From 1217c8c1afa36a20d7e8054859c3e424944c09cb Mon Sep 17 00:00:00 2001
From: Ben Doerr
Date: Thu, 29 Aug 2024 10:41:39 -0400
Subject: [PATCH] =?UTF-8?q?=F0=9F=91=B7=20ci:=20Adds=20comprehensive=20wor?=
 =?UTF-8?q?kflows.=20Lint,=20test,=20release,=20etc.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/changelog.json | 24 +++++
 .github/dependabot.yml | 28 +++++
 .github/labeler.yml | 14 +++
 .github/workflows/dependency-review.yml | 32 ++++++
 .github/workflows/dependency-update.yml | 44 ++++++++
 .github/workflows/gomod.yml | 34 +++++++
 .github/workflows/lint.yml | 130 ++++++++++++++++++++++++
 .github/workflows/pr-label.yml | 22 ++++
 .github/workflows/release.yml | 37 +++++++
 .github/workflows/scorecard.yml | 78 ++++++++++++++
 .github/workflows/test.yml | 39 +++++++
 go.mod | 5 +-
 go.sum | 8 --
 13 files changed, 483 insertions(+), 12 deletions(-)
 create mode 100644 .github/changelog.json
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/labeler.yml
 create mode 100644 .github/workflows/dependency-review.yml
 create mode 100644 .github/workflows/dependency-update.yml
 create mode 100644 .github/workflows/gomod.yml
 create mode 100644 .github/workflows/lint.yml
 create mode 100644 .github/workflows/pr-label.yml
 create mode 100644 .github/workflows/release.yml
 create mode 100644 .github/workflows/scorecard.yml
 create mode 100644 .github/workflows/test.yml

diff --git a/.github/changelog.json b/.github/changelog.json
new file mode 100644
index 0000000..1a3b8a9
--- /dev/null
+++ b/.github/changelog.json
@@ -0,0 +1,24 @@
+{
+ "categories": [
+ {
+ "title": "## ✨ Features",
+ "labels": ["enhancement"]
+ },
+ {
+ "title": "## 🐛 Fixes",
+ "labels": ["bug"]
+ },
+ {
+ "title": "## 🎨 Cleanup",
+ "labels": ["cleanup"]
+ },
+ {
+ "title": "## 👷 CI/CD",
+ "labels": ["cicd"]
+ },
+ {
+ "title": "## 📌 Dependencies",
+ "labels": ["dependencies"]
+ }
+ ]
+}
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..03ba63f
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,28 @@
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleinterval
+version: 2
+updates:
+ - package-ecosystem: "gomod"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ groups:
+ go:
+ update-types:
+ - "major"
+ - "minor"
+ - "patch"
+ commit-message:
+ prefix: "⬆️ go:"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ groups:
+ github-actions:
+ update-types:
+ - "major"
+ - "minor"
+ - "patch"
+ commit-message:
+ prefix: "⬆️ gha:"
diff --git a/.github/labeler.yml b/.github/labeler.yml
new file mode 100644
index 0000000..b5fd8b2
--- /dev/null
+++ b/.github/labeler.yml
@@ -0,0 +1,14 @@
+enhancement:
+ - head-branch: ["^feature", "feature", "^new", "new"]
+
+bug:
+ - head-branch: ["^fix", "fix", "^bug", "bug"]
+
+cicd:
+ - head-branch: ["^ci", "ci", "^cicd", "cicd"]
+
+documentation:
+ - head-branch: ["^docs", "docs"]
+
+cleanup:
+ - head-branch: ["^cleanup", "cleanup", "^chore", "chore"]
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..e266a75
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
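Review bot: Both `groups` entries list `"major"` alongside `"minor"` and `"patch"`, so a major bump of a Go module or of a SHA-pinned action lands in the same weekly PR as routine patch updates and gets the same cursory review as a patch. Major releases are where breaking changes and re-tagged or compromised releases show up, so I would keep them out of the group and let them open as their own PRs, e.g. `update-types: ["minor", "patch"]` under each group. Consider also adding `open-pull-requests-limit` so a burst of updates does not flood the repository.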
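Review bot: The unanchored entries in every `head-branch` list (`"feature"`, `"fix"`, `"ci"`, `"docs"`, …) are matched as regular expressions anywhere in the branch name, which is what the `^` entries beside them already assume; as a result a branch like `docs/precise-wording` or `fix-special-case` picks up the `cicd` label through the substring `ci`, and the anchored `^ci` entry is redundant. These labels drive the release-notes categories in `.github/changelog.json`, so mislabeling shows up directly in published changelogs. Keep only anchored forms, e.g. `- head-branch: ["^(ci|cicd)([/_-]|$)"]`, and likewise for the other entries.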
@@ -0,0 +1,32 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: "Dependency Review"
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - name: "Checkout Repository"
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: "Dependency Review"
+ uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+ with:
+ comment-summary-in-pr: always
diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml
new file mode 100644
index 0000000..d3c8d92
--- /dev/null
+++ b/.github/workflows/dependency-update.yml
@@ -0,0 +1,44 @@
+name: "Update dependabot unsupported dependencies"
+
+on:
+ schedule:
+ - cron: "5 0 * * 1"
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ pre-commit:
+ name: "Pre-commit Dependency Update"
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ pull-requests: write
+
+ steps:
+ - name: "Harden Runner"
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - name: "Checkout Repository"
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: "Setup Python"
+ uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+
+ - name: "Update .pre-commit-config.yml"
+ run: |
+ pip install pre-commit
+ pre-commit autoupdate --freeze
+
+ - name: "Create new pull-request"
+ uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
+ if: always()
+ with:
+ branch: update/pre-commit-hooks
+ title: "⬆️ pch: Update pre-commit hook versions"
+ commit-message: "⬆️ pch: Update pre-commit hook versions"
+ labels: "dependencies,pre-commit"
diff --git a/.github/workflows/gomod.yml b/.github/workflows/gomod.yml
new file mode 100644
index 0000000..5a1883d
--- /dev/null
+++ b/.github/workflows/gomod.yml
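Review bot: The job declares `contents: read`, but `peter-evans/create-pull-request` has to push the `update/pre-commit-hooks` branch with the job token, which needs `contents: write`; as written the push should be rejected and no PR created. Change the job permissions to `contents: write` plus `pull-requests: write`, and drop `if: always()` so a failed `pre-commit autoupdate` does not open a PR from a half-updated config. `pip install pre-commit` is also unpinned in a workflow where everything else is SHA-pinned; pin it (`pip install pre-commit==<version>`) so a scheduled run cannot pull an unexpected release. Note that PRs opened with `GITHUB_TOKEN` do not trigger the lint/test workflows, so checks will not run on that PR unless a GitHub App token or PAT is supplied to the action.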
@@ -0,0 +1,34 @@
+name: Validate gomod dependencies
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ types: [opened, synchronize, reopened]
+
+permissions:
+ contents: read
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ with:
+ go-version-file: go.mod
+ cache: true
+
+ - shell: bash
+ run: |
+ go mod tidy && git diff --exit-code
+
+ - shell: bash
+ run: |
+ go mod download && go mod verify
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..26d047f
--- /dev/null
+++ b/.github/workflows/lint.yml
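Review bot: `go mod tidy && git diff --exit-code` rewrites go.mod/go.sum in the working tree before checking, and since go.mod in this same patch declares `go 1.23.0`, the built-in form `go mod tidy -diff` does the same check without writing anything and exits non-zero when the files are not tidy. `go mod verify` only re-checks downloaded module contents against go.sum; it does not look for known vulnerabilities, and the dependency-review workflow only inspects lines changed in a PR, so a pinned `govulncheck ./...` step here would close that gap on pushes to `main` as well.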
@@ -0,0 +1,130 @@
+name: Lint
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ types: [opened, synchronize, reopened]
+
+permissions:
+ contents: read
+
+jobs:
+ golangci-lint:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: golangci-lint
+ uses: reviewdog/action-golangci-lint@7708105983c614f7a2725e2172908b7709d1c3e4 # v2.6.2
+ with:
+ github_token: ${{ github.token }}
+ reporter: github-pr-review
+ fail_on_error: "false"
+ filter_mode: file
+ go_version_file: go.mod
+ prettier:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: create package.json
+ run: |
+ echo -e '{"devDependencies": {"prettier": "^3.1.0"}}' > package.json
+ - name: prettier
+ uses: EPMatt/reviewdog-action-prettier@93fb51ed5da157256e1d8c998fb249837304050c # v1.2.0
+ with:
+ github_token: ${{ github.token }}
+ reporter: github-pr-review
+ fail_on_error: "false"
+ filter_mode: file
+ misspell:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: misspell
+ uses: reviewdog/action-misspell@ef8b22c1cca06c8d306fc6be302c3dab0f6ca12f # v1.23.0
+ with:
+ github_token: ${{ github.token }}
+ reporter: github-pr-review
+ fail_on_error: "false"
+ filter_mode: file
+ exclude: |
+ ./.git/*
+ ./.cache/*
+ alex:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: alex
+ uses: reviewdog/action-alex@f95df9e356d97e67e4626f04ad125c4a99a906a9 # v1.13.0
+ with:
+ github_token: ${{ github.token }}
+ reporter: github-pr-review
+ fail_on_error: "false"
+ filter_mode: file
+ markdownlint:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: markdownlint
+ uses: reviewdog/action-markdownlint@e9f3ab4fea1433280a4b0eddca17be1340dfea94 # v0.24.0
+ with:
+ github_token: ${{ github.token }}
+ reporter: github-pr-review
+ fail_on_error: "false"
+ filter_mode: file
+ markdownlint_flags: |
+ --disable MD033 MD013 -- .
+ actionlint:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: actionlint
+ uses: reviewdog/action-actionlint@4f8f9963ca57a41e5fd5b538dd79dbfbd3e0b38a # v1.54.0
+ with:
+ github_token: ${{ github.token }}
+ reporter: github-pr-review
+ fail_on_error: "false"
+ filter_mode: file
diff --git a/.github/workflows/pr-label.yml b/.github/workflows/pr-label.yml
new file mode 100644
index 0000000..3302e55
--- /dev/null
+++ b/.github/workflows/pr-label.yml
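Review bot: Every job sets `fail_on_error: "false"` with `reporter: github-pr-review`, so no finding ever fails the check, and on the `push` to `main` trigger there is no pull request for reviewdog to comment on, so those runs produce nothing visible; either gate with `fail_on_error: "true"` (paired with `filter_mode: added` to keep it to new code) or use a `github-check` reporter for push events. In the `prettier` job the generated package.json requests `"prettier": "^3.1.0"`, a floating range resolved at run time, which is the one unpinned tool in a patch where everything else is SHA-pinned; pin an exact version. Each job's `permissions:` block lists only `pull-requests: write`, which resets `contents` to `none` for that job; the checkout may still succeed on a public repository, but add `contents: read` here as the other workflows do.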
@@ -0,0 +1,22 @@
+name: Label Pull Request
+
+on:
+ pull_request:
+
+permissions:
+ contents: read
+
+jobs:
+ label:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ pull-requests: write
+
+ steps:
+ - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 #v5.0.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..d3c9e92
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,37 @@
+name: Publish release
+
+on:
+ push:
+ tags:
+ - "v*.*.*"
+
+permissions:
+ contents: read
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: write
+ pull-requests: write
+ deployments: write
+
+ steps:
+ - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - uses: mikepenz/release-changelog-builder-action@f3fc77b47b74e78971fffecb2102ae6eac9a44d6 # v5
+ id: build_changelog
+ with:
+ configuration: .github/changelog.json
+ failOnError: "true"
+ fetchReviewers: "true"
+
+ - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
+ if: startsWith(github.ref, 'refs/tags/')
+ with:
+ body: ${{steps.build_changelog.outputs.changelog}}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 0000000..3978125
--- /dev/null
+++ b/.github/workflows/scorecard.yml
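Review bot: With the `pull_request` trigger, the `GITHUB_TOKEN` for a pull request from a fork is read-only regardless of the `pull-requests: write` declared here, so labeling fails for exactly the external PRs you most want categorized. actions/labeler's documented trigger is `pull_request_target`, which runs in the base repository with a write token; that is acceptable in this job because it never checks out or executes PR-head code, and any checkout added here later must keep it that way. Change `on: pull_request:` to `on: pull_request_target:` and leave the step list as is.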
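Review bot: The release job grants `deployments: write`, which no step uses, and `pull-requests: write` where `release-changelog-builder-action` only reads pull requests and reviewers; under least privilege the job needs `contents: write` (for `action-gh-release`) and `pull-requests: read`. This is also the job where `egress-policy: audit` matters most, since it runs with a write token on every `v*.*.*` tag push: once the audit logs show the endpoints, switch to `egress-policy: block` with an `allowed-endpoints` list, and set `persist-credentials: false` on the checkout as the scorecard workflow already does, because neither later step appears to need git credentials. The `if: startsWith(github.ref, 'refs/tags/')` on the last step is redundant with the `tags:` trigger. Finally, anyone with push rights can cut a release by pushing a tag; a tag protection rule or a required `environment:` on this job is the usual control.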
@@ -0,0 +1,78 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: "16 12 * * 0"
+ push:
+ branches: ["main"]
+ workflow_dispatch:
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - name: "Checkout code"
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecard on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@883d8588e56d1753a8a58c1c86e88976f0c23449 # v3.26.3
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..11bad20
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,39 @@
+name: Test
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ types: [opened, synchronize, reopened]
+
+permissions:
+ contents: read
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ with:
+ go-version-file: go.mod
+ cache: true
+
+ - shell: bash
+ run: |
+ go install github.com/jstemmer/go-junit-report@latest
+ go test -race -v ./... 2>&1 | tee report.txt || true
+ go-junit-report -set-exit-code < report.txt > report.xml
+
+ - uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
+ with:
+ paths: report.xml
+ if: always()
diff --git a/go.mod b/go.mod
index d55c0ca..63b22cd 100644
--- a/go.mod
+++ b/go.mod
@@ -5,8 +5,8 @@ go 1.23.0
 require (
 github.com/alecthomas/kong v0.9.0
 github.com/hashicorp/hcl/v2 v2.22.0
- github.com/kr/pretty v0.3.1
 github.com/spf13/afero v1.11.0
+ github.com/zclconf/go-cty v1.13.0
 )
 
 require (
@@ -14,10 +14,7 @@ require (
 github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
 github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 github.com/google/go-cmp v0.6.0 // indirect
- github.com/kr/text v0.2.0 // indirect
 github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 // indirect
- github.com/rogpeppe/go-internal v1.9.0 // indirect
- github.com/zclconf/go-cty v1.13.0 // indirect
 golang.org/x/mod v0.17.0 // indirect
 golang.org/x/sync v0.8.0 // indirect
 golang.org/x/text v0.17.0 // indirect
diff --git a/go.sum b/go.sum
index aa9e16f..20d620a 100644
--- a/go.sum
+++ b/go.sum
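Review bot: The job asks for `id-token: write`, but no step requests an OIDC token (there is no cloud login or signing step), so this is an unused privilege; and because the job-level `permissions:` block lists only that scope, `contents` is reset to `none` for the job, so replace it with `contents: read` as the `gomod` job does. `go install github.com/jstemmer/go-junit-report@latest` fetches an unpinned tool on every run, the only floating dependency next to SHA-pinned actions; pin a version (`@v2.1.0` or whatever is current) so runs are reproducible and a compromised release cannot reach the runner. The `|| true` is fine because `go-junit-report -set-exit-code` restores the failure from the report.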
@@ -10,7 +10,6 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
@@ -21,15 +20,8 @@ github.com/hashicorp/hcl/v2 v2.22.0 h1:hkZ3nCtqeJsDhPRFz5EA9iwcG1hNWGePOTw6oyul1
 github.com/hashicorp/hcl/v2 v2.22.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
 github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
-github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
-github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
-github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 h1:DpOJ2HYzCv8LZP15IdmG+YdwD2luVPHITV96TkirNBM=
 github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
 github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
 github.com/zclconf/go-cty v1.13.0 h1:It5dfKTTZHe9aeppbNOda3mN7Ag7sg6QkBNm6TkyFa0=