From c29b2b89dd571cc13d526157761fef63ffa4f77d Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Mon, 18 Dec 2023 17:32:20 +0800 Subject: [PATCH 01/10] chore: update dependabot config --- .github/{dependabot.yml => dependabot.yaml} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename .github/{dependabot.yml => dependabot.yaml} (91%) diff --git a/.github/dependabot.yml b/.github/dependabot.yaml similarity index 91% rename from .github/dependabot.yml rename to .github/dependabot.yaml index 97607e05..de791be7 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yaml @@ -3,12 +3,12 @@ updates: - package-ecosystem: github-actions directory: / schedule: - interval: daily -- package-ecosystem: gomod + interval: weekly +- package-ecosystem: docker directory: / schedule: interval: daily -- package-ecosystem: docker +- package-ecosystem: gomod directory: / schedule: interval: daily From 94612bc37b8e7bf624f551200280716c8ece2462 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Thu, 21 Dec 2023 14:00:00 +0800 Subject: [PATCH 02/10] chore: update dependency-review config --- .github/dependency-review-config.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml index 3705f787..df8f6535 100644 --- a/.github/dependency-review-config.yml +++ b/.github/dependency-review-config.yml @@ -1,5 +1,5 @@ # https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md -allow_licenses: +allow-licenses: - 'Apache-2.0' - 'BSD-2-Clause' - 'BSD-2-Clause-FreeBSD' @@ -10,3 +10,8 @@ allow_licenses: - 'Python-2.0' - 'X11' - 'Zlib' + +# this action is GPL-3 but it is only used in CI +# https://github.com/actions/dependency-review-action/issues/530#issuecomment-1638291806 +allow-dependencies-licenses: > + pkg:githubactions/vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787 From 5edde15480d31dbfc7498efa2ece9aa3c4be1586 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Thu, 21 Dec 2023 14:03:19 +0800 Subject: [PATCH 03/10] chore: update build and release workflows --- .github/workflows/build.yaml | 78 ++++++-------- .github/workflows/release.yaml | 107 +++++++------------- .github/workflows/tag-to-release.yaml | 72 ------------- .goreleaser.yaml | 140 ++++++++++++++++++++++++++ .goreleaser.yml | 52 ---------- Dockerfile | 4 + deploy/ssh-portal-api/Dockerfile | 3 - deploy/ssh-portal/Dockerfile | 3 - deploy/ssh-token/Dockerfile | 3 - 9 files changed, 211 insertions(+), 251 deletions(-) delete mode 100644 .github/workflows/tag-to-release.yaml create mode 100644 .goreleaser.yaml delete mode 100644 .goreleaser.yml create mode 100644 Dockerfile delete mode 100644 deploy/ssh-portal-api/Dockerfile delete mode 100644 deploy/ssh-portal/Dockerfile delete mode 100644 deploy/ssh-token/Dockerfile diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index d9c40413..8a0834c4 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -1,68 +1,54 @@ -name: Build -on: pull_request +name: build +on: + pull_request: + branches: + - main +permissions: {} jobs: - build: + build-snapshot: + permissions: + contents: read + packages: write runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Install Go - uses: actions/setup-go@v5 - with: - go-version: stable - - name: Set up environment - run: echo "GOVERSION=$(go version)" >> $GITHUB_ENV - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v5 - with: - version: latest - args: build --snapshot --rm-dist - - name: Tar up binaries - # work around limitations in the upload/download artifact actions - # https://github.com/actions/download-artifact#limitations - run: tar -cvf dist.tar dist - - name: Upload binaries tar file - uses: actions/upload-artifact@v4 - with: - name: dist.tar - path: dist.tar - buildimage: - if: ${{ !startsWith(github.head_ref, 'dependabot/') }} strategy: matrix: binary: - - ssh-portal-api - ssh-portal + - ssh-portal-api - ssh-token - needs: build - runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Download binaries tar file - uses: actions/download-artifact@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - name: dist.tar - - name: Untar binaries - run: tar -xvf dist.tar + go-version: stable + - run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV" + - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 + with: + version: latest + args: build --clean --debug --single-target --snapshot - name: Login to GHCR - uses: docker/login-action@v3 + if: github.actor != 'dependabot[bot]' + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Docker metadata - # this id is namespaced per matrix run + - name: Get Docker metadata + if: github.actor != 'dependabot[bot]' id: docker_metadata - uses: docker/metadata-action@v5 + uses: docker/metadata-action@9dc751fe249ad99385a2583ee0d084c400eee04e # v5.4.0 with: - images: ghcr.io/uselagoon/lagoon-ssh-portal/${{ matrix.binary }} + images: ghcr.io/${{ github.repository }}/${{ matrix.binary }} + - run: echo "GITHUB_REPOSITORY_NAME=$(basename ${{ github.repository }})" >> "$GITHUB_ENV" - name: Build and push ${{ matrix.binary }} container image - id: docker_build - uses: docker/build-push-action@v5 + if: github.actor != 'dependabot[bot]' + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: push: true tags: ${{ steps.docker_metadata.outputs.tags }} labels: ${{ steps.docker_metadata.outputs.labels }} - file: deploy/${{ matrix.binary }}/Dockerfile + file: Dockerfile + build-args: BINARY=${{ matrix.binary }} context: dist/${{ matrix.binary }}_linux_amd64_v1 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index eb2862ce..4be6d15f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,25 +1,27 @@ -name: Release +name: release on: push: branches: - main +permissions: {} jobs: - tag: + release-tag: + permissions: + # create tag + contents: write runs-on: ubuntu-latest outputs: new-tag: ${{ steps.bump-tag.outputs.new }} new-tag-version: ${{ steps.bump-tag.outputs.new_tag_version }} steps: - - name: Checkout - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - - name: Configure Git + - name: Configure git run: | git config --global user.name "$GITHUB_ACTOR" git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" - - name: Install Go - uses: actions/setup-go@v5 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: stable - name: Install ccv @@ -29,82 +31,43 @@ jobs: - name: Bump tag if necessary id: bump-tag run: | - if [ -z $(git tag -l $(ccv)) ]; then - git tag $(ccv) + if [ -z "$(git tag -l "$(ccv)")" ]; then + git tag "$(ccv)" git push --tags - echo "::set-output name=new::true" - echo "::set-output name=new_tag_version::$(git tag --points-at HEAD)" + echo "new=true" >> "$GITHUB_OUTPUT" + echo "new_tag_version=$(git tag --points-at HEAD)" >> "$GITHUB_OUTPUT" fi - release: - needs: tag - if: needs.tag.outputs.new-tag == 'true' + release-build: + permissions: + # create release + contents: write + # push docker images to regsitry + packages: write + # use OIDC token for signing + id-token: write + needs: release-tag + if: needs.release-tag.outputs.new-tag == 'true' runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - - name: Install Go - uses: actions/setup-go@v5 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: stable - - name: Set up environment - run: echo "GOVERSION=$(go version)" >> $GITHUB_ENV - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v5 - with: - version: latest - args: release --rm-dist - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Tar up binaries - run: tar -cvf dist.tar dist - - name: Upload binaries tar file - uses: actions/upload-artifact@v4 - with: - name: dist.tar - path: dist.tar - releaseimage: - strategy: - matrix: - binary: - - ssh-portal-api - - ssh-portal - - ssh-token - needs: - - tag - - release - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Download binaries tar file - uses: actions/download-artifact@v4 - with: - name: dist.tar - - name: Untar binaries - run: tar -xvf dist.tar - name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Docker metadata - # this id is namespaced per matrix run - id: docker_metadata - uses: docker/metadata-action@v5 - with: - images: ghcr.io/uselagoon/lagoon-ssh-portal/${{ matrix.binary }} - tags: | - ${{ needs.tag.outputs.new-tag-version }} - latest - - name: Build and push ${{ matrix.binary }} container image - id: docker_build - uses: docker/build-push-action@v5 + - name: Set up environment + run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV" + - uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 + - uses: anchore/sbom-action/download-syft@5ecf649a417b8ae17dc8383dc32d46c03f2312df # v0.15.1 + - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: - push: true - tags: ${{ steps.docker_metadata.outputs.tags }} - labels: ${{ steps.docker_metadata.outputs.labels }} - file: deploy/${{ matrix.binary }}/Dockerfile - context: dist/${{ matrix.binary }}_linux_amd64_v1 + version: latest + args: release --clean + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/tag-to-release.yaml b/.github/workflows/tag-to-release.yaml deleted file mode 100644 index 8b7eaa4d..00000000 --- a/.github/workflows/tag-to-release.yaml +++ /dev/null @@ -1,72 +0,0 @@ -name: Tag to Release -on: - push: - tags: - - v* -jobs: - release: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Install Go - uses: actions/setup-go@v5 - with: - go-version: stable - - name: Set up environment - run: echo "GOVERSION=$(go version)" >> $GITHUB_ENV - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v5 - with: - version: latest - args: release --rm-dist - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Tar up binaries - run: tar -cvf dist.tar dist - - name: Upload binaries tar file - uses: actions/upload-artifact@v4 - with: - name: dist.tar - path: dist.tar - releaseimage: - strategy: - matrix: - binary: - - ssh-portal-api - - ssh-portal - - ssh-token - needs: - - tag - - release - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Download binaries tar file - uses: actions/download-artifact@v4 - with: - name: dist.tar - - name: Untar binaries - run: tar -xvf dist.tar - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Docker metadata - # this id is namespaced per matrix run - id: docker_metadata - uses: docker/metadata-action@v5 - with: - images: ghcr.io/uselagoon/lagoon-ssh-portal/${{ matrix.binary }} - - name: Build and push ${{ matrix.binary }} container image - id: docker_build - uses: docker/build-push-action@v5 - with: - push: true - tags: ${{ steps.docker_metadata.outputs.tags }} - labels: ${{ steps.docker_metadata.outputs.labels }} - file: deploy/${{ matrix.binary }}/Dockerfile - context: dist/${{ matrix.binary }}_linux_amd64_v1 diff --git a/.goreleaser.yaml b/.goreleaser.yaml new file mode 100644 index 00000000..e9ca0aad --- /dev/null +++ b/.goreleaser.yaml @@ -0,0 +1,140 @@ +builds: +- &buildDefinition + id: ssh-portal + binary: ssh-portal + main: ./cmd/ssh-portal + ldflags: + - > + -s -w + -X "main.commit={{.Commit}}" + -X "main.date={{.Date}}" + -X "main.goVersion={{.Env.GOVERSION}}" + -X "main.projectName={{.ProjectName}}" + -X "main.version={{.Version}}" + env: + - CGO_ENABLED=0 + goos: + - linux + - darwin + goarch: + - amd64 + - arm64 +- <<: *buildDefinition + id: ssh-portal-api + binary: ssh-portal-api + main: ./cmd/ssh-portal-api +- <<: *buildDefinition + id: ssh-token + binary: ssh-token + main: ./cmd/ssh-token + +changelog: + use: github-native + +sboms: +- artifacts: archive + +signs: +- cmd: cosign + signature: "${artifact}.sig" + certificate: "${artifact}.pem" + args: + - "sign-blob" + - "--output-signature=${signature}" + - "--output-certificate=${certificate}" + - "${artifact}" + - "--yes" + artifacts: checksum + +dockers: +# ssh-portal +- ids: + - ssh-portal + image_templates: + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-portal:{{ .Version }}-amd64" + use: buildx + build_flag_templates: + - "--build-arg=BINARY=ssh-portal" + - "--platform=linux/amd64" +- ids: + - ssh-portal + image_templates: + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-portal:{{ .Version }}-arm64v8" + use: buildx + goarch: arm64 + build_flag_templates: + - "--build-arg=BINARY=ssh-portal" + - "--platform=linux/arm64/v8" +# ssh-portal-api +- ids: + - ssh-portal-api + image_templates: + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-portal-api:{{ .Version }}-amd64" + use: buildx + build_flag_templates: + - "--build-arg=BINARY=ssh-portal-api" + - "--platform=linux/amd64" +- ids: + - ssh-portal-api + image_templates: + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-portal-api:{{ .Version }}-arm64v8" + use: buildx + goarch: arm64 + build_flag_templates: + - "--build-arg=BINARY=ssh-portal-api" + - "--platform=linux/arm64/v8" +# ssh-token +- ids: + - ssh-token + image_templates: + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-token:{{ .Version }}-amd64" + use: buildx + build_flag_templates: + - "--build-arg=BINARY=ssh-token" + - "--platform=linux/amd64" +- ids: + - ssh-token + image_templates: + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-token:{{ .Version }}-arm64v8" + use: buildx + goarch: arm64 + build_flag_templates: + - "--build-arg=BINARY=ssh-token" + - "--platform=linux/arm64/v8" + +docker_manifests: +# ssh-portal +- name_template: "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-portal:{{ .Version }}" + image_templates: + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-portal:{{ .Version }}-amd64" + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-portal:{{ .Version }}-arm64v8" +- name_template: "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-portal:latest" + image_templates: + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-portal:{{ .Version }}-amd64" + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-portal:{{ .Version }}-arm64v8" +# ssh-portal-api +- name_template: "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-portal-api:{{ .Version }}" + image_templates: + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-portal-api:{{ .Version }}-amd64" + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-portal-api:{{ .Version }}-arm64v8" +- name_template: "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-portal-api:latest" + image_templates: + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-portal-api:{{ .Version }}-amd64" + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-portal-api:{{ .Version }}-arm64v8" +# ssh-token +- name_template: "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-token:{{ .Version }}" + image_templates: + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-token:{{ .Version }}-amd64" + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-token:{{ .Version }}-arm64v8" +- name_template: "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-token:latest" + image_templates: + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-token:{{ .Version }}-amd64" + - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-token:{{ .Version }}-arm64v8" + +docker_signs: +- args: + - "sign" + - "${artifact}@${digest}" + - "--yes" + artifacts: all + output: true diff --git a/.goreleaser.yml b/.goreleaser.yml deleted file mode 100644 index 986118f2..00000000 --- a/.goreleaser.yml +++ /dev/null @@ -1,52 +0,0 @@ -builds: -- id: ssh-portal-api - dir: cmd/ssh-portal-api - binary: ssh-portal-api - ldflags: - - > - -s -w - -X "main.commit={{.Commit}}" - -X "main.date={{.Date}}" - -X "main.goVersion={{.Env.GOVERSION}}" - -X "main.projectName={{.ProjectName}}" - -X "main.version={{.Version}}" - env: - - CGO_ENABLED=0 - goarch: - - amd64 - goos: - - linux -- id: ssh-portal - dir: cmd/ssh-portal - binary: ssh-portal - ldflags: - - > - -s -w - -X "main.commit={{.Commit}}" - -X "main.date={{.Date}}" - -X "main.goVersion={{.Env.GOVERSION}}" - -X "main.projectName={{.ProjectName}}" - -X "main.version={{.Version}}" - env: - - CGO_ENABLED=0 - goarch: - - amd64 - goos: - - linux -- id: ssh-token - dir: cmd/ssh-token - binary: ssh-token - ldflags: - - > - -s -w - -X "main.commit={{.Commit}}" - -X "main.date={{.Date}}" - -X "main.goVersion={{.Env.GOVERSION}}" - -X "main.projectName={{.ProjectName}}" - -X "main.version={{.Version}}" - env: - - CGO_ENABLED=0 - goarch: - - amd64 - goos: - - linux diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 00000000..eef3093a --- /dev/null +++ b/Dockerfile @@ -0,0 +1,4 @@ +FROM alpine:3.19@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 +ARG BINARY=binary-build-arg-not-defined +ENTRYPOINT ["/${BINARY}"] +COPY $BINARY / diff --git a/deploy/ssh-portal-api/Dockerfile b/deploy/ssh-portal-api/Dockerfile deleted file mode 100644 index caf632d4..00000000 --- a/deploy/ssh-portal-api/Dockerfile +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.16 -ENTRYPOINT ["/ssh-portal-api"] -COPY ssh-portal-api / diff --git a/deploy/ssh-portal/Dockerfile b/deploy/ssh-portal/Dockerfile deleted file mode 100644 index 4ad43196..00000000 --- a/deploy/ssh-portal/Dockerfile +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.16 -ENTRYPOINT ["/ssh-portal"] -COPY ssh-portal / diff --git a/deploy/ssh-token/Dockerfile b/deploy/ssh-token/Dockerfile deleted file mode 100644 index fa5d79ad..00000000 --- a/deploy/ssh-token/Dockerfile +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.16 -ENTRYPOINT ["/ssh-token"] -COPY ssh-token / From 5cd7c621a2ec51d08ee31dd8827f5ab870ea664b Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Thu, 21 Dec 2023 22:20:47 +0800 Subject: [PATCH 04/10] chore: add codeql and coverage workflows --- .github/workflows/codeql-analysis.yaml | 32 +++++++++++++++++++++++ .github/workflows/coverage.yaml | 35 ++++++++++++-------------- 2 files changed, 48 insertions(+), 19 deletions(-) create mode 100644 .github/workflows/codeql-analysis.yaml diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml new file mode 100644 index 00000000..980097d1 --- /dev/null +++ b/.github/workflows/codeql-analysis.yaml @@ -0,0 +1,32 @@ +name: codeQL +on: + push: + branches: + - main + pull_request: + branches: + - main +permissions: {} +jobs: + analyze: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + language: + - go + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: stable + - name: Initialize CodeQL + uses: github/codeql-action/init@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11 + with: + languages: ${{ matrix.language }} + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11 diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml