Merge pull request #23 from scribe-security/upstream_scribe_main

Upstream scribe main
scribe-security · Feb 18, 2024 · 71f4321 · 71f4321
2 parents 2f2e89d + 875ac77
commit 71f4321
Show file tree

Hide file tree

Showing 902 changed files with 48,601 additions and 7,839 deletions.
diff --git a/.binny.yaml b/.binny.yaml
@@ -1,74 +1,93 @@
 tools:
+  # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
   - name: binny
     version:
-      want: v0.6.2
+      want: v0.6.3
     method: github-release
     with:
       repo: anchore/binny
 
+  # used to produce SBOMs during release
+  - name: syft
+    version:
+      want: latest
+    method: github-release
+    with:
+      repo: anchore/syft
+
+  # used to sign mac binaries at release
   - name: quill
     version:
       want: v0.4.1
     method: github-release
     with:
       repo: anchore/quill
 
+  # used for linting
   - name: golangci-lint
     version:
-      want: v1.55.2
+      want: v1.56.1
     method: github-release
     with:
       repo: golangci/golangci-lint
 
+  # used for showing the changelog at release
   - name: glow
     version:
       want: v1.5.1
     method: github-release
     with:
       repo: charmbracelet/glow
 
+  # used for signing the checksums file at release
   - name: cosign
     version:
-      want: v2.2.1
+      want: v2.2.3
     method: github-release
     with:
       repo: sigstore/cosign
 
+  # used in integration tests to verify JSON schemas
   - name: yajsv
     version:
       want: v1.4.1
     method: github-release
     with:
       repo: neilpa/yajsv
 
+  # used to release all artifacts
   - name: goreleaser
     version:
-      want: v1.22.1
+      want: v1.24.0
     method: github-release
     with:
       repo: goreleaser/goreleaser
 
+  # used for organizing imports during static analysis
   - name: gosimports
     version:
       want: v0.3.8
     method: github-release
     with:
       repo: rinchsan/gosimports
 
+  # used at release to generate the changelog
   - name: chronicle
     version:
       want: v0.8.0
     method: github-release
     with:
       repo: anchore/chronicle
 
+  # used during static analysis for license compliance
   - name: bouncer
     version:
       want: v0.4.0
     method: github-release
     with:
       repo: wagoodman/go-bouncer
 
+  # used for showing benchmark testing
   - name: benchstat
     version:
       want: latest
@@ -81,16 +100,18 @@ tools:
       entrypoint: cmd/benchstat
       module: golang.org/x/perf
 
+  # used for running all local and CI tasks
   - name: task
     version:
-      want: v3.31.0
+      want: v3.34.1
     method: github-release
     with:
       repo: go-task/task
 
+  # used for triggering a release
   - name: gh
     version:
-      want: v2.39.1
+      want: v2.43.1
     method: github-release
     with:
       repo: cli/cli
diff --git a/.chronicle.yaml b/.chronicle.yaml
@@ -1,2 +1,78 @@
 enforce-v0: true # don't make breaking-change label bump major version before 1.0.
-title: ""
+title: ""
+
+github:
+  host: github.com
+  include-issue-pr-authors: true
+  include-issue-prs: true
+  include-issues-not-planned: false
+  include-prs: true
+  include-issues: true
+  include-unlabeled-issues: true
+  include-unlabeled-prs: true
+  issues-require-linked-prs: false
+  consider-pr-merge-commits: true
+
+  exclude-labels:
+    - duplicate
+    - question
+    - invalid
+    - wontfix
+    - wont-fix
+    - release-ignore
+    - changelog-ignore
+    - ignore
+
+  changes:
+
+    - name: security-fixes
+      title: Security Fixes
+      semver-field: patch
+      labels:
+        - security
+        - vulnerability
+
+    - name: added-feature
+      title: Added Features
+      semver-field: minor
+      labels:
+        - enhancement
+        - feature
+        - minor
+
+    - name: bug-fix
+      title: Bug Fixes
+      semver-field: patch
+      labels:
+        - bug
+        - fix
+        - bug-fix
+        - patch
+
+    - name: breaking-feature
+      title: Breaking Changes
+      semver-field: major
+      labels:
+        - breaking
+        - backwards-incompatible
+        - breaking-change
+        - breaking-feature
+        - major
+        - detected-breaking-change
+
+    - name: removed-feature
+      title: Removed Features
+      semver-field: major
+      labels:
+        - removed
+
+    - name: deprecated-feature
+      title: Deprecated Features
+      semver-field: minor
+      labels:
+        - deprecated
+
+    - name: unknown
+      title: Additional Changes
+      semver-field: ""
+      labels: []
diff --git a/.github/scripts/check_binary_fixture_size.sh b/.github/scripts/check_binary_fixture_size.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# current limit for fixture size
+size=1000
+
+if [ $# -eq 0 ]; then
+  echo "Usage: $0 <directory>"
+  exit 1
+fi
+
+directory="$1"
+
+# Remove trailing slash using parameter expansion
+directory="${directory%/}"
+
+if [ ! -d "$directory" ]; then
+  echo "Directory not found: $directory"
+  exit 1
+fi
+
+found_large_files=0
+while IFS= read -r -d '' file; do
+  if [ $(wc -c < "$file") -gt $size ]; then
+    echo "File $file is greater than ${size} bytes."
+    found_large_files=1
+  fi
+done < <(find "$directory" -type f -print0)
+
+if [ "$found_large_files" -eq 1 ]; then
+  echo "Script failed: Some files are greater than ${size} bytes."
+  exit 1
+else
+  echo "All files in $directory and its subdirectories are ${size} bytes or smaller. Check passed."
+  exit 0
+fi
+
diff --git a/.github/scripts/labeler.py b/.github/scripts/labeler.py
@@ -8,6 +8,12 @@
 
 DRY_RUN = False
 
+JSON_SCHEMA_LABEL = "json-schema"
+
+# note: we can't use "breaking-change" as the label since that might be applied manually by a user. This is a
+# distinct label that we can use to indicate that the label was applied (or removed) by automation.
+BREAKING_CHANGE_LABEL = "detected-breaking-change"
+
 
 def main(changed_files: str | None = None, merge_base_schema_files: str | None = None):
     global DRY_RUN
@@ -67,17 +73,18 @@ def main(changed_files: str | None = None, merge_base_schema_files: str | None =
     # if there is a new or modified schema, we should add the "json-schema" label to the PR...
     if new_schema_files or removed_or_modified_schema_files:
         print("\nAdding json-schema label...")
-        add_label(pr_number, "json-schema")
+        add_label(pr_number, JSON_SCHEMA_LABEL)
+
     else:
-        remove_label(pr_number, "json-schema")
+        remove_label(pr_number, JSON_SCHEMA_LABEL)
 
     # new schema files should be scrutinized, comparing the latest and added versions to see if it's a breaking
     # change (major version bump). Warn about it on the PR via adding a breaking-change label...
     if is_breaking_change(new_schema_files, og_json_schema_files[-1]):
         print("\nBreaking change detected...")
-        add_label(pr_number, "breaking-change")
+        add_label(pr_number, BREAKING_CHANGE_LABEL)
     else:
-        remove_label(pr_number, "breaking-change")
+        remove_label(pr_number, BREAKING_CHANGE_LABEL)
 
     # modifying an existing schema could be a breaking change, we should warn about it on the PR via a comment...
     # removing schema files should never be allowed, we should warn about it on the PR via a comment...
@@ -169,7 +176,8 @@ def filter_to_schema_files(list_of_files: list[str]) -> list[str]:
 
 def list_json_schema_files() -> list[str]:
     # list files in "schema/json" directory matching the pattern of "schema-*.json"
-    return sort_json_schema_files(list(glob.glob("schema/json/schema-*.json")))
+    # special case: always ignore the "latest" schema file
+    return sort_json_schema_files([f for f in glob.glob("schema/json/schema-*.json") if "latest" not in f])
 
 
 def run(command: str,  **kwargs) -> subprocess.CompletedProcess:
@@ -190,7 +198,7 @@ def sort_json_schema_files(files: list[str]) -> list[str]:
     # so that "schema/json/schema-1.2.1.json" comes before "schema/json/schema-1.12.1.json".
     versions = [get_semver(file) for file in files if file]
 
