requests](https://help.github.com/en/articles/creating-a-pull-request)
+via the git repo at
+[git-secret on github](https://github.com/sobolevn/git-secret)
+
+Please let us know if there are any changes you'd like to see to the source,
+packaging, testing, documentation, or other aspect of git-secret.
+We look forward to hearing from you.
+
+
+## About GnuPG
+
+Here are some links to gnupg documentation that might be useful for those working with git-secret:
+
+- [GnuPG PDF Documentation](https://www.gnupg.org/documentation/manuals/gnupg.pdf)
+- [GnuPG doc/DETAILS File](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS)
+
+
+## Financial contributions
+
+We also welcome financial contributions in full transparency on our [open collective](https://opencollective.com/git-secret).
+Anyone can file an expense. If the expense makes sense for the development of the community, it will be "merged" in the ledger of our open collective by the core contributors and the person who filed the expense will be reimbursed.
+
+
+## Credits
+
+### Contributors
+
+Thank you to all the people who have already contributed
+to `git-secret` via commits to our git repository!
+
+[![List of contributors](https://opencollective.com/git-secret/contributors.svg?width=890&button=0)](https://github.com/sobolevn/git-secret/contributors)
+
+
+### Backers
+
+Thank you to all our backers! [[Become a backer](https://opencollective.com/git-secret#backer)]
+
+<object type="image/svg+xml" data="https://opencollective.com/git-secret/tiers/backer.svg?avatarHeight=36&width=600" style="max-width: 100%;"></object>
+
+
+### Sponsors
+
+Thank you to all our sponsors! (please ask your company to also support this open source project by [becoming a sponsor](https://opencollective.com/git-secret#sponsor))
+
+<object type="image/svg+xml" data="https://opencollective.com/git-secret/tiers/sponsor.svg?avatarHeight=36&width=600" style="max-width: 100%;"></object>

Gemfile

@@ -1,7 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'test-kitchen'
-gem 'serverspec'
-gem 'kitchen-ansible'
-gem 'kitchen-docker'
-gem 'kitchen-verifier-serverspec'

Makefile

@@ -1,14 +1,11 @@
-SHELL:=/usr/bin/env bash
+SHELL:=bash
 PREFIX?="/usr"
+DESTDIR?=
 
 #
 # Building:
 #
 
-git-secret: src/version.sh src/_utils/* src/commands/* src/main.sh
-	@cat $^ > "$@"; \
-	chmod +x git-secret; sync
-
 .PHONY: all
 all: build
 
@@ -17,152 +14,164 @@ clean:
 	@rm -f git-secret
 
 .PHONY: build
-build: git-secret
+build:
+	@cat src/version.sh > git-secret
+	@cat src/_utils/*.sh src/commands/*.sh >> git-secret
+	@cat src/main.sh >> git-secret
+	@chmod +x git-secret; sync
 
 .PHONY: install
 install:
-	@chmod +x "./utils/install.sh"; sync; \
-	"./utils/install.sh" "${PREFIX}"
+	"${SHELL}" ./utils/install.sh "${DESTDIR}${PREFIX}"
 
 .PHONY: uninstall
 uninstall:
-	@chmod +x "./utils/uninstall.sh"; sync; \
-	"./utils/uninstall.sh" "${PREFIX}"
+	"${SHELL}" ./utils/uninstall.sh "${DESTDIR}${PREFIX}"
 
 #
-# Testing:
+# Testing and linting:
 #
 
-.PHONY: install-test
-install-test:
-	@if [ ! -d "vendor/bats" ]; then \
-	git clone https://github.com/sstephenson/bats.git vendor/bats; fi
-
+# The $(shell echo $${PWD}) construct is to access *nix paths under windows
+# Under git for windows '$PATH' is set to windows paths, e.g. C:\Something
+# Using a sub-shell we get the raw *nix paths, e.g. /c/Something
 .PHONY: test
-test: install-test clean build
-	@chmod +x "./utils/tests.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	export PATH="${PWD}/vendor/bats/bin:${PWD}:${PATH}"; \
-	"./utils/tests.sh"
+test: clean build
+	export SECRETS_PROJECT_ROOT="$(shell echo $${PWD})"; \
+	export PATH="$(shell echo $${PWD})/vendor/bats-core/bin:$(shell echo $${PWD}):$(shell echo $${PATH})"; \
+	"${SHELL}" ./utils/tests.sh
+
+# We use this script in CI and you can do this too!
+# What happens here?
+# 1. We pass `SECRETS_DOCKER_ENV` variable into this job
+# 2. Based on it, we select a proper `docker` image to run test on
+# 3. We execute `make test` inside the `docker` container
+.PHONY: docker-ci
+docker-ci: clean
+	@[ -z "${SECRETS_DOCKER_ENV}" ] \
+		&& echo 'SECRETS_DOCKER_ENV is unset' && exit 1 || true
+	docker build \
+		-f ".ci/docker-ci/$${SECRETS_DOCKER_ENV}/Dockerfile" \
+		-t "gitsecret-$${SECRETS_DOCKER_ENV}:latest" .
+	docker run --rm \
+		--volume="$${PWD}:/code" \
+		-w /code \
+		"gitsecret-$${SECRETS_DOCKER_ENV}" \
+		make test
+
+.PHONY: lint-shell
+lint-shell:
+	docker pull koalaman/shellcheck:latest
+	docker run \
+		--volume="$${PWD}:/code" \
+		-w /code \
+		-e SHELLCHECK_OPTS='-s bash -S style -a' \
+		--rm koalaman/shellcheck \
+		$$(find src .ci utils tests docs -type f \
+			-name '*.sh' -o -name '*.bash' -o -name '*.bats')
+
+.PHONY: lint-docker
+lint-docker:
+	docker pull hadolint/hadolint:latest-alpine
+	docker run \
+		--volume="$${PWD}:/code" \
+		-w /code \
+		--rm hadolint/hadolint \
+		hadolint \
+			--ignore=DL3008 --ignore=DL3018 --ignore=DL3041 --ignore=DL3028 \
+			.ci/*/**/Dockerfile
+
+.PHONY: lint
+lint: lint-shell lint-docker
 
 #
-# Manuals:
+# Manuals and docs:
 #
 
-.PHONY: install-ronn
-install-ronn:
-	@if [ ! `gem list ronn -i` == "true" ]; then gem install ronn; fi
-
 .PHONY: clean-man
 clean-man:
-	@find "man/" -type f ! -name "*.ronn" -delete
+	@find "man/" -type f ! -name "*.md" -delete
 
 .PHONY: build-man
-build-man: install-ronn clean-man
-	@ronn --roff --organization="sobolevn" --manual="git-secret" man/*/*.ronn
+build-man: build
+	docker pull msoap/ruby-ronn
+	export GITSECRET_VERSION="$$(./git-secret --version)" && docker run \
+		--volume="$${PWD}:/code" \
+		-w /code \
+		--rm msoap/ruby-ronn \
+		ronn --roff \
+			--organization=sobolevn \
+			--manual="git-secret $${GITSECRET_VERSION}" \
+			man/*/*.md
 
-.PHONY: build-gh-pages
-build-gh-pages:
-	@chmod +x "./utils/gh-branch.sh"; sync; \
-	"./utils/gh-branch.sh"
+.PHONY: build-docs
+build-docs: build-man
+	 "${SHELL}" docs/build.sh
 
-#
-# Development:
-#
+.PHONY: docs
+docs: build-docs
+	docker pull jekyll/jekyll
+	docker run \
+		--volume="$${PWD}/docs:/code" \
+		-w /code \
+		-p 4000:4000 \
+		--rm jekyll/jekyll \
+		jekyll serve --safe --strict_front_matter
 
