[codex] align secrets-sync action and pipeline flags

.github/workflows/ci.yml

@@ -16,9 +16,12 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: go.mod
           cache-dependency-path: go.sum
+      - run: go run golang.org/x/vuln/cmd/govulncheck@v1.3.0 ./...
       - run: go test ./...
       - run: go build -o bin/secretsync ./cmd/secretsync

.github/workflows/release.yml

@@ -37,10 +37,12 @@ jobs:
         with:
           ref: ${{ needs.release-please.outputs.tag_name }}
           fetch-depth: 0
+          persist-credentials: false
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: go.mod
           cache-dependency-path: go.sum
+      - run: go run golang.org/x/vuln/cmd/govulncheck@v1.3.0 ./...
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
         with:

.goreleaser.yml

@@ -94,27 +94,22 @@ release:
   prerelease: auto
   mode: replace
   header: |
-    ## secretsync {{ .Tag }}
+    ## SecretSync {{ .Tag }}
 
     ### Installation
 
-    **Docker:**
-    ```bash
-    docker pull jbcom/secretssync:{{ .Version }}
-    ```
+    **Binary:**
+    Download from the assets below for your platform.
 
-    **Helm (OCI):**
+    **Go install:**
     ```bash
-    helm install secretsync oci://registry-1.docker.io/jbcom/secretssync --version {{ .Version }}
+    go install github.com/jbcom/secrets-sync/cmd/secretsync@{{ .Tag }}
     ```
 
-    **Binary:**
-    Download from the assets below for your platform.
-
   footer: |
     ---
     **Full Changelog**: https://github.com/jbcom/secrets-sync/compare/{{ .PreviousTag }}...{{ .Tag }}
 
-# Docker images and Helm charts are built/pushed separately
-# via dedicated workflow jobs for better control
+# Container and chart artifacts are outside this binary release workflow.
+# Keep release notes limited to artifacts built here.
 dockers: []

CONTRIBUTING.md

@@ -206,49 +206,47 @@ secretsync/
 ├── cmd/secretsync/           # CLI application
 │   ├── cmd/           # Cobra commands
 │   └── main.go        # Entry point
-├── pkg/               # Public packages
-│   ├── pipeline/      # Pipeline orchestration
-│   ├── diff/          # Diff computation
-│   └── ...
-├── stores/            # Secret store implementations
-│   ├── vault/         # Vault store
-│   ├── aws/           # AWS Secrets Manager
-│   └── ...
-├── internal/          # Private packages
+├── pkg/
+│   ├── client/        # Vault, AWS, and provider clients
+│   ├── discovery/     # AWS Organizations and Identity Center discovery
+│   ├── driver/        # Supported driver names and validation helpers
+│   ├── pipeline/      # Merge, sync, graph, and execution orchestration
+│   ├── diff/          # Diff computation and masking
+│   └── observability/ # Metrics and request tracking
+├── python/            # Optional gopy binding sources
 ├── docs/              # Documentation
 ├── examples/          # Example configurations
 └── deploy/            # Deployment manifests
 ```
 
-## Adding a New Secret Store
+## Adding a New Secret Backend
 
-To add support for a new secret store:
+To add support for a new backend:
 
-1. **Create store package**
+1. **Create a client package**
    ```bash
-   mkdir -p stores/newstore
+   mkdir -p pkg/client/newbackend
    ```
 
-2. **Implement Store interface**
+2. **Implement the current client shape**
    ```go
-   package newstore
+   package newbackend
 
-   import "github.com/jbcom/secrets-sync/pkg/store"
+   import "github.com/jbcom/secrets-sync/pkg/driver"
 
-   type Store struct {
-       // configuration fields
+   type Client struct {
+       Name string `yaml:"name,omitempty" json:"name,omitempty"`
    }
 
-   func (s *Store) Get(ctx context.Context, key string) ([]byte, error) {
-       // implementation
+   func (c *Client) Validate() error {
+       if c.Name == "" {
+           return driver.ErrPathRequired
+       }
+       return nil
    }
 
-   func (s *Store) Set(ctx context.Context, key string, value []byte) error {
-       // implementation
-   }
-
-   func (s *Store) List(ctx context.Context, prefix string) ([]string, error) {
-       // implementation
+   func (c *Client) Driver() driver.DriverName {
+       return driver.DriverName("newbackend")
    }
    ```
 
@@ -261,9 +259,10 @@ To add support for a new secret store:
    }
    ```
 
-4. **Register store**
-   - Update pipeline config to include new store
-   - Add store initialization logic
+4. **Register the backend**
+   - Add the driver name in `pkg/driver`
+   - Update pipeline config types and validation
+   - Add client initialization logic in the pipeline layer
    - Update documentation
 
 5. **Add examples**

Dockerfile

@@ -5,7 +5,7 @@
 # Tests now run in CI (outside Docker), so this Dockerfile focuses purely
 # on compiling and packaging the runtime image.
 ###
-FROM golang:1.25-trixie AS builder
+FROM golang:1.26.4-trixie AS builder
 
 ARG TARGETOS=linux
 ARG TARGETARCH=amd64
@@ -59,8 +59,6 @@ WORKDIR /app
 RUN mkdir -p /etc/ssl/certs
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /out/secretsync /usr/local/bin/secretsync
-# Keep vss as a symlink for backwards compatibility
-RUN ln -s /usr/local/bin/secretsync /usr/local/bin/vss
 
 # Default command - Viper reads SECRETSYNC_* env vars directly
 ENTRYPOINT ["/usr/local/bin/secretsync"]

Makefile

@@ -40,8 +40,8 @@ python-bindings:
 	@mkdir -p $(PYTHON_OUTPUT)
 	$(GOPY) pkg -output=$(PYTHON_OUTPUT) -vm=$(PYTHON) -name=$(PYTHON_PKG) \
 		-version=$(VERSION) \
-		-author="Extended Data Library" \
-		-email="support@extended-data.dev" \
+		-author="jbcom" \
+		-email="jon@jonbogaty.com" \
 		-url="https://github.com/jbcom/secrets-sync" \
 		-desc="Enterprise-grade secret synchronization pipeline with Python bindings" \
 		./python/secretssync