chore(release): prepare for v0.5.0 (#295)

## [0.5.0] - 2026-03-12

### 🚀 Features

- *(client)* Add API key authentication for /authz endpoint (#294)

### ⚙️ Miscellaneous Tasks

- *(deps)* Update golang:1.25.5 docker digest to 3a01526 (#271)
- *(deps)* Update pre-commit hook alessandrojcm/commitlint-pre-commit-hook to v9.24.0 (#273)
- *(deps)* Update dependency go to v1.25.6 (#274)
- *(deps)* Update golang docker tag to v1.25.6 (#275)
- Remove GitLab CI configuration
- Add code coverage integration
- *(deps)* Update dependency go to v1.25.7 (#279)
- *(deps)* Update dependency go to v1.26.0 (#280)
- *(deps)* Update pre-commit hook golangci/golangci-lint to v2.9.0 (#281)
- *(deps)* Update pre-commit hook golangci/golangci-lint to v2.10.0 (#282)
- *(deps)* Update pre-commit hook golangci/golangci-lint to v2.10.1 (#283)
- *(deps)* Update dependency go to v1.26.1 (#286)
- *(deps)* Update pre-commit hook golangci/golangci-lint to v2.11.1 (#288)
- *(deps)* Update pre-commit hook golangci/golangci-lint to v2.11.2 (#290)
- *(deps)* Update pre-commit hook golangci/golangci-lint to v2.11.3 (#292)

<!-- generated by git-cliff -->

---

**Note:** Please use **Squash Merge** when merging this PR.

Reviewed-on: #295
Co-authored-by: Unbound Releaser <releaser@unbound.se>
Co-committed-by: Unbound Releaser <releaser@unbound.se>

.gitea/workflows/ci.yaml

@@ -17,6 +17,61 @@ jobs:
       - name: Run tests
         run: go test -race -coverprofile=coverage.txt ./...
 
+      - name: Check coverage
+        uses: vladopajic/go-test-coverage@v2
+        with:
+          config: ./.testcoverage.yml
+
+      # Download baseline coverage from main branch (for PRs)
+      - name: Download baseline coverage
+        if: gitea.event_name == 'pull_request'
+        uses: actions/download-artifact@v3
+        with:
+          name: coverage-baseline
+          path: ./baseline
+        continue-on-error: true
+
+      # Compare coverage against baseline (for PRs)
+      - name: Compare coverage
+        if: gitea.event_name == 'pull_request'
+        run: |
+          CURRENT=$(go tool cover -func=coverage.txt | grep "^total:" | awk '{print $NF}' | tr -d '%')
+          if [ -f ./baseline/coverage.txt ]; then
+            BASE=$(go tool cover -func=./baseline/coverage.txt | grep "^total:" | awk '{print $NF}' | tr -d '%')
+            echo "Base coverage: ${BASE}%"
+            echo "Current coverage: ${CURRENT}%"
+            if [ "$(echo "$CURRENT < $BASE" | bc -l)" -eq 1 ]; then
+              echo "::error::Coverage decreased from ${BASE}% to ${CURRENT}%"
+              exit 1
+            fi
+            echo "Coverage maintained or improved: ${BASE}% -> ${CURRENT}%"
+          else
+            echo "No baseline coverage found, skipping comparison"
+            echo "Current coverage: ${CURRENT}%"
+          fi
+
+      # Upload coverage as baseline (only on main)
+      - name: Upload coverage baseline
+        if: gitea.ref == 'refs/heads/main'
+        uses: actions/upload-artifact@v3
+        with:
+          name: coverage-baseline
+          path: coverage.txt
+          retention-days: 90
+
+      # Post coverage to PR comment
+      - name: Post coverage comment
+        if: gitea.event_name == 'pull_request'
+        env:
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_URL: ${{ gitea.server_url }}
+        run: |
+          COVERAGE=$(go tool cover -func=coverage.txt | grep "^total:" | awk '{print $NF}')
+          curl -X POST "${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/issues/${{ gitea.event.pull_request.number }}/comments" \
+            -H "Authorization: token ${GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "{\"body\": \"## Coverage Report\n\nTotal coverage: **${COVERAGE}**\"}"
+
   vulnerabilities:
     runs-on: ubuntu-latest
     steps:

