sigstore · cmurphy · Nov 20, 2025
@@ -26,7 +26,10 @@ updates:
     - "cloud-sql-proxy"
 
 - package-ecosystem: gomod
-  directory: "/"
+  directories:
+    - "/"
+    - "/tools/*"
+    - "/hack/"
   schedule:
     interval: weekly
   open-pull-requests-limit: 10

@@ -40,7 +40,7 @@ jobs:
       GO111MODULE: on
       GOFLAGS: -ldflags=-s -ldflags=-w
       KO_DOCKER_REPO: registry.local:5000/knative
-      KOCACHE: ~/ko
+      KOCACHE: /home/runner/ko
 
     steps:
     - uses: chainguard-dev/actions/setup-mirror@3e8a2a226fad9e1ecbf2d359b8a7697554a4ac6d # v1.5.10
@@ -203,7 +203,7 @@ jobs:
 
     - name: Verify both Fulcio certs are there
       run: |
-        go run ./cmd/ctlog/verifyfulcio/main.go \
+        go run ./tools/ctlog/cmd/ctlog/verifyfulcio/main.go \
         --ctlog-url ${CTLOG_URL} \
         --log-prefix sigstorescaffolding \
         --fulcio ${FULCIO_URL} \
@@ -232,7 +232,7 @@ jobs:
 
     - name: Verify that only new Fulcio cert is there
       run: |
-        go run ./cmd/ctlog/verifyfulcio/main.go \
+        go run ./tools/ctlog/cmd/ctlog/verifyfulcio/main.go \
         --ctlog-url ${CTLOG_URL} \
         --log-prefix sigstorescaffolding \
         --fulcio ${NEW_FULCIO_URL}

@@ -39,11 +39,11 @@ jobs:
           filters: |
             gocode:
               - 'pkg/**'
-              - 'cmd/**'
+              - 'tools/**'
 
       - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
-          go-version-file: 'go.mod'
+          go-version-file: 'go.work'
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

@@ -5,7 +5,7 @@ on:
     branches:
       - main
     paths:
-    - 'cmd/create-tink-keyset/**'
+    - 'tools/create-tink-keyset/cmd/create-tink-keyset/**'
 
 permissions:
   contents: read
@@ -23,9 +23,9 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
-          go-version-file: 'go.mod'
+          go-version-file: 'go.work'
           check-latest: true
 
       - name: Create Tink Keyset build
         id: create-tink-keyset-test
-        run: go build ./cmd/create-tink-keyset
+        run: go build ./tools/create-tink-keyset/cmd/create-tink-keyset
@@ -40,7 +40,7 @@ jobs:
       GO111MODULE: on
       GOFLAGS: -ldflags=-s -ldflags=-w
       KO_DOCKER_REPO: registry.local:5000/knative
-      KOCACHE: ~/ko
+      KOCACHE: /home/runner/ko
 
     steps:
     - name: Check out our repo

@@ -6,12 +6,12 @@ on:
     branches:
       - main
     paths:
-    - 'cmd/prober/**'
+    - 'tools/prober/cmd/prober/**'
   pull_request:
     branches:
       - main
     paths:
-    - 'cmd/prober/**'
+    - 'tools/prober/cmd/prober/**'
 
 permissions:
   contents: read
@@ -40,11 +40,11 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
-          go-version-file: 'go.mod'
+          go-version-file: 'go.work'
           check-latest: true
 
       - name: Build prober test
-        run: go build ./cmd/prober
+        run: go build ./tools/prober/cmd/prober
 
       - name: Get test OIDC token
         uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@main

@@ -30,7 +30,7 @@ jobs:
 
     - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
       with:
-        go-version-file: ./src/github.com/${{ github.repository }}/go.mod
+        go-version-file: ./src/github.com/${{ github.repository }}/go.work
         check-latest: true
 
     - name: Install ko

@@ -37,13 +37,15 @@ jobs:
     steps:
     - name: Checkout the current action
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      path: ./src/github.com/sigstore/scaffolding
       with:
         persist-credentials: false
     - name: Test running the action
-      uses: ./actions/setup
+      uses: ./src/github.com/sigstore/scaffolding/actions/setup
       with:
         k8s-version: ${{ matrix.k8s-version }}
         version: ${{ matrix.release-version }}
+        working-directory: ./src/github.com/sigstore/scaffolding
 
     # Install cosign
     - name: Install cosign

@@ -33,7 +33,7 @@ jobs:
     env:
       RELEASE_VERSION: "v0.7.22"
       KO_DOCKER_REPO: registry.local:5000/knative
-      KOCACHE: ~/ko
+      KOCACHE: /home/runner/ko
 
     steps:
     - uses: chainguard-dev/actions/setup-mirror@3e8a2a226fad9e1ecbf2d359b8a7697554a4ac6d # v1.5.10

