ivuorinen/gibidify
1
0
Fork 0
mirror of https://github.com/ivuorinen/gibidify.git synced 2026-01-26 11:34:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: update go to 1.25, add permissions and envs (#49)

Browse Source 
* chore(ci): update go to 1.25, add permissions and envs
* fix(ci): update pr-lint.yml
* chore: update go, fix linting
* fix: tests and linting
* fix(lint): lint fixes, renovate should now pass
* fix: updates, security upgrades
* chore: workflow updates, lint
* fix: more lint, checkmake, and other fixes
* fix: more lint, convert scripts to POSIX compliant
* fix: simplify codeql workflow
* tests: increase test coverage, fix found issues
* fix(lint): editorconfig checking, add to linters
* fix(lint): shellcheck, add to linters
* fix(lint): apply cr comment suggestions
* fix(ci): remove step-security/harden-runner
* fix(lint): remove duplication, apply cr fixes
* fix(ci): tests in CI/CD pipeline
* chore(lint): deduplication of strings
* fix(lint): apply cr comment suggestions
* fix(ci): actionlint
* fix(lint): apply cr comment suggestions
* chore: lint, add deps management
This commit is contained in:
Ismo Vuorinen
2025-10-10 12:14:42 +03:00
committed by GitHub
parent 958f5952a0
commit 3f65b813bd
100 changed files with 6997 additions and 1225 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
.github/actions/setup/action.yml vendored Normal file
View File

@@ -0,0 +1,15 @@
name: "Setup Go with Runner Hardening"
description: "Reusable action to set up Go"
inputs:
token:
description: "GitHub token for checkout (optional)"
required: false
default: ""
runs:
using: "composite"
steps:
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: "go.mod"
cache: true

90
.github/workflows/build-test-publish.yml vendored
View File

@@ -9,8 +9,7 @@ on:
release:
types: [created]
permissions:
contents: read
permissions: {}
jobs:
test:
@@ -25,51 +24,60 @@ jobs:
statuses: write
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit
- name: Checkout code
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
- name: Setup Go
uses: ./.github/actions/setup
with:
go-version-file: "./go.mod"
cache: true
token: ${{ github.token }}
- name: Install dependencies
run: go mod tidy
- name: Download dependencies
shell: bash
run: go mod download
- name: Run tests
run: go test -json ./... > test-results.json
- name: Generate coverage report
run: go test -coverprofile=coverage.out ./...
- name: Run tests with coverage
shell: bash
run: |
go test -race -covermode=atomic -json -coverprofile=coverage.out ./... | tee test-results.json
- name: Check coverage
id: coverage
if: always()
shell: bash
run: |
if [[ ! -f coverage.out ]]; then
echo "coverage.out is missing; tests likely failed before producing coverage"
exit 1
fi
coverage="$(go tool cover -func=coverage.out | grep total | awk '{print substr($3, 1, length($3)-1)}')"
echo "total_coverage=$coverage" >> "$GITHUB_ENV"
echo "Coverage: $coverage%"
- name: Upload test results
if: always()
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: test-results
path: test-results.json
- name: Cleanup
run: rm coverage.out
if: always()
shell: bash
run: rm -f coverage.out test-results.json
- name: Fail if coverage is below threshold
if: always()
shell: bash
run: |
if (( $(echo "$total_coverage < 50" | bc -l) )); then
echo "Coverage ($total_coverage%) is below the threshold (50%)"
if [[ -z "${total_coverage:-}" ]]; then
echo "total_coverage is unset; previous step likely failed"
exit 1
fi
awk -v cov="$total_coverage" 'BEGIN{ if (cov < 60) exit 1; else exit 0 }' || {
echo "Coverage ($total_coverage%) is below the threshold (60%)"
exit 1
}
build:
name: Build Binaries
@@ -89,13 +97,13 @@ jobs:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
- name: Setup Go
uses: ./.github/actions/setup
with:
go-version-file: "./go.mod"
token: ${{ github.token }}
- name: Run go mod tidy
run: go mod tidy
- name: Download dependencies
run: go mod download
- name: Build binary for ${{ matrix.goos }}-${{ matrix.goarch }}
run: |
@@ -132,24 +140,24 @@ jobs:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Download Linux binaries
uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
- name: Setup Go
uses: ./.github/actions/setup
with:
name: gibidify-linux-amd64
path: .
token: ${{ github.token }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Log in to GitHub Container Registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Build and push multi-arch Docker image
run: |
chmod +x gibidify-linux-amd64
mv gibidify-linux-amd64 gibidify
docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 \
--tag ghcr.io/${{ github.repository }}/gibidify:${{ github.ref_name }} \
--tag ghcr.io/${{ github.repository }}/gibidify:latest \
--push \
--squash .
echo "${{ github.token }}" | docker login ghcr.io \
-u "$(echo "${{ github.actor }}" | tr '[:upper:]' '[:lower:]')" \
--password-stdin
- name: Build and push Docker image
run: |
repo="$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')"
docker buildx build --platform linux/amd64 \
--tag "ghcr.io/${repo}/gibidify:${{ github.ref_name }}" \
--tag "ghcr.io/${repo}/gibidify:latest" \
--push .

