From a4b92d5c9d396168ed4c82ad14413f4784e8d182 Mon Sep 17 00:00:00 2001
From: Grzegorz Dlugoszewski
Date: Mon, 11 Aug 2025 22:42:10 +0200
Subject: [PATCH] Update GitHub actions workflows
---
 .github/dependabot.yml | 39 ++++++++
 .github/workflows/build.yml | 19 ----
 .github/workflows/ci.yml | 137 ++++++++++++++++++++++
 .github/workflows/codeql-analysis.yml | 71 -------------
 .github/workflows/codeql.yml | 46 +++++++++
 .github/workflows/release-simple.yml | 24 +++++
 .github/workflows/release.yml | 60 ++++++++++-
 .golangci.yml | 119 ++++++++++++++++++++++
 8 files changed, 422 insertions(+), 93 deletions(-)
 create mode 100644 .github/dependabot.yml
 delete mode 100644 .github/workflows/build.yml
 create mode 100644 .github/workflows/ci.yml
 delete mode 100644 .github/workflows/codeql-analysis.yml
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 .github/workflows/release-simple.yml
 create mode 100644 .golangci.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..a40d8a3
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,39 @@
+version: 2
+updates:
+ # Go modules
+ - package-ecosystem: "gomod"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "09:00"
+ open-pull-requests-limit: 5
+ reviewers:
+ - "grdl"
+ assignees:
+ - "grdl"
+ commit-message:
+ prefix: "deps"
+ include: "scope"
+ labels:
+ - "dependencies"
+ - "go"
+
+ # GitHub Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "09:00"
+ open-pull-requests-limit: 3
+ reviewers:
+ - "grdl"
+ assignees:
+ - "grdl"
+ commit-message:
+ prefix: "ci"
+ include: "scope"
+ labels:
+ - "dependencies"
+ - "github-actions"
\ No newline at end of file
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
deleted file mode 100644
index 89553cf..0000000
--- a/.github/workflows/build.yml
+++ /dev/null
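Review bot: The new dependabot.yml ends without a trailing newline (`\ No newline at end of file`), and the same is true of ci.yml, codeql.yml, release.yml and .golangci.yml elsewhere in this patch; adding the final newline keeps future diffs clean and POSIX text tools quiet. Separately, the two `reviewers:` stanzas rely on a Dependabot option that, to my recollection, GitHub has deprecated in favour of CODEOWNERS, so they may silently stop having any effect — worth confirming against the current Dependabot configuration reference before depending on them, and `assignees:` already covers the routing either way.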
@@ -1,19 +0,0 @@ -name: build - -on: - - pull_request - -jobs: - test: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v5 - with: - go-version: '1.24' - - name: Set up Git - run: git config --global user.email "grdl@example.com" && git config --global user.name "grdl" - - name: Run go test - run: CGO_ENABLED=0 GOOS=linux go test ./... -v diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..fda4101 --- /dev/null +++ b/.github/workflows/ci.yml 
@@ -0,0 +1,137 @@
+name: CI
+
+on:
+ push:
+ branches: [master, main]
+ pull_request:
+ branches: [master, main]
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ test:
+ name: Test
+ strategy:
+ matrix:
+ go-version: ['1.24']
+ os: [ubuntu-latest, windows-latest, macos-latest]
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 2
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: ${{ matrix.go-version }}
+ cache: true
+
+ - name: Download dependencies
+ run: go mod download
+
+ - name: Verify dependencies
+ run: go mod verify
+
+ - name: Set up Git (for tests)
+ run: |
+ git config --global user.email "test@example.com"
+ git config --global user.name "CI Test"
+
+ - name: Run tests with coverage
+ run: go test -race -coverprofile=coverage.out -covermode=atomic ./...
+
+ - name: Upload coverage to Codecov
+ if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.24'
+ uses: codecov/codecov-action@v4
+ with:
+ file: ./coverage.out
+ flags: unittests
+ name: codecov-umbrella
+ fail_ci_if_error: false
+
+ lint:
+ name: Lint
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: '1.24'
+ cache: true
+
+ - name: Run golangci-lint
+ uses: golangci/golangci-lint-action@v6
+ with:
+ version: latest
+ args: --timeout=5m
+
+ security:
+ name: Security
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: '1.24'
+ cache: true
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
+
+ build:
+ name: Build
+ needs: [test, lint, security]
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: '1.24'
+ cache: true
+
+ - name: Build binaries
+ run: |
+ go build -v -o bin/git-get ./cmd/get
+ go build -v -o bin/git-list ./cmd/list
+
+ - name: Test binaries
+ run: |
+ ./bin/git-get --version
+ ./bin/git-list --version
+
+ - name: Upload build artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: binaries
+ path: bin/
+ retention-days: 30
\ No newline at end of file
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index d992b13..0000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
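Review bot: `uses: aquasecurity/trivy-action@master` in the security job tracks a mutable branch of a third-party action inside a workflow that holds `security-events: write`, so whatever lands on that branch runs here with no review; pin it to a release tag or, better, a full commit SHA (`uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>` — placeholder) so that the github-actions Dependabot entry added in this same patch can manage the upgrade instead of the branch head changing underneath you. The same reproducibility concern applies to `version: latest` for golangci-lint in the lint job (and again in release.yml): the linter version is unpinned, and a major-version bump can reject the v1-layout `.golangci.yml` this patch introduces, turning an unrelated upstream release into a red build. Pinning a specific golangci-lint version in `with:` makes lint results stable across reruns and leaves upgrades to Dependabot.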
@@ -1,71 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '34 21 * * 1' - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'go' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] - # Learn more: - # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed - - steps: - - name: Checkout repository - uses: actions/checkout@v2 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v1 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v1 - - # â„šī¸ Command-line programs to run using the OS shell. 
- # 📚 https://git.io/JvXDl - - # âœī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language - - #- run: | - # make bootstrap - # make release - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..c12f745 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,46 @@ +name: "CodeQL Security Analysis" + +on: + push: + branches: [master, main] + pull_request: + branches: [master, main] + schedule: + - cron: '30 2 * * 1' # Run weekly on Mondays at 2:30 AM UTC + +permissions: + actions: read + contents: read + security-events: write + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + timeout-minutes: 360 + + strategy: + fail-fast: false + matrix: + include: + - language: go + build-mode: autobuild + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 2 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # Enable additional security-and-quality query pack + queries: +security-and-quality + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" \ No newline at end of file diff --git a/.github/workflows/release-simple.yml b/.github/workflows/release-simple.yml new file mode 100644 index 0000000..c01804e --- /dev/null +++ b/.github/workflows/release-simple.yml 
@@ -0,0 +1,24 @@ +name: release + +on: + push: + tags: + - '*' + +jobs: + goreleaser: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: '1.24' + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v6 + with: + version: latest + args: release --clean + env: + GITHUB_TOKEN: ${{ secrets.GORELEASER_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c01804e..5250431 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,20 +1,63 @@ -name: release +name: Release on: push: tags: - - '*' + - 'v*' + +permissions: + contents: write + security-events: write + id-token: write # For SLSA provenance jobs: - goreleaser: + validate: + name: Validate Release runs-on: ubuntu-latest + steps: - name: Checkout uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Set up Go uses: actions/setup-go@v5 with: go-version: '1.24' + cache: true + + - name: Run tests + run: go test -race ./... + + - name: Run lints + uses: golangci/golangci-lint-action@v6 + with: + version: latest + + - name: Validate GoReleaser config + uses: goreleaser/goreleaser-action@v6 + with: + version: latest + args: check + + release: + name: GoReleaser + runs-on: ubuntu-latest + needs: validate + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: '1.24' + cache: true + - name: Run GoReleaser uses: goreleaser/goreleaser-action@v6 with: 
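Review bot: release-simple.yml is the old release.yml verbatim (its blob id `c01804e` is the pre-image of the release.yml change below) and fires on any tag (`- '*'`), while the rewritten release.yml fires on `- 'v*'`; a `v1.2.3` tag therefore starts two GoReleaser runs against the same repository with the same `GORELEASER_TOKEN`, and the second `release --clean` collides with the release the first one just published. If this workflow is meant as a manual fallback, give it a disjoint trigger (or `workflow_dispatch`) so the two cannot both run on one tag, otherwise drop it. It also has no `permissions:` block, so the GITHUB_TOKEN it never uses still receives the repository default permissions; `permissions: {}` at the top keeps that least-privileged, and the PAT-style `GORELEASER_TOKEN` (inferred from its use in place of GITHUB_TOKEN) remains the only credential with write access.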
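Review bot: The workflow-level `permissions:` block grants `security-events: write` although no job in the new release.yml uploads SARIF or otherwise touches code scanning, and it grants `contents: write` and `id-token: write` to the `validate` job, which only checks out, tests and lints. Drop `security-events: write`, and scope the rest per job: add `permissions:` / `contents: read` under `validate:`, keep `contents: write` on `release:`, and leave `id-token: write` (plus `contents: write`, which the generator needs to upload assets) to the `provenance` job only, which as a reusable-workflow call inherits the caller's permissions when none are set on the job. The `release` job's GoReleaser step, whose `with:`/`env:` continue in the next hunk, still has no `id:`, which the provenance job defined there depends on.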
@@ -22,3 +65,14 @@ jobs: args: release --clean env: GITHUB_TOKEN: ${{ secrets.GORELEASER_TOKEN }} + + provenance: + name: Generate SLSA Provenance + needs: release + if: startsWith(github.ref, 'refs/tags/') + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + with: + base64-subjects: "${{ needs.release.outputs.hashes }}" + upload-assets: true + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 0000000..181c5f5 --- /dev/null +++ b/.golangci.yml 
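Review bot: `base64-subjects: "${{ needs.release.outputs.hashes }}"` references a job output that does not exist — the `release` job, defined in the previous hunk, declares no `outputs:` and no step produces a `hashes` value — so the generator always receives an empty subject list and the provenance job fails (or, worse, is skipped as a non-blocking tail and nobody notices). The fix is to give the GoReleaser step an `id`, add a step that takes the checksum file path from `steps.<id>.outputs.artifacts`, base64-encodes it into `$GITHUB_OUTPUT`, and expose that as the job output, as sketched below; the `release` job header sits outside this hunk. Two smaller points: `if: startsWith(github.ref, 'refs/tags/')` is redundant because the workflow only triggers on tag pushes, and I do not believe `generator_generic_slsa3.yml` declares a `registry-password` secret (that input belongs to the container generator), in which case the `secrets:` block is rejected at call time — confirm against the generator's inputs and remove it if so.
```yaml
  release:
    name: GoReleaser
    # … unchanged: runs-on, needs …
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      # … unchanged: checkout, setup-go …
      - name: Run GoReleaser
        id: goreleaser
        uses: goreleaser/goreleaser-action@v6
        # … unchanged: with, env …

      - name: Generate subject hashes for provenance
        id: hash
        env:
          ARTIFACTS: ${{ steps.goreleaser.outputs.artifacts }}
        run: |
          set -euo pipefail
          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select(.type=="Checksum") | .path')
          echo "hashes=$(base64 -w0 < "$checksum_file")" >> "$GITHUB_OUTPUT"
```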
@@ -0,0 +1,119 @@
+run:
+ timeout: 5m
+ go: '1.24'
+
+linters-settings:
+ errcheck:
+ check-type-assertions: true
+ check-blank: true
+
+ govet:
+ enable-all: true
+ disable:
+ - shadow
+
+ gocyclo:
+ min-complexity: 15
+
+ dupl:
+ threshold: 100
+
+ goconst:
+ min-len: 3
+ min-occurrences: 3
+
+ lll:
+ line-length: 120
+
+ unparam:
+ check-exported: false
+
+ nakedret:
+ max-func-lines: 30
+
+ prealloc:
+ simple: true
+ range-loops: true
+ for-loops: false
+
+ gocritic:
+ enabled-tags:
+ - diagnostic
+ - experimental
+ - opinionated
+ - performance
+ - style
+
+ funlen:
+ lines: 100
+ statements: 50
+
+ godox:
+ keywords:
+ - NOTE
+ - OPTIMIZE
+ - HACK
+
+ dogsled:
+ max-blank-identifiers: 2
+
+ whitespace:
+ multi-if: false
+ multi-func: false
+
+linters:
+ disable-all: true
+ enable:
+ - bodyclose
+ - depguard
+ - dogsled
+ - dupl
+ - errcheck
+ - exportloopref
+ - funlen
+ - gochecknoinits
+ - goconst
+ - gocritic
+ - gocyclo
+ - gofmt
+ - goimports
+ - goprintffuncname
+ - gosec
+ - gosimple
+ - govet
+ - ineffassign
+ - lll
+ - misspell
+ - nakedret
+ - noctx
+ - nolintlint
+ - revive
+ - staticcheck
+ - stylecheck
+ - typecheck
+ - unconvert
+ - unparam
+ - unused
+ - whitespace
+
+issues:
+ exclude-rules:
+ - path: _test\.go
+ linters:
+ - gomnd
+ - funlen
+ - goconst
+
+ - path: pkg/git/test/
+ linters:
+ - gomnd
+ - goconst
+
+ exclude-use-default: false
+ max-issues-per-linter: 0
+ max-same-issues: 0
+
+output:
+ format: colored-line-number
+ print-issued-lines: true
+ print-linter-name: true
\ No newline at end of file
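Review bot: `- exportloopref` in `linters.enable` is deprecated — the loop-variable capture it guarded against is fixed by the language from Go 1.22, and this file itself sets `run.go: '1.24'` — so swap it for `- copyloopvar`, its documented replacement, to stop the deprecation warning on every run. In the same list `- typecheck` is not an enableable linter, `- gomnd` in `issues.exclude-rules` excludes a linter that is never enabled (and was renamed `mnd` upstream), and `output.format` was superseded by `output.formats`; recent v1 releases warn on each of these. More broadly this is the v1 layout (`linters-settings`, `run.go`, `issues.exclude-rules`), and golangci-lint v2 rejects it outright without a `version: "2"` header and a migrated structure, so with `version: latest` in ci.yml and release.yml the lint jobs may fail on the config alone — either pin a v1.x release there or run `golangci-lint migrate` and commit the result. Finally `- depguard` is enabled with no `linters-settings.depguard` rules; depending on the version its default rule flags every non-standard-library import, so add explicit rules or drop it from the list.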