From 6bea80b9a96105ea87ad8a85f2c01ad7c076aab5 Mon Sep 17 00:00:00 2001
From: Jay Pipes
Date: Fri, 21 Jul 2023 00:02:06 -0400
Subject: [PATCH] separate linter job in Github Actions

pulls out the golangci-lint job from the main go.yml Github Action and into its own workflow that follows security best practices like ensuring read-only permissions and using SHA-specific Action releases.

Signed-off-by: Jay Pipes
---
 .github/workflows/go.yml | 13 -------------
 .github/workflows/lint.yml | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 13 deletions(-)
 create mode 100644 .github/workflows/lint.yml

diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 72091d51..541e9275 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -8,19 +8,6 @@ on:
 # see: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners
 jobs:
-  # tier 0: system-independent checks
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v2
-
-      - name: Verify
-        uses: golangci/golangci-lint-action@v2
-        with:
-          version: v1.41.1
-          args: --timeout=15m0s --verbose
-
   # tier-1
   # main development platform, gets features first and it's most tested
   build-ubuntu-2204:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 00000000..12f1a4ca
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,35 @@
+name: lint
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+permissions:
+  contents: read
+  pull-requests: read # needed for only-new-issues option below
+
+jobs:
+  fmtcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: harden runner
+        uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+        with:
+          egress-policy: block
+          disable-sudo: true
+          allowed-endpoints: >
+            github.com:443
+      - name: checkout code
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: setup go
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+        with:
+          go-version: 1.19
+      - name: lint
+        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0
+        with:
+          version: v1.53
+          args: --timeout=5m0s --verbose
+          only-new-issues: true
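Review bot: `go-version: 1.19` in the setup go step is a plain YAML float; it survives here only because 1.19 has no trailing zero, but the same line written as 1.20 would parse as 1.2 and silently select the wrong toolchain, so quote it: `go-version: "1.19"`. With `egress-policy: block` the `allowed-endpoints` list names only github.com:443; if the pinned setup-go version is not already in the runner's toolcache, or golangci-lint needs to fetch its binary or module data from other hosts, those steps would presumably fail, so the first run's harden-runner report should be checked and the allowlist extended rather than the policy relaxed to audit. The job key `fmtcheck` does not match the workflow name `lint` or the step it actually runs; renaming it to `lint:` keeps the required-check name readable in branch protection. The SHA-pinned actions with version comments and the read-only `permissions` block are good as written.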