diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml new file mode 100644 index 0000000..d65d2b2 --- /dev/null +++ b/.github/dependabot.yaml @@ -0,0 +1,30 @@ +version: 2 +updates: +- package-ecosystem: github-actions + commit-message: + prefix: chore + include: scope + directory: / + schedule: + interval: monthly + groups: + github-actions: + patterns: + - "*" + update-types: + - "minor" + - "patch" +- package-ecosystem: gomod + commit-message: + prefix: chore + include: scope + directory: / + schedule: + interval: monthly + groups: + gomod: + patterns: + - "*" + update-types: + - "minor" + - "patch" diff --git a/.github/dependency-review-config.yaml b/.github/dependency-review-config.yaml new file mode 100644 index 0000000..08389a1 --- /dev/null +++ b/.github/dependency-review-config.yaml @@ -0,0 +1,20 @@ +# https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md +allow-licenses: +- 'Apache-2.0' +- 'BSD-2-Clause' +- 'BSD-2-Clause-FreeBSD' +- 'BSD-3-Clause' +- 'ISC' +- 'MIT' +- 'PostgreSQL' +- 'Python-2.0' +- 'X11' +- 'Zlib' + +allow-dependencies-licenses: +# this action is GPL-3 but it is only used in CI +# https://github.com/actions/dependency-review-action/issues/530#issuecomment-1638291806 +- pkg:githubactions/vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787 +# this package is MPL-2.0 and has a CNCF exception +# https://github.com/cncf/foundation/blob/9b8c9173c2101c1b4aedad3caf2c0128715133f6/license-exceptions/cncf-exceptions-2022-04-12.json#L43C17-L43C47 +- pkg:golang/github.com/go-sql-driver/mysql diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml index df4e7e3..324ff80 100644 --- a/.github/workflows/build-test.yaml +++ b/.github/workflows/build-test.yaml 
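Review bot: The `allow-dependencies-licenses` entry for `pkg:githubactions/vladopajic/go-test-coverage@bcd064e5...` in dependency-review-config.yaml is pinned to one commit, so the first Dependabot bump of that action (the dependabot.yaml in this same commit groups github-actions updates monthly) will make the dependency-review job fail until this file is edited by hand. If the action accepts the purl without the `@<commit>` suffix, `- pkg:githubactions/vladopajic/go-test-coverage` would keep the GPL exception tied to the package rather than to a revision; otherwise the comment above it should say that the two must be bumped together. Note also that no workflow in this diff uses go-test-coverage (the README badge points at a coverage.yaml that is not part of this change), so the exception presumably anticipates a separate commit.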
@@ -1,37 +1,41 @@ -name: CLI build and test -on: pull_request +name: build +on: + pull_request: + branches: + - main +permissions: {} jobs: - build: + build-snapshot: + permissions: + contents: read + packages: write runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 - - name: Install Go - uses: actions/setup-go@v2 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: - go-version: "^1.17" - - name: Set up environment - run: echo "GOVERSION=$(go version)" >> $GITHUB_ENV - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v2 + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version: stable + - uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 + id: goreleaser with: version: latest - args: build --snapshot --rm-dist + args: build --clean --verbose --single-target --snapshot - name: Upload Artifacts - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 with: name: lagoon-linter path: dist/* - cli_test: + cli-test: runs-on: ubuntu-latest - needs: build + needs: build-snapshot steps: - - name: Checkout - uses: actions/checkout@v2 - - name: Download lagoon-linter binaries - uses: actions/download-artifact@v2 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: lagoon-linter path: ./dist - - name: Run CLI test - run: ./cli-test.sh + - run: ./cli-test.sh diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml new file mode 100644 index 0000000..86d7a9e --- /dev/null +++ b/.github/workflows/dependency-review.yaml 
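Review bot: `packages: write` on the build-snapshot job near the top of the hunk grants more than the job uses: `goreleaser build --clean --verbose --single-target --snapshot` only writes local artifacts under dist/, which upload-artifact then stores, and nothing in the job pushes to GHCR. For a pull_request from a fork the token is read-only anyway, but for same-repo PRs this leaves a write-capable GITHUB_TOKEN in a job that runs third-party actions; `permissions:` / `contents: read` is sufficient here. The `packages: write` on release-build in release.yaml has the same problem, since the .goreleaser.yml in this commit defines no `dockers:` section, so the "push docker images to registry" comment there describes nothing the config does.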
@@ -0,0 +1,16 @@ +name: dependency review +on: + pull_request: + branches: + - main +permissions: {} +jobs: + dependency-review: + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 + with: + config-file: .github/dependency-review-config.yaml diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index a792f98..f198537 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
@@ -1,22 +1,40 @@ -name: Lint -on: pull_request +name: lint +on: + pull_request: + branches: + - main +permissions: {} jobs: - golangci-lint: - name: lint + lint-go: + permissions: + contents: read runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 - - name: golangci-lint - uses: golangci/golangci-lint-action@v2.5.2 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: - version: latest - commitlint: + go-version: stable + - uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1 + with: + args: --timeout=180s --enable gocritic + lint-commits: + permissions: + contents: read + pull-requests: read runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 - - name: Lint commit messages - uses: wagoid/commitlint-github-action@v4.1.9 + - uses: wagoid/commitlint-github-action@7f0a61df502599e1f1f50880aaa7ec1e2c0592f2 # v6.0.1 + with: + configFile: .github/commitlint.config.mjs + lint-actions: + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: docker://rhysd/actionlint:1.7.0@sha256:601d6faeefa07683a4a79f756f430a1850b34d575d734b1d1324692202bf312e # v1.7.0 + with: + args: -color diff --git a/.github/workflows/ossf-analysis.yaml b/.github/workflows/ossf-analysis.yaml new file mode 100644 index 0000000..655b3f4 --- /dev/null +++ b/.github/workflows/ossf-analysis.yaml 
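Review bot: The lint-commits job passes `configFile: .github/commitlint.config.mjs` to commitlint-github-action, but that file is not added anywhere in this diff; unless it already exists in the repository the job will fail on every PR. Either add the config in this commit or drop the `with:` block so the action falls back to its default configuration. The three checkout steps use the default `persist-credentials: true`; none of these jobs pushes, so `persist-credentials: false` would keep the token out of the workspace while actionlint and golangci-lint run.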
@@ -0,0 +1,31 @@ +name: OSSF scorecard +on: + push: + branches: + - main +permissions: {} +jobs: + ossf-scorecard-analysis: + runs-on: ubuntu-latest + permissions: + contents: read + # Needed if using Code scanning alerts + security-events: write + # Needed for GitHub OIDC token if publish_results is true + id-token: write + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Run analysis + uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 + with: + results_file: results.sarif + results_format: sarif + # Publish the results for public repositories to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless + # of the value entered here. + publish_results: true + - name: Upload SARIF results to code scanning + uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12 + with: + sarif_file: results.sarif diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a30e96c..3ea2af9 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
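Review bot: The checkout step in ossf-scorecard-analysis leaves the default `persist-credentials: true`, whereas the scorecard-action template checks out with `with:` / `persist-credentials: false` so the GITHUB_TOKEN is not written into the workspace of a job that also holds `id-token: write`. The workflow also runs only on `push` to main; scorecard's checks that depend on elapsed time (Maintained, Vulnerabilities, Dependency-Update-Tool) go stale between pushes, so the action's documented setup adds a `schedule:` cron trigger and `branch_protection_rule:` alongside `push`. Both are small additions under `on:` and the first checkout step.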
@@ -1,57 +1,60 @@ -name: Release +name: release on: push: branches: - main +permissions: {} jobs: - tag: + release-tag: + permissions: + # create tag + contents: write runs-on: ubuntu-latest outputs: - new-tag: ${{ steps.bump-tag.outputs.new }} + new-tag: ${{ steps.ccv.outputs.new-tag }} steps: - - name: Checkout - uses: actions/checkout@v2 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 - - name: Configure Git - run: | - git config --global user.name "$GITHUB_ACTOR" - git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" - - name: Install Go - uses: actions/setup-go@v2 - with: - go-version: "^1.17" - - name: Install ccv - run: > - curl -sSL https://github.com/smlx/ccv/releases/download/v0.3.2/ccv_0.3.2_linux_amd64.tar.gz - | sudo tar -xz -C /usr/local/bin ccv - name: Bump tag if necessary - id: bump-tag - run: | - if [ -z $(git tag -l $(ccv)) ]; then - git tag $(ccv) - git push --tags - echo "::set-output name=new::true" - fi - release: - needs: tag - if: needs.tag.outputs.new-tag == 'true' + id: ccv + uses: smlx/ccv@d3de774e9b607b079940a7a86952f44643743336 # v0.9.0 + release-build: + permissions: + # create release + contents: write + # push docker images to registry + packages: write + # required by attest-build-provenance + id-token: write + attestations: write + needs: release-tag + if: needs.release-tag.outputs.new-tag == 'true' runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 - - name: Install Go - uses: actions/setup-go@v2 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: - go-version: "^1.17" - - name: Set up environment - run: echo "GOVERSION=$(go version)" >> $GITHUB_ENV - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v2 + go-version: stable + - uses: 
advanced-security/sbom-generator-action@375dee8e6144d9fd0ec1f5667b4f6fb4faacefed # v0.0.1 + id: sbom + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Move sbom to avoid dirty git + run: mv "$GITHUB_SBOM_PATH" ./sbom.spdx.json + env: + GITHUB_SBOM_PATH: ${{ steps.sbom.outputs.fileName }} + - uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 + id: goreleaser with: version: latest - args: release --rm-dist + args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_SBOM_PATH: ./sbom.spdx.json + # attest archives + - uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3 + with: + subject-path: "dist/*.tar.gz" diff --git a/.github/workflows/tag-to-release.yaml b/.github/workflows/tag-to-release.yaml deleted file mode 100644 index 5fe339d..0000000 --- a/.github/workflows/tag-to-release.yaml +++ /dev/null @@ -1,28 +0,0 @@ -name: Tag to Release -on: - push: - tags: - - v* -jobs: - release: - strategy: - matrix: - os: - - ubuntu-latest - runs-on: ${{ matrix.os }} - steps: - - name: Checkout - uses: actions/checkout@v2 - - name: Install Go - uses: actions/setup-go@v2 - with: - go-version: "^1.17" - - name: Set up environment - run: echo "GOVERSION=$(go version)" >> $GITHUB_ENV - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v2 - with: - version: latest - args: release --rm-dist - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index f2fc8eb..292dcf6 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
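Review bot: The attest-build-provenance step at the end of the hunk covers only `dist/*.tar.gz`, so the SBOM that this same job moves to ./sbom.spdx.json and attaches to the release through .goreleaser.yml's `extra_files`, and goreleaser's generated checksums file, carry no provenance; a consumer running `gh attestation verify` on those assets gets nothing. `subject-path` accepts several patterns, so listing the SBOM (and the checksums file if it is published) alongside the archives would close that gap. The release-build job starts inside the hunk and its last step is the attestation, so nothing after it is cut off.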
@@ -1,14 +1,19 @@ -name: Test -on: pull_request +name: test +on: + pull_request: + branches: + - main +permissions: {} jobs: - go-test: + test-go: + permissions: + contents: read runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2 - - name: Install Go - uses: actions/setup-go@v2 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: - go-version: "^1.17" - - name: Run Tests - run: go test -v ./... + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version: stable + - run: go test -v ./... diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..7e275b7 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +/dist +/cover.out +/cover.out.raw +/sbom.spdx.json diff --git a/.goreleaser.yml b/.goreleaser.yml index 0c7507f..eb23190 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -1,8 +1,28 @@ +version: 2 builds: -- dir: cmd/lagoon-linter +- id: lagoon-linter + binary: lagoon-linter + main: ./cmd/lagoon-linter ldflags: - > - -s -w -X main.date={{.Date}} -X "main.goVersion={{.Env.GOVERSION}}" - -X main.shortCommit={{.ShortCommit}} -X main.version={{.Version}} + -s -w + -X "main.commit={{.Commit}}" + -X "main.date={{.Date}}" + -X "main.projectName={{.ProjectName}}" + -X "main.version=v{{.Version}}" env: - CGO_ENABLED=0 + goos: + - linux + - darwin + goarch: + - amd64 + - arm64 + +changelog: + use: github-native + +release: + extra_files: + - glob: "{{ .Env.GITHUB_SBOM_PATH }}" + name_template: "{{ .ProjectName }}.v{{ .Version }}.sbom.spdx.json" diff --git a/README.md b/README.md index 8381b28..e0d660d 100644 --- a/README.md +++ b/README.md 
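Review bot: The test-go job in test.yaml runs `go test -v ./...` without the race detector, while the lint workflow in this same commit is being tightened with gocritic; `- run: go test -race -v ./...` costs little on a repo this size and is the usual CI default for Go. A shuffle flag (`-shuffle=on`) is a further cheap way to surface order-dependent tests, but is optional.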
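Review bot: The new ldflags in .goreleaser.yml set `main.commit`, `main.date`, `main.projectName` and `main.version` and drop `-X main.shortCommit={{.ShortCommit}}`, but the var block in cmd/lagoon-linter/main.go (hunk further down) still declares `shortCommit` and no `commit` or `projectName`, and version.go's `Run` still prints `shortCommit`. The Go linker silently ignores `-X` for a symbol that does not exist, so released binaries will print `lagoon-linter v1.2.3 () compiled with ...` with an empty commit field, and the `main.commit`/`main.projectName` values go nowhere. Either restore `-X "main.shortCommit={{.ShortCommit}}"` in the ldflags list, or rename the variable to `commit` in main.go and version.go and delete the unused `projectName` entry. Also note the version value now carries a `v` prefix (`main.version=v{{.Version}}`); I cannot see whether anything parses that string, so worth a check.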
@@ -1,5 +1,10 @@ # Lagoon Linter +[![coverage](https://raw.githubusercontent.com/uselagoon/lagoon-linter/badges/.badges/main/coverage.svg)](https://github.com/uselagoon/lagoon-linter/actions/workflows/coverage.yaml) +[![Go Report Card](https://goreportcard.com/badge/github.com/uselagoon/lagoon-linter)](https://goreportcard.com/report/github.com/uselagoon/lagoon-linter) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/uselagoon/lagoon-linter/badge)](https://securityscorecards.dev/viewer/?uri=github.com/uselagoon/lagoon-linter) + [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9356/badge)](https://www.bestpractices.dev/projects/9356) + Lint `.lagoon.yml` for validity. ## Profiles diff --git a/cmd/lagoon-linter/main.go b/cmd/lagoon-linter/main.go index a7241ee..1698d8b 100644 --- a/cmd/lagoon-linter/main.go +++ b/cmd/lagoon-linter/main.go @@ -4,7 +4,6 @@ import "github.com/alecthomas/kong" var ( date string - goVersion string shortCommit string version string ) diff --git a/cmd/lagoon-linter/version.go b/cmd/lagoon-linter/version.go index fec2119..7ede479 100644 --- a/cmd/lagoon-linter/version.go +++ b/cmd/lagoon-linter/version.go @@ -1,6 +1,9 @@ package main -import "fmt" +import ( + "fmt" + "runtime" +) // VersionCmd represents the version command. type VersionCmd struct{} @@ -8,6 +11,6 @@ type VersionCmd struct{} // Run the version command to print version information. func (cmd *VersionCmd) Run() error { fmt.Printf("lagoon-linter %v (%v) compiled with %v on %v\n", version, - shortCommit, goVersion, date) + shortCommit, runtime.Version(), date) return nil }