-.PHONY: install-hooks
-install-hooks:
-	@ln -fs "${PWD}/utils/hooks/pre-commit.sh" "${PWD}/.git/hooks/pre-commit"; \
-	chmod +x "${PWD}/.git/hooks/pre-commit"; sync; \
-	ln -fs "${PWD}/utils/hooks/post-commit.sh" "${PWD}/.git/hooks/post-commit"; \
-	chmod +x "${PWD}/.git/hooks/post-commit"; sync
-
-.PHONY: develop
-develop: clean build install-hooks
-
-.PHONY: lint
-lint:
-	@find src utils -type f -name '*.sh' -print0 | xargs -0 -I {} shellcheck {}
+.PHONY: changelog
+changelog:
+	@[ -z "${GITHUB_REPOSITORY}" ] \
+		&& echo 'GITHUB_REPOSITORY is unset' && exit 1 || true
+	@[ -z "${GITHUB_TOKEN}" ] \
+		&& echo 'GITHUB_TOKEN is unset' && exit 1 || true
+	docker pull githubchangeloggenerator/github-changelog-generator
+	docker run \
+		--volume="$${PWD}:/code" \
+		-w /code \
+		--entrypoint='' \
+		-e GITHUB_REPOSITORY \
+		-e GITHUB_TOKEN \
+		--rm githubchangeloggenerator/github-changelog-generator \
+		sh ".ci/github_release_script.sh"
 
 #
 # Packaging:
 #
 
-.PHONY: install-fpm
-install-fpm:
-	@if [ ! `gem list fpm -i` == "true" ]; then gem install fpm; fi
+.PHONY: build-release
+build-release: clean build-man
+	@[ -z "${SECRETS_RELEASE_TYPE}" ] \
+		&& echo 'SECRETS_RELEASE_TYPE is unset' && exit 1 || true
+	docker build \
+		-f ".ci/releaser/alpine/Dockerfile" \
+		-t "gitsecret-releaser:latest" .
+	docker run \
+		--volume="$${PWD}:/code" \
+		--rm gitsecret-releaser \
+		bash "./utils/$${SECRETS_RELEASE_TYPE}/build.sh"
 
-# .apk:
+.PHONY: release
+release: build-release
+	@[ -z "${SECRETS_ARTIFACTORY_CREDENTIALS}" ] \
+		&& echo 'SECRETS_ARTIFACTORY_CREDENTIALS is unset' && exit 1 || true
+	docker run \
+		--volume="$${PWD}:/code" \
+		-e SECRETS_ARTIFACTORY_CREDENTIALS \
+		-e SECRETS_DEPLOY_DRY_RUN \
+		--rm gitsecret-releaser \
+		bash "./utils/$${SECRETS_RELEASE_TYPE}/deploy.sh"
 
-.PHONY: build-apk
-build-apk: clean build install-fpm
-	@chmod +x "./utils/build-utils.sh"; sync; \
-	chmod +x "./utils/apk/apk-build.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	"./utils/apk/apk-build.sh"
-
-.PHONY: test-apk-ci
-test-apk-ci: install-test build-apk
-	@chmod +x "./utils/apk/apk-ci.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	export PATH="${PWD}/vendor/bats/bin:${PATH}"; \
-	"./utils/apk/apk-ci.sh"
-
-.PHONY: deploy-apk
-deploy-apk: build-apk
-	@chmod +x "./utils/apk/apk-deploy.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	"./utils/apk/apk-deploy.sh"
-
-# .deb:
-
-.PHONY: build-deb
-build-deb: clean build install-fpm
-	@chmod +x "./utils/build-utils.sh"; sync; \
-	chmod +x "./utils/deb/deb-build.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	"./utils/deb/deb-build.sh"
-
-.PHONY: test-deb-ci
-test-deb-ci: install-test build-deb
-	@chmod +x "./utils/deb/deb-ci.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	export PATH="${PWD}/vendor/bats/bin:${PATH}"; \
-	"./utils/deb/deb-ci.sh"
-
-.PHONY: deploy-deb
-deploy-deb: build-deb
-	@chmod +x "./utils/deb/deb-deploy.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	"./utils/deb/deb-deploy.sh"
-
-# .rpm:
-
-.PHONY: build-rpm
-build-rpm: clean build install-fpm
-	@chmod +x "./utils/build-utils.sh"; sync; \
-	chmod +x "./utils/rpm/rpm-build.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	"./utils/rpm/rpm-build.sh"
-
-.PHONY: test-rpm-ci
-test-rpm-ci: install-test build-rpm
-	@chmod +x "./utils/rpm/rpm-ci.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	export PATH="${PWD}/vendor/bats/bin:${PATH}"; \
-	"./utils/rpm/rpm-ci.sh"
-
-.PHONY: deploy-rpm
-deploy-rpm: build-rpm
-	@chmod +x "./utils/rpm/rpm-deploy.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	"./utils/rpm/rpm-deploy.sh"
-
-# make:
-
-.PHONY: test-make-ci
-test-make-ci: clean install-test
-	@chmod +x "./utils/make/make-ci.sh"; sync; \
-	export SECRET_PROJECT_ROOT="${PWD}"; \
-	export PATH="${PWD}/vendor/bats/bin:${PATH}"; \
-	"./utils/make/make-ci.sh"
+.PHONY: release-ci
+release-ci:
+	@[ -z "${SECRETS_RELEASE_ENV}" ] \
+		&& echo 'SECRETS_RELEASE_ENV is unset' && exit 1 || true
+	@[ -z "${SECRETS_RELEASE_TYPE}" ] \
+		&& echo 'SECRETS_RELEASE_TYPE is unset' && exit 1 || true
+	docker build \
+		-f ".ci/release-ci/$${SECRETS_RELEASE_ENV}/Dockerfile" \
+		-t "gitsecret-release-$${SECRETS_RELEASE_ENV}:latest" .
+	docker run --rm \
+		--volume="$${PWD}:/code" \
+		-w /code \
+		"gitsecret-release-$${SECRETS_RELEASE_ENV}" \
+		bash -c "set -e; bash "./utils/$${SECRETS_RELEASE_TYPE}/install.sh""

README.md

@@ -1,27 +1,40 @@
 # git-secret
 
-[![Build Status](https://img.shields.io/travis/sobolevn/git-secret/master.svg)](https://travis-ci.org/sobolevn/git-secret) [![Homebrew](https://img.shields.io/homebrew/v/git-secret.svg)](http://braumeister.org/formula/git-secret) [![Bintray deb](https://img.shields.io/bintray/v/sobolevn/deb/git-secret.svg)](https://bintray.com/sobolevn/deb/git-secret/view) [![Dockerhub](https://img.shields.io/docker/pulls/sobolevn/git-secret.svg)](https://hub.docker.com/r/sobolevn/git-secret/)
 
-[![git-secret](https://raw.githubusercontent.com/sobolevn/git-secret/gh-pages/images/git-secret-big.png)](http://git-secret.io/)
+[![test](https://github.com/sobolevn/git-secret/actions/workflows/test.yml/badge.svg?branch=master&event=push)](https://github.com/sobolevn/git-secret/actions/workflows/test.yml)
+[![release-ci](https://github.com/sobolevn/git-secret/actions/workflows/release-ci.yml/badge.svg)](https://github.com/sobolevn/git-secret/actions/workflows/release-ci.yml)
+[![Homebrew](https://img.shields.io/homebrew/v/git-secret.svg)](https://formulae.brew.sh/formula/git-secret)
+[![Supporters](https://img.shields.io/opencollective/all/git-secret.svg?color=gold&label=supporters)](https://opencollective.com/git-secret)
+
+[![git-secret](https://raw.githubusercontent.com/sobolevn/git-secret/gh-pages/images/git-secret-big.png)](https://git-secret.io/)
 
 
 ## What is `git-secret`?
 
-`git-secret` is a bash tool to store your private data inside a git repo. How’s that? Basically, it just encrypts, using `gpg`, the tracked files with the public keys of all the users that you trust. So everyone of them can decrypt these files using only their personal secret key. Why deal with all this private-public keys stuff? Well, to make it easier for everyone to manage access rights. There are no passwords that change. When someone is out - just delete their public key, re-encrypt the files, and they won’t be able to decrypt secrets anymore.
+`git-secret` is a bash tool which stores private data inside a git repo.
+`git-secret` encrypts files with permitted users' public keys,
+allowing users you trust to access encrypted data using pgp and their secret keys.
+
+With `git-secret`, changes to access rights are simplified, and private-public key issues are handled for you.
+
+When someone's permission is revoked, secrets do not need to be changed with `git-secret` -
+just remove their key from the repo's keyring using `git secret removeperson their@email.com`,
+re-encrypt the files, and they won't be able to decrypt secrets anymore.
+If you think the user might have copied the secrets or keys when they had access, then
+you should also change the secrets.
 
