Merge branch 'main' into http-client

wabarc · Feb 11, 2024 · 6af231b · 6af231b
2 parents d218b5f + da77ae3
commit 6af231b
Show file tree

Hide file tree

Showing 22 changed files with 204 additions and 134 deletions.
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
@@ -49,6 +49,7 @@ jobs:
     with:
       language: ${{ matrix.language }}
       config-file: './.github/codeql/codeql-config.yml'
+      egress-policy: audit
 
   nancy:
     name: Sonatype Nancy
@@ -85,3 +86,4 @@ jobs:
     with:
       scan-type: 'fs'
       sarif: 'filesystem.sarif'
+      egress-policy: audit
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
@@ -99,6 +99,7 @@ jobs:
       go-mips64: ${{ matrix.mips64 }}
       go-mipsle: ${{ matrix.mipsle }}
       artifact-path: ./build/binary/wayback*
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 
@@ -122,6 +123,7 @@ jobs:
       go-arch: ${{ matrix.arch }}
       go-arm: ${{ matrix.arm }}
       artifact-path: build/package/wayback*.deb
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 
@@ -132,6 +134,7 @@ jobs:
       product: wayback
       params: 'make rpm'
       artifact-path: build/package/wayback*.rpm
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 
@@ -145,6 +148,7 @@ jobs:
         build/aur/.SRCINFO
         build/aur/PKGBUILD
         build/aur/wayback*.pkg.tar.zst
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 
@@ -153,8 +157,9 @@ jobs:
     uses: wabarc/.github/.github/workflows/reusable-builder-snap.yml@main
     with:
       product: wayback
-      channel: edge
+      channel: stable
       publish: ${{ github.repository == 'wabarc/wayback' && github.event_name == 'push' }}
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
       snapcraft-token: ${{ secrets.SNAPCRAFT_TOKEN }}
@@ -167,5 +172,6 @@ jobs:
       version: edge
       params: 'make build'
       artifact-path: org.wabarc.wayback-*.x86_64.flatpak
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -54,13 +54,13 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0
         with:
-          egress-policy: block
+          egress-policy: audit
           disable-telemetry: true
           allowed-endpoints: >
             ghcr.io:443
             github.com:443
             api.github.com:443
-            pkg-containers.githubusercontent.com:443
+            *.githubusercontent.com
             docker.io:443
             auth.docker.io:443
             index.docker.io:443
@@ -78,9 +78,7 @@ jobs:
 
       - name: Install Cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
-        with:
-          cosign-release: 'v1.13.1'
+        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
 
       - name: Prepare
         id: prep
@@ -158,14 +156,14 @@ jobs:
             *.cache-from=type=local,src=/tmp/.image-cache/image
             *.cache-to=type=local,dest=/tmp/.image-cache-new/image
 
-      - name: Sign image with a key
+      - name: Siging image
         if: github.event_name != 'pull_request'
         env:
           TAGS: ${{ steps.meta.outputs.tags }}
           COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
           COSIGN_PASSWORD: ${{secrets.COSIGN_PASSPHARSE}}
         run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY ${TAGS}
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${TAGS}
 
       - name: Check manifest
         if: github.event_name != 'pull_request'
@@ -201,14 +199,14 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0
         with:
-          egress-policy: block
+          egress-policy: audit
           disable-telemetry: true
           allowed-endpoints: >
             ghcr.io:443
             github.com:443
             api.github.com:443
             docker.io:443
-            pkg-containers.githubusercontent.com:443
+            *.githubusercontent.com
             auth.docker.io:443
             registry-1.docker.io:443
             production.cloudflare.docker.com:443
@@ -224,9 +222,7 @@ jobs:
 
       - name: Install Cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
-        with:
-          cosign-release: 'v1.13.1'
+        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
 
       - name: Prepare
         id: prep
@@ -304,7 +300,7 @@ jobs:
           COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
           COSIGN_PASSWORD: ${{secrets.COSIGN_PASSPHARSE}}
         run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY ${TAGS}
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${TAGS}
 
       - name: Check manifest
         if: github.event_name != 'pull_request'
@@ -331,11 +327,12 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      #actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     with:
       scan-type: 'image'
       image-ref: '${{ needs.publish.outputs.image }}:${{ needs.publish.outputs.version }}'
       sarif: 'container-standalone.sarif'
+      egress-policy: 'audit'
 
   trivy-bundle:
     name: Trivy for bundle
@@ -344,8 +341,9 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      #actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     with:
       scan-type: 'image'
       image-ref: '${{ needs.allinone.outputs.image }}:${{ needs.allinone.outputs.version }}'
       sarif: 'container-bundle.sarif'
+      egress-policy: 'audit'
diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml
@@ -26,3 +26,5 @@ jobs:
   license:
     name: License Checker
     uses: wabarc/.github/.github/workflows/reusable-license.yml@main
+    with:
+      egress-policy: audit
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -29,6 +29,8 @@ jobs:
   golangci:
     name: golangci-lint
     uses: wabarc/.github/.github/workflows/reusable-golangci.yml@main
+    with:
+      egress-policy: audit
 
   shellcheck:
     name: ShellCheck

diff --git a/.licenserc.yaml b/.licenserc.yaml
@@ -45,3 +45,14 @@ header:
     - 'mkdocs.yml'
 
   comment: on-failure
+
+dependency:
+  files:
+    - go.mod
+  licenses:
+    - name: github.com/multiformats/go-base36
+      version: v0.2.0
+      license: Apache-2.0 OR MIT
+    - name: github.com/multiformats/go-multicodec
+      version: v0.9.0
+      license: Apache-2.0 OR MIT