.gitlab-ci.yml

@@ -1,38 +0,0 @@
-include:
-- template: 'Workflows/MergeRequest-Pipelines.gitlab-ci.yml'
-- project: unboundsoftware/ci-templates
-  file: Defaults.gitlab-ci.yml
-- project: unboundsoftware/ci-templates
-  file: Release.gitlab-ci.yml
-- project: unboundsoftware/ci-templates
-  file: Pre-Commit-Go.gitlab-ci.yml
-
-image: amd64/golang:1.25.5@sha256:ad03ba93327b8a6143b49373790b5d92c28067bdb814418509466122ee9c9e63
-
-stages:
-- deps
-- test
-
-deps:
-  stage: deps
-  script:
-  - go mod download
-
-test:
-  stage: test
-  dependencies:
-  - deps
-  script:
-  - CGO_ENABLED=1 go test -mod=readonly -race -coverprofile=coverage.txt -covermode=atomic -coverpkg=$(go list ./... | tr '\n' , | sed 's/,$//') ./...
-  - go tool cover -html=coverage.txt -o coverage.html
-  - go tool cover -func=coverage.txt
-  - curl -Os https://uploader.codecov.io/latest/linux/codecov
-  - chmod +x codecov
-  - ./codecov -t ${CODECOV_TOKEN} -R $CI_PROJECT_DIR -C $CI_COMMIT_SHA -r $CI_PROJECT_PATH
-
-vulnerabilities:
-  stage: test
-  image: amd64/golang:1.25.5@sha256:ad03ba93327b8a6143b49373790b5d92c28067bdb814418509466122ee9c9e63
-  script:
-  - go install golang.org/x/vuln/cmd/govulncheck@latest
-  - govulncheck ./...

.pre-commit-config.yaml

@@ -11,7 +11,7 @@ repos:
     - --allow-multiple-documents
   - id: check-added-large-files
 - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
-  rev: v9.23.0
+  rev: v9.24.0
   hooks:
   - id: commitlint
     stages: [ commit-msg ]
@@ -30,7 +30,7 @@ repos:
   - id: go-test
   - id: gofumpt
 - repo: https://github.com/golangci/golangci-lint
-  rev: v2.8.0
+  rev: v2.11.3
   hooks:
   - id: golangci-lint-full
 - repo: https://github.com/gitleaks/gitleaks

.testcoverage.yml

@@ -0,0 +1,13 @@
+# Coverage configuration for go-test-coverage
+# https://github.com/vladopajic/go-test-coverage
+
+profile: coverage.txt
+
+threshold:
+  file: 0
+  package: 0
+  total: 0
+
+exclude:
+  paths:
+    - _test\.go$

.version

@@ -1,3 +1,3 @@
 {
-  "version": "v0.4.1"
+  "version": "v0.5.0"
 }

CHANGELOG.md

@@ -2,6 +2,30 @@
 
 All notable changes to this project will be documented in this file.
 
+## [0.5.0] - 2026-03-12
+
+### 🚀 Features
+
+- *(client)* Add API key authentication for /authz endpoint (#294)
+
+### ⚙️ Miscellaneous Tasks
+
+- *(deps)* Update golang:1.25.5 docker digest to 3a01526 (#271)
+- *(deps)* Update pre-commit hook alessandrojcm/commitlint-pre-commit-hook to v9.24.0 (#273)
+- *(deps)* Update dependency go to v1.25.6 (#274)
+- *(deps)* Update golang docker tag to v1.25.6 (#275)
+- Remove GitLab CI configuration
+- Add code coverage integration
+- *(deps)* Update dependency go to v1.25.7 (#279)
+- *(deps)* Update dependency go to v1.26.0 (#280)
+- *(deps)* Update pre-commit hook golangci/golangci-lint to v2.9.0 (#281)
+- *(deps)* Update pre-commit hook golangci/golangci-lint to v2.10.0 (#282)
+- *(deps)* Update pre-commit hook golangci/golangci-lint to v2.10.1 (#283)
+- *(deps)* Update dependency go to v1.26.1 (#286)
+- *(deps)* Update pre-commit hook golangci/golangci-lint to v2.11.1 (#288)
+- *(deps)* Update pre-commit hook golangci/golangci-lint to v2.11.2 (#290)
+- *(deps)* Update pre-commit hook golangci/golangci-lint to v2.11.3 (#292)
+
 ## [0.4.1] - 2026-01-09
 
 ### ⚙️ Miscellaneous Tasks

client.go

@@ -28,6 +28,7 @@ type PrivilegeHandler struct {
 	*sync.RWMutex
 	client     *http.Client
 	baseURL    string
+	apiKey     string
 	privileges map[string]map[string]*CompanyPrivileges
 }
 