 
 ## Preview
 
-[![git-secret terminal preview](https://asciinema.org/a/41811.png)](https://asciinema.org/a/41811?autoplay=1)
+[![git-secret terminal preview](git-secret.gif)](https://asciinema.org/a/41811?autoplay=1)
 
 
 ## Installation
 
-`git-secret` supports `brew`, just type: `brew install git-secret`
+`git-secret` [supports `brew`](https://formulae.brew.sh/formula/git-secret), just type: `brew install git-secret`
 
 It also supports `apt` and `yum`. You can also use `make` if you want to.
-
-See the [installation section](http://git-secret.io/installation) for the details.
+See the [installation section](https://sobolevn.me/git-secret/installation) for the details.
 
 ### Requirements
 
@@ -31,12 +44,13 @@ See the [installation section](http://git-secret.io/installation) for the detail
 - `gawk` since `4.0.2`
 - `git` since `1.8.3.1`
 - `gpg` since `gnupg 1.4` to `gnupg 2.X`
-- `sha256sum` since `8.21`
+- `sha256sum` since `8.21` (on freebsd and MacOS `shasum` is used instead)
 
 
 ## Contributing
 
-Do you want to help the project? Find an [issue](https://github.com/sobolevn/git-secret/issues) and send a PR. It is more than welcomed! See [CONTRIBUTING.md](CONTRIBUTING.md) on how to do that.
+Do you want to help the project? Find an [issue](https://github.com/sobolevn/git-secret/issues)
+and send a PR. It is more than welcomed! See [CONTRIBUTING.md](CONTRIBUTING.md) on how to do that.
 
 ### Security
 
@@ -49,12 +63,54 @@ If your secret file holds more data than just a single password these
 precautions should not be necessary, but could be followed for greater
 security.
 
-If you found any security related issues, please do not enclose it in public. Send an email to `security@wemake.services`
+If you found any security related issues, please do not disclose it in public. Send an email to `mail@sobolevn.me`
 
 
 ## Changelog
 
-`git-secret` uses semver. See [CHANGELOG.md](CHANGELOG.md).
+`git-secret` uses [semver](https://semver.org/). See [CHANGELOG.md](CHANGELOG.md).
+
+
+## Packagers
+
+Thanks to all the people and groups who package `git-secret` for easier install on particular OSes and distributions!
+
+[![Packaging status](https://repology.org/badge/vertical-allrepos/git-secret.svg)](https://repology.org/project/git-secret/versions)
+
+Here are some packagings of `git-secret` that we're aware of:
+
+- https://formulae.brew.sh/formula/git-secret
+- https://packages.ubuntu.com/bionic/git-secret
+- https://src.fedoraproject.org/rpms/git-secret
+- https://aur.archlinux.org/packages/git-secret/
+- https://pkgs.alpinelinux.org/package/edge/testing/x86/git-secret
+- https://packages.debian.org/sid/git-secret
+- https://github.com/void-linux/void-packages/blob/master/srcpkgs/git-secret/template
+
+Such packages are considered 'downstream' because the git-secret code 'flows' from the `git-secret` [repository](https://git-secret.io/installation)
+to the various rpm/deb/dpkg/etc packages that are created for specific OSes and distributions.
+
+We have also added notes specifically for packagers in [CONTRIBUTING.md](CONTRIBUTING.md).
+
+
+## Sponsors
+
+Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [[Become a sponsor](https://opencollective.com/git-secret#sponsor)]
+
+[![Sponsors](https://opencollective.com/git-secret/tiers/sponsor.svg?width=890)](https://opencollective.com/git-secret)
+
+
+## Backers
+
+Thanks to all our backers!
+
+[![Backers](https://opencollective.com/git-secret/tiers/backer.svg?width=890&avatarHeight=36)](https://opencollective.com/git-secret)
+
+
+## Contributors
+
+This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)].
+<a href="https://github.com/sobolevn/git-secret/graphs/contributors"><img src="https://opencollective.com/git-secret/contributors.svg?width=890" /></a>
 
 
 ## License

RFC/RFC001.md

@@ -0,0 +1,142 @@
+# RFC 0001 - A stable and forwards compatible public key storage format
+
+**Feature Name:** Stable public key storage
+
+**Status:** Final
+
+**Type:** Enhancement
+
+**Related components:** Core
+
+**Start Date:** 2018-06-14
+
+**Author:** Simon Massey
+
+**GitHub issues:** 
+
+* #136 GnuPG2 2.2 vs 2.1 conflicts in keybox format
+
+## Summary
+
+A new internal public key storage format that avoids forwards compatibility issues between GPG releases. This proposal will keep forwards compatibility with older versions of git-secret. 
+
+## Motivation
+
+GPG maintains backwards compatibility but not forwards compatibility. Running a new GPG version can and will upgrade the keyring storage files in a way that is not recognized by older versions of GPG. This is not normally a problem for typical GPG usage. Users will upgrade and rarely downgrade. It is a problem for git-secret as the keyring storage is committed to git and shared between users. Someone using an older version of GPG can no longer open the upgraded keyring file. 
+
+## Approach
+
+git-secret will move away from using the keyring format as shared storage of public keys. Instead, it will store public keys as exported keys in ASCII armor format. The public key export format is stable and forwards compatible. GPG users will typically be running different GPG or PGP versions and are able to exchange keys successfully. Bugs that affect git-secret's ability to use exported public keys will likely affect typical GPG key exchange usage. Such bugs are likely to be caught and fixed by the wider open source community. 
+
+git-secret may need to store and process meta-data about keys to make it efficient to work with keys that are stored within individual files. It will use the machine-readable ["colon listings format"](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS) for this purpose. 
+
+It is anticipated that `bash` and `gawk` will be sufficient to work efficiently with the new file formats. 
+
+## Design
+
+The new storage format will be implemented as follows: 
+
+1. Keys will be stored in `~/.gitsecret/keys` in `gpg  --armor --export` format. The use of ASCII armor rather than binary format is to make debugging of key related issues easier. The filename of the key will be `<keyid>.pub.gpg` (using Field 5 the "64-bit keyid" of the colon listings format)
+1. Key meta data will be stored alongside the key file in the `gpg --keyid-format long --with-colons` format. The file name will be `<keyid>.pub.cln`
+1. A folder `~/.gitsecret/cache` will be added to `.gitignore`. At this location, a public keyring will be maintained on a per user bases and won't be shared between users. This is simply a "keyring cache" of the keys used to encrypt files. 
+
+git-secret-tell will: 
+
+1. Scan the set of `*.pub.cln` files to find all currently told identities. If the given identity is in the list do nothing. 
+1. If the given identity isn't listed run `gpg  --armor --export` against the users `$HOME` keyring to create the  `<key-id>.pub.gpg`. 
+1. Run `--keyid-format long --with-colons` of the exported key to create the `<key-id>.pub.cln`. 
+
+Note that the additional steps to ensure that older versions of git-secret know about the newly told identity will be outlined below. 
+
+git-secret-hide will: 
+
+1. Extract the list of "64-bit keyid"s who are told from the `*.pub.cln` files. Note that multiple identities can be listed against each key. 
+1. Checked this against the list of "64-bit keyid"s in the "keyring cache" at `~/.gitsecret/cache`. 
+1. Import any missing keys into the "keyring cache". It is anticipated that `gawk` will be sufficient to perform this calculation. 
+1. Run the current logic using the "keyring cache". 
+
+Note that the additional steps to ensure that older versions of git-secret know about the newly told user will be outlined below. 
+
+git-secret-whoknows will:
+
+1. The list of identities will be loaded by parsing the `.pub.cln` files. Note that multiple identities can be listed against each key. 
+
+git-secret-usage will:
+
+1. Document the git-secret-migrate command discussed in the next section. 
+
+git-secret-reveal will:
+
+* Be unchanged.  
+
+git-secret-remove will:
+
+* Be unchanged. 
+
+git-secret-list will:
+
+* Be unchanged. 
+
+git-secret-killperson will:
+
+1. Remove the key from the keyring cache.
+1. Delete both `<key-id>.pub.gpg` and `<key-id>.pub.cln` files.
+
+git-secret-init will:
+
+1. Add `~/.gitsecret/cache` into `.gitignore`.
+1. Run any current logic using the ignored "keyring cache".
+
+git-secret-clean will:
+
+* Be unchanged. 
+
+git-secret-changes will:
+
+1. Show differences the `<key-id>.pub.gpg` and `<key-id>.pub.cln` files in `~/.gitsecret/keys`.
+
+git-secret-add will:
+
+* Be unchanged. 
+
+A new command git-secret-migrate will:
+
+1. Create the folder `~/.gitsecret/cache` and add it to the `.gitignore` file. 
+1. Extract all keys from the old keyring generating `<key-id>.pub.gpg` and `<key-id>.pub.cln` files in `~/.gitsecret/keys`
+
+## Version Compatibility
+
+Backwards compatibility will the old keyring storage approach will be maintained as follows:
+
+1. For each changed command a guard will be added that checks for the existence of `.gitsecret/cache`.
+1. If the folder exists it proceeds as normal.
+1. If it does not exist it will report that the repo was initialized by an older version of git-secret and tell the user to run git-secret-migrate
+
+Forwards compatibility with older versions of git-secret will be maintained as follows. 
+
+git-secret-hide will:
+
+1. Have a guard that will check for the existence of the old keyring. If it exists it will check it for any new public keys and extract them into the new format prior to running. 
+
+git-secret-tell will:
+
+1. Will check for the existence of the old keyring. If it exists it will load the new public key into it. 
+
+git-secret-killperson
+
+1. Will check for the existence of the old keyring. If it exists it will delete the user from it. 
+
+
+## Drawbacks
+
+To maintain forward compatibility the approach requires the existing logic to kept working for a period of time. We can give a deprecated warning if the forwards compatibility logic is running. The warning can be suppressed using a command-line flag. 
+
+## Alternatives
+
+What other designs have been considered? Unknown. 
+
+What is the impact of not doing this? Team members are locked out of secrets when only one other team member upgrades GPG. This can go undetected until the victims needs the secrets in a hurry for production support. Bad things then happen. 
+
+## Unresolved questions
+
+What parts of the design are still to be done? None. 

docs/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+group :jekyll_plugins do
+  gem "jekyll", ">= 3.6.3"
+  gem "jekyll-seo-tag", "~> 2.8.0"
+end

docs/Gemfile.lock

@@ -0,0 +1,81 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
+    bigdecimal (3.1.8)
+    colorator (1.1.0)
+    concurrent-ruby (1.3.4)
+    em-websocket (0.5.3)
+      eventmachine (>= 0.12.9)
+      http_parser.rb (~> 0)
+    eventmachine (1.2.7)
+    ffi (1.17.0-x86_64-linux-gnu)
+    ffi (1.17.0-x86_64-linux-musl)
+    forwardable-extended (2.6.0)
+    google-protobuf (4.28.1-x86_64-linux)
+      bigdecimal
+      rake (>= 13)
+    http_parser.rb (0.8.0)
+    i18n (1.14.6)
+      concurrent-ruby (~> 1.0)
+    jekyll (4.3.4)
+      addressable (~> 2.4)
+      colorator (~> 1.0)
+      em-websocket (~> 0.5)
+      i18n (~> 1.0)
+      jekyll-sass-converter (>= 2.0, < 4.0)
+      jekyll-watch (~> 2.0)
+      kramdown (~> 2.3, >= 2.3.1)
+      kramdown-parser-gfm (~> 1.0)
+      liquid (~> 4.0)
+      mercenary (>= 0.3.6, < 0.5)
+      pathutil (~> 0.9)
+      rouge (>= 3.0, < 5.0)
+      safe_yaml (~> 1.0)
+      terminal-table (>= 1.8, < 4.0)
+      webrick (~> 1.7)
+    jekyll-sass-converter (3.0.0)
+      sass-embedded (~> 1.54)
+    jekyll-seo-tag (2.8.0)
+      jekyll (>= 3.8, < 5.0)
+    jekyll-watch (2.2.1)
+      listen (~> 3.0)
+    kramdown (2.4.0)
+      rexml
+    kramdown-parser-gfm (1.1.0)
+      kramdown (~> 2.0)
+    liquid (4.0.4)
+    listen (3.9.0)
+      rb-fsevent (~> 0.10, >= 0.10.3)
+      rb-inotify (~> 0.9, >= 0.9.10)
+    mercenary (0.4.0)
+    pathutil (0.16.2)
+      forwardable-extended (~> 2.6)
+    public_suffix (6.0.1)
+    rake (13.2.1)
+    rb-fsevent (0.11.2)
+    rb-inotify (0.11.1)
+      ffi (~> 1.0)
+    rexml (3.3.7)
+    rouge (4.4.0)
+    safe_yaml (1.0.5)
+    sass-embedded (1.78.0-x86_64-linux-gnu)
+      google-protobuf (~> 4.27)
+    sass-embedded (1.78.0-x86_64-linux-musl)
+      google-protobuf (~> 4.27)
+    terminal-table (3.0.2)
+      unicode-display_width (>= 1.1.1, < 3)
+    unicode-display_width (2.6.0)
+    webrick (1.8.1)
+
+PLATFORMS
+  x86_64-linux
+  x86_64-linux-musl
+
+DEPENDENCIES
+  jekyll (>= 3.6.3)
+  jekyll-seo-tag (~> 2.8.0)
+
+BUNDLED WITH
+   2.2.2

docs/_config.yml

@@ -0,0 +1,17 @@
+# Site settings
+title: git-secret
+email: mail@sobolevn.me
+description: Shell scripts to encrypt your private data inside a git repository.
+baseurl: "/git-secret" # the subpath of your site, e.g. /blog
+url: "https://sobolevn.me" # the base hostname & protocol for your site
+
+# GitHub links:
+github_username: sobolevn
+github_changelog: "https://github.com/sobolevn/git-secret/blob/master/CHANGELOG.md"
+
+# Seo settings:
+plugins:
+  - jekyll-seo-tag
+
+# Build settings
+markdown: kramdown

docs/_includes/favicons.html

@@ -0,0 +1,33 @@
+<link rel="apple-touch-icon" sizes="57x57"
+    href="/images/favicons/apple-icon-57x57.png">
+<link rel="apple-touch-icon" sizes="60x60"
+    href="/images/favicons/apple-icon-60x60.png">
+<link rel="apple-touch-icon" sizes="72x72"
+    href="/images/favicons/apple-icon-72x72.png">
+<link rel="apple-touch-icon" sizes="76x76"
+    href="/images/favicons/apple-icon-76x76.png">
+<link rel="apple-touch-icon" sizes="114x114"
+    href="/images/favicons/apple-icon-114x114.png">
+<link rel="apple-touch-icon" sizes="120x120"
+    href="/images/favicons/apple-icon-120x120.png">
+<link rel="apple-touch-icon" sizes="144x144"
+    href="/images/favicons/apple-icon-144x144.png">
+<link rel="apple-touch-icon" sizes="152x152"
+    href="/images/favicons/apple-icon-152x152.png">
+<link rel="apple-touch-icon" sizes="180x180"
+    href="/images/favicons/apple-icon-180x180.png">
+<link rel="icon" type="image/png" sizes="192x192"
+    href="/images/favicons/android-icon-192x192.png">
+<link rel="icon" type="image/png" sizes="32x32"
+    href="/images/favicons/favicon-32x32.png">
+<link rel="icon" type="image/png" sizes="96x96"
+    href="/images/favicons/favicon-96x96.png">
+<link rel="icon" type="image/png" sizes="16x16"
+    href="/images/favicons/favicon-16x16.png">
+
+<link rel="manifest" href="/images/favicons/manifest.json">
+
+<meta name="msapplication-TileColor" content="#ffffff">
+<meta name="msapplication-TileImage"
+    content="/images/favicons/ms-icon-144x144.png">
+<meta name="theme-color" content="#ffffff">

docs/_includes/footer.html

@@ -0,0 +1,38 @@
+<footer class="site-footer">
+
+  <div class="wrapper">
+
+    <h2 class="footer-heading">{{ site.title }}</h2>
+
+    <div class="footer-col-wrapper">
+      <div class="footer-col footer-col-1">
+        <ul class="contact-list">
+          <li><a href="http://wemake.services">wemake.services</a></li>
+          <li><a href="mailto:{{ site.email }}">{{ site.email }}</a></li>
+        </ul>
+      </div>
+
+      <div class="footer-col footer-col-2">
+        <ul class="social-media-list">
+          {% if site.github_username %}
+          <li>
+            {% include icon-github.html username=site.github_username %}
+          </li>
+          {% endif %}
+
+          {% if site.twitter_username %}
+          <li>
+            {% include icon-twitter.html username=site.twitter_username %}
+          </li>
+          {% endif %}
+        </ul>
+      </div>
+
+      <div class="footer-col footer-col-3">
+        <p>{{ site.description }}</p>
+      </div>
+    </div>
+
+  </div>
+
+</footer>

docs/_includes/head.html

@@ -0,0 +1,18 @@
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+
+  <title>{% if page.title %}{{ page.title }}{% else %}{{ site.title }}{% endif %}</title>
+  <meta name="description" content="{% if page.excerpt %}{{ page.excerpt | strip_html | strip_newlines | truncate: 160 }}{% else %}{{ site.description }}{% endif %}">
+
+  <link rel="stylesheet" href="{{ "/css/main.css" | prepend: site.baseurl }}">
+  <link rel="canonical"
+    href="{{ page.url | replace:'index.html','' | prepend: site.baseurl | prepend: site.url }}">
+  <link rel="alternate" type="application/rss+xml" title="{{ site.title }}"
+    href="{{ "/feed.xml" | prepend: site.baseurl | prepend: site.url }}">
+
+  {% include favicons.html %}
+
+  {% seo %}
+</head>

docs/_includes/header.html

@@ -0,0 +1,38 @@
+<header class="site-header">
+
+  <div class="wrapper">
+
+    <a class="site-title" href="{{ site.baseurl }}/">
+      {{ site.title }} v{% include version.txt %}
+    </a>
+
+    <div class="site-nav">
+      <a href="#" class="menu-icon">
+        <svg viewBox="0 0 18 15">
+          <path fill="#424242" d="M18,1.484c0,0.82-0.665,1.484-1.484,1.484H1.484C0.665,2.969,0,2.304,0,1.484l0,0C0,0.665,0.665,0,1.484,0 h15.031C17.335,0,18,0.665,18,1.484L18,1.484z"/>
+          <path fill="#424242" d="M18,7.516C18,8.335,17.335,9,16.516,9H1.484C0.665,9,0,8.335,0,7.516l0,0c0-0.82,0.665-1.484,1.484-1.484 h15.031C17.335,6.031,18,6.696,18,7.516L18,7.516z"/>
+          <path fill="#424242" d="M18,13.516C18,14.335,17.335,15,16.516,15H1.484C0.665,15,0,14.335,0,13.516l0,0 c0-0.82,0.665-1.484,1.484-1.484h15.031C17.335,12.031,18,12.696,18,13.516L18,13.516z"/>
+        </svg>
+      </a>
+
+      <div class="trigger">
+        <!-- Place this tag where you want the button to render. -->
+        <a class="github-button" href="https://github.com/sobolevn/git-secret" data-icon="octicon-star" data-size="large" data-show-count="true" aria-label="Star git-secret on GitHub">
+          Star
+        </a>
+      </div>
+    </div>
+
+  </div>
+
+  <nav class="site-navigation">
+    <a href="{{ "/installation" | prepend: site.baseurl }}">Installation</a>
+    <a href="{{ "/#commands" | prepend: site.baseurl }}">Commands</a>
+    <a href="{{ "/plugins" | prepend: site.baseurl }}">External plugins</a>
+    <a href="{{ site.github_changelog }}">Changelog</a>
+  </nav>
+
+</header>
+
+<!-- Required for GitHub buttons. -->
+<script async defer src="https://buttons.github.io/buttons.js"></script>

docs/_includes/icon-github.html

@@ -0,0 +1,4 @@
+<a href="https://github.com/{{ include.username }}">
+    <span class="icon icon--github">{% include icon-github.svg %}</span>
+    <span class="username">{{ include.username }}</span>
+</a>

docs/_includes/icon-github.svg

@@ -0,0 +1 @@
+<svg viewBox="0 0 16 16"><path fill="#828282" d="M7.999,0.431c-4.285,0-7.76,3.474-7.76,7.761 c0,3.428,2.223,6.337,5.307,7.363c0.388,0.071,0.53-0.168,0.53-0.374c0-0.184-0.007-0.672-0.01-1.32 c-2.159,0.469-2.614-1.04-2.614-1.04c-0.353-0.896-0.862-1.135-0.862-1.135c-0.705-0.481,0.053-0.472,0.053-0.472 c0.779,0.055,1.189,0.8,1.189,0.8c0.692,1.186,1.816,0.843,2.258,0.645c0.071-0.502,0.271-0.843,0.493-1.037 C4.86,11.425,3.049,10.76,3.049,7.786c0-0.847,0.302-1.54,0.799-2.082C3.768,5.507,3.501,4.718,3.924,3.65 c0,0,0.652-0.209,2.134,0.796C6.677,4.273,7.34,4.187,8,4.184c0.659,0.003,1.323,0.089,1.943,0.261 c1.482-1.004,2.132-0.796,2.132-0.796c0.423,1.068,0.157,1.857,0.077,2.054c0.497,0.542,0.798,1.235,0.798,2.082 c0,2.981-1.814,3.637-3.543,3.829c0.279,0.24,0.527,0.713,0.527,1.437c0,1.037-0.01,1.874-0.01,2.129 c0,0.208,0.14,0.449,0.534,0.373c3.081-1.028,5.302-3.935,5.302-7.362C15.76,3.906,12.285,0.431,7.999,0.431z"/></svg>

docs/_includes/icon-twitter.html

@@ -0,0 +1,4 @@
+<a href="https://twitter.com/{{ include.username }}">
+    <span class="icon icon--twitter">{% include icon-twitter.svg %}</span>
+    <span class="username">{{ include.username }}</span>
+</a>

docs/_includes/icon-twitter.svg

@@ -0,0 +1 @@
+<svg viewBox="0 0 16 16"><path fill="#828282" d="M15.969,3.058c-0.586,0.26-1.217,0.436-1.878,0.515c0.675-0.405,1.194-1.045,1.438-1.809c-0.632,0.375-1.332,0.647-2.076,0.793c-0.596-0.636-1.446-1.033-2.387-1.033c-1.806,0-3.27,1.464-3.27,3.27 c0,0.256,0.029,0.506,0.085,0.745C5.163,5.404,2.753,4.102,1.14,2.124C0.859,2.607,0.698,3.168,0.698,3.767 c0,1.134,0.577,2.135,1.455,2.722C1.616,6.472,1.112,6.325,0.671,6.08c0,0.014,0,0.027,0,0.041c0,1.584,1.127,2.906,2.623,3.206 C3.02,9.402,2.731,9.442,2.433,9.442c-0.211,0-0.416-0.021-0.615-0.059c0.416,1.299,1.624,2.245,3.055,2.271 c-1.119,0.877-2.529,1.4-4.061,1.4c-0.264,0-0.524-0.015-0.78-0.046c1.447,0.928,3.166,1.469,5.013,1.469 c6.015,0,9.304-4.983,9.304-9.304c0-0.142-0.003-0.283-0.009-0.423C14.976,4.29,15.531,3.714,15.969,3.058z"/></svg>

docs/_includes/why.md

@@ -0,0 +1,49 @@
+
+## Intro
+
+There's a well known issue with deploying and configuring software on servers: 
+generally you have to store your private data 
+(such as database passwords, application secret-keys, OAuth secret keys, etc) 
+outside of the git repository. 
+
+If you do choose to store these secrets unencrypted in your git repo, 
+even if the repository is private, it is a security risk to copy 
+the secrets everywhere you check out your repo.
+
+What are some drawbacks of storing secrets separately from your git repo?
+
+1. These files are not version controlled. 
+Filenames, locations, and passwords change from time to time,
+or new information appears, and other information is removed. 
+When secrets are stored separately from your repo,
+you can not tell for sure which version of the configuration file was used with each commit
+or deploy.
+
+2. When building the automated deployment system there will be one extra step: 
+download and place these secret-configuration files where they need to be. 
+This also means you have to maintain extra secure servers where all your secrets are stored.
+
+
+### How does `git-secret` solve these problems?
+
+1. `git-secret` encrypts files and stores them inside your `git` repository, providing a history of changes for every commit.
+2. `git-secret` doesn't require any extra deploy operations other than providing the appropriate
+private key (to allow decryption), and using `git secret reveal`
+to decrypt all the secret files.
+
+### What is `git-secret`?
+
+`git-secret` is a bash tool to store your private data inside a `git` repo. 
+
+How's that? Basically, it uses `gpg` to encrypt files with the 
+public keys of the users that you trust, and which you have specified with
+`git secret tell email@address.id`.
+Then these users can decrypt these files using their personal secret key. 
+
+Why deal with all this private/public key stuff? 
+To make it easier to manage access rights. 
+When you want to remove someone's access, use `git secret removeperson email@address.id`
+to delete their public key from your repo's git-secret keyring, and reencrypt the files. 
+Then they won't be able to decrypt secrets anymore.
+
+[![git-secret terminal preview](https://raw.githubusercontent.com/sobolevn/git-secret/master/git-secret.gif)](https://asciinema.org/a/41811?autoplay=1)

docs/_layouts/default.html

@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+
+  {% include head.html %}
+
+  <body>
+
+    {% include header.html %}
+
+    <div class="page-content">
+      <div class="wrapper">
+        {{ content }}
+      </div>
+    </div>
+
+    {% include footer.html %}
+
+    <!-- Place this tag in your head or just before your close body tag. -->
+    <script async defer src="https://buttons.github.io/buttons.js"></script>
+  </body>
+
+</html>

docs/_layouts/page.html

@@ -0,0 +1,14 @@
+---
+layout: default
+---
+<article class="post">
+
+  <header class="post-header">
+    <h1 class="post-title">{{ page.title }}</h1>
+  </header>
+
+  <div class="post-content">
+    {{ content }}
+  </div>
+
+</article>

docs/_layouts/post.html

@@ -0,0 +1,30 @@
+---
+layout: default
+---
+<article class="post" itemscope itemtype="http://schema.org/BlogPosting">
+
+  <header class="post-header">
+    <h1 class="post-title" itemprop="name headline">
+        {{ page.title }}
+    </h1>
+
+    <p class="post-meta">
+        <time datetime="{{ page.date | date_to_xmlschema }}" itemprop="datePublished">
+            {{ page.date | date: "%b %-d, %Y" }}
+        </time>
+
+        {% if page.author %}
+            • <span itemprop="author" itemscope itemtype="http://schema.org/Person">
+                <span itemprop="name">
+                    {{ page.author }}
+                </span>
+            </span>
+        {% endif %}
+    </p>
+  </header>
+
+  <div class="post-content" itemprop="articleBody">
+    {{ content }}
+  </div>
+
+</article>

docs/_sass/_base.scss

@@ -0,0 +1,206 @@
+/**
+ * Reset some basic elements
+ */
+body, h1, h2, h3, h4, h5, h6,
+p, blockquote, pre, hr,
+dl, dd, ol, ul, figure {
+    margin: 0;
+    padding: 0;
+}
+
+
+
+/**
+ * Basic styling
+ */
+body {
+    font: $base-font-weight #{$base-font-size}/#{$base-line-height} $base-font-family;
+    color: $text-color;
+    background-color: $background-color;
+    -webkit-text-size-adjust: 100%;
+    -webkit-font-feature-settings: "kern" 1;
+    -moz-font-feature-settings: "kern" 1;
+    -o-font-feature-settings: "kern" 1;
+    font-feature-settings: "kern" 1;
+    font-kerning: normal;
+}
+
+
+
+/**
+ * Set `margin-bottom` to maintain vertical rhythm
+ */
+h1, h2, h3, h4, h5, h6,
+p, blockquote, pre,
+ul, ol, dl, figure,
+%vertical-rhythm {
+    margin-bottom: $spacing-unit / 2;
+}
+
+
+
+/**
+ * Images
+ */
+img {
+    max-width: 100%;
+    vertical-align: middle;
+}
+
+
+
+/**
+ * Figures
+ */
+figure > img {
+    display: block;
+}
+
+figcaption {
+    font-size: $small-font-size;
+}
+
+
+
+/**
+ * Lists
+ */
+ul, ol {
+    margin-left: $spacing-unit;
+}
+
+li {
+    > ul,
+    > ol {
+         margin-bottom: 0;
+    }
+}
+
+
+
+/**
+ * Headings
+ */
+h1, h2, h3, h4, h5, h6 {
+    font-weight: $base-font-weight;
+}
+
+
+
+/**
+ * Links
+ */
+a {
+    color: $brand-color;
+    text-decoration: none;
+
+    &:visited {
+        color: darken($brand-color, 15%);
+    }
+
+    &:hover {
+        color: $text-color;
+        text-decoration: underline;
+    }
+}
+
+
+
+/**
+ * Blockquotes
+ */
+blockquote {
+    color: $purple-color;
+    border-left: 4px solid $purple-color-light;
+    padding-left: $spacing-unit / 2;
+    font-size: 18px;
+    letter-spacing: -1px;
+    font-style: italic;
+
+    > :last-child {
+        margin-bottom: 0;
+    }
+}
+
+
+
+/**
+ * Code formatting
+ */
+pre,
+code {
+    font-size: 15px;
+    border: 1px solid $purple-color-light;
+    border-radius: 3px;
+    background-color: #eef;
+}
+
+code {
+    padding: 1px 5px;
+}
+
+pre {
+    padding: 8px 12px;
+    overflow-x: auto;
+
+    > code {
+        border: 0;
+        padding-right: 0;
+        padding-left: 0;
+    }
+}
+
+
+
+/**
+ * Wrapper
+ */
+.wrapper {
+    max-width: -webkit-calc(#{$content-width} - (#{$spacing-unit} * 2));
+    max-width:         calc(#{$content-width} - (#{$spacing-unit} * 2));
+    margin-right: auto;
+    margin-left: auto;
+    padding-right: $spacing-unit;
+    padding-left: $spacing-unit;
+    @extend %clearfix;
+
+    @include media-query($on-laptop) {
+        max-width: -webkit-calc(#{$content-width} - (#{$spacing-unit}));
+        max-width:         calc(#{$content-width} - (#{$spacing-unit}));
+        padding-right: $spacing-unit / 2;
+        padding-left: $spacing-unit / 2;
+    }
+}
+
+
+
+/**
+ * Clearfix
+ */
+%clearfix {
+
+    &:after {
+        content: "";
+        display: table;
+        clear: both;
+    }
+}
+
+
+
+/**
+ * Icons
+ */
+.icon {
+
+    > svg {
+        display: inline-block;
+        width: 16px;
+        height: 16px;
+        vertical-align: middle;
+
+        path {
+            fill: $purple-color;
+        }
+    }
+}

