AlphaOne1 · AlphaOne1 · Apr 3, 2026 · Apr 2, 2026 · Apr 3, 2026 · Apr 3, 2026
@@ -4,16 +4,16 @@
 name: "CodeQL"
 
 on:
-  push:
-    branches:
-      - master
-  pull_request:
-    branches:
-      - master
-  schedule:
-    - cron: '28 4 * * 2'
+    push:
+        branches:
+          - master
+    pull_request:
+        branches:
+          - master
+    schedule:
+      - cron: '28 4 * * 2'
 
-# Declare default permissions as read only.
+# Declare default permissions as read-only.
 permissions: read-all
 
 jobs:
@@ -62,7 +62,7 @@ jobs:
 
           # Initializes the CodeQL tools for scanning.
           - name: Initialize CodeQL
-            uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+            uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
             with:
                 languages: ${{ matrix.language }}
                 build-mode: ${{ matrix.build-mode }}
@@ -90,6 +90,6 @@ jobs:
                 exit 1
 
           - name: Perform CodeQL Analysis
-            uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+            uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
             with:
                 category: "/language:${{matrix.language}}"
@@ -57,13 +57,13 @@ jobs:
 
           - name: Determine pushed commits
             id: range
+            env:
+                # Use GitHub-provided SHAs to build the range for this push
+                BEFORE: ${{ github.event.before }}
+                AFTER: ${{ github.sha }}
             run: |
                 set -euo pipefail
 
-                # Use GitHub-provided SHAs to build the range for this push
-                BEFORE="${{ github.event.before }}"
-                AFTER="${{ github.sha }}"
-
                 if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]
                 then
                     # New branch or force push without previous SHA
@@ -73,6 +73,9 @@ jobs:
                 fi
 
           - name: Check for Signed-off-by
+            env:
+                GH_ACTOR: ${{ github.actor }}
+                GH_NAME: ${{ github.event.pusher.name }}
             run: |
                 set -euo pipefail
                 missing=""
@@ -101,8 +104,8 @@ jobs:
 
                         echo "Committer name:           $committer_name"
                         echo "Committer email:          $committer_email"
-                        echo "github.actor:             ${{ github.actor }}"
-                        echo "github.event.pusher.name: ${{ github.event.pusher.name }}"
+                        echo "github.actor:             $GH_ACTOR"
+                        echo "github.event.pusher.name: $GH_NAME"
                     fi
                 done < shas.txt
 
@@ -145,6 +148,9 @@ jobs:
                     | jq -r '.[].sha' > shas.txt
 
           - name: Check for Signed-off-by
+            env:
+                GH_ACTOR: ${{ github.actor }}
+                GH_NAME: ${{ github.event.pull_request.user.login}}
             run: |
                 set -euo pipefail
                 missing=""
@@ -171,10 +177,10 @@ jobs:
                         echo "Commit $sha missing Signed-off-by"
                         missing="true"
 
-                        echo "Committer name:           $committer_name"
-                        echo "Committer email:          $committer_email"
-                        echo "github.actor:             ${{ github.actor }}"
-                        echo "github.event.pusher.name: ${{ github.event.pusher.name }}"
+                        echo "Committer name:                       $committer_name"
+                        echo "Committer email:                      $committer_email"
+                        echo "github.actor:                         $GH_ACTOR"
+                        echo "github.event.pull_request.user.login: $GH_NAME"
                     fi
                 done < shas.txt
 

@@ -33,23 +33,26 @@ jobs:
 
           - name: Generate source archive
             shell: bash
+            env:
+                TAG_NAME: ${{ github.event.release.tag_name }}
             run: |
                 set -euo pipefail
 
-                TAG=`echo "${{ github.event.release.tag_name }}" | sed 's/\//-/g'`
+                TAG=`echo "$TAG_NAME" | sed 's/\//-/g'`
                 git archive \
                     --format=tar.gz \
                     --prefix="midgard-src-${TAG}/" \
                     --output="midgard-src-${TAG}.tar.gz" \
-                    "${{ github.event.release.tag_name }}"
+                    "$TAG_NAME"
 
           - name: Upload Release (via GitHub CLI)
             env:
                 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                TAG_NAME: ${{ github.event.release.tag_name }}
             shell: bash
             run: |
                 set -euo pipefail
-                gh release upload "${{ github.event.release.tag_name }}" midgard-src-*.tar.gz --clobber
+                gh release upload "$TAG_NAME" midgard-src-*.tar.gz --clobber
 
     ChecksumReleaseAssets:
         needs: Build
@@ -71,13 +74,14 @@ jobs:
           - name: Download all release assets via GitHub CLI
             env:
                 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                TAG_NAME: ${{ github.event.release.tag_name }}
             run: |
                 set -euo pipefail
 
                 mkdir -p release-assets
                 cd release-assets
                 # gets all assets of the release
-                gh release download "${{ github.event.release.tag_name }}" --clobber
+                gh release download "$TAG_NAME" --clobber
                 echo "Downloaded assets:"
                 ls -lah
 

@@ -5,23 +5,23 @@ name: Scorecard supply-chain security
 on:
     # For Branch-Protection check. Only the default branch is supported. See
     # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
-    branch_protection_rule:
-    # To guarantee Maintained check is occasionally updated. See
+    branch_protection_rule: {}
+    # To guarantee Maintained-check is occasionally updated. See
     # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
     schedule:
       - cron: '36 3 * * 2'
     push:
         branches: [ "master" ]
 
