Use the golangci/golangci-lint image directly as a lint stage that runs
fmt-check and lint, rather than copying the binary into the builder stage.
BuildKit runs lint and test stages in parallel, so formatting and lint
failures surface much faster.
The COPY --from=lint dependency ensures BuildKit always executes the lint
stage (without it, unused stages are silently skipped).
Also add lint to the Makefile check target prereqs to match REPO_POLICIES
(check: test lint fmt-check).
- Add --sign-key flag and MFER_SIGN_KEY env var to gen and freshen commands
- Sign inner message multihash with GPG detached signature
- Include signer fingerprint and public key in outer wrapper
- Add comprehensive tests with temporary GPG keyring
- Increase test timeout to 10s for GPG key generation
Changed the default behavior to exclude dotfiles (files/dirs starting with .)
which is the more common use case. Added --include-dotfiles flag for when
hidden files need to be included in the manifest.
