wellmaintained · mrdavidlaing · Feb 2, 2026 · Feb 2, 2026 · Feb 2, 2026 · Feb 2, 2026
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -0,0 +1,38 @@
+{
+  "name": "Compliance Infrastructure - Nix Devcontainer",
+  "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
+  "features": {
+    "ghcr.io/devcontainers/features/nix:1": {
+      "version": "latest",
+      "multiUser": true,
+      "extraNixConfig": "experimental-features = nix-command flakes"
+    }
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "jnoortheen.nix-ide",
+        "mkhl.direnv",
+        "arrterian.nix-env-selector"
+      ],
+      "settings": {
+        "nix.enableLanguageServer": true,
+        "nix.serverPath": "nixd",
+        "nix.formatterPath": "nixpkgs-fmt",
+        "terminal.integrated.defaultProfile.linux": "bash"
+      }
+    }
+  },
+  "postCreateCommand": "nix --version && nix develop --command bash -c 'echo \"Nix development environment ready!\" && which go && which git && which gh'",
+  "postStartCommand": "nix flake check || echo 'Flake check completed'",
+  "remoteUser": "vscode",
+  "mounts": [
+    "source=${localEnv:HOME}/.ssh,target=/home/vscode/.ssh,type=bind,consistency=cached",
+    "source=devcontainer-nix-store,target=/nix,type=volume",
+    "source=devcontainer-nix-cache,target=/home/vscode/.cache/nix,type=volume"
+  ],
+  "runArgs": [
+    "--env",
+    "GIT_EDITOR=code --wait"
+  ]
+}
diff --git a/.github/ISSUE_TEMPLATE/security.md b/.github/ISSUE_TEMPLATE/security.md
@@ -0,0 +1,59 @@
+---
+name: Security Report
+about: Report a security vulnerability or concern
+title: '[SECURITY] '
+labels: ['security', 'triage']
+assignees: []
+---
+
+## Security Report
+
+⚠️ **IMPORTANT**: For critical vulnerabilities that could lead to system compromise, please email security@wellmaintained.dev instead of using this template.
+
+## Type of Issue
+
+- [ ] Vulnerability in curated packages
+- [ ] Vulnerability in build process
+- [ ] Vulnerability in infrastructure
+- [ ] Suspicious activity
+- [ ] Other security concern
+
+## Description
+
+<!-- Provide a clear description of the security issue -->
+
+## Affected Components
+
+<!-- Which packages, systems, or processes are affected? -->
+
+- Package(s): 
+- Version(s): 
+- System/Process: 
+
+## Steps to Reproduce (if applicable)
+
+1. 
+2. 
+3. 
+
+## Potential Impact
+
+<!-- Describe the potential security impact -->
+
+## Suggested Fix (optional)
+
+<!-- If you have suggestions for how to fix this issue -->
+
+## Additional Context
+
+<!-- Add any other context, screenshots, or references -->
+
+## Checklist
+
+- [ ] I have checked that this issue is not already reported
+- [ ] I have provided sufficient detail for triage
+- [ ] For critical issues, I will also send an email to security@wellmaintained.dev
+
+---
+
+**Note**: This repository uses automated CVE triage. For vulnerabilities in dependencies, the system will automatically create issues when Dependabot alerts are triggered.
diff --git a/.github/cachix-setup.md b/.github/cachix-setup.md
@@ -0,0 +1,126 @@
+# Cachix Binary Cache Setup
+
+This document describes how to set up and configure the Cachix binary cache for this project.
+
+## Prerequisites
+
+- A Cachix account (sign up at https://cachix.org)
+- Access to the `wellmaintained-nixpkgs` cache (request from maintainers)
+
+## Setup Steps
+
+### 1. Create or Access the Cache
+
+**If creating a new cache:**
+```bash
+# Install cachix CLI
+nix profile install nixpkgs#cachix
+
+# Create cache (requires Cachix account)
+cachix cache create wellmaintained-nixpkgs
+
+# Generate signing key
+cachix signing-key-gen wellmaintained-nixpkgs
+```
+
+**If using existing cache:**
+Request access from the maintainers and they will provide the signing key.
+
+### 2. Configure GitHub Secrets
+
+Add the following secrets to your GitHub repository:
+
+| Secret Name | Value | Description |
+|------------|-------|-------------|
+| `CACHIX_SIGNING_KEY` | Private signing key | Required for pushing to cache |
+| `CACHIX_AUTH_TOKEN` | Cachix API token | Alternative auth method |
+| `CACHIX_PUBLIC_KEY` | Public key (optional) | For documentation purposes |
+
+**To get the signing key:**
+```bash
+# View signing key (run this on a secure machine)
+cachix signing-key-info wellmaintained-nixpkgs
+```
+
+**To create API token:**
+1. Go to https://app.cachix.org/tokens
+2. Create a new token with "push" permission
+3. Add to GitHub Secrets as `CACHIX_AUTH_TOKEN`
+
+### 3. Verify Configuration
+
+```bash
+# Test cache access
+cachix use wellmaintained-nixpkgs
+
+# Verify signing key is configured
+nix store sign --key-file ~/.config/cachix/signing-key.sec --help > /dev/null && echo "Signing key configured"
+
+# Test pushing a small derivation
+echo "test" | cachix push wellmaintained-nixpkgs
+```
+
+## Consumer Configuration
+
+### Using the Cache
+
+Add to your `nix.conf` or `~/.config/nix/nix.conf`:
+
+```ini
+substituters = https://wellmaintained-nixpkgs.cachix.org
+trusted-public-keys = wellmaintained-nixpkgs-1:AbCdEfGhIjKlMnOpQrStUvWxYz1234567890AbCdEfGhIjKlMnOpQrStUvWxYz1234567890=
+```
+
+### Verifying Cache Access
+
+```bash
+# Check cache info
+curl -s https://wellmaintained-nixpkgs.cachix.org/nix-cache-info
+
+# Test building with cache
+nix build .#go --option substituters https://wellmaintained-nixpkgs.cachix.org
+```
+
+## Troubleshooting
+
+### "Cache not found" Error
+
+Ensure the cache name is correct: `wellmaintained-nixpkgs`
+
+### "Unauthorized" Error
+
+1. Verify `CACHIX_SIGNING_KEY` is correctly set in GitHub Secrets
+2. Check the key hasn't expired
+3. Ensure the cache has push permissions for your account
+
+### Slow Downloads
+
+The cache may be warming up. First-time builds will be slower as binaries are uploaded.