39
.github/workflows/codeql.yml vendored Normal file
View File

@@ -0,0 +1,39 @@
name: CodeQL Analysis
on:
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
permissions: {}
jobs:
analyze:
name: Analyze Code
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Setup Go
uses: ./.github/actions/setup
with:
token: ${{ github.token }}
- name: Initialize CodeQL
uses: github/codeql-action/init@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
with:
languages: go
- name: Autobuild
uses: github/codeql-action/autobuild@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7

11
.github/workflows/pr-lint.yml vendored
View File

@@ -9,7 +9,7 @@ on:
pull_request:
branches: [master, main]
permissions: read-all
permissions: {}
jobs:
Linter:
@@ -21,7 +21,12 @@ jobs:
pull-requests: write
statuses: write
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Setup Go
uses: ./.github/actions/setup
with:
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ github.token }}
- uses: ivuorinen/actions/pr-lint@dc895c40ffdce61ab057fb992f4e00f1efdcbcbf # 25.10.7

86
.github/workflows/security.yml vendored
View File

@@ -7,45 +7,37 @@ on:
branches: [main, develop]
schedule:
# Run security scan weekly on Sundays at 00:00 UTC
- cron: '0 0 * * 0'
- cron: "0 0 * * 0"
permissions:
security-events: write
contents: read
actions: read
permissions: {}
jobs:
security:
name: Security Analysis
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
steps:
- name: Checkout code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Setup Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
uses: ./.github/actions/setup
with:
go-version: '1.23'
- name: Cache Go modules
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
token: ${{ github.token }}
# Security Scanning with gosec
- name: Run gosec Security Scanner
uses: securego/gosec@15d5c61e866bc2e2e8389376a31f1e5e09bde7d8 # v2.22.9
with:
args: '-fmt sarif -out gosec-results.sarif ./...'
args: "-fmt sarif -out gosec-results.sarif ./..."
- name: Upload gosec results to GitHub Security tab
uses: github/codeql-action/upload-sarif@df559355d593797519d70b90fc8edd5db049e7a2 # v3
uses: github/codeql-action/upload-sarif@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
if: always()
with:
sarif_file: gosec-results.sarif
@@ -60,24 +52,17 @@ jobs:
run: |
if [ -s govulncheck-results.json ]; then
echo "::warning::Vulnerability check completed. Check govulncheck-results.json for details."
if grep -q '"finding"' govulncheck-results.json; then
if grep -i -q '"finding"' govulncheck-results.json; then
echo "::error::Vulnerabilities found in dependencies!"
cat govulncheck-results.json
exit 1
fi
fi
# Additional Security Linting
- name: Run security-focused golangci-lint
run: |
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
golangci-lint run --enable=gosec,gocritic,bodyclose,rowserrcheck,misspell,unconvert,unparam,unused \
--timeout=5m
# Makefile Linting
- name: Run checkmake on Makefile
run: |
go install github.com/mrtazz/checkmake/cmd/checkmake@latest
go install github.com/checkmake/checkmake/cmd/checkmake@latest
checkmake --config=.checkmake Makefile
# Shell Script Formatting Check
@@ -86,27 +71,11 @@ jobs:
go install mvdan.cc/sh/v3/cmd/shfmt@latest
shfmt -d .
# YAML Linting
- name: Run YAML linting
run: |
go install github.com/excilsploft/yamllint@latest
yamllint -c .yamllint .
# Secrets Detection (basic patterns)
- name: Run secrets detection
run: |
echo "Scanning for potential secrets..."
# Look for common secret patterns
git log --all --full-history -- . | grep -i -E "(password|secret|key|token|api_key)" || true
find . -type f -name "*.go" -exec grep -H -i -E "(password|secret|key|token|api_key)\s*[:=]" {} \; || true
# Check for hardcoded IPs and URLs
- name: Check for hardcoded network addresses
run: |
echo "Scanning for hardcoded network addresses..."
find . -type f -name "*.go" -exec grep -H -E "([0-9]{1,3}\.){3}[0-9]{1,3}" {} \; || true
find . -type f -name "*.go" -exec grep -H -E "https?://[^/\s]+" {} \; | \
grep -v "example.com|localhost|127.0.0.1" || true
uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
with:
file_or_dir: .
strict: true
# Docker Security (if Dockerfile exists)
- name: Run Docker security scan
@@ -115,24 +84,9 @@ jobs:
docker run --rm -v "$PWD":/workspace \
aquasec/trivy:latest fs --security-checks vuln,config /workspace/Dockerfile || true
# SAST with CodeQL (if available)
- name: Initialize CodeQL
if: github.event_name != 'schedule'
uses: github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2 # v3
with:
languages: go
- name: Autobuild
if: github.event_name != 'schedule'
uses: github/codeql-action/autobuild@df559355d593797519d70b90fc8edd5db049e7a2 # v3
- name: Perform CodeQL Analysis
if: github.event_name != 'schedule'
uses: github/codeql-action/analyze@df559355d593797519d70b90fc8edd5db049e7a2 # v3
# Upload artifacts for review
- name: Upload security scan results
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
if: always()
with:
name: security-scan-results