@@ -19,7 +19,7 @@ jobs:
 
       - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
-          go-version-file: 'go.mod'
+          go-version-file: 'go.work'
           check-latest: true
           cache: true
 
@@ -42,37 +42,62 @@ jobs:
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
 
+  detect-modules:
+    runs-on: ubuntu-latest
+    outputs:
+      modules: ${{ steps.set-modules.outputs.modules }}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: 'go.work'
+          check-latest: true
+      - id: set-modules
+        run: echo "modules=$(go list -m -json | jq -s 'del(.[] | select(.Path == "github.com/sigstore/scaffolding/hack"))' | jq -c '[.[].Dir]')" >> $GITHUB_OUTPUT
+
   golangci:
     name: lint
+    needs: detect-modules
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        modules: ${{ fromJSON(needs.detect-modules.outputs.modules) }}
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
       - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
-          go-version-file: 'go.mod'
+          go-version-file: 'go.work'
           check-latest: true
 
       - name: golangci-lint
         uses: golangci/golangci-lint-action@e7fa5ac41e1cf5b7d48e45e42232ce7ada589601 # v9.1.0
         with:
           version: v2.4
+          working-directory: ${{ matrix.modules }}
 
   unit-test:
     name: run unit tests
+    needs: detect-modules
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        modules: ${{ fromJSON(needs.detect-modules.outputs.modules) }}
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
       - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
-          go-version-file: 'go.mod'
+          go-version-file: 'go.work'
           check-latest: true
 
       - name: run unit tests
         run: |
-          go test $(go list ./... | grep -v third_party/)
+          cd ${{ matrix.modules }}
+          go test ./...
@@ -5,7 +5,6 @@ release-*.yaml
 testrelease.yaml
 kind.yaml
 .vscode/*
-prober
 /cloudsqlproxy
 /createcertchain
 /createcerts

@@ -1,11 +1,11 @@
 ---
 defaultBaseImage: gcr.io/distroless/static-debian12:nonroot
 baseImageOverrides:
-  github.com/sigstore/scaffolding/cmd/cloudsqlproxy: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.19.0-alpine
+  github.com/sigstore/scaffolding/tools/cloudsqlproxy/cmd/cloudsqlproxy: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.19.0-alpine
 
 builds:
   - id: ctlog-createctconfig
-    dir: .
+    dir: ./tools/ctlog/
     main: ./cmd/ctlog/createctconfig
     env:
       - CGO_ENABLED=0
@@ -20,7 +20,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: ctlog-managectroots
-    dir: .
+    dir: ./tools/ctlog/
     main: ./cmd/ctlog/managectroots
     env:
       - CGO_ENABLED=0
@@ -35,7 +35,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: ctlog-verifyfulcio
-    dir: .
+    dir: ./tools/ctlog/
     main: ./cmd/ctlog/verifyfulcio
     env:
       - CGO_ENABLED=0
@@ -50,7 +50,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: fulcio-createcerts
-    dir: .
+    dir: ./tools/fulcio/
     main: ./cmd/fulcio/createcerts
     env:
       - CGO_ENABLED=0
@@ -65,7 +65,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: tuf-createsecret
-    dir: .
+    dir: ./tools/tuf/
     main: ./cmd/tuf/createsecret
     env:
       - CGO_ENABLED=0
@@ -80,7 +80,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: tuf-server
-    dir: .
+    dir: ./tools/tuf/
     main: ./cmd/tuf/server
     env:
       - CGO_ENABLED=0
@@ -95,7 +95,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: trillian-createtree
-    dir: .
+    dir: ./tools/trillian/
     main: ./cmd/trillian/createtree
     env:
       - CGO_ENABLED=0
@@ -110,7 +110,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: trillian-createdb
-    dir: .
+    dir: ./tools/trillian/
     main: ./cmd/trillian/createdb
     env:
       - CGO_ENABLED=0
@@ -125,7 +125,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: trillian-updatetree
-    dir: .
+    dir: ./tools/trillian/
     main: ./cmd/trillian/updatetree
     env:
       - CGO_ENABLED=0
@@ -140,7 +140,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: cloudsqlproxy
-    dir: .
+    dir: ./tools/cloudsqlproxy/
     main: ./cmd/cloudsqlproxy
     env:
       - CGO_ENABLED=0
@@ -155,7 +155,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: getoidctoken
-    dir: .
+    dir: ./tools/getoidctoken/
     main: ./cmd/getoidctoken
     env:
       - CGO_ENABLED=0
@@ -170,7 +170,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: prober
-    dir: .
+    dir: ./tools/prober/
     main: ./cmd/prober
     env:
       - CGO_ENABLED=0
@@ -185,7 +185,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: rekor-createsecret
-    dir: .
+    dir: ./tools/rekor/
     main: ./cmd/rekor/rekor-createsecret
     env:
       - CGO_ENABLED=0