gibidify/.github/workflows/security.yml
Ismo Vuorinen 95b7ef6dd3 chore: modernize workflows, security scanning, and linting configuration (#50)
* build: update Go 1.25, CI workflows, and build tooling

- Upgrade to Go 1.25
- Add benchmark targets to Makefile
- Implement parallel gosec execution
- Lock tool versions for reproducibility
- Add shellcheck directives to scripts
- Update CI workflows with improved caching

* refactor: migrate from golangci-lint to revive

- Replace golangci-lint with revive for linting
- Configure comprehensive revive rules
- Fix all EditorConfig violations
- Add yamllint and yamlfmt support
- Remove deprecated .golangci.yml

* refactor: rename utils to shared and deduplicate code

- Rename utils package to shared
- Add shared constants package
- Deduplicate constants across packages
- Address CodeRabbit review feedback

* fix: resolve SonarQube issues and add safety guards

- Fix all 73 SonarQube OPEN issues
- Add nil guards for resourceMonitor, backpressure, metricsCollector
- Implement io.Closer for headerFileReader
- Propagate errors from processing helpers
- Add metrics and templates packages
- Improve error handling across codebase

* test: improve test infrastructure and coverage

- Add benchmarks for cli, fileproc, metrics
- Improve test coverage for cli, fileproc, config
- Refactor tests with helper functions
- Add shared test constants
- Fix test function naming conventions
- Reduce cognitive complexity in benchmark tests

* docs: update documentation and configuration examples

- Update CLAUDE.md with current project state
- Refresh README with new features
- Add usage and configuration examples
- Add SonarQube project configuration
- Consolidate config.example.yaml

* fix: resolve shellcheck warnings in scripts

- Use ./*.go instead of *.go to prevent dash-prefixed filenames
  from being interpreted as options (SC2035)
- Remove unreachable return statement after exit (SC2317)
- Remove obsolete gibidiutils/ directory reference

* chore(deps): upgrade go dependencies

* chore(lint): megalinter fixes

* fix: improve test coverage and fix file descriptor leaks

- Add defer r.Close() to fix pipe file descriptor leaks in benchmark tests
- Refactor TestProcessorConfigureFileTypes with helper functions and assertions
- Refactor TestProcessorLogFinalStats with output capture and keyword verification
- Use shared constants instead of literal strings (TestFilePNG, FormatMarkdown, etc.)
- Reduce cognitive complexity by extracting helper functions

* fix: align test comments with function names

Remove underscores from test comments to match actual function names:
- benchmark/benchmark_test.go (2 fixes)
- fileproc/filetypes_config_test.go (4 fixes)
- fileproc/filetypes_registry_test.go (6 fixes)
- fileproc/processor_test.go (6 fixes)
- fileproc/resource_monitor_types_test.go (4 fixes)
- fileproc/writer_test.go (3 fixes)

* fix: various test improvements and bug fixes

- Remove duplicate maxCacheSize check in filetypes_registry_test.go
- Shorten long comment in processor_test.go to stay under 120 chars
- Remove flaky time.Sleep in collector_test.go, use >= 0 assertion
- Close pipe reader in benchmark_test.go to fix file descriptor leak
- Use ContinueOnError in flags_test.go to match ResetFlags behavior
- Add nil check for p.ui in processor_workers.go before UpdateProgress
- Fix resource_monitor_validation_test.go by setting hardMemoryLimitBytes directly

* chore(yaml): add missing document start markers

Add --- document start to YAML files to satisfy yamllint:
- .github/workflows/codeql.yml
- .github/workflows/build-test-publish.yml
- .github/workflows/security.yml
- .github/actions/setup/action.yml

* fix: guard nil resourceMonitor and fix test deadlock

- Guard resourceMonitor before CreateFileProcessingContext call
- Add ui.UpdateProgress on emergency stop and path error returns
- Fix potential deadlock in TestProcessFile using wg.Go with defer close
2025-12-10 19:07:11 +02:00


---
name: Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    # Run security scan weekly on Sundays at 00:00 UTC
    - cron: "0 0 * * 0"

# Default token has no permissions; each job grants only what it needs.
permissions: {}

jobs:
  security:
    name: Security Analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write # required by codeql-action/upload-sarif
      contents: read
      actions: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Setup Go
        uses: ./.github/actions/setup
        with:
          token: ${{ github.token }}

      # Security Scanning with gosec
      - name: Run gosec Security Scanner
        uses: securego/gosec@6be2b51fd78feca86af91f5186b7964d76cb1256 # v2.22.10
        with:
          args: "-fmt sarif -out gosec-results.sarif ./..."

      - name: Upload gosec results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
        if: always()
        with:
          sarif_file: gosec-results.sarif

      # Dependency Vulnerability Scanning
      - name: Run govulncheck
        run: |
          # @latest is not pinned; the tools installed with `go install` here
          # are the one part of this workflow without a locked version.
          go install golang.org/x/vuln/cmd/govulncheck@latest
          # govulncheck exits non-zero when it finds anything; `|| true` keeps
          # the job alive so the next step decides whether to fail.
          govulncheck -json ./... > govulncheck-results.json || true

      - name: Parse govulncheck results
        run: |
          if [ -s govulncheck-results.json ]; then
            echo "::warning::Vulnerability check completed. Check govulncheck-results.json for details."
            # The JSON stream carries findings at module, package and symbol
            # level, so this grep also fails the build for vulnerable modules
            # whose affected code is never called (text mode reports only the
            # reachable ones). That is the conservative choice; narrow it by
            # inspecting the trace of each finding if it proves too noisy.
            if grep -q '"finding"' govulncheck-results.json; then
              echo "::error::Vulnerabilities found in dependencies!"
              cat govulncheck-results.json
              exit 1
            fi
          fi

      # Makefile Linting
      - name: Run checkmake on Makefile
        run: |
          go install github.com/checkmake/checkmake/cmd/checkmake@latest
          checkmake --config=.checkmake Makefile

      # Shell Script Formatting Check
      - name: Check shell script formatting
        run: |
          go install mvdan.cc/sh/v3/cmd/shfmt@latest
          shfmt -d .

      - name: Run YAML linting
        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
        with:
          file_or_dir: .
          strict: true

      # Docker Security (if Dockerfile exists)
      - name: Run Docker security scan
        if: hashFiles('Dockerfile') != ''
        run: |
          # Informational only: the trailing `|| true` means Trivy findings
          # never fail the job, and the image tag is unpinned (:latest).
          docker run --rm -v "$PWD":/workspace \
            aquasec/trivy:latest fs --security-checks vuln,config /workspace/Dockerfile || true

      # Upload artifacts for review
      - name: Upload security scan results
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        if: always()
        with:
          name: security-scan-results
          path: |
            gosec-results.sarif
            govulncheck-results.json
          retention-days: 30
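The "Parse govulncheck results" step above decides pass/fail with a grep for the literal `"finding"`, which treats every vulnerable module in the build list the same as a vulnerability whose code is actually reachable. The following Go program is an added example, not part of gibidify or of the workflow, showing how a consumer of the `govulncheck -json` stream can tell those cases apart: it decodes the concatenated JSON objects, keeps only the `finding` messages, and classifies each by the most precise frame in its `trace` (module only, package, or symbol, the last meaning a vulnerable function is reachable). The field names (`osv`, `fixed_version`, `trace[].module/package/function`) are those of govulncheck's JSON output; the embedded stream is constructed for the example and is not real scanner output, and the module names in it are made up.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Frame is one entry of a finding's trace. Only the fields this example
// needs are declared; json.Decoder ignores the rest (version, position...).
type Frame struct {
	Module   string `json:"module"`
	Version  string `json:"version,omitempty"`
	Package  string `json:"package,omitempty"`
	Function string `json:"function,omitempty"`
}

// Finding is one vulnerability report. govulncheck emits a finding per
// (OSV id, precision level), so the same id can appear several times.
type Finding struct {
	OSV          string   `json:"osv"`
	FixedVersion string   `json:"fixed_version,omitempty"`
	Trace        []*Frame `json:"trace"`
}

// Message is one object of the stream. config, progress and osv objects
// are also present in real output; they decode to an empty Message here.
type Message struct {
	Finding *Finding `json:"finding,omitempty"`
}

// Level is how precisely a finding is attributed to the scanned code.
type Level int

const (
	ModuleLevel  Level = iota // vulnerable module is in the build list
	PackageLevel              // a vulnerable package is imported
	SymbolLevel               // a vulnerable function is reachable
)

// Level returns the most precise level present in the finding's trace.
func (f *Finding) Level() Level {
	lvl := ModuleLevel
	for _, fr := range f.Trace {
		if fr.Function != "" {
			return SymbolLevel
		}
		if fr.Package != "" {
			lvl = PackageLevel
		}
	}
	return lvl
}

// ParseFindings decodes the concatenated JSON objects govulncheck -json
// writes and returns the finding messages in stream order. A truncated
// stream (job killed mid-scan) is reported as an error, not as "clean".
func ParseFindings(r io.Reader) ([]*Finding, error) {
	dec := json.NewDecoder(r)
	var out []*Finding
	for {
		var m Message
		err := dec.Decode(&m)
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("govulncheck stream: %w", err)
		}
		if m.Finding != nil {
			out = append(out, m.Finding)
		}
	}
	return out, nil
}

// ReachableOSVs returns the sorted, de-duplicated OSV ids that have at
// least one symbol-level finding, i.e. what govulncheck's text mode reports.
func ReachableOSVs(findings []*Finding) []string {
	seen := map[string]bool{}
	for _, f := range findings {
		if f.Level() == SymbolLevel {
			seen[f.OSV] = true
		}
	}
	ids := make([]string, 0, len(seen))
	for id := range seen {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}

// sampleStream is a constructed, abbreviated stream (not real scan output):
// GO-2024-0001 is only imported, GO-2024-0002 is reachable from main.
const sampleStream = `
{"config": {"protocol_version": "v1.0.0", "scanner_name": "govulncheck"}}
{"progress": {"message": "Scanning your code and 10 packages across 3 dependent modules..."}}
{"osv": {"id": "GO-2024-0001"}}
{"finding": {"osv": "GO-2024-0001", "fixed_version": "v1.2.3",
  "trace": [{"module": "example.com/libonlyimported", "version": "v1.2.0"}]}}
{"osv": {"id": "GO-2024-0002"}}
{"finding": {"osv": "GO-2024-0002", "fixed_version": "v0.9.1",
  "trace": [{"module": "example.com/libcalled", "version": "v0.9.0"}]}}
{"finding": {"osv": "GO-2024-0002", "fixed_version": "v0.9.1",
  "trace": [
    {"module": "example.com/libcalled", "version": "v0.9.0",
     "package": "example.com/libcalled/parse", "function": "Decode"},
    {"module": "example.com/app", "package": "example.com/app/cmd", "function": "main"}]}}
`

func main() {
	findings, err := ParseFindings(strings.NewReader(sampleStream))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	reachable := ReachableOSVs(findings)
	fmt.Printf("%d findings, reachable: %v\n", len(findings), reachable)
	if len(reachable) > 0 {
		os.Exit(1) // same exit status the workflow step uses to fail the job
	}
}
```

In a workflow this would replace the grep by feeding `govulncheck-results.json` to `ParseFindings`; failing only on `ReachableOSVs` matches govulncheck's own text-mode verdict, while a policy that also blocks on module-level findings can simply check `len(findings) > 0`. Either way the truncated-stream error path is worth keeping, because an empty or half-written results file must not read as "no vulnerabilities".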