From af957926700d9fd32f405c775a65accaf246f8a1 Mon Sep 17 00:00:00 2001 From: cpanato Date: Wed, 3 Jul 2024 16:05:24 +0200 Subject: [PATCH] chore: update ci and use best practices Signed-off-by: cpanato --- .github/dependabot.yml | 12 ++++++ .github/workflows/build.yml | 63 +++++++++++++++++++++----------- .github/workflows/gitleaks.yml | 16 +++++--- .github/workflows/lint.yml | 21 ++++++----- .github/workflows/release.yml | 45 +++++++++++++---------- .github/workflows/semanticpr.yml | 10 +++-- .github/workflows/stale.yml | 11 ++++-- .golangci.yaml | 14 +++---- 8 files changed, 121 insertions(+), 71 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 78a7d20..3ee35e1 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,3 +1,4 @@ +--- version: 2 updates: - package-ecosystem: "gomod" @@ -12,6 +13,11 @@ updates: prefix: "chore" include: "scope" open-pull-requests-limit: 10 + groups: + gomod: + update-types: + - "patch" + - package-ecosystem: "github-actions" directory: "/" schedule: @@ -24,6 +30,12 @@ updates: prefix: "chore" include: "scope" open-pull-requests-limit: 10 + groups: + actions: + update-types: + - "minor" + - "patch" + - package-ecosystem: "docker" directory: "/" schedule: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 68d6564..8b75260 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
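Review bot: The new `groups:` blocks in `.github/dependabot.yml` apply only to version updates unless `applies-to: security-updates` is set (the default is `version-updates`, as I recall), so Dependabot security alerts for Go modules will still arrive as individual PRs; that is arguably what you want for a security fix, but it is worth saying so in a comment above `groups:` so nobody expects those alerts to be batched. Grouping the `github-actions` ecosystem by minor/patch works fine with the SHA-pinned `uses:` lines introduced elsewhere in this commit, since Dependabot rewrites the commit hash and, when present, the trailing `# vX.Y.Z` comment.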
@@ -5,77 +5,96 @@ on: branches: - "main" pull_request: - paths: - - "go.*" - - "**/*.go" - - "Dockerfile" - - ".github/workflows/*.yml" -permissions: - contents: read +permissions: {} jobs: govulncheck: runs-on: ubuntu-latest + steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: - go-version: 1.21.5 + go-version: '1.22' + check-latest: true + - name: govulncheck run: | go install golang.org/x/vuln/cmd/govulncheck@latest govulncheck ./... + semgrep: runs-on: ubuntu-latest container: image: returntocorp/semgrep steps: - - uses: actions/checkout@v4 - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: repository: dgryski/semgrep-go path: rules + - name: semgrep run: semgrep scan --error --enable-nosem -f ./rules . + ruleguard: runs-on: ubuntu-latest + steps: - - uses: actions/checkout@v4 - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: repository: dgryski/semgrep-go path: rules - - uses: actions/setup-go@v5 + + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: - go-version: 1.21.5 + go-version: '1.22' + check-latest: true + - name: setup-ruleguard run: go install github.com/quasilyte/go-ruleguard/cmd/ruleguard@latest + - name: ruleguard run: | mv rules ../ go get -u github.com/quasilyte/go-ruleguard/dsl@latest ruleguard -c=0 -rules ../rules/ruleguard.rules.go ./... 
+ test: runs-on: ubuntu-latest + + permissions: + contents: read + steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: - go-version: 1.21.5 - - uses: arduino/setup-task@v2 + go-version: '1.22' + check-latest: true + + - uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0 with: version: 3.x - repo-token: ${{ secrets.GH_TOKEN }} + repo-token: ${{ secrets.GITHUB_TOKEN }} + - name: setup-tparse run: go install github.com/mfridman/tparse@latest + - name: setup run: | task setup task build + - name: test run: ./scripts/test.sh - - uses: codecov/codecov-action@v3 + - uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 with: file: ./coverage.txt token: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index c92201e..7f00c84 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -6,18 +6,22 @@ on: tags: ["v*"] pull_request: -permissions: - contents: read +permissions: {} jobs: gitleaks: runs-on: ubuntu-latest + + permissions: + contents: read + steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 - - uses: gitleaks/gitleaks-action@v2 + + - uses: gitleaks/gitleaks-action@44c470ffc35caa8b1eb3e8012ca53c2f9bea4eb5 # v2.3.6 + if: ${{ env.GITLEAKS_LICENSE != '' }} env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} - if: ${{ env.GITLEAKS_LICENSE != '' }} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index e346f7f..b8304e2 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
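Review bot: The SHA pinning added to every `uses:` in `build.yml` is undercut by the tool fetches in the same jobs, which stay floating: `go install golang.org/x/vuln/cmd/govulncheck@latest`, `ruleguard@latest`, `go get -u github.com/quasilyte/go-ruleguard/dsl@latest`, `tparse@latest`, the untagged `returntocorp/semgrep` container image, and the two checkouts of `dgryski/semgrep-go` with no `ref:`, so each run compiles and executes whatever those upstreams currently publish. Pinning the `go install` targets to a tagged version, adding `ref: <commit-sha>` to the rules checkout and using `image: returntocorp/semgrep:<tag>` would make the scanners as reproducible as the actions. Separately, `govulncheck`, `semgrep` and `ruleguard` declare no job-level `permissions:` and so inherit the workflow's `permissions: {}`; their `actions/checkout` steps presumably only succeed because the repository is public, so adding `permissions: contents: read` to them, as the `test` job does, makes the intent explicit and keeps the workflow working if visibility ever changes.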
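Review bot: The `if: ${{ env.GITLEAKS_LICENSE != '' }}` guard in `gitleaks.yml` reads a variable that is only defined in that same step's `env:` block, and as far as I can tell a step's own `env` is not in scope when its `if:` is evaluated, so the condition likely sees an empty string and the secret scan is silently skipped on every run. Moving the two variables up to a job-level `env:` under `gitleaks:` (keeping the step's `if:`) makes the guard meaningful; the step-level `env` block then becomes redundant and can be dropped. Worth confirming in a run log that the step is not reported as skipped, since a scanner that never runs gives false assurance; the `permissions: contents: read` narrowing and the SHA pin are fine.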
@@ -2,30 +2,31 @@ name: golangci-lint on: push: - tags: - - v* branches: - main pull_request: -permissions: - contents: read +permissions: {} jobs: golangci: + name: lint + runs-on: ubuntu-latest + permissions: contents: read pull-requests: read - name: lint - runs-on: ubuntu-latest + steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: - go-version: 1.21.5 + go-version: '1.22' + check-latest: true cache: true + - name: golangci-lint uses: golangci/golangci-lint-action@v3 with: args: --timeout=5m - version: v1.55.2 + version: v1.59 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f13503c..38b6bba 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
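Review bot: `golangci/golangci-lint-action@v3` is the one `uses:` in this hunk left on a floating major tag while every other action in the commit was pinned to a full commit SHA with a version comment; pin it the same way, e.g. `uses: golangci/golangci-lint-action@<commit-sha> # vX.Y.Z`. The v3 line is also an older major of that action (the commit already bumps the linter itself to `v1.59`), so checking for a current major release while pinning would be worthwhile.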
@@ -23,42 +23,47 @@ on: required: false default: beta -permissions: write-all +permissions: {} + jobs: release: + name: release runs-on: ubuntu-latest + env: DOCKER_CLI_EXPERIMENTAL: "enabled" - name: release + + permissions: + contents: write + packages: write + steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 + - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 + - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: - cache: true - go-version: ">=1.20.6" - - uses: actions/cache@v4 - with: - path: | - ./dist/*.deb - ./dist/*.rpm - ./dist/*.apk - key: ${{ github.ref }} + go-version: '1.22' + check-latest: true + - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Fetch tags run: git fetch --force --tags + - name: Bump version and push tag - uses: anothrNick/github-tag-action@1.67.0 + uses: anothrNick/github-tag-action@a2c70ae13a881faf2b4953baaa9e49731997ab36 # 1.67.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} WITH_V: true 
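Review bot: `go-version: '1.22'` with `check-latest: true` means the release binary is built with whichever 1.22.x patch is newest on the day the job runs, so two runs for the same tag can produce different artifacts; for a release workflow prefer `go-version-file: go.mod` (or an exact patch version) so the toolchain is recorded in the repository alongside the code. The narrowing from `permissions: write-all` to `contents: write` / `packages: write` is the right move; note that `contents: write` is what lets `anothrNick/github-tag-action` push the tag with `GITHUB_TOKEN`, and that step (which continues into the next hunk) runs before GoReleaser, so a failed release leaves a tag already pushed — a pre-existing ordering worth a comment above the step. The `git fetch --force --tags` after `fetch-depth: 0` is redundant but harmless.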
@@ -67,17 +72,19 @@ jobs: PRERELEASE_SUFFIX: ${{ inputs.prerelease-suffix }} VERBOSE: true DRY_RUN: false + - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v5 + uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 with: version: latest args: release --clean env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} FURY_TOKEN: ${{ secrets.FURY_TOKEN }} ORG_NAME: ${{ github.repository_owner }} + - name: Upload assets - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: ${{ github.repository_owner }} path: dist/* diff --git a/.github/workflows/semanticpr.yml b/.github/workflows/semanticpr.yml index a2a5a54..e66088f 100644 --- a/.github/workflows/semanticpr.yml +++ b/.github/workflows/semanticpr.yml @@ -7,14 +7,18 @@ on: - edited - synchronize -permissions: - pull-requests: read +permissions: {} jobs: main: name: validate PR title runs-on: ubuntu-latest + + permissions: + contents: read + pull-requests: read + steps: - - uses: amannn/action-semantic-pull-request@v5 + - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index e8c5faf..a77e10d 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
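Review bot: `version: latest` on `goreleaser/goreleaser-action` leaves the tool that builds and publishes the release unpinned, which sits oddly next to the SHA-pinned action around it; and since the action was bumped to v6 here, `latest` now resolves to GoReleaser v2 as far as I know, which expects `version: 2` in `.goreleaser.yaml` and carries breaking config changes — worth confirming the config was migrated. Pin it, e.g. `version: '~> v2'` or an exact tag, so a new GoReleaser release cannot change what a re-run of this job produces. The swap from `GH_TOKEN` to `GITHUB_TOKEN` is fine given the job's `contents: write` / `packages: write`, though any GoReleaser feature that publishes to another repository (a Homebrew tap, for instance) would need a PAT again.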
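Review bot: `contents: read` in the new job-level `permissions:` of `semanticpr.yml` is more than `amannn/action-semantic-pull-request` needs — it only reads the PR title through the API, for which `pull-requests: read` suffices — so the block can be trimmed to `permissions: pull-requests: read`, matching what the workflow granted before this change. If the `on:` trigger above this hunk is `pull_request_target` (the types list shown is compatible with either event), keeping the token this narrow matters more, since that event runs with a base-repository token on fork PRs.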
@@ -3,15 +3,18 @@ on: schedule: - cron: "30 1 * * *" -permissions: - issues: write - pull-requests: write +permissions: {} jobs: stale: runs-on: ubuntu-latest + + permissions: + issues: write + pull-requests: write + steps: - - uses: actions/stale@v9 + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: stale-issue-message: "This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days." stale-pr-message: "This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days." diff --git a/.golangci.yaml b/.golangci.yaml index 76239cf..0f9234e 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -15,19 +15,19 @@ linters-settings: sections: - standard - default - - prefix(github.com/bom-squad/sbom-convert) + - prefix(github.com/protobom/sbom-convert) section-separators: - newLine goimports: - local-prefixes: github.com/bom-squad/sbom-convert + local-prefixes: github.com/protobom/sbom-convert goconst: min-len: 2 min-occurrences: 2 gocyclo: min-complexity: 15 - gomnd: + mnd: checks: - argument - case @@ -55,7 +55,7 @@ linters-settings: linters: disable-all: true enable: - #- goimports + # - goimports - bodyclose - depguard - dogsled @@ -69,7 +69,6 @@ linters: - gocritic - gocyclo - gci - - gomnd - goprintffuncname - gosec - gosimple @@ -77,6 +76,7 @@ linters: - ineffassign - lll - misspell + - mnd - nakedret - noctx - nolintlint @@ -119,8 +119,8 @@ issues: - path: _test\.go linters: - gomnd + exclude-dirs: + - cmd/cli/testdata run: timeout: 5m - skip-dirs: - - cmd/cli/testdata
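Review bot: The `exclude-rules` entry kept as context in the last `.golangci.yaml` hunk, `- path: _test\.go` / `linters: - gomnd`, still names the old linter, while the same commit switches the enabled linter and its settings block from `gomnd` to `mnd`; golangci-lint matches exclude rules by linter name, so the test-file exemption no longer applies and magic-number findings will now surface in `_test.go` files (or at least the stale name will be reported as an unknown linter). Change that line to `- mnd`, mirroring the rename made above. The `skip-dirs` → `exclude-dirs` move is the correct migration for the deprecation in `v1.59`.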