From df25195f8d641e0a8e65e050a530011b26314392 Mon Sep 17 00:00:00 2001
From: bytemare <3641580+bytemare@users.noreply.github.com>
Date: Tue, 30 Apr 2024 21:13:16 +0200
Subject: [PATCH 1/2] update ci

Signed-off-by: bytemare <3641580+bytemare@users.noreply.github.com>
---
 .github/Makefile | 4 +-
 .github/dependency-review.yml | 27 +++++++
 .github/workflows/ci.yml | 137 +++++++++++++---------------------
 3 files changed, 80 insertions(+), 88 deletions(-)
 create mode 100644 .github/dependency-review.yml

diff --git a/.github/Makefile b/.github/Makefile
index eb53d90..8a30dba 100644
--- a/.github/Makefile
+++ b/.github/Makefile
@@ -1,11 +1,9 @@
 .PHONY: update
 update:
 @echo "Updating dependencies..."
- @cd ../ && go get -u
+ @cd ../ && go get -u ./...
 @pwd
 @go mod tidy
- @echo "Updating Github Actions pins..."
- @$(foreach file, $(wildcard workflows/*.yml), pin-github-action $(file);)
 
 .PHONY: update-linters
 update-linters:
diff --git a/.github/dependency-review.yml b/.github/dependency-review.yml
new file mode 100644
index 0000000..81ba9c1
--- /dev/null
+++ b/.github/dependency-review.yml
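Review bot: Removing the `pin-github-action` loop from the `update` target leaves the SHA-pinned `uses:` references in the workflows with no refresh mechanism in this Makefile, so the pins in ci.yml and dependency-review.yml will age silently unless something not visible here (for example a Dependabot `github-actions` configuration) updates them. If that is the intent, a comment in the target such as `# Action pins are refreshed by Dependabot, not by this target` would record it; otherwise the loop should stay. Separately, `go get -u ./...` now upgrades the dependencies of every package in the module at once, which is a deliberate widening worth a word in the commit message, and the `@pwd` left in the recipe reads like leftover debugging output.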
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142
+ with:
+ egress-policy: block
+
+ - name: 'Checkout Repository'
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 072b49d..b7c346f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
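Review bot: The new workflow is created at `.github/dependency-review.yml` (see the `create mode` line in the diffstat and the `+++ b/` header), not under `.github/workflows/`, so GitHub Actions will never load it and the dependency review it is meant to gate merges on will not run; moving it to `.github/workflows/dependency-review.yml` is the fix. Once it does run, the `Harden Runner` step sets `egress-policy: block` with no `allowed-endpoints` list, unlike every other job in this series, so the checkout and the dependency-review API calls may be blocked unless harden-runner's implicit allowances cover them — confirm, or list `api.github.com:443` and `github.com:443` as the other jobs do. The three SHA pins here carry no version comment (e.g. `# v2.x`), which makes the next pin refresh harder to review.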
@@ -1,107 +1,74 @@ -name: h2c +name: Scorecard analysis workflow on: - pull_request: - branches: - - main + # Only the default branch is supported. + branch_protection_rule: + schedule: + # Weekly on Saturdays. + - cron: '30 1 * * 6' + push: + branches: [ main ] -permissions: - contents: read +# Declare default permissions as read only. +permissions: read-all jobs: - lint: - name: Lint + analysis: + name: Scorecard analysis runs-on: ubuntu-latest - steps: - - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.github.com:443 github.com:443 proxy.golang.org:443 objects.githubusercontent.com:443 raw.githubusercontent.com:443 + permissions: + # Needed if using Code scanning alerts + security-events: write + # Needed for GitHub OIDC token if publish_results is true + id-token: write - - name: Checkout repo - uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f - with: - fetch-depth: 0 - - name: Setup Go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 - with: - go-version-file: ./go.mod - - # Linting - - name: Linting - uses: golangci/golangci-lint-action@9d1e0624a798bb64f6c3cea93db47765312263dc - with: - version: latest - args: --config=./.github/.golangci.yml ./... 
- only-new-issues: true - - test: - name: Test - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - go: [ '1.22', '1.21' ] steps: - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10 with: disable-sudo: true egress-policy: block allowed-endpoints: > - github.com:443 proxy.golang.org:443 storage.googleapis.com:443 sum.golang.org:443 + api.github.com:443 + api.osv.dev:443 + api.securityscorecards.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - - name: Checkout repo + - name: "Checkout code" uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f with: - fetch-depth: 0 - - name: Setup Go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 - with: - go-version: ${{ matrix.go }} - - # Test - - name: Run Tests - run: cd .github && make test - - analyze: - name: Analyze - runs-on: ubuntu-latest - steps: - - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.codecov.io:443 api.github.com:443 cli.codecov.io:443 ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443 github.com:443 proxy.golang.org:443 objects.githubusercontent.com:443 scanner.sonarcloud.io:443 sonarcloud.io:443 storage.googleapis.com:443 + persist-credentials: false - - name: Checkout repo - uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f - with: - fetch-depth: 0 - - name: Setup Go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 + - name: "Run analysis" + uses: ossf/scorecard-action@fad9a3cc533bb069b1f01f272f1f630895cd690a with: - go-version-file: ./go.mod + results_file: results.sarif + results_format: sarif + # (Optional) fine-grained personal access token. 
Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional. + repo_token: ${{ secrets.SCORECARD_TOKEN }} - # Coverage - - name: Run coverage - run: cd .github && make cover + # Publish the results for public repositories to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless + # of the value entered here. + publish_results: true - # Codecov - - name: Codecov - uses: codecov/codecov-action@1290bddc8851afa46a03b9a73dd9979a415d4c4f - env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@552bf3722c16e81001aea7db72d8cedf64eb5f68 with: - file: .github/coverage.out + name: SARIF file + path: results.sarif + retention-days: 5 - # Sonar - - name: SonarCloud Scan - uses: SonarSource/sonarcloud-github-action@6bbd64e0cb2194e04addb429d669a9ee873eeeef - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + # required for Code scanning alerts + - name: "Upload SARIF results to code scanning" + uses: github/codeql-action/upload-sarif@4ebadbc7468649cf79b138f45e20d999351f6ed0 with: - args: > - -Dsonar.organization=bytemare-github -Dsonar.projectKey=bytemare_hash2curve -Dsonar.go.coverage.reportPaths=.github/coverage.out -Dsonar.sources=. -Dsonar.test.exclusions=tests/** -Dsonar.coverage.exclusions=tests/** -Dsonar.tests=tests/ -Dsonar.verbose=true + sarif_file: results.sarif From 213dbd59f73ca69ef60427433082fb0d1fdd6aa1 Mon Sep 17 00:00:00 2001 
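Review bot: The `repo_token: ${{ secrets.SCORECARD_TOKEN }}` line is live, but the comment directly above it still reads "Uncomment the `repo_token` line below if:" and its bullet list ends in a dangling "or", so the comment contradicts the configuration; either restore the commented-out form or replace the three comment lines with `# Fine-grained PAT (SCORECARD_TOKEN secret) that enables the Branch-Protection check; see https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional`. This hunk also overwrites the lint/test/analyze pipeline in `ci.yml` with the scorecard workflow instead of adding it as its own file, and PATCH 2/2 overwrites `ci.yml` again, so as far as this series shows no scorecard workflow survives. The job-level `security-events: write` and `id-token: write` on top of the top-level `permissions: read-all` is the right scoping for this job.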
From: bytemare <3641580+bytemare@users.noreply.github.com> Date: Tue, 30 Apr 2024 21:17:24 +0200 Subject: [PATCH 2/2] update ci Signed-off-by: bytemare <3641580+bytemare@users.noreply.github.com> --- .github/workflows/ci.yml | 158 ++++++++++++++++++++++++++------------- 1 file changed, 107 insertions(+), 51 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b7c346f..a307cde 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,26 +1,16 @@ -name: Scorecard analysis workflow +name: h2c on: - # Only the default branch is supported. - branch_protection_rule: - schedule: - # Weekly on Saturdays. - - cron: '30 1 * * 6' - push: - branches: [ main ] + pull_request: + branches: + - main -# Declare default permissions as read only. -permissions: read-all +permissions: + contents: read jobs: - analysis: - name: Scorecard analysis + lint: + name: Lint runs-on: ubuntu-latest - permissions: - # Needed if using Code scanning alerts - security-events: write - # Needed for GitHub OIDC token if publish_results is true - id-token: write - steps: - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10 with: 
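Review bot: With the trigger back to `pull_request` on `main` only, nothing in this workflow runs on a push to `main` itself, so changes that reach `main` without a pull request are never linted or tested; adding `push: branches: [ main ]` next to `pull_request` closes that gap. The top-level `permissions: contents: read` is a good default for this file. The `steps:` list opened at the end of this hunk continues in the next one.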
@@ -28,47 +18,113 @@ jobs: egress-policy: block allowed-endpoints: > api.github.com:443 - api.osv.dev:443 - api.securityscorecards.dev:443 - fulcio.sigstore.dev:443 github.com:443 - oss-fuzz-build-logs.storage.googleapis.com:443 - rekor.sigstore.dev:443 - tuf-repo-cdn.sigstore.dev:443 - www.bestpractices.dev:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + raw.githubusercontent.com:443 + + - name: Checkout repo + uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f + with: + fetch-depth: 0 + - name: Setup Go + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 + with: + go-version-file: ./go.mod + + # Linting + - name: Linting + uses: golangci/golangci-lint-action@692c9c9dba385536b59da68da5aef1775a6f94ea + with: + version: latest + args: --config=./.github/.golangci.yml ./... + only-new-issues: true + + test: + name: Test + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + go: [ '1.22', '1.21' ] + steps: + - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + proxy.golang.org:443 + storage.googleapis.com:443 + sum.golang.org:443 - - name: "Checkout code" + - name: Checkout repo uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f with: - persist-credentials: false + fetch-depth: 0 + - name: Setup Go + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 + with: + go-version: ${{ matrix.go }} - - name: "Run analysis" - uses: ossf/scorecard-action@fad9a3cc533bb069b1f01f272f1f630895cd690a + # Test + - name: Run Tests + run: cd .github && make test + + analyze: + name: Analyze + runs-on: ubuntu-latest + steps: + - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.codecov.io:443 + api.github.com:443 + cli.codecov.io:443 + ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443 
+ github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + scanner.sonarcloud.io:443 + sonarcloud.io:443 + storage.googleapis.com:443 + + - name: Checkout repo + uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f + with: + fetch-depth: 0 + - name: Setup Go + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 with: - results_file: results.sarif - results_format: sarif - # (Optional) fine-grained personal access token. Uncomment the `repo_token` line below if: - # - you want to enable the Branch-Protection check on a *public* repository, or - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional. - repo_token: ${{ secrets.SCORECARD_TOKEN }} + go-version-file: ./go.mod - # Publish the results for public repositories to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, regardless - # of the value entered here. - publish_results: true + # Coverage + - name: Run coverage + run: cd .github && make cover - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. 
- - name: "Upload artifact" - uses: actions/upload-artifact@552bf3722c16e81001aea7db72d8cedf64eb5f68 + # Codecov + - name: Codecov + uses: codecov/codecov-action@1290bddc8851afa46a03b9a73dd9979a415d4c4f + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: - name: SARIF file - path: results.sarif - retention-days: 5 + file: .github/coverage.out - # required for Code scanning alerts - - name: "Upload SARIF results to code scanning" - uses: github/codeql-action/upload-sarif@4ebadbc7468649cf79b138f45e20d999351f6ed0 + # Sonar + - name: SonarCloud Scan + uses: SonarSource/sonarcloud-github-action@6bbd64e0cb2194e04addb429d669a9ee873eeeef + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} with: - sarif_file: results.sarif + args: > + -Dsonar.organization=bytemare-github + -Dsonar.projectKey=bytemare_hash2curve + -Dsonar.go.coverage.reportPaths=.github/coverage.out + -Dsonar.sources=. + -Dsonar.test.exclusions=tests/** + -Dsonar.coverage.exclusions=tests/** + -Dsonar.tests=tests/ + -Dsonar.verbose=true
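Review bot: The `allowed-endpoints` lists are inconsistent across the three jobs: `test` allows `sum.golang.org:443` while `lint` and `analyze` do not, although all three resolve Go modules, so a module not yet recorded in `go.sum` would pass in `test` and be blocked by `egress-policy: block` in the other two — harmless while `go.sum` is complete, confusing when it is not. The `ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443` entry in `analyze` is an opaque allowance with no indication of which step needs it; a comment such as `# TODO(review): document which step needs this API Gateway endpoint` would keep it from surviving unreviewed the next time the list is pruned. Because the workflow runs only on `pull_request`, `CODECOV_TOKEN` and `SONAR_TOKEN` are presumably unavailable to runs from forked repositories, so the `analyze` job would fail for outside contributors; that is worth either accepting explicitly in a comment or gating the job on the PR origin. The `analyze` job begins inside this hunk and the file ends with it.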