-# Declare default permissions as read only.
+# Declare default permissions as read-only.
 permissions: read-all
 
 jobs:
     analysis:
         name: Scorecard analysis
         runs-on: ubuntu-latest
         permissions:
-            # Needed to upload the results to code-scanning dashboard.
+            # Needed to upload the results to the code-scanning dashboard.
             security-events: write
             # Needed to publish results and get a badge (see publish_results below).
             id-token: write
@@ -72,6 +72,6 @@ jobs:
           # Upload the results to GitHub's code scanning dashboard (optional).
           # Commenting out will disable upload of results to your repo's Code Scanning dashboard
           - name: "Upload to code-scanning"
-            uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+            uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
             with:
                 sarif_file: results.sarif
@@ -38,7 +38,7 @@ jobs:
                 args: --timeout=5m --output.sarif.path=golangci-lint-results.sarif --output.text.path=stdout
 
           - name: Upload golangci-lint results to GitHub Security tab
-            uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+            uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
             with:
                 sarif_file: golangci-lint-results.sarif
 
@@ -66,7 +66,7 @@ jobs:
                 severity: 'CRITICAL,HIGH'
 
           - name: Upload Trivy scan results to GitHub Security tab
-            uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+            uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
             with:
                 sarif_file: 'trivy-results.sarif'
 
@@ -106,6 +106,6 @@ jobs:
 
           - name: Upload govulncheck results to Security tab
             if: ${{ steps.printSarif.outputs.hasResults == 'true' }}
-            uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+            uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
             with:
                 sarif_file: govulncheck-results.sarif
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -133,3 +133,28 @@ flag as follows:
 ```shell
 git config --global alias.ci 'commit -s'
 ```
+
+Trust & Compliance
+------------------
+
+<!-- not yet
+*midgard* is built with security in mind. For a detailed justification of its
+security design and threat model, please refer to the
+[Security Assurance Case](SECURITY_ASSURANCE.md).
+-->
+
+### Dependency Management
+
+Especially when deciding to include new library dependencies, it is suggested to
+first check if the desired functionality is already available in the standard
+library or to be implemented with minimal effort. So far, the only selected
+dependencies are the [htpasswd parser](https://github.com/tg123/go-htpasswd) and
+the [Google UUID](https://github.com/google/uuid) library.
+
+Dependencies are also checked by the linter and must be registered there.
+Dependency updates are generally tracked by dependabot.
+
+Concerning the validity of obtained artifacts, *midgard* relies on the
+well-established Go module management. It downloads the exact version from
+`go.mod` via [git](https://git-scm.org) from the original sources and validates
+the check sums stored in the `go.sum` file.
diff --git a/GOVERNANCE.md b/GOVERNANCE.md
@@ -58,3 +58,15 @@ stated.
 The BDFL may alternatively decide to move to a Steering Committee governance
 model, in which case this document must be replaced with a new description of
 roles and responsibilities.
+
+
+Access to Sensitive Resources
+-----------------------------
+
+The following project members have access to sensitive resources (GitHub
+Secrets, Repository Settings, Release Keys):
+
+* Alexander Adam (@AlphaOne1) - BDFL / Primary Maintainer
+
+Currently, no other contributors have administrative access to the
+build infrastructure or cryptographic keys.
diff --git a/README.md b/README.md
@@ -5,6 +5,18 @@
 <!-- markdownlint-disable MD013 MD033 MD041 -->
 <p align="center">
     <img src="midgard_logo.svg" width="25%" alt="Logo"><br>
+    <a href="https://github.com/AlphaOne1/midgard/blob/HEAD/go.mod"
+       rel="external noopener noreferrer"
+       target="_blank">
+        <img src="https://img.shields.io/github/go-mod/go-version/AlphaOne1/midgard"
+             alt="Go Version">
+    </a>
+    <a href="https://github.com/AlphaOne1/midgard/releases"
+       rel="external noopener noreferrer"
+       target="_blank">
+        <img src="https://img.shields.io/github/v/release/AlphaOne1/midgard"
+             alt="Latest Release">
+    </a>
     <a href="https://github.com/AlphaOne1/midgard/actions/workflows/test.yml"
        rel="external noopener noreferrer"
        target="_blank">
@@ -86,6 +98,29 @@ midgard
 *midgard* is a collection of Golang http middlewares and helper functionality
 to use them more elegantly.
 
+
+Installation
+------------
+
+To install *midgard*, you can use the following command:
+
+```bash
+$ go get github.com/AlphaOne1/midgard
+```
+
+Builds are secured with SLSA Level 3 provenance via slsa-framework/slsa-github-generator.
+The downloaded source archive together with the provenance file `multiple.intoto.jsonl`
+can be verified using the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier/)
+(replace the `<VERSION>` with the one you actually downloaded):
+
+```bash
+$ slsa-verifier verify-artifact midgard-src-v<VERSION>.tar.gz \
+    --provenance-path multiple.intoto.jsonl                   \
+    --source-uri github.com/AlphaOne1/midgard                 \
+    --source-tag v<VERSION>
+```
+
+
 Usage
 -----