docs/_sass/_layout.scss

@@ -0,0 +1,276 @@
+/**
+ * Site header
+ */
+.site-header {
+    border-top: 5px solid $purple-color-dark;
+    border-bottom: 1px solid $purple-color-light;
+    min-height: 56px;
+
+    // Positioning context for the mobile navigation icon
+    position: relative;
+}
+
+.site-title {
+    font-size: 26px;
+    font-weight: 300;
+    line-height: 56px;
+    letter-spacing: -1px;
+    margin-bottom: 0;
+    float: left;
+
+    &,
+    &:visited {
+        color: $purple-color-dark;
+    }
+}
+
+.site-nav {
+    @extend %clearfix;
+    float: right;
+    line-height: 56px;
+
+    .menu-icon {
+        display: none;
+    }
+
+    .page-link {
+        color: $text-color;
+        line-height: $base-line-height;
+
+        // Gaps between nav items, but not on the last one
+        &:not(:last-child) {
+            margin-right: 20px;
+        }
+    }
+
+    @include media-query($on-palm) {
+        position: absolute;
+        top: 9px;
+        right: $spacing-unit / 2;
+        background-color: $background-color;
+        border: 1px solid $purple-color-light;
+        border-radius: 5px;
+        text-align: right;
+
+        .menu-icon {
+            display: block;
+            float: right;
+            width: 36px;
+            height: 26px;
+            line-height: 0;
+            padding-top: 10px;
+            text-align: center;
+
+            > svg {
+                width: 18px;
+                height: 15px;
+
+                path {
+                    fill: $purple-color-dark;
+                }
+            }
+        }
+
+        .trigger {
+            clear: both;
+            display: none;
+        }
+
+        &:hover .trigger, &:active .trigger {
+            display: block;
+            padding-bottom: 5px;
+        }
+
+        .page-link {
+            display: block;
+            padding: 5px 10px;
+
+            &:not(:last-child) {
+                margin-right: 0;
+            }
+            margin-left: 20px;
+        }
+    }
+
+    .trigger {
+        padding-top: 13px;
+    }
+}
+
+
+
+/**
+ * Site footer
+ */
+.site-footer {
+    border-top: 1px solid $purple-color-light;
+    padding: $spacing-unit 0;
+}
+
+.footer-heading {
+    font-size: 18px;
+    margin-bottom: $spacing-unit / 2;
+}
+
+.contact-list,
+.social-media-list {
+    list-style: none;
+    margin-left: 0;
+}
+
+.footer-col-wrapper {
+    font-size: 15px;
+    color: $grey-color;
+    margin-left: -$spacing-unit / 2;
+    @extend %clearfix;
+}
+
+.footer-col {
+    float: left;
+    margin-bottom: $spacing-unit / 2;
+    padding-left: $spacing-unit / 2;
+}
+
+.footer-col-1 {
+    width: -webkit-calc(35% - (#{$spacing-unit} / 2));
+    width:         calc(35% - (#{$spacing-unit} / 2));
+}
+
+.footer-col-2 {
+    width: -webkit-calc(20% - (#{$spacing-unit} / 2));
+    width:         calc(20% - (#{$spacing-unit} / 2));
+}
+
+.footer-col-3 {
+    width: -webkit-calc(45% - (#{$spacing-unit} / 2));
+    width:         calc(45% - (#{$spacing-unit} / 2));
+}
+
+@include media-query($on-laptop) {
+    .footer-col-1,
+    .footer-col-2 {
+        width: -webkit-calc(50% - (#{$spacing-unit} / 2));
+        width:         calc(50% - (#{$spacing-unit} / 2));
+    }
+
+    .footer-col-3 {
+        width: -webkit-calc(100% - (#{$spacing-unit} / 2));
+        width:         calc(100% - (#{$spacing-unit} / 2));
+    }
+}
+
+@include media-query($on-palm) {
+    .footer-col {
+        float: none;
+        width: -webkit-calc(100% - (#{$spacing-unit} / 2));
+        width:         calc(100% - (#{$spacing-unit} / 2));
+    }
+}
+
+
+
+/**
+ * Page content
+ */
+.page-content {
+    padding: $spacing-unit 0;
+}
+
+.page-heading {
+    font-size: 20px;
+}
+
+.post-list {
+    li {
+        margin-bottom: 10px;
+    }
+}
+
+.post-meta {
+    font-size: $small-font-size;
+    color: $grey-color;
+}
+
+.post-link {
+    display: block;
+    font-size: 24px;
+}
+
+
+
+/**
+ * Posts
+ */
+.post-header {
+    margin-bottom: $spacing-unit;
+}
+
+.post-title {
+    font-size: 42px;
+    letter-spacing: -1px;
+    line-height: 1;
+
+    @include media-query($on-laptop) {
+        font-size: 36px;
+    }
+}
+
+.post-content {
+    margin-bottom: $spacing-unit;
+
+    h2 {
+        font-size: 32px;
+
+        @include media-query($on-laptop) {
+            font-size: 28px;
+        }
+    }
+
+    h3 {
+        font-size: 26px;
+
+        @include media-query($on-laptop) {
+            font-size: 22px;
+        }
+    }
+
+    h4 {
+        font-size: 20px;
+
+        @include media-query($on-laptop) {
+            font-size: 18px;
+        }
+    }
+}
+
+
+/**
+ * Navigation
+ */
+.site-navigation {
+    @extend .wrapper;
+
+    display: flex;
+    justify-content: space-between;
+    flex-wrap: wrap;
+
+    a {
+        color: $purple-color-dark;
+
+        @include media-query($on-laptop) {
+            flex-basis: 100%;
+            text-align: center;
+        }
+    }
+}
+
+
+/**
+ * Homepage
+ */
+ .home {
+    .home-logo-image {
+        margin-top: 50px;
+        margin-bottom: 70px;
+    }
+ }

