Reusable workflows

.github/workflows/analysis.yml

@@ -0,0 +1,86 @@
+# Copyright 2020 Wayback Archiver. All rights reserved.
+# Use of this source code is governed by the GNU GPL v3
+# license that can be found in the LICENSE file.
+
+name: "Analysis"
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '33 23 * * 4'
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  scorecards:
+    name: Scorecards
+    uses: wabarc/.github/.github/workflows/reusable-scorecards.yml@main
+    if: |
+      github.event_name == 'pull_request' ||
+      github.ref == 'refs/heads/main'
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      actions: read
+      contents: read
+
+  codeql:
+    name: CodeQL
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+    uses: wabarc/.github/.github/workflows/reusable-codeql.yml@main
+    with:
+      language: ${{ matrix.language }}
+
+  nancy:
+    name: Sonatype Nancy
+    uses: wabarc/.github/.github/workflows/reusable-nancy.yml@main
+
+  semgrep:
+    name: Semgrep Scan
+    if: github.actor != 'dependabot[bot]'
+    uses: wabarc/.github/.github/workflows/reusable-semgrep.yml@main
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      actions: read
+      contents: read
+
+  fossa:
+    if: github.event_name != 'pull_request'
+    name: FOSSA
+    uses: wabarc/.github/.github/workflows/reusable-fossa.yml@main
+    secrets:
+      fossa-apikey: ${{ secrets.FOSSA_APIKEY }}
+
+  dependency-review:
+    name: Dependency Review
+    uses: wabarc/.github/.github/workflows/reusable-dependency-review.yml@main
+
+  trivy:
+    name: Trivy
+    uses: wabarc/.github/.github/workflows/reusable-trivy.yml@main
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      #actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    with:
+      scan-type: 'fs'
+      sarif: 'filesystem.sarif'

.github/workflows/linter.yml

@@ -1,24 +1,48 @@
-name: Lint
+# Copyright 2020 Wayback Archiver. All rights reserved.
+# Use of this source code is governed by the GNU GPL v3
+# license that can be found in the LICENSE file.
+#
+name: Linter
 
 on:
   push:
-    branches: [ main ]
+    branches:
+      - '**'
   pull_request:
-    branches: [ main ]
+    branches:
+      - '**'
     types: [ opened, synchronize, reopened ]
 
+permissions:
+  contents: read
+
 jobs:
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout default branch
-        uses: actions/checkout@v2
-
-      - name: Lint Code Base
-        uses: github/super-linter@v4
-        env:
-          DEFAULT_BRANCH: 'main'
-          VALIDATE_ALL_CODEBASE: false
-          VALIDATE_JSON: false
-          VALIDATE_ANSIBLE: false
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  super-linter:
+    name: Super Linter
+    uses: wabarc/.github/.github/workflows/reusable-super-linter.yml@main
+
+  golangci:
+    name: golangci-lint
+    uses: wabarc/.github/.github/workflows/reusable-golangci.yml@main
+
+  shellcheck:
+    name: ShellCheck
+    uses: wabarc/.github/.github/workflows/reusable-shellcheck.yml@main
+
+  misspell:
+    name: Misspell
+    uses: wabarc/.github/.github/workflows/reusable-misspell.yml@main
+
+  alex:
+    name: Alex
+    uses: wabarc/.github/.github/workflows/reusable-alex.yml@main
+
+  urlcheck:
+    name: URLCheck
+    uses: wabarc/.github/.github/workflows/reusable-urlcheck.yml@main
+    with:
+      exclude-patterns: '.onion,https://github.com/,https://repo.wabarc.eu.org/,twitter.com'
+
+  goreportcard:
+    name: Go Report Card
+    uses: wabarc/.github/.github/workflows/reusable-goreportcard.yml@main