index 7bfa5321..9af81145 100644 --- a/.github/workflows/coverage.yaml +++ b/.github/workflows/coverage.yaml @@ -1,32 +1,29 @@ -name: Coverage +name: coverage on: push: branches: - main - +permissions: {} jobs: coverage: + permissions: + contents: write runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v4 - - name: Configure git - run: | - git config --global user.name "$GITHUB_ACTOR" - git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" - - name: Set up go - uses: actions/setup-go@v5 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: stable - - name: Install Dependencies - run: sudo apt-get update && sudo apt-get -u install libpcsclite-dev - name: Calculate coverage run: | - go test -v -covermode=count -coverprofile=coverage.out.raw -coverpkg=./... ./... - grep -v mock_ coverage.out.raw > coverage.out - - name: Convert coverage to lcov - uses: jandelgado/gcov2lcov-action@v1 - - name: Coveralls - uses: coverallsapp/github-action@v2 + go test -v -covermode=atomic -coverprofile=cover.out.raw -coverpkg=./... ./... + # remove mocks from coverage calculation + grep -v mock_ cover.out.raw > cover.out + - name: Generage coverage badge + uses: vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787 # v2.8.2 with: - github-token: ${{ secrets.github_token }} + profile: cover.out + local-prefix: github.com/uselagoon/lagoon-ssh-portal + git-token: ${{ secrets.GITHUB_TOKEN }} + # orphan branch for storing badges + git-branch: badges From 8fdb2eabb5bccf20053d2a0163826d0e34e96d77 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Thu, 21 Dec 2023 22:25:22 +0800 Subject: [PATCH 05/10] chore: update dependabot-automerge --- .github/workflows/dependabot-automerge.yaml | 29 ++++++++++++++------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml index 8f3942a6..ac399982 100644 --- a/.github/workflows/dependabot-automerge.yaml +++ b/.github/workflows/dependabot-automerge.yaml @@ -1,17 +1,26 @@ # https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request -name: Dependabot auto-merge -on: pull_request - -permissions: - contents: write - pull-requests: write - +name: dependabot auto-merge +on: + pull_request: + branches: + - main +permissions: {} jobs: - dependabot: + dependabot-automerge: + permissions: + contents: write + pull-requests: write runs-on: ubuntu-latest - if: ${{ github.actor == 'dependabot[bot]' }} + if: github.actor == 'dependabot[bot]' steps: - - name: Enable auto-merge for Dependabot PRs + - name: Fetch dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + - name: Auto-merge Dependabot PRs + # don't auto-merge action updates to appease OpenSSF scorecard + if: ${{ ! contains(steps.metadata.outputs.package-ecosystem, 'github-actions') }} run: gh pr merge --auto --merge "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}} From 788b993b98decd42460088d78cdf676b7c6e195f Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Thu, 21 Dec 2023 22:25:35 +0800 Subject: [PATCH 06/10] chore: update dependency-review --- ...nfig.yml => dependency-review-config.yaml} | 0 .github/workflows/dependency-review.yaml | 19 ++++++++++--------- 2 files changed, 10 insertions(+), 9 deletions(-) rename .github/{dependency-review-config.yml => dependency-review-config.yaml} (100%) diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yaml similarity index 100% rename from .github/dependency-review-config.yml rename to .github/dependency-review-config.yaml diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index 15f0a9de..c1f26b3b 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml @@ -1,15 +1,16 @@ -name: 'Dependency Review' +name: dependency review on: -- pull_request -permissions: - contents: read + pull_request: + branches: + - main +permissions: {} jobs: dependency-review: + permissions: + contents: read runs-on: ubuntu-latest steps: - - name: 'Checkout Repository' - uses: actions/checkout@v4 - - name: Dependency Review - uses: actions/dependency-review-action@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/dependency-review-action@01bc87099ba56df1e897b6874784491ea6309bc4 # v3.1.4 with: - config-file: '.github/dependency-review-config.yml' + config-file: .github/dependency-review-config.yaml From c80aefe866a1107d016b9639eefd2ff0c0522dc6 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Thu, 21 Dec 2023 22:27:31 +0800 Subject: [PATCH 07/10] chore: update lint workflow --- .github/workflows/lint.yaml | 41 +++++++++++++++++++++++-------------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 5be57d1c..5a59769c 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,26 +1,37 @@ -name: Lint -on: pull_request +name: lint +on: + pull_request: + branches: + - main +permissions: {} jobs: - golangci-lint: - name: lint + lint-go: + permissions: + contents: read runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Install Go - uses: actions/setup-go@v5 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: stable - - name: golangci-lint - uses: golangci/golangci-lint-action@v3 + - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: args: --timeout=180s - commitlint: + lint-commits: + permissions: + contents: read runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - - name: Lint commit messages - uses: wagoid/commitlint-github-action@v5 + - uses: wagoid/commitlint-github-action@0d749a1a91d4770e983a7b8f83d4a3f0e7e0874e # v5.4.4 + lint-actions: + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: docker://rhysd/actionlint:latest@sha256:2eb91a78b5a19140be099c7b4262d298c2567f2a9f27e10ed2a4323c5bcface8 + with: + args: -color From ab86227304f607037e1af828b02a6abbdf7a7339 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Thu, 21 Dec 2023 22:28:09 +0800 Subject: [PATCH 08/10] chore: add ossf-analysis workflow --- .github/workflows/ossf-analysis.yaml | 31 ++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/workflows/ossf-analysis.yaml diff --git a/.github/workflows/ossf-analysis.yaml b/.github/workflows/ossf-analysis.yaml new file mode 100644 index 00000000..5d8bb04a --- /dev/null +++ b/.github/workflows/ossf-analysis.yaml @@ -0,0 +1,31 @@ +name: OSSF scorecard +on: + push: + branches: + - main +permissions: {} +jobs: + ossf-scorecard-analysis: + runs-on: ubuntu-latest + permissions: + contents: read + # Needed if using Code scanning alerts + security-events: write + # Needed for GitHub OIDC token if publish_results is true + id-token: write + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Run analysis + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + # Publish the results for public repositories to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless + # of the value entered here. + publish_results: true + - name: Upload SARIF results to code scanning + uses: github/codeql-action/upload-sarif@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11 + with: + sarif_file: results.sarif From 52500a729bbd6d98ec84dd3db393a9bfdb448b0c Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Thu, 21 Dec 2023 22:28:31 +0800 Subject: [PATCH 09/10] chore: update test workflow --- .github/workflows/test.yaml | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 4ec87137..63fa3768 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -1,14 +1,19 @@ -name: Test -on: pull_request +name: test +on: + pull_request: + branches: + - main +permissions: {} jobs: - go-test: + test-go: + permissions: + contents: read runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Install Go - uses: actions/setup-go@v5 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{ github.event.pull_request.head.sha }} + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: stable - - name: Run Tests - run: go test -v ./... + - run: go test -v ./... From 3cd2533f829fc80b8439cda50e7095a7db0bc6a8 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Thu, 21 Dec 2023 22:31:59 +0800 Subject: [PATCH 10/10] chore: update badges in README --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5a59b65b..e378fba9 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,10 @@ # Lagoon SSH services +[![Go Reference](https://pkg.go.dev/badge/github.com/uselagoon/lagoon-ssh-portal.svg)](https://pkg.go.dev/github.com/uselagoon/lagoon-ssh-portal) [![Release](https://github.com/uselagoon/lagoon-ssh-portal/actions/workflows/release.yaml/badge.svg)](https://github.com/uselagoon/lagoon-ssh-portal/actions/workflows/release.yaml) -[![Coverage](https://coveralls.io/repos/github/uselagoon/lagoon-ssh-portal/badge.svg?branch=main)](https://coveralls.io/github/uselagoon/lagoon-ssh-portal?branch=main) +[![coverage](https://raw.githubusercontent.com/uselagoon/lagoon-ssh-portal/badges/.badges/main/coverage.svg)](https://github.com/uselagoon/lagoon-ssh-portal/actions/workflows/coverage.yaml) [![Go Report Card](https://goreportcard.com/badge/github.com/uselagoon/lagoon-ssh-portal)](https://goreportcard.com/report/github.com/uselagoon/lagoon-ssh-portal) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/uselagoon/lagoon-ssh-portal/badge)](https://securityscorecards.dev/viewer/?uri=github.com/uselagoon/lagoon-ssh-portal) This repository contains three related SSH services for [Lagoon](https://github.com/uselagoon/lagoon).