add govulncheck to CI and improve CI actions

Signed-off-by: Andreas Auernhammer <hi@aead.dev>
aead · Sep 18, 2022 · b8653b2 · b8653b2
1 parent 3e4aa6f
commit b8653b2
Show file tree

Hide file tree

Showing 7 changed files with 70 additions and 55 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,16 +1,18 @@
-name: "CodeQL Scan"
+name: CodeQL
 on:
-  push:
   pull_request:
-  schedule:
-    - cron: '0 19 * * 0'
+    branches:
+    - main
+  push:
+    branches:
+    - main
 jobs:
-  CodeQL-Build:
-    # CodeQL runs on ubuntu-latest and windows-latest
+  codeql:
+    name: Analysis
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -22,26 +24,15 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       # Override language selection by uncommenting this and choosing your languages
       # with:
       #   languages: go, javascript, csharp, python, cpp, java
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
+      uses: github/codeql-action/autobuild@v2
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2
+
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -10,47 +10,40 @@ on:
 
 jobs:
   build:
-    name: Build Go ${{ matrix.go-version }}
+    name: Build ${{ matrix.go-version }}
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-version: [1.16.x, 1.17.x]
+        go-version: [1.19.1]
     steps:
     - name: Set up Go ${{ matrix.go-version }}
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v3
       with:
         go-version: ${{ matrix.go-version }}
-      id: go
-
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
-
-    - name: Build
+      uses: actions/checkout@v3
+    - name: Build and Lint
       env:
         GO111MODULE: on
       run: |
-         curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.42.0
-         $(go env GOPATH)/bin/golangci-lint run --config ./.golangci.yml
+         go build ./...
          go vet ./...
+         curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.48.0
+         $(go env GOPATH)/bin/golangci-lint run --config ./.golangci.yml
   test:
-    name: Test Go ${{ matrix.go-version }} on ${{ matrix.os }}
+    name: Text ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        go-version: [1.17.x]
+        go-version: [1.19.1]
         os: [ubuntu-latest, windows-latest, macos-latest]
     steps:
     - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v3
       with:
         go-version: ${{ matrix.go-version }}
-      id: go
-
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
-
+      uses: actions/checkout@v3
     - name: Test on ${{ matrix.os }}
-      env:
-        GO111MODULE: on
       run: |
-         go test -v ./...
+         go test ./...
diff --git a/.github/workflows/vulncheck.yml b/.github/workflows/vulncheck.yml
@@ -0,0 +1,26 @@
+ame: VulnCheck
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+jobs:
+  vulncheck:
+    name: Analysis
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.19.1
+        check-latest: true
+    - name: Install govulncheck
+      run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      shell: bash
+    - name: Run govulncheck
+      run: govulncheck ./...
+      shell: bash
diff --git a/minisign.go b/minisign.go
@@ -162,7 +162,7 @@ func Verify(publicKey PublicKey, message, signature []byte) bool {
 }
 
 func sign(privateKey PrivateKey, message []byte, trustedComment, untrustedComment string, isHashed bool) []byte {
-	var algorithm = EdDSA
+	algorithm := EdDSA
 	if isHashed {
 		algorithm = HashEdDSA
 	}

diff --git a/private.go b/private.go
@@ -195,9 +195,9 @@ func DecryptKey(password string, privateKey []byte) (PrivateKey, error) {
 }
 
 // encryptKey encrypts the plaintext and returns a ciphertext by:
-//   1. tag        = BLAKE2b-256(EdDSA-const || plaintext)
-//   2. keystream  = Scrypt(password, salt, convert(ops, mem))
-//   3. ciphertext = (plaintext || tag) ⊕ keystream
+//  1. tag        = BLAKE2b-256(EdDSA-const || plaintext)
+//  2. keystream  = Scrypt(password, salt, convert(ops, mem))
+//  3. ciphertext = (plaintext || tag) ⊕ keystream
 //
 // Therefore, decryptKey converts the ops and mem cost parameters
 // to the (N, r, p)-tuple expected by Scrypt.
@@ -233,9 +233,9 @@ func encryptKey(password string, salt []byte, ops, mem uint64, plaintext []byte)
 }
 
 // decryptKey decrypts the ciphertext and returns a plaintext by:
-//   1. keystream        = Scrypt(password, salt, convert(ops, mem))
-//   2. plaintext || tag = ciphertext ⊕ keystream
-//   3. Check that: tag == BLAKE2b-256(EdDSA-const || plaintext)
+//  1. keystream        = Scrypt(password, salt, convert(ops, mem))
+//  2. plaintext || tag = ciphertext ⊕ keystream
+//  3. Check that: tag == BLAKE2b-256(EdDSA-const || plaintext)
 //
 // Therefore, decryptKey converts the ops and mem cost parameters to
 // the (N, r, p)-tuple expected by Scrypt.

diff --git a/public.go b/public.go
@@ -1,3 +1,7 @@
+// Copyright (c) 2021 Andreas Auernhammer. All rights reserved.
+// Use of this source code is governed by a license that can be
+// found in the LICENSE file.
+
 package minisign
 
 import (
@@ -65,7 +69,7 @@ func (p PublicKey) String() string {
 //
 // It never returns an error.
 func (p PublicKey) MarshalText() ([]byte, error) {
-	var comment = "untrusted comment: minisign public key: " + strings.ToUpper(strconv.FormatUint(p.ID(), 16)) + "\n"
+	comment := "untrusted comment: minisign public key: " + strings.ToUpper(strconv.FormatUint(p.ID(), 16)) + "\n"
 	return []byte(comment + p.String()), nil
 }
 

diff --git a/signature.go b/signature.go
@@ -35,15 +35,16 @@ func SignatureFromFile(file string) (Signature, error) {
 //
 // A signature is generated when signing a message with
 // a private key:
-//   signature = Sign(privateKey, message)
+//
+//	signature = Sign(privateKey, message)
 //
 // The signature of a message can then be verified with the
 // corresponding public key:
-//   if Verify(publicKey, message, signature) {
-//      // => signature is valid
-//      // => message has been signed with correspoding private key
-//   }
 //
+//	if Verify(publicKey, message, signature) {
+//	   // => signature is valid
+//	   // => message has been signed with correspoding private key
+//	}
 type Signature struct {
 	_ [0]func() // enforce named assignment and prevent direct comparison