docs/_sass/_syntax-highlighting.scss

@@ -0,0 +1,71 @@
+/**
+ * Syntax highlighting styles
+ */
+.highlight {
+    background: #fff;
+    @extend %vertical-rhythm;
+
+    .highlighter-rouge & {
+      background: #eef;
+    }
+
+    .c     { color: #998; font-style: italic } // Comment
+    .err   { color: #a61717; background-color: #e3d2d2 } // Error
+    .k     { font-weight: bold } // Keyword
+    .o     { font-weight: bold } // Operator
+    .cm    { color: #998; font-style: italic } // Comment.Multiline
+    .cp    { color: #999; font-weight: bold } // Comment.Preproc
+    .c1    { color: #998; font-style: italic } // Comment.Single
+    .cs    { color: #999; font-weight: bold; font-style: italic } // Comment.Special
+    .gd    { color: #000; background-color: #fdd } // Generic.Deleted
+    .gd .x { color: #000; background-color: #faa } // Generic.Deleted.Specific
+    .ge    { font-style: italic } // Generic.Emph
+    .gr    { color: #a00 } // Generic.Error
+    .gh    { color: #999 } // Generic.Heading
+    .gi    { color: #000; background-color: #dfd } // Generic.Inserted
+    .gi .x { color: #000; background-color: #afa } // Generic.Inserted.Specific
+    .go    { color: #888 } // Generic.Output
+    .gp    { color: #555 } // Generic.Prompt
+    .gs    { font-weight: bold } // Generic.Strong
+    .gu    { color: #aaa } // Generic.Subheading
+    .gt    { color: #a00 } // Generic.Traceback
+    .kc    { font-weight: bold } // Keyword.Constant
+    .kd    { font-weight: bold } // Keyword.Declaration
+    .kp    { font-weight: bold } // Keyword.Pseudo
+    .kr    { font-weight: bold } // Keyword.Reserved
+    .kt    { color: #458; font-weight: bold } // Keyword.Type
+    .m     { color: #099 } // Literal.Number
+    .s     { color: #d14 } // Literal.String
+    .na    { color: #008080 } // Name.Attribute
+    .nb    { color: #0086B3 } // Name.Builtin
+    .nc    { color: #458; font-weight: bold } // Name.Class
+    .no    { color: #008080 } // Name.Constant
+    .ni    { color: #800080 } // Name.Entity
+    .ne    { color: #900; font-weight: bold } // Name.Exception
+    .nf    { color: #900; font-weight: bold } // Name.Function
+    .nn    { color: #555 } // Name.Namespace
+    .nt    { color: #000080 } // Name.Tag
+    .nv    { color: #008080 } // Name.Variable
+    .ow    { font-weight: bold } // Operator.Word
+    .w     { color: #bbb } // Text.Whitespace
+    .mf    { color: #099 } // Literal.Number.Float
+    .mh    { color: #099 } // Literal.Number.Hex
+    .mi    { color: #099 } // Literal.Number.Integer
+    .mo    { color: #099 } // Literal.Number.Oct
+    .sb    { color: #d14 } // Literal.String.Backtick
+    .sc    { color: #d14 } // Literal.String.Char
+    .sd    { color: #d14 } // Literal.String.Doc
+    .s2    { color: #d14 } // Literal.String.Double
+    .se    { color: #d14 } // Literal.String.Escape
+    .sh    { color: #d14 } // Literal.String.Heredoc
+    .si    { color: #d14 } // Literal.String.Interpol
+    .sx    { color: #d14 } // Literal.String.Other
+    .sr    { color: #009926 } // Literal.String.Regex
+    .s1    { color: #d14 } // Literal.String.Single
+    .ss    { color: #990073 } // Literal.String.Symbol
+    .bp    { color: #999 } // Name.Builtin.Pseudo
+    .vc    { color: #008080 } // Name.Variable.Class
+    .vg    { color: #008080 } // Name.Variable.Global
+    .vi    { color: #008080 } // Name.Variable.Instance
+    .il    { color: #099 } // Literal.Number.Integer.Long
+}

docs/build.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+# Should be called from the root folder, not inside `docs/` folder
+# See `make build-docs`
+
+set -e
+
+MAN_LOCATION='man/man1'
+MAN7_LOCATION='man/man7'
+POSTS_LOCATION='docs/_posts'
+
+
+function checkout_manuals {
+  cp -r man/ docs/man
+}
+
+
+function copy_to_posts {
+  # Cleaning old files:
+  rm -f "$POSTS_LOCATION/*.md"
+  rm -rf "$POSTS_LOCATION"
+  mkdir -p "$POSTS_LOCATION"
+
+  # Moving new command files:
+  local timestamp
+  local current_date
+
+  timestamp=$(date "+%Y-%m-%d %H:%M:%S %z")
+  current_date=$(date "+%Y-%m-%d")
+
+  # Creating command reference:
+  for com in "$MAN_LOCATION"/git-secret-*.1.md; do
+    local short_name
+    short_name=$(echo "$com" | sed -n "s|$MAN_LOCATION/\(.*\)\.1\.md|\1|p")
+    local command_header="---
+layout: post
+title: '${short_name}'
+date: ${timestamp}
+permalink: ${short_name}
+categories: command
+---"
+
+    local post_filename="$POSTS_LOCATION/${current_date}-${short_name}.md"
+    echo "$command_header" > "$post_filename"
+    cat "$com" >> "$post_filename"
+  done
+
+  # Creating main usage file:
+  local usage_header="---
+layout: post
+title: 'git-secret'
+date: ${timestamp}
+permalink: git-secret
+categories: usage
+---"
+  local usage_filename="$POSTS_LOCATION/${current_date}-git-secret.md"
+  echo "$usage_header" > "$usage_filename"
+  cat "$MAN7_LOCATION/git-secret.7.md" >> "$usage_filename"
+}
+
+
+function copy_install_scripts {
+  # We test these scripts using `release-ci`,
+  # so, installation instructions will always be up-to-date:
+  cp utils/deb/install.sh docs/_includes/install-deb.sh
+  cp utils/rpm/install.sh docs/_includes/install-rpm.sh
+  cp utils/apk/install.sh docs/_includes/install-apk.sh
+}
+
+
+function copy_version {
+   ./git-secret --version > docs/_includes/version.txt
+}
+
+
+checkout_manuals
+copy_to_posts
+copy_install_scripts
+copy_version

docs/css/main.scss

@@ -0,0 +1,58 @@
+---
+# Only the main Sass file needs front matter (the dashes are enough)
+---
+@charset "utf-8";
+
+
+
+// Our variables
+$base-font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+$base-font-size:   16px;
+$base-font-weight: 400;
+$small-font-size:  $base-font-size * 0.875;
+$base-line-height: 1.5;
+
+$spacing-unit:     30px;
+
+$text-color:       #111;
+$background-color: #fdfdfd;
+
+$grey-color:       #828282;
+$grey-color-light: lighten($grey-color, 40%);
+$grey-color-dark:  darken($grey-color, 25%);
+
+$purple-color:       rgb(238, 81, 59);
+$purple-color-light: lighten($purple-color, 40%);
+$purple-color-dark:  darken($purple-color, 25%);
+
+$brand-color:      $purple-color;
+
+// Width of the content area
+$content-width:    800px;
+
+$on-palm:          600px;
+$on-laptop:        800px;
+
+
+
+// Use media queries like this:
+// @include media-query($on-palm) {
+//     .wrapper {
+//         padding-right: $spacing-unit / 2;
+//         padding-left: $spacing-unit / 2;
+//     }
+// }
+@mixin media-query($device) {
+    @media screen and (max-width: $device) {
+        @content;
+    }
+}
+
+
+
+// Import partials from `sass_dir` (defaults to `_sass`)
+@import
+        "base",
+        "layout",
+        "syntax-highlighting"
+;

docs/feed.xml

@@ -0,0 +1,30 @@
+---
+layout: null
+---
+<?xml version="1.0" encoding="UTF-8"?>
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+  <channel>
+    <title>{{ site.title | xml_escape }}</title>
+    <description>{{ site.description | xml_escape }}</description>
+    <link>{{ site.url }}{{ site.baseurl }}/</link>
+    <atom:link href="{{ "/feed.xml" | prepend: site.baseurl | prepend: site.url }}" rel="self" type="application/rss+xml"/>
+    <pubDate>{{ site.time | date_to_rfc822 }}</pubDate>
+    <lastBuildDate>{{ site.time | date_to_rfc822 }}</lastBuildDate>
+    <generator>Jekyll v{{ jekyll.version }}</generator>
+    {% for post in site.posts limit:10 %}
+      <item>
+        <title>{{ post.title | xml_escape }}</title>
+        <description>{{ post.content | xml_escape }}</description>
+        <pubDate>{{ post.date | date_to_rfc822 }}</pubDate>
+        <link>{{ post.url | prepend: site.baseurl | prepend: site.url }}</link>
+        <guid isPermaLink="true">{{ post.url | prepend: site.baseurl | prepend: site.url }}</guid>
+        {% for tag in post.tags %}
+        <category>{{ tag | xml_escape }}</category>
+        {% endfor %}
+        {% for cat in post.categories %}
+        <category>{{ cat | xml_escape }}</category>
+        {% endfor %}
+      </item>
+    {% endfor %}
+  </channel>
+</rss>