From 0907f2a3378ebd6d4ebfc1cde55cfe2ebd8b5de2 Mon Sep 17 00:00:00 2001 From: Matthieu MOREL Date: Wed, 17 Jan 2024 22:54:56 +0100 Subject: [PATCH 1/6] improve OSSF score (#2125) Signed-off-by: Matthieu MOREL --- .github/workflows/ci-windows-trigger.yml | 7 ++++++- .github/workflows/ci-windows.yml | 8 ++++---- .github/workflows/ci.yml | 9 ++++++--- .github/workflows/codeql.yml | 3 +++ .github/workflows/release-drafter.yml | 6 ++++++ modulegen/_template/ci.yml.tmpl | 9 ++++++--- 6 files changed, 31 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci-windows-trigger.yml b/.github/workflows/ci-windows-trigger.yml index b4d7774870..696549c4f0 100644 --- a/.github/workflows/ci-windows-trigger.yml +++ b/.github/workflows/ci-windows-trigger.yml @@ -4,13 +4,18 @@ on: issue_comment: types: [created] +permissions: + contents: read + jobs: windows-test-command-trigger: + permissions: + pull-requests: write # for peter-evans/slash-command-dispatch to create PR reaction runs-on: ubuntu-22.04 steps: - name: Trigger windows-test command - uses: peter-evans/slash-command-dispatch@v3 + uses: peter-evans/slash-command-dispatch@f996d7b7aae9059759ac55e978cff76d91853301 # v3.0.2 with: token: ${{ secrets.WINDOWS_WORKERS_TOKEN }} # The command to trigger the pipeline: e.g. /windows-test diff --git a/.github/workflows/ci-windows.yml b/.github/workflows/ci-windows.yml index f0931d57b0..8bee2b1ab7 100644 --- a/.github/workflows/ci-windows.yml +++ b/.github/workflows/ci-windows.yml @@ -13,7 +13,7 @@ jobs: timeout-minutes: 30 steps: - name: Create pending status - uses: actions/github-script@v7.0.1 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | 
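Review bot: The new job-level `pull-requests: write` grant scopes only GITHUB_TOKEN, while the dispatch itself runs with `token: ${{ secrets.WINDOWS_WORKERS_TOKEN }}`, which sits outside the `permissions` model entirely, so the added comment should not leave readers thinking the job is now least-privilege end to end. I would extend that comment to `# pull-requests: write covers the GITHUB_TOKEN reaction only; WINDOWS_WORKERS_TOKEN (presumably a PAT) carries its own scopes` and check that the secret is issued with the minimum scopes the repository_dispatch needs. Because the workflow fires on `issue_comment`, the operative control over who can cause a dispatch lives in the action's own inputs (not visible in this hunk) and in that token's scopes, not in the `permissions` block.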
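Review bot: ci-windows.yml gets only SHA pins and no `permissions:` block (the diffstat shows four replaced lines and nothing added), unlike ci-windows-trigger.yml, codeql.yml and release-drafter.yml in the same commit, so its GITHUB_TOKEN keeps the repository default; the three pin-only hunks on the following line have the same gap. The `Create pending/success/failure status` github-script steps presumably post commit statuses, and the checkout hunk pulls `github.event.client_payload.pull_request.head.repo.full_name`, i.e. code from the PR head repository, which is exactly the situation where a read-only default for everything else matters. I would add at top level `permissions:` / `  contents: read` and on the job `statuses: write # for actions/github-script to report the check result`, confirming the exact scope against the script bodies, which are outside these hunks.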
@@ -27,7 +27,7 @@ jobs: }) - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.event.client_payload.pull_request.head.repo.full_name }} @@ -55,7 +55,7 @@ jobs: gotestsum --format short-verbose --rerun-fails=5 --packages="./..." --junitfile TEST-unit.xml -- -timeout=30m - name: Create success status - uses: actions/github-script@v7.0.1 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 if: success() with: github-token: ${{secrets.GITHUB_TOKEN}} @@ -70,7 +70,7 @@ jobs: }) - name: Create failure status - uses: actions/github-script@v7.0.1 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 if: failure() with: github-token: ${{secrets.GITHUB_TOKEN}} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 10d3fd4e84..4193748c61 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -138,22 +138,25 @@ jobs: ryuk-disabled: false sonarcloud: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: read # for sonarsource/sonarcloud-github-action to determine which PR to decorate if: ${{ github.ref_name == 'main' && github.repository_owner == 'testcontainers' }} needs: test-examples runs-on: ubuntu-latest steps: - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: # Disabling shallow clone is recommended for improving relevancy of reporting fetch-depth: 0 - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: sonarcloud - name: Analyze with SonarCloud - uses: sonarsource/sonarcloud-github-action@master + uses: sonarsource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0efa608b4e..0d75b54976 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -20,6 +20,9 @@ on: schedule: - cron: '40 6 * * 5' +permissions: + contents: read + jobs: analyze: name: Analyze diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index 95016dfde0..29c2b72ee0 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -6,8 +6,14 @@ on: branches: - main +permissions: + contents: read + jobs: update_release_draft: + permissions: + contents: write # for release-drafter/release-drafter to create a github release + pull-requests: write # for release-drafter/release-drafter to add label to PR runs-on: ubuntu-latest steps: - uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5.19.0 
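Review bot: The new job-level `pull-requests: read` grant is unreachable under the job's own `if:` as far as the visible condition shows — `github.ref_name == 'main'` does not hold for a pull_request run, so there is no PR for SonarCloud to decorate and the comment justifying the grant does not describe this job; the identical hunk in modulegen/_template/ci.yml.tmpl that follows has the same mismatch. Least privilege suggests dropping the line, or, if the action's PR lookup is genuinely wanted on main-branch runs, rewording the comment to say why, e.g. `pull-requests: read # sonarcloud-github-action queries PR metadata even on main-branch runs — confirm`.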
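Review bot: The top-level `permissions: contents: read` makes every job's GITHUB_TOKEN read-only, and the `analyze` job needs `security-events: write` to upload SARIF results; the job body is outside this hunk, so if it does not already declare that at job level the change breaks the upload step instead of merely tightening it. I would add to the job `permissions:` / `  contents: read` / `  security-events: write # for github/codeql-action to upload results`. `actions: read` is additionally required by the CodeQL upload only for private repositories, so it can be omitted if this repository is public.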
diff --git a/modulegen/_template/ci.yml.tmpl b/modulegen/_template/ci.yml.tmpl index dacf6bb49a..2d605d0d1b 100644 --- a/modulegen/_template/ci.yml.tmpl +++ b/modulegen/_template/ci.yml.tmpl @@ -138,22 +138,25 @@ jobs: ryuk-disabled: false sonarcloud: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: read # for sonarsource/sonarcloud-github-action to determine which PR to decorate if: {{ "${{ github.ref_name == 'main' && github.repository_owner == 'testcontainers' }}" }} needs: test-examples runs-on: ubuntu-latest steps: - name: Check out code into the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: # Disabling shallow clone is recommended for improving relevancy of reporting fetch-depth: 0 - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: sonarcloud - name: Analyze with SonarCloud - uses: sonarsource/sonarcloud-github-action@master + uses: sonarsource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1 env: GITHUB_TOKEN: {{ "${{ secrets.GITHUB_TOKEN }}" }} SONAR_TOKEN: {{ "${{ secrets.SONAR_TOKEN }}" }} From 1b95b949453b0c0fab88b5d31859a1fa60636064 Mon Sep 17 00:00:00 2001 From: Matthieu MOREL Date: Thu, 18 Jan 2024 13:29:18 +0100 Subject: [PATCH 2/6] Go install gotestsum and golangci-lint (#2127) * Update commons-test.mk * Update ci-test-go.yml * Update ci-windows.yml * Update commons-test.mk --- .github/workflows/ci-test-go.yml | 4 +--- .github/workflows/ci-windows.yml | 4 +--- commons-test.mk | 26 ++++++++++++++++++++++---- 3 files changed, 24 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci-test-go.yml b/.github/workflows/ci-test-go.yml index 6707c871f5..c23b4b0115 100644 --- a/.github/workflows/ci-test-go.yml +++ b/.github/workflows/ci-test-go.yml 
@@ -104,9 +104,7 @@ jobs: if: ${{ inputs.run-tests }} working-directory: ./${{ inputs.project-directory }} timeout-minutes: 30 - run: | - go install gotest.tools/gotestsum@latest - make test-unit + run: make test-unit - name: Upload SonarCloud files if: ${{ github.ref_name == 'main' && github.repository_owner == 'testcontainers' && inputs.run-tests && !inputs.rootless-docker }} diff --git a/.github/workflows/ci-windows.yml b/.github/workflows/ci-windows.yml index 8bee2b1ab7..9f868aa8f0 100644 --- a/.github/workflows/ci-windows.yml +++ b/.github/workflows/ci-windows.yml @@ -50,9 +50,7 @@ jobs: - name: go test timeout-minutes: 30 - run: | - go install gotest.tools/gotestsum@latest - gotestsum --format short-verbose --rerun-fails=5 --packages="./..." --junitfile TEST-unit.xml -- -timeout=30m + run: make test-unit - name: Create success status uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 diff --git a/commons-test.mk b/commons-test.mk index 6a0606e7d3..e99d62a224 100644 --- a/commons-test.mk +++ b/commons-test.mk @@ -1,4 +1,23 @@ ROOT_DIR:=$(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +GOBIN= $(GOPATH)/bin + +define go_install + go install $(1) +endef + +$(GOBIN)/golangci-lint: + $(call go_install,github.com/golangci/golangci-lint/cmd/golangci-lint@v1.55.2) + +$(GOBIN)/gotestsum: + $(call go_install,gotest.tools/gotestsum@latest) + +.PHONY: install +install: $(GOBIN)/golangci-lint $(GOBIN)/gotestsum + +.PHONY: clean +clean: + rm $(GOBIN)/golangci-lint + rm $(GOBIN)/gotestsum .PHONY: dependencies-scan dependencies-scan: @@ -6,11 +25,11 @@ dependencies-scan: go list -json -m all | docker run --rm -i sonatypecommunity/nancy:latest sleuth --skip-update-check .PHONY: lint -lint: +lint: $(GOBIN)/golangci-lint golangci-lint run --out-format=github-actions --path-prefix=. --verbose -c $(ROOT_DIR)/.golangci.yml --fix .PHONY: test-% -test-%: +test-%: $(GOBIN)/gotestsum @echo "Running $* tests..." gotestsum \ --format short-verbose \ 
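Review bot: `run: make test-unit` drops the explicit `--rerun-fails=5 --junitfile TEST-unit.xml -- -timeout=30m` arguments the previous inline gotestsum call passed; the `test-%` recipe in commons-test.mk in this same commit shows only `--format short-verbose` before its hunk is cut, so please confirm the remaining flags, and in particular the TEST-unit.xml output that a later step may consume, survive the move. If this job runs on a Windows runner, as the file name suggests, `go install` writes `gotestsum.exe`, so the Makefile's `$(GOBIN)/gotestsum` prerequisite never exists and the install is repeated on every invocation; `make` itself must also be on the runner's PATH, which nothing in the hunk establishes.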
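Review bot: `GOBIN= $(GOPATH)/bin` reads the make variable GOPATH, which is only set when the environment exports it; Go has defaulted GOPATH since 1.8 and many shells and CI images do not export it, in which case the target paths collapse to `/bin/golangci-lint` and `/bin/gotestsum`, `install` never sees its prerequisites (go install writes to `$(go env GOPATH)/bin`, not there), and `clean` runs `rm /bin/golangci-lint`. The recipe also does not pass GOBIN to `go install`, so the make-side path and the real install location can diverge even when GOPATH is set. Deriving the path from the toolchain and exporting it into the recipe fixes both, and `rm -f` keeps `clean` idempotent. Separately, `gotest.tools/gotestsum@latest` remains a floating version while golangci-lint is pinned to v1.55.2 and the previous commit pinned every action to a SHA; a fixed version here would keep test runs reproducible.
```makefile
GOBIN ?= $(shell go env GOPATH)/bin

define go_install
	GOBIN=$(GOBIN) go install $(1)
endef

# … unchanged: $(GOBIN)/golangci-lint, $(GOBIN)/gotestsum and install targets …

.PHONY: clean
clean:
	rm -f $(GOBIN)/golangci-lint
	rm -f $(GOBIN)/gotestsum
```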
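Review bot: `lint` and `test-%` now depend on `$(GOBIN)/golangci-lint` and `$(GOBIN)/gotestsum`, but their recipes still invoke bare `golangci-lint` and `gotestsum` from PATH, so the prerequisite can be satisfied while the recipe fails, or runs a different, older binary found earlier on PATH, whenever GOBIN is not on PATH. Invoking the prerequisite directly closes that gap: `$(GOBIN)/golangci-lint run --out-format=github-actions --path-prefix=. --verbose -c $(ROOT_DIR)/.golangci.yml --fix` in `lint` and `$(GOBIN)/gotestsum \` in `test-%`, whose recipe continues past the end of the hunk.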
@@ -26,8 +45,7 @@ tools: go mod download .PHONY: test-tools -test-tools: - go install gotest.tools/gotestsum@latest +test-tools: $(GOBIN)/gotestsum .PHONY: tools-tidy tools-tidy: From 69a475cff46b61909cfd1542a99e9e5de13e4fae Mon Sep 17 00:00:00 2001 From: Matthieu MOREL Date: Thu, 18 Jan 2024 13:29:33 +0100 Subject: [PATCH 3/6] enable golangci-lint for redis module (#2126) Signed-off-by: Matthieu MOREL --- .github/workflows/ci-test-go.yml | 2 +- modules/redis/redis_test.go | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-test-go.yml b/.github/workflows/ci-test-go.yml index c23b4b0115..3f44249eb5 100644 --- a/.github/workflows/ci-test-go.yml +++ b/.github/workflows/ci-test-go.yml @@ -71,7 +71,7 @@ jobs: - name: golangci-lint # TODO: Remove each example/module once it passes the golangci-lint - if: ${{ inputs.platform == 'ubuntu-latest' && inputs.go-version == '1.20.x' && !contains(fromJSON('["examples/cockroachdb", "examples/toxiproxy", "modules/compose", "modules/redis"]'), inputs.project-directory) }} + if: ${{ inputs.platform == 'ubuntu-latest' && inputs.go-version == '1.20.x' && !contains(fromJSON('["examples/cockroachdb", "examples/toxiproxy", "modules/compose"]'), inputs.project-directory) }} uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3 with: # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version diff --git a/modules/redis/redis_test.go b/modules/redis/redis_test.go index ec7d7be735..86d123dd8e 100644 --- a/modules/redis/redis_test.go +++ b/modules/redis/redis_test.go 
@@ -127,7 +127,9 @@ func assertSetsGets(t *testing.T, ctx context.Context, redisContainer *RedisCont require.NoError(t, err) client := redis.NewClient(options) - defer flushRedis(ctx, *client) + defer func(t *testing.T, ctx context.Context, client *redis.Client) { + require.NoError(t, flushRedis(ctx, *client)) + }(t, ctx, client) t.Log("pinging redis") pong, err := client.Ping(ctx).Result() From 90a6ffe246fb9bf1f42d737d89066e6cff2a0e95 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Jan 2024 14:03:08 +0100 Subject: [PATCH 4/6] chore(deps): bump github.com/neo4j/neo4j-go-driver/v5 in /modules/neo4j (#2098) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [github.com/neo4j/neo4j-go-driver/v5](https://github.com/neo4j/neo4j-go-driver) from 5.15.0 to 5.16.0. - [Release notes](https://github.com/neo4j/neo4j-go-driver/releases) - [Commits](https://github.com/neo4j/neo4j-go-driver/compare/v5.15.0...v5.16.0) --- updated-dependencies: - dependency-name: github.com/neo4j/neo4j-go-driver/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Manuel de la Peña --- modules/neo4j/go.mod | 2 +- modules/neo4j/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/neo4j/go.mod b/modules/neo4j/go.mod index a18b9b16ab..f8a193ecba 100644 --- a/modules/neo4j/go.mod +++ b/modules/neo4j/go.mod @@ -4,7 +4,7 @@ go 1.20 require ( github.com/docker/go-connections v0.5.0 - github.com/neo4j/neo4j-go-driver/v5 v5.15.0 + github.com/neo4j/neo4j-go-driver/v5 v5.16.0 github.com/testcontainers/testcontainers-go v0.27.0 ) diff --git a/modules/neo4j/go.sum b/modules/neo4j/go.sum index 5f0473f3a1..db5809267b 100644 --- a/modules/neo4j/go.sum +++ b/modules/neo4j/go.sum 
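Review bot: The deferred closure takes `t`, `ctx` and `client` as explicit parameters and passes the same values straight back in, which is only needed when capturing a variable that changes before the defer runs (a loop variable, say); none of these do, so a plain closure reads better: `defer func() { require.NoError(t, flushRedis(ctx, *client)) }()`. The `truncateCockroachDB` defer in examples/cockroachdb/cockroachdb_test.go later in this series has the same shape. Worth a comment as well: `require.NoError` inside a defer calls `t.FailNow`, so a flush failure now fails the test where it was previously ignored, which is the intent of the lint fix but changes what a transient Redis error does to the suite, e.g. `// flush failures now fail the test (previously ignored)`. The enclosing assertSetsGets continues outside the hunk.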
@@ -74,8 +74,8 @@ github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= -github.com/neo4j/neo4j-go-driver/v5 v5.15.0 h1:oqJZB1p2DE153RjfFbVGQiSDXqMCMEQnrZW+ZI86o58= -github.com/neo4j/neo4j-go-driver/v5 v5.15.0/go.mod h1:Vff8OwT7QpLm7L2yYr85XNWe9Rbqlbeb9asNXJTHO4k= +github.com/neo4j/neo4j-go-driver/v5 v5.16.0 h1:m3ZTjqulwob5HBysu5QdSvFB1+6x8xC9I3hC7yzcN6A= +github.com/neo4j/neo4j-go-driver/v5 v5.16.0/go.mod h1:Vff8OwT7QpLm7L2yYr85XNWe9Rbqlbeb9asNXJTHO4k= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI= From d8f0c469b44f9ab605e5ef2fadac0aa4924c6007 Mon Sep 17 00:00:00 2001 From: Matthieu MOREL Date: Thu, 18 Jan 2024 23:34:56 +0100 Subject: [PATCH 5/6] enable golangci-lint for examples (#2128) Signed-off-by: Matthieu MOREL --- .github/workflows/ci-test-go.yml | 2 +- examples/cockroachdb/cockroachdb_test.go | 36 +++++++++--------------- 2 files changed, 14 insertions(+), 24 deletions(-) diff --git a/.github/workflows/ci-test-go.yml b/.github/workflows/ci-test-go.yml index 3f44249eb5..97cbdee663 100644 --- a/.github/workflows/ci-test-go.yml +++ b/.github/workflows/ci-test-go.yml 
@@ -71,7 +71,7 @@ jobs: - name: golangci-lint # TODO: Remove each example/module once it passes the golangci-lint - if: ${{ inputs.platform == 'ubuntu-latest' && inputs.go-version == '1.20.x' && !contains(fromJSON('["examples/cockroachdb", "examples/toxiproxy", "modules/compose"]'), inputs.project-directory) }} + if: ${{ inputs.platform == 'ubuntu-latest' && inputs.go-version == '1.20.x' && !contains(fromJSON('["modules/compose"]'), inputs.project-directory) }} uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3 with: # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version diff --git a/examples/cockroachdb/cockroachdb_test.go b/examples/cockroachdb/cockroachdb_test.go index 38706d9737..50e9c1e0ad 100644 --- a/examples/cockroachdb/cockroachdb_test.go +++ b/examples/cockroachdb/cockroachdb_test.go @@ -8,6 +8,7 @@ import ( "github.com/google/uuid" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" ) // Task represents a unit of work to complete. We're going to be using this in @@ -16,12 +17,12 @@ import ( type task struct { ID string `json:"id"` Description string `json:"description"` - DateDue *time.Time `json:"date_due,string"` - DateCreated time.Time `json:"date_created,string"` + DateDue *time.Time `json:"date_due"` + DateCreated time.Time `json:"date_created"` DateUpdated time.Time `json:"date_updated"` } -func initCockroachDB(ctx context.Context, db sql.DB) error { +func initCockroachDB(ctx context.Context, db *sql.DB) error { // Actual SQL for initializing the database should probably live elsewhere const query = `CREATE DATABASE projectmanagement; CREATE TABLE projectmanagement.task( 
@@ -31,11 +32,10 @@ func initCockroachDB(ctx context.Context, db sql.DB) error { date_created timestamp with time zone not null, date_updated timestamp with time zone not null);` _, err := db.ExecContext(ctx, query) - return err } -func truncateCockroachDB(ctx context.Context, db sql.DB) error { +func truncateCockroachDB(ctx context.Context, db *sql.DB) error { const query = `TRUNCATE projectmanagement.task` _, err := db.ExecContext(ctx, query) return err @@ -49,9 +49,7 @@ func TestIntegrationDBInsertSelect(t *testing.T) { ctx := context.Background() cdbContainer, err := startContainer(ctx) - if err != nil { - t.Fatal(err) - } + require.NoError(t, err) t.Cleanup(func() { if err := cdbContainer.Terminate(ctx); err != nil { t.Fatalf("failed to terminate container: %s", err) @@ -59,16 +57,13 @@ func TestIntegrationDBInsertSelect(t *testing.T) { }) db, err := sql.Open("pgx", cdbContainer.URI+"/projectmanagement") - if err != nil { - t.Fatal(err) - } + require.NoError(t, err) defer db.Close() - err = initCockroachDB(ctx, *db) - if err != nil { - t.Fatal(err) - } - defer truncateCockroachDB(ctx, *db) + require.NoError(t, initCockroachDB(ctx, db)) + defer func(t *testing.T, ctx context.Context, db *sql.DB) { + require.NoError(t, truncateCockroachDB(ctx, db)) + }(t, ctx, db) now := time.Now() @@ -84,9 +79,7 @@ func TestIntegrationDBInsertSelect(t *testing.T) { tsk.DateDue, tsk.DateCreated, tsk.DateUpdated) - if err != nil { - t.Fatal(err) - } + require.NoError(t, err) // Select data savedTsk := task{ID: tsk.ID} @@ -95,10 +88,7 @@ func TestIntegrationDBInsertSelect(t *testing.T) { where id = $1` row := db.QueryRowContext(ctx, findQuery, tsk.ID) err = row.Scan(&savedTsk.Description, &savedTsk.DateDue, &savedTsk.DateCreated, &savedTsk.DateUpdated) - if err != nil { - t.Fatal(err) - } - + require.NoError(t, err) assert.Equal(t, tsk.ID, savedTsk.ID) assert.Equal(t, tsk.Description, savedTsk.Description) assert.Equal(t, tsk.DateDue, savedTsk.DateDue) 
From e52d1b1648568f5365d579ff7fd0371d563648d8 Mon Sep 17 00:00:00 2001 From: Matthieu MOREL Date: Thu, 18 Jan 2024 23:35:09 +0100 Subject: [PATCH 6/6] pin Docker images version (#2129) Signed-off-by: Matthieu MOREL --- docs/features/build_from_dockerfile.md | 2 +- modules/redis/testdata/Dockerfile | 2 +- testdata/Dockerfile | 2 +- wait/testdata/Dockerfile | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/features/build_from_dockerfile.md b/docs/features/build_from_dockerfile.md index dd2628dfc8..19ad060d2e 100644 --- a/docs/features/build_from_dockerfile.md +++ b/docs/features/build_from_dockerfile.md @@ -17,7 +17,7 @@ image will be built with a random name and tag. If your Dockerfile expects build args: ```Dockerfile -FROM alpine +FROM alpine@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 ARG FOO diff --git a/modules/redis/testdata/Dockerfile b/modules/redis/testdata/Dockerfile index bf302c6240..7157611a13 100644 --- a/modules/redis/testdata/Dockerfile +++ b/modules/redis/testdata/Dockerfile @@ -1 +1 @@ -FROM docker.io/redis:5.0-alpine \ No newline at end of file +FROM docker.io/redis:5.0-alpine@sha256:1a3c609295332f1ce603948142a132656c92a08149d7096e203058533c415b8c diff --git a/testdata/Dockerfile b/testdata/Dockerfile index bf302c6240..7157611a13 100644 --- a/testdata/Dockerfile +++ b/testdata/Dockerfile @@ -1 +1 @@ -FROM docker.io/redis:5.0-alpine \ No newline at end of file +FROM docker.io/redis:5.0-alpine@sha256:1a3c609295332f1ce603948142a132656c92a08149d7096e203058533c415b8c diff --git a/wait/testdata/Dockerfile b/wait/testdata/Dockerfile index 512f09c8fc..ad92401796 100644 --- a/wait/testdata/Dockerfile +++ b/wait/testdata/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.18-alpine as builder +FROM golang:1.18-alpine@sha256:77f25981bd57e60a510165f3be89c901aec90453fd0f1c5a45691f6cb1528807 as builder WORKDIR /app COPY . . RUN mkdir -p dist
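Review bot: The digest pins in modules/redis/testdata/Dockerfile, testdata/Dockerfile and wait/testdata/Dockerfile freeze the fixtures to one exact image, which is right for reproducible tests, but a digest never moves, so these lines will silently fall behind image security fixes unless something refreshes them. The repository already takes gomod bumps from Dependabot (see the neo4j commit in this series), so if the `docker` package-ecosystem is not yet enabled in its Dependabot configuration this commit is the moment to add it, one entry per Dockerfile directory (constructed example: `- package-ecosystem: "docker"` / `  directory: "/wait/testdata"` / `  schedule: { interval: "weekly" }`). Keeping the tag next to the digest, as `golang:1.18-alpine@sha256:…` and `redis:5.0-alpine@sha256:…` do, is worth preserving so a reader can tell which release each hash stands for.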