protobom · puerco · Jul 19, 2024 · Jul 3, 2024 · Jul 3, 2024 · Jul 3, 2024
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -13,7 +13,7 @@
     "HISTFILE": "/home/vscode/.zsh_history",
     "HISTSIZE": "1000000",
     "SAVEHIST": "1000000",
-    "ORG_NAME": "bom-squad"
+    "ORG_NAME": "protobom"
   },
   "postCreateCommand": ".devcontainer/post-create.sh",
   "customizations": {

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,3 +1,4 @@
+---
 version: 2
 updates:
   - package-ecosystem: "gomod"
@@ -12,6 +13,11 @@ updates:
       prefix: "chore"
       include: "scope"
     open-pull-requests-limit: 10
+    groups:
+      gomod:
+        update-types:
+          - "patch"
+
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
@@ -24,6 +30,12 @@ updates:
       prefix: "chore"
       include: "scope"
     open-pull-requests-limit: 10
+    groups:
+      actions:
+        update-types:
+          - "minor"
+          - "patch"
+
   - package-ecosystem: "docker"
     directory: "/"
     schedule:

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -5,77 +5,96 @@ on:
     branches:
       - "main"
   pull_request:
-    paths:
-      - "go.*"
-      - "**/*.go"
-      - "Dockerfile"
-      - ".github/workflows/*.yml"
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   govulncheck:
     runs-on: ubuntu-latest
+
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: 1.21.5
+          go-version: '1.22'
+          check-latest: true
+
       - name: govulncheck
         run: |
           go install golang.org/x/vuln/cmd/govulncheck@latest
           govulncheck ./...
+
   semgrep:
     runs-on: ubuntu-latest
     container:
       image: returntocorp/semgrep
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: dgryski/semgrep-go
           path: rules
+
       - name: semgrep
         run: semgrep scan --error --enable-nosem -f ./rules .
+
   ruleguard:
     runs-on: ubuntu-latest
+
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: dgryski/semgrep-go
           path: rules
-      - uses: actions/setup-go@v5
+
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: 1.21.5
+          go-version: '1.22'
+          check-latest: true
+
       - name: setup-ruleguard
         run: go install github.com/quasilyte/go-ruleguard/cmd/ruleguard@latest
+
       - name: ruleguard
         run: |
           mv rules ../
           go get -u github.com/quasilyte/go-ruleguard/dsl@latest
           ruleguard -c=0 -rules ../rules/ruleguard.rules.go ./...
+
   test:
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: 1.21.5
-      - uses: arduino/setup-task@v2
+          go-version: '1.22'
+          check-latest: true
+
+      - uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0
         with:
           version: 3.x
-          repo-token: ${{ secrets.GH_TOKEN }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
       - name: setup-tparse
         run: go install github.com/mfridman/tparse@latest
+
       - name: setup
         run: |
           task setup
           task build
+
       - name: test
         run: ./scripts/test.sh
-      - uses: codecov/codecov-action@v3
+      - uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
         with:
           file: ./coverage.txt
           token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -6,18 +6,22 @@ on:
     tags: ["v*"]
   pull_request:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   gitleaks:
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@v2
+
+      - uses: gitleaks/gitleaks-action@44c470ffc35caa8b1eb3e8012ca53c2f9bea4eb5 # v2.3.6
+        if: ${{ env.GITLEAKS_LICENSE != '' }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
-        if: ${{ env.GITLEAKS_LICENSE != '' }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -2,30 +2,31 @@ name: golangci-lint
 
 on:
   push:
-    tags:
-      - v*
     branches:
       - main
   pull_request:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   golangci:
+    name: lint
+    runs-on: ubuntu-latest
+
     permissions:
       contents: read
       pull-requests: read
-    name: lint
-    runs-on: ubuntu-latest
+
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: 1.21.5
+          go-version: '1.22'
+          check-latest: true
           cache: true
+
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
           args: --timeout=5m
-          version: v1.55.2
+          version: v1.59
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -23,42 +23,47 @@ on:
         required: false
         default: beta
 
-permissions: write-all
+permissions: {}
+
 jobs:
   release:
+    name: release
     runs-on: ubuntu-latest
+
     env:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
-    name: release
+
+    permissions:
+      contents: write
+      packages: write
+
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
+
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
+
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          cache: true
-          go-version: ">=1.20.6"
-      - uses: actions/cache@v4
-        with:
-          path: |
-            ./dist/*.deb
-            ./dist/*.rpm
-            ./dist/*.apk
-          key: ${{ github.ref }}
+          go-version: '1.22'
+          check-latest: true
+
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Fetch tags
         run: git fetch --force --tags
+
       - name: Bump version and push tag
-        uses: anothrNick/github-tag-action@1.67.0
+        uses: anothrNick/github-tag-action@a2c70ae13a881faf2b4953baaa9e49731997ab36 # 1.67.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           WITH_V: true
@@ -67,17 +72,19 @@ jobs:
           PRERELEASE_SUFFIX: ${{ inputs.prerelease-suffix }}
           VERBOSE: true
           DRY_RUN: false
+
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v5
+        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
         with:
           version: latest
           args: release --clean
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
           ORG_NAME: ${{ github.repository_owner }}
+
       - name: Upload assets
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: ${{ github.repository_owner }}
           path: dist/*
diff --git a/.github/workflows/semanticpr.yml b/.github/workflows/semanticpr.yml
@@ -7,14 +7,18 @@ on:
       - edited
       - synchronize
 
-permissions:
-  pull-requests: read
+permissions: {}
 
 jobs:
   main:
     name: validate PR title
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      pull-requests: read
+
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -3,15 +3,18 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
-permissions:
-  issues: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   stale:
     runs-on: ubuntu-latest
+
+    permissions:
+      issues: write
+      pull-requests: write
+
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
         with:
           stale-issue-message: "This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days."
           stale-pr-message: "This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days."