From d4b9d37eced09bdab3861a0d0fb64490d13969db Mon Sep 17 00:00:00 2001
From: user <user@Mac.lan guest wan>
Date: Fri, 20 Feb 2026 02:53:14 -0800
Subject: [PATCH 1/4] add make check target

---
 Makefile | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Makefile b/Makefile
index 223ce8d..2315f89 100644
--- a/Makefile
+++ b/Makefile
@@ -67,3 +67,12 @@ local:
 
 install: vaultik
 	cp ./vaultik $(HOME)/bin/
+
+# Run all checks (formatting, linting, tests) without modifying files
+check:
+	@echo "==> Checking formatting..."
+	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
+	@echo "==> Running linter..."
+	golangci-lint run ./...
+	@echo "==> Running tests..."
+	go test -race -timeout 30s ./...
-- 
2.45.2


From c65170b8df5706b96d303e639526f621fc2ea9fb Mon Sep 17 00:00:00 2001
From: user <user@Mac.lan guest wan>
Date: Fri, 20 Feb 2026 02:53:14 -0800
Subject: [PATCH 2/4] add CI workflow for make check

---
 .gitea/workflows/check.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .gitea/workflows/check.yml

diff --git a/.gitea/workflows/check.yml b/.gitea/workflows/check.yml
new file mode 100644
index 0000000..54f81c3
--- /dev/null
+++ b/.gitea/workflows/check.yml
@@ -0,0 +1,18 @@
+name: check
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Install golangci-lint
+        run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+      - name: Run checks
+        run: make check
-- 
2.45.2


From 28371476bc5e960e42d030774a82b0483e6dd360 Mon Sep 17 00:00:00 2001
From: user <user@Mac.lan guest wan>
Date: Fri, 20 Feb 2026 02:58:35 -0800
Subject: [PATCH 3/4] security: pin CI actions to commit SHAs

---
 .gitea/workflows/check.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/check.yml b/.gitea/workflows/check.yml
index 54f81c3..77089f2 100644
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@@ -8,8 +8,8 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version-file: go.mod
       - name: Install golangci-lint
-- 
2.45.2


From 4a7efbae46e3568c7ea51a8a50ac16eb9758bc9b Mon Sep 17 00:00:00 2001
From: clawbot <sneak+clawbot@sneak.cloud>
Date: Fri, 20 Feb 2026 03:10:52 -0800
Subject: [PATCH 4/4] security: pin all go install refs to commit SHAs

---
 .gitea/workflows/check.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitea/workflows/check.yml b/.gitea/workflows/check.yml
index 77089f2..3fc7536 100644
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@@ -13,6 +13,6 @@ jobs:
         with:
           go-version-file: go.mod
       - name: Install golangci-lint
-        run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee # v2.10.1
       - name: Run checks
         run: make check
-- 
2.45.2