-    versions = sorted(versions, key=lambda s: [int(u) for u in s.split('.')])
+    versions = sorted(versions, key=lambda s: [int(u) for u in s.split('.') if "." in s])
 
     return [f"schema/json/schema-{version}.json" for version in versions]
 

diff --git a/.github/scripts/labeler_test.py b/.github/scripts/labeler_test.py
@@ -60,6 +60,11 @@ def test_sort_json_schema_files(self):
         expected_sorted_files = ["schema/json/schema-1.2.1.json", "schema/json/schema-1.12.1.json"]
         self.assertEqual(labeler.sort_json_schema_files(files), expected_sorted_files)
 
+        # ensure that "latest" doesn't cause a problem and is ultimately ignored
+        files = ["schema/json/schema-1.12.1.json", "schema/json/schema-_bogus.json"]
+        expected_sorted_files = ["schema/json/schema-_bogus.json", "schema/json/schema-1.12.1.json"]
+        self.assertEqual(labeler.sort_json_schema_files(files), expected_sorted_files)
+
 
 if __name__ == "__main__":
     unittest.main()
diff --git a/.github/workflows/benchmark-testing.yaml b/.github/workflows/benchmark-testing.yaml
@@ -23,7 +23,7 @@ jobs:
         uses: ./.github/actions/bootstrap
 
       - name: Restore base benchmark result
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
+        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 #v4.0.0
         with:
           path: test/results/benchmark-main.txt
           # use base sha for PR or new commit hash for main push in benchmark result key
@@ -39,13 +39,13 @@ jobs:
           OUTPUT="${OUTPUT//$'\r'/'%0D'}" # URL encode all '\r' characters
           echo "result=$OUTPUT" >> $GITHUB_OUTPUT
 
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: benchmark-test-results
           path: test/results/**/*
 
       - name: Update PR benchmark results comment
-        uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd #v2.8.0
+        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 #v2.9.0
         continue-on-error: true
         with:
           header: benchmark

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -20,7 +20,7 @@ permissions:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04-4core-16gb
 
     permissions:
       security-events: write
@@ -39,13 +39,13 @@ jobs:
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
 
     - name: Install Go
-      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0
+      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 #v5.0.0
       with:
         go-version-file: go.mod
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 #v2.22.8
+      uses: github/codeql-action/init@379614612a29c9e28f31f39a59013eb8012a51f0 #v3.24.3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@407ffafae6a767df3e0230c3df91b6443ae8df75 #v2.22.8
+      uses: github/codeql-action/autobuild@379614612a29c9e28f31f39a59013eb8012a51f0 #v3.24.3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -70,4 +70,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 #v2.22.8
+      uses: github/codeql-action/analyze@379614612a29c9e28f31f39a59013eb8012a51f0 #v3.24.3
diff --git a/.github/workflows/dependabot-automation.yaml b/.github/workflows/dependabot-automation.yaml
@@ -0,0 +1,10 @@
+name: Dependabot Automation
+on:
+  pull_request:
+
+permissions:
+  pull-requests: write
+
+jobs:
+  run:
+    uses: anchore/workflows/.github/workflows/dependabot-automation.yaml@main
diff --git a/.github/workflows/labeler.yaml → .github/workflows/detect-schema-changes.yaml b/.github/workflows/labeler.yaml → .github/workflows/detect-schema-changes.yaml
@@ -40,15 +40,15 @@ jobs:
 
       - name: Delete existing comment
         if: ${{ hashFiles( env.CI_COMMENT_FILE ) == '' }}
-        uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd #v2.8.0
+        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 #v2.9.0
         with:
           header: ${{ env.COMMENT_HEADER }}
           hide: true
           hide_classify: "OUTDATED"
 
       - name: Add comment
         if: ${{ hashFiles( env.CI_COMMENT_FILE ) != '' }}
-        uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd #v2.8.0
+        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 #v2.9.0
         with:
           header: ${{ env.COMMENT_HEADER }}
           path: ${{ env.CI_COMMENT_FILE }}