@@ -41,6 +42,13 @@ func WithBaseURL(url string) OptsFunc {
 	}
 }
 
+// WithAPIKey sets an API key used as a Bearer token when fetching privileges
+func WithAPIKey(key string) OptsFunc {
+	return func(handler *PrivilegeHandler) {
+		handler.apiKey = key
+	}
+}
+
 // New creates a new PrivilegeHandler. Pass OptsFuncs to configure.
 func New(opts ...OptsFunc) *PrivilegeHandler {
 	handler := &PrivilegeHandler{
@@ -57,7 +65,16 @@ func New(opts ...OptsFunc) *PrivilegeHandler {
 
 // Fetch the initial set of privileges from an authz-service
 func (h *PrivilegeHandler) Fetch() error {
-	resp, err := h.client.Get(fmt.Sprintf("%s/authz", h.baseURL))
+	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/authz", h.baseURL), nil)
+	if err != nil {
+		return err
+	}
+
+	if h.apiKey != "" {
+		req.Header.Set("Authorization", "Bearer "+h.apiKey)
+	}
+
+	resp, err := h.client.Do(req)
 	if err != nil {
 		return err
 	}
@@ -87,13 +104,14 @@ func (h *PrivilegeHandler) Setup() []goamqp.Setup {
 
 // Process privilege-related events and update the internal state
 func (h *PrivilegeHandler) Process(msg interface{}, _ goamqp.Headers) (interface{}, error) {
+	h.Lock()
+	defer h.Unlock()
+
 	switch ev := msg.(type) {
 	case *UserAdded:
 		if priv, exists := h.privileges[ev.Email]; exists {
 			priv[ev.CompanyID] = &CompanyPrivileges{}
 		} else {
-			h.Lock()
-			defer h.Unlock()
 			h.privileges[ev.Email] = map[string]*CompanyPrivileges{
 				ev.CompanyID: {},
 			}
@@ -101,19 +119,13 @@ func (h *PrivilegeHandler) Process(msg interface{}, _ goamqp.Headers) (interface
 		return nil, nil
 	case *UserRemoved:
 		if priv, exists := h.privileges[ev.Email]; exists {
-			h.Lock()
-			defer h.Unlock()
 			delete(priv, ev.CompanyID)
 		}
 		return nil, nil
 	case *PrivilegeAdded:
-		h.Lock()
-		defer h.Unlock()
 		h.setPrivileges(ev.Email, ev.CompanyID, ev.Privilege, true)
 		return nil, nil
 	case *PrivilegeRemoved:
-		h.Lock()
-		defer h.Unlock()
 		h.setPrivileges(ev.Email, ev.CompanyID, ev.Privilege, false)
 		return nil, nil
 	default:

client_test.go

@@ -251,6 +251,39 @@ func TestPrivilegeHandler_IsAllowed_Return_True_If_Privilege_Exists(t *testing.T
 	assert.True(t, result)
 }
 
+func TestPrivilegeHandler_Fetch_Sends_Authorization_Header_When_APIKey_Set(t *testing.T) {
+	var receivedAuth string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedAuth = r.Header.Get("Authorization")
+		_, _ = w.Write([]byte("{}"))
+	}))
+	defer server.Close()
+
+	handler := New(
+		WithBaseURL(server.URL),
+		WithAPIKey("my-secret-key"),
+	)
+
+	err := handler.Fetch()
+	assert.NoError(t, err)
+	assert.Equal(t, "Bearer my-secret-key", receivedAuth)
+}
+
+func TestPrivilegeHandler_Fetch_No_Authorization_Header_Without_APIKey(t *testing.T) {
+	var receivedAuth string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedAuth = r.Header.Get("Authorization")
+		_, _ = w.Write([]byte("{}"))
+	}))
+	defer server.Close()
+
+	handler := New(WithBaseURL(server.URL))
+
+	err := handler.Fetch()
+	assert.NoError(t, err)
+	assert.Empty(t, receivedAuth)
+}
+
 func TestPrivilegeHandler_Fetch_Error_Response(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(500)

go.mod

@@ -2,7 +2,7 @@ module gitea.unbound.se/shiny/authz_client
 
 go 1.22.12
 
-toolchain go1.25.5
+toolchain go1.26.1
 
 require (
 	github.com/sparetimecoders/goamqp v0.3.3