feat: initial release of tmignore

Rust CLI that excludes developer dependency directories and arbitrary
paths from macOS Time Machine backups using sticky exclusions.

- 40 built-in dependency patterns (node_modules, target, vendor, etc.)
- Built-in exclude paths for toolchains, Homebrew, Nix, Docker, Xcode
- Configurable via ~/.config/tmignore/config.toml
- LaunchAgent service for automatic background runs
- CI/CD with code signing, notarization, and Homebrew tap

Author: wassimk

.github/workflows/release.yml

@@ -0,0 +1,106 @@
+name: release
+
+on:
+  release:
+    types: [created]
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    name: Release - ${{ matrix.platform.release_for }}
+    strategy:
+      matrix:
+        platform:
+          - release_for: macOS-x86_64
+            os: macOS-latest
+            target: x86_64-apple-darwin
+            bin: tmignore
+            name: tmignore-Darwin-x86_64.tar.gz
+
+          - release_for: macOS-aarch64
+            os: macOS-latest
+            target: aarch64-apple-darwin
+            bin: tmignore
+            name: tmignore-Darwin-aarch64.tar.gz
+
+    runs-on: ${{ matrix.platform.os }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build binary
+        uses: houseabsolute/actions-rust-cross@v0
+        with:
+          target: ${{ matrix.platform.target }}
+          args: "--locked --release"
+          strip: true
+
+      - name: Import code signing certificate
+        env:
+          APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+        run: |
+          CERTIFICATE_PATH=$RUNNER_TEMP/certificate.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/signing.keychain-db
+          KEYCHAIN_PASSWORD=$(openssl rand -base64 32)
+
+          echo -n "$APPLE_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
+
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security import $CERTIFICATE_PATH -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+
+      - name: Sign binary
+        run: |
+          codesign --force --options runtime \
+            --sign "Developer ID Application: Wassim Metallaoui (${{ secrets.APPLE_TEAM_ID }})" \
+            target/${{ matrix.platform.target }}/release/${{ matrix.platform.bin }}
+
+      - name: Notarize binary
+        continue-on-error: true
+        timeout-minutes: 15
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: |
+          ZIP_PATH=$RUNNER_TEMP/${{ matrix.platform.bin }}-notarize.zip
+          ditto -c -k target/${{ matrix.platform.target }}/release/${{ matrix.platform.bin }} "$ZIP_PATH"
+          xcrun notarytool submit "$ZIP_PATH" \
+            --apple-id "$APPLE_ID" \
+            --password "$APPLE_ID_PASSWORD" \
+            --team-id "$APPLE_TEAM_ID" \
+            --wait
+
+      - name: Archive binary
+        shell: bash
+        run: |
+          cd target/${{ matrix.platform.target }}/release
+          tar czvf ../../../${{ matrix.platform.name }} ${{ matrix.platform.bin }}
+          cd -
+
+      - name: Generate SHA-256
+        shell: bash
+        run: |
+          shasum -a 256 ${{ matrix.platform.name }} > ${{ matrix.platform.name }}-sha.txt
+
+      - name: Publish release artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: tmignore-${{ matrix.platform.target }}
+          path: "tmignore-*"
+
+      - name: Publish GitHub release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: "tmignore*"
+
+      - name: Clean up keychain
+        if: always()
+        run: security delete-keychain $RUNNER_TEMP/signing.keychain-db

.github/workflows/update-homebrew.yml

@@ -0,0 +1,106 @@
+name: update-homebrew
+
+on:
+  workflow_run:
+    workflows: [release]
+    types: [completed]
+
+jobs:
+  update-formula:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Get release version
+        id: version
+        run: |
+          TAG=$(gh release view --repo wassimk/tmignore --json tagName -q '.tagName')
+          VERSION="${TAG#v}"
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Download SHA-256 checksums
+        run: |
+          gh release download "${{ steps.version.outputs.tag }}" \
+            --repo wassimk/tmignore \
+            --pattern '*-sha.txt' \
+            --dir checksums
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Parse checksums
+        id: shas
+        run: |
+          for file in checksums/*-sha.txt; do
+            SHA=$(awk '{print $1}' "$file")
+            NAME=$(basename "$file" -sha.txt)
+
+            case "$NAME" in
+              tmignore-Darwin-aarch64.tar.gz) echo "darwin_arm64=$SHA" >> "$GITHUB_OUTPUT" ;;
+              tmignore-Darwin-x86_64.tar.gz)  echo "darwin_x86_64=$SHA" >> "$GITHUB_OUTPUT" ;;
+            esac
+          done
+
+      - name: Checkout homebrew-tap
+        uses: actions/checkout@v4
+        with:
+          repository: wassimk/homebrew-tap
+          token: ${{ secrets.HOMEBREW_TAP_TOKEN }}
+
+      - name: Update formula
+        run: |
+          cat > Formula/tmignore.rb << 'RUBY'
+          class Tmignore < Formula
+            desc "Exclude developer dependency directories and arbitrary paths from macOS backups"
+            homepage "https://github.com/wassimk/tmignore"
+            version "${{ steps.version.outputs.version }}"
+            license "MIT"
+
+            depends_on :macos
+
+            if Hardware::CPU.arm?
+              url "https://github.com/wassimk/tmignore/releases/download/v#{version}/tmignore-Darwin-aarch64.tar.gz"
+              sha256 "${{ steps.shas.outputs.darwin_arm64 }}"
+            elsif Hardware::CPU.intel?
+              url "https://github.com/wassimk/tmignore/releases/download/v#{version}/tmignore-Darwin-x86_64.tar.gz"
+              sha256 "${{ steps.shas.outputs.darwin_x86_64 }}"
+            end
+
+            def install
+              bin.install "tmignore"
+            end
+
+            def caveats
+              <<~EOS
+                To start tmignore as a background service (runs every 24 hours):
+                  tmignore install
+
+                To remove the background service:
+                  tmignore uninstall
+
+                To generate a config file:
+                  tmignore init
+
+                Config: ~/.config/tmignore/config.toml
+              EOS
+            end
+
+            test do
+              assert_match version.to_s, shell_output("#{bin}/tmignore --version")
+            end
+          end
+          RUBY
+
+      - name: Remove leading whitespace from formula
+        run: sed -i 's/^          //' Formula/tmignore.rb
+
+      - name: Commit and push
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add Formula/tmignore.rb
+          git diff --cached --quiet && echo "No changes to commit" && exit 0
+          git commit -m "feat: update tmignore to ${{ steps.version.outputs.version }}"
+          git push

.gitignore

@@ -0,0 +1 @@
+/target