.github/workflows/release.yml

@@ -5,6 +5,9 @@ on:
     tags:
       - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
@@ -52,97 +55,24 @@ jobs:
           - os: dragonfly
             arch: 386
       fail-fast: false
-    runs-on: ubuntu-latest
-    env:
-      GOOS: ${{ matrix.os }}
-      GOARCH: ${{ matrix.arch }}
-      GOARM: ${{ matrix.arm }}
-      GOMIPS: ${{ matrix.mips }}
-      GOMIPS64: ${{ matrix.mips64 }}
-      GOMIPSLE: ${{ matrix.mipsle }}
-    steps:
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
-
-    - name: List checked-out code
-      run: ls -al
-
-    - name: Set up Go 1.x
-      uses: actions/setup-go@v2
-      with:
-        go-version: ^1.16
-
-    - name: Build fat binary
-      id: builder
-      run: |
-        ARGS="${GOOS}-${GOARCH}"
-        if [[ -n "${GOARM}" ]]; then
-          ARGS="${ARGS}v${GOARM}"
-        elif [[ -n "${GOMIPS}" ]]; then
-          ARGS="${ARGS}-${GOMIPS}"
-        elif [[ -n "${GOMIPS64}" ]]; then
-          ARGS="${ARGS}-${GOMIPS64}"
-        elif [[ -n "${GOMIPSLE}" ]]; then
-          ARGS="${ARGS}-${GOMIPSLE}"
-        fi
-        make ${ARGS}
-        echo "args=${ARGS}" >> $GITHUB_OUTPUT
-
-    - name: Archive binary
-      run: make TARGET=${{ steps.builder.outputs.args }} releases
-
-    - name: Upload archived binary
-      uses: actions/upload-artifact@v2
-      with:
-        name: archive-is
-        path: build/package/archive.is*
-
-  checksum:
-    name: Get archived packages checksum
-    runs-on: ubuntu-latest
-    needs: [ build ]
-    outputs:
-      digest: ${{ steps.digest.outputs.result }}
-    steps:
-    - name: Download math result from build job
-      uses: actions/download-artifact@v2
-      with:
-        name: archive-is
-        path: .
-
-    - name: Create all binary digest
-      id: digest
-      run: |
-        digest=$(find archive.is* -type f -exec sha256sum {} +)
-        digest="${digest//$'%'/%25}"
-        digest="${digest//$'\n'/%0A}"
-        echo "result=${digest}" >> $GITHUB_OUTPUT
+    uses: wabarc/.github/.github/workflows/reusable-builder-go.yml@main
+    with:
+      product: archive.is
+      release: true
+      go-version: '^1.20'
+      go-os: ${{ matrix.os }}
+      go-arch: ${{ matrix.arch }}
+      go-arm: ${{ matrix.arm }}
+      go-mips: ${{ matrix.mips }}
+      go-mips64: ${{ matrix.mips64 }}
+      go-mipsle: ${{ matrix.mipsle }}
+      artifact-path: build/package/archive.is*
 
   release:
     name: Create and upload release
-    runs-on: ubuntu-latest
-    needs: [build, checksum]
-    steps:
-    - name: Download math result from build and checksum jobs
-      uses: actions/download-artifact@v2
-      with:
-        name: archive-is
-        path: archive-is # Put files to archive.is directory
-
-    - name: Create Release
-      uses: softprops/action-gh-release@v1
-      if: startsWith(github.ref, 'refs/tags/')
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
-      with:
-        body: |
-          See [CHANGELOG.md](https://github.com/${{ github.repository }}/blob/${{ github.sha }}/CHANGELOG.md).
-
-          **Digests in this release:**
-
-          ```
-          ${{ needs.checksum.outputs.digest }}
-          ```
-        draft: true
-        files: |
-          archive-is/*
+    needs: [ build ]
+    permissions:
+      contents: write
+    uses: wabarc/.github/.github/workflows/reusable-releaser-go.yml@main
+    with:
+      product: archive.is

.github/workflows/stale.yml

@@ -1,19 +1,19 @@
+# Copyright 2020 Wayback Archiver. All rights reserved.
+# Use of this source code is governed by the GNU GPL v3
+# license that can be found in the LICENSE file.
+#
 name: Stale
 
 on:
   schedule:
     - cron: "0 3 * * 6"
+  workflow_dispatch:
+
+permissions:
+  issues: write
+  pull-requests: write
 
 jobs:
   stale:
     name: Stale
-    runs-on: ubuntu-latest
-    steps:
-      - name: Mark stale issues and pull requests
-        uses: actions/stale@v4
-        with:
-          repo-token: ${{ github.token }}
-          stale-issue-message: "This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days"
-          stale-pr-message: 'It has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days'
-          days-before-stale: 120
-          days-before-close: 5
+    uses: wabarc/.github/.github/workflows/reusable-stale.yml@main