+
+## Security Considerations
+
+- **Never commit the signing key to the repository**
+- Use GitHub Secrets for all credentials
+- Rotate signing keys periodically
+- Monitor cache access logs in Cachix dashboard
+
+## Maintenance
+
+### Rotating Signing Key
+
+```bash
+# Generate new key
+cachix signing-key-gen wellmaintained-nixpkgs
+
+# Update GitHub Secret with new key
+gh secret set CACHIX_SIGNING_KEY --body="$(cat new-signing-key.sec)"
+
+# Push existing cache with new key
+cachix sign --signing-key new-signing-key.sec wellmaintained-nixpkgs
+```
+
+### Monitoring Cache Usage
+
+1. Go to https://app.cachix.org/cache/wellmaintained-nixpkgs
+2. Monitor storage usage and download statistics
+3. Set up alerts for storage limits
diff --git a/.github/workflows/cache.yml b/.github/workflows/cache.yml
@@ -0,0 +1,111 @@
+name: Binary Cache
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      packages:
+        description: 'Packages to push (comma-separated, default: all)'
+        required: false
+        default: ''
+        type: string
+
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  CACHIX_NAME: wellmaintained-nixpkgs
+
+jobs:
+  push-to-cache:
+    name: Push builds to Cachix
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v13
+        with:
+          extra-conf: |
+            experimental-features = nix-command flakes
+            accept-flake-config = true
+
+      - name: Install Cachix
+        uses: cachix/cachix-action@v15
+        with:
+          name: ${{ env.CACHIX_NAME }}
+          signing-key: ${{ secrets.CACHIX_SIGNING_KEY }}
+          auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          replace-local: true
+
+      - name: Build and push packages
+        run: |
+          set -euo pipefail
+
+          # Determine which packages to build
+          if [[ -n "${{ github.event.inputs.packages }}" ]]; then
+            IFS=',' read -ra PACKAGES <<< "${{ github.event.inputs.packages }}"
+          else
+            PACKAGES=(go opencode git gh jq ripgrep grep findutils gawk gnused)
+          fi
+
+          echo "Building and pushing packages: ${PACKAGES[*]}"
+
+          # Build each package and push to cache
+          for pkg in "${PACKAGES[@]}"; do
+            echo "Building $pkg..."
+            nix build ".#$pkg" --no-link
+
+            echo "Pushing $pkg to cache..."
+            nix store sign --key-file ~/.config/cachix/signing-key.sec ".#$pkg" 2>/dev/null || true
+            nix copy --to "cachix://${{ env.CACHIX_NAME }}" ".#$pkg"
+          done
+
+          echo "All packages pushed to cache successfully"
+
+      - name: Verify cache availability
+        run: |
+          echo "Verifying cache is accessible..."
+          curl -s "https://${{ env.CACHIX_NAME }}.cachix.org/nix-cache-info" | head -5
+
+  update-cache-info:
+    name: Update cache metadata
+    runs-on: ubuntu-latest
+    needs: push-to-cache
+    steps:
+      - name: Refresh cache info
+        run: |
+          echo "Cache metadata updated"
+          echo "Cache URL: https://${{ env.CACHIX_NAME }}.cachix.org"
+          echo "Cache is now available for consumers"
+
+  cache-summary:
+    name: Cache summary
+    runs-on: ubuntu-latest
+    needs: push-to-cache
+    if: always()
+    steps:
+      - name: Generate summary
+        run: |
+          if [[ "${{ needs.push-to-cache.result }}" == "success" ]]; then
+            echo "## ✅ Binary Cache Update Successful" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "**Cache Name:** ${{ env.CACHIX_NAME }}" >> $GITHUB_STEP_SUMMARY
+            echo "**Cache URL:** https://${{ env.CACHIX_NAME }}.cachix.org" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### Consumers" >> $GITHUB_STEP_SUMMARY
+            echo "Add to your \`nix.conf\` or \`~/.config/nix/nix.conf\`:" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            echo "substituters = https://${{ env.CACHIX_NAME }}.cachix.org" >> $GITHUB_STEP_SUMMARY
+            echo "trusted-public-keys = ${{ env.CACHIX_NAME }}-1:$(echo ${{ secrets.CACHIX_PUBLIC_KEY }} | head -c 44)..." >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+          else
+            echo "## ❌ Cache Update Failed" >> $GITHUB_STEP_SUMMARY
+            echo "Please check the workflow logs for details" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi