Merge branch 'main' into openldap-module

* main:
  enable golangci-lint for redis module (testcontainers#2126)
  Go install gotestsum and golangci-lint  (testcontainers#2127)
  improve OSSF score (testcontainers#2125)
  chore: run make lint on new modules (testcontainers#2122)
  enable golangci-lint for pulsar (testcontainers#2121)
  lint: enable testifylint (testcontainers#2120)
  chore(deps): bump github.com/nats-io/nats.go in /modules/nats (testcontainers#2094)
  chore(deps): bump golang.org/x/sys from 0.15.0 to 0.16.0 (testcontainers#2104)
  Revert "chore(deps): bump actions/upload-artifact from 3.1.3 to 4.0.0 (testcontainers#2088)"

.github/workflows/ci-test-go.yml

@@ -71,11 +71,11 @@ jobs:
 
       - name: golangci-lint
         # TODO: Remove each example/module once it passes the golangci-lint
-        if: ${{ inputs.platform == 'ubuntu-latest' && inputs.go-version == '1.20.x' && !contains(fromJSON('["examples/cockroachdb", "examples/toxiproxy", "modules/compose", "modules/pulsar", "modules/redis"]'), inputs.project-directory) }}
+        if: ${{ inputs.platform == 'ubuntu-latest' && inputs.go-version == '1.20.x' && !contains(fromJSON('["examples/cockroachdb", "examples/toxiproxy", "modules/compose"]'), inputs.project-directory) }}
         uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3
         with:
           # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: v1.54.1
+          version: v1.55.2
           # Optional: working directory, useful for monorepos
           working-directory: ${{ inputs.project-directory }}
           # Optional: golangci-lint command line arguments.
@@ -104,13 +104,11 @@ jobs:
         if: ${{ inputs.run-tests }}
         working-directory: ./${{ inputs.project-directory }}
         timeout-minutes: 30
-        run: |
-            go install gotest.tools/gotestsum@latest
-            make test-unit
+        run: make test-unit
 
       - name: Upload SonarCloud files
         if: ${{ github.ref_name == 'main' && github.repository_owner == 'testcontainers' && inputs.run-tests && !inputs.rootless-docker }}
-        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
         with:
           name: sonarcloud
           path: |

.github/workflows/ci-windows-trigger.yml

@@ -4,13 +4,18 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   windows-test-command-trigger:
+    permissions:
+      pull-requests: write  # for peter-evans/slash-command-dispatch to create PR reaction
     runs-on: ubuntu-22.04
 
     steps:
       - name: Trigger windows-test command
-        uses: peter-evans/slash-command-dispatch@v3
+        uses: peter-evans/slash-command-dispatch@f996d7b7aae9059759ac55e978cff76d91853301 # v3.0.2
         with:
           token: ${{ secrets.WINDOWS_WORKERS_TOKEN }}
           # The command to trigger the pipeline: e.g. /windows-test

.github/workflows/ci-windows.yml

@@ -13,7 +13,7 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Create pending status
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -27,7 +27,7 @@ jobs:
             })
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           repository: ${{ github.event.client_payload.pull_request.head.repo.full_name }}
@@ -50,12 +50,10 @@ jobs:
 
       - name: go test
         timeout-minutes: 30
-        run: |
-          go install gotest.tools/gotestsum@latest
-          gotestsum --format short-verbose --rerun-fails=5 --packages="./..."  --junitfile TEST-unit.xml -- -timeout=30m
+        run: make test-unit
 
       - name: Create success status
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         if: success()
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
@@ -70,7 +68,7 @@ jobs:
             })
 
       - name: Create failure status
-        uses: actions/github-script@v7.0.1
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         if: failure()
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}

.github/workflows/ci.yml

@@ -138,22 +138,25 @@ jobs:
       ryuk-disabled: false
 
   sonarcloud:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for sonarsource/sonarcloud-github-action to determine which PR to decorate
     if: ${{ github.ref_name == 'main' && github.repository_owner == 'testcontainers' }}
     needs: test-examples
     runs-on: ubuntu-latest 
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           # Disabling shallow clone is recommended for improving relevancy of reporting
           fetch-depth: 0
 
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: sonarcloud
 
       - name: Analyze with SonarCloud
-        uses: sonarsource/sonarcloud-github-action@master
+        uses: sonarsource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/codeql.yml

@@ -20,6 +20,9 @@ on:
   schedule:
     - cron: '40 6 * * 5'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/release-drafter.yml

@@ -6,8 +6,14 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   update_release_draft:
+    permissions:
+      contents: write  # for release-drafter/release-drafter to create a github release
+      pull-requests: write  # for release-drafter/release-drafter to add label to PR
     runs-on: ubuntu-latest
     steps:
       - uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5.19.0

.github/workflows/scorecards.yml

@@ -43,7 +43,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: SARIF file
           path: results.sarif

.golangci.yml

@@ -6,6 +6,7 @@ linters:
     - gofumpt
     - misspell
     - nonamedreturns
+    - testifylint
 
 linters-settings:
   errorlint:
@@ -23,5 +24,20 @@ linters-settings:
       - standard
       - default
       - prefix(github.com/testcontainers)
+  testifylint:
+    disable:
+      - compares
+      - float-compare
+      - go-require
+    enable:
+      - bool-compare
+      - empty
+      - error-is-as
+      - error-nil
+      - expected-actual
+      - len
+      - require-error
+      - suite-dont-use-pkg
+      - suite-extra-assert-call
 run:
   timeout: 5m

commons-test.mk

@@ -1,16 +1,35 @@
 ROOT_DIR:=$(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
+GOBIN= $(GOPATH)/bin
+
+define go_install
+    go install $(1)
+endef
+
+$(GOBIN)/golangci-lint:
+	$(call go_install,github.com/golangci/golangci-lint/cmd/golangci-lint@v1.55.2)
+
+$(GOBIN)/gotestsum:
+	$(call go_install,gotest.tools/gotestsum@latest)
+
+.PHONY: install
+install: $(GOBIN)/golangci-lint $(GOBIN)/gotestsum
+
+.PHONY: clean
+clean:
+	rm $(GOBIN)/golangci-lint
+	rm $(GOBIN)/gotestsum
 
 .PHONY: dependencies-scan
 dependencies-scan:
 	@echo ">> Scanning dependencies in $(CURDIR)..."
 	go list -json -m all | docker run --rm -i sonatypecommunity/nancy:latest sleuth --skip-update-check
 
 .PHONY: lint
-lint:
+lint: $(GOBIN)/golangci-lint
 	golangci-lint run --out-format=github-actions --path-prefix=. --verbose -c $(ROOT_DIR)/.golangci.yml --fix
 
 .PHONY: test-%
-test-%:
+test-%: $(GOBIN)/gotestsum
 	@echo "Running $* tests..."
 	gotestsum \
 		--format short-verbose \
@@ -26,8 +45,7 @@ tools:
 	go mod download
 
 .PHONY: test-tools
-test-tools:
-	go install gotest.tools/gotestsum@latest
+test-tools: $(GOBIN)/gotestsum
 
 .PHONY: tools-tidy
 tools-tidy:

docker_auth_test.go

@@ -29,14 +29,14 @@ func TestGetDockerConfig(t *testing.T) {
 	// Verify that the default docker config file exists before any test in this suite runs.
 	// Then, we can safely run the tests that rely on it.
 	defaultCfg, err := dockercfg.LoadDefaultConfig()
-	require.Nil(t, err)
+	require.NoError(t, err)
 	require.NotEmpty(t, defaultCfg)
 
 	t.Run("without DOCKER_CONFIG env var retrieves default", func(t *testing.T) {
 		t.Setenv("DOCKER_CONFIG", "")
 
 		cfg, err := getDockerConfig()
-		require.Nil(t, err)
+		require.NoError(t, err)
 		require.NotEmpty(t, cfg)
 
 		assert.Equal(t, defaultCfg, cfg)
@@ -46,18 +46,18 @@ func TestGetDockerConfig(t *testing.T) {
 		t.Setenv("DOCKER_CONFIG", filepath.Join(testDockerConfigDirPath, "non-existing"))
 
 		cfg, err := getDockerConfig()
-		require.NotNil(t, err)
+		require.Error(t, err)
 		require.Empty(t, cfg)
 	})
 
 	t.Run("with DOCKER_CONFIG env var", func(t *testing.T) {
 		t.Setenv("DOCKER_CONFIG", testDockerConfigDirPath)
 
 		cfg, err := getDockerConfig()
-		require.Nil(t, err)
+		require.NoError(t, err)
 		require.NotEmpty(t, cfg)
 
-		assert.Equal(t, 3, len(cfg.AuthConfigs))
+		assert.Len(t, cfg.AuthConfigs, 3)
 
 		authCfgs := cfg.AuthConfigs
 
@@ -82,10 +82,10 @@ func TestGetDockerConfig(t *testing.T) {
 		t.Setenv("DOCKER_CONFIG", testDockerConfigDirPath)
 
 		cfg, err := getDockerConfig()
-		require.Nil(t, err)
+		require.NoError(t, err)
 		require.NotEmpty(t, cfg)
 
-		assert.Equal(t, 1, len(cfg.AuthConfigs))
+		assert.Len(t, cfg.AuthConfigs, 1)
 
 		authCfgs := cfg.AuthConfigs
 
@@ -108,7 +108,7 @@ func TestGetDockerConfig(t *testing.T) {
 		}`)
 
 		registry, cfg, err := DockerImageAuth(context.Background(), exampleAuth+"/my/image:latest")
-		require.Nil(t, err)
+		require.NoError(t, err)
 		require.NotEmpty(t, cfg)
 
 		assert.Equal(t, exampleAuth, registry)
@@ -130,7 +130,7 @@ func TestGetDockerConfig(t *testing.T) {
 		}`)
 
 		registry, cfg, err := DockerImageAuth(context.Background(), imageReg+imagePath)
-		require.Nil(t, err)
+		require.NoError(t, err)
 		require.NotEmpty(t, cfg)
 
 		assert.Equal(t, imageReg, registry)
@@ -277,14 +277,14 @@ func TestCreateContainerFromPrivateRegistry(t *testing.T) {
 		ContainerRequest: req,
 		Started:          true,
 	})
-	require.Nil(t, err)
+	require.NoError(t, err)
 	terminateContainerOnEnd(t, ctx, redisContainer)
 }
 
 func prepareLocalRegistryWithAuth(t *testing.T) {
 	ctx := context.Background()
 	wd, err := os.Getwd()
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	// copyDirectoryToContainer {
 	req := ContainerRequest{
 		Image:        "registry:2",
@@ -316,13 +316,13 @@ func prepareLocalRegistryWithAuth(t *testing.T) {
 	}
 
 	registryC, err := GenericContainer(ctx, genContainerReq)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 
 	t.Cleanup(func() {
 		removeImageFromLocalCache(t, "localhost:5001/redis:5.0-alpine")
 	})
 	t.Cleanup(func() {
-		assert.NoError(t, registryC.Terminate(context.Background()))
+		require.NoError(t, registryC.Terminate(context.Background()))
 	})
 
 	_, cancel := context.WithCancel(context.Background())