Fix linter pre-submit (#333)

* Update perms to make reviewdog work * Add test files * Fix sha for shfmt action * Rename linter pre-submit file * run golangci-lint manually * Fix workflows * Reduce permissions * fix lint workflow * fix lint workflow * use sha for setup-go * Add shellcheck job * run yamllint manually * add runs-on * fix untarring githubci-lint * fix untarring githubci-lint * output github actions commands * remove uncessary code * Remove test files * code cleanup * Add golangci-lint checksum check * Actually untar golangci-lint * add debug * Restore correct hash * Checksum the right file * fix dir * Remove unused ldflags * Disable linters generating issues for now * Disable stylecheck for now * Fix trailing spaces * Exit with positive error codes * Update references to reusable actions. * Add Makefile to make running linters easier * remove trailing whitespace * Fix formatting options for yamllint * Fix yamllint issues * Fix tag comments * Add docs on local development. * Update comment * Linters ignore vendor directory * Fix whitespace
slsa-framework · Jul 22, 2022 · 1a55da8 · 1a55da8
1 parent e49ee2a
commit 1a55da8
Show file tree

Hide file tree

Showing 16 changed files with 264 additions and 64 deletions.
diff --git a/.github/actions/compute-sha256/action.yml b/.github/actions/compute-sha256/action.yml
@@ -27,5 +27,5 @@ runs:
         fi
         digest=$(sha256sum "$UNTRUSTED_PATH" | awk '{print $1}')
         echo "computed sha: $digest"
-        
+
         echo "::set-output name=sha256::$digest"
diff --git a/.github/actions/generate-builder/action.yml b/.github/actions/generate-builder/action.yml
@@ -44,15 +44,15 @@ runs:
       shell: bash
       env:
         # Builder.
-        BUILDER_REPOSITORY: slsa-framework/slsa-github-generator  # The repository to download the pre-built builder binary from.
-        BUILDER_RELEASE_BINARY: "${{ inputs.binary }}"            # The name of the pre-built binary in the release assets. This is also used as the final binary name when compiling the builder from source.
+        BUILDER_REPOSITORY: slsa-framework/slsa-github-generator # The repository to download the pre-built builder binary from.
+        BUILDER_RELEASE_BINARY: "${{ inputs.binary }}" # The name of the pre-built binary in the release assets. This is also used as the final binary name when compiling the builder from source.
         # Verifier
         # NOTE: These VERIFIER_* variables are used in the builder-fetch.sh script for verification of builder
         # release binaries when the compile-builder input is false.
-        VERIFIER_REPOSITORY: slsa-framework/slsa-verifier         # The repository to download the pre-built verifier binary from.
-        VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64        # The name of the verifier binary in the release assets.
-        VERIFIER_RELEASE_BINARY_SHA256: f92fc4e571949c796d7709bb3f0814a733124b0155e484fad095b5ca68b4cb21  # The expected hash of the verifier binary.
-        VERIFIER_RELEASE: v1.1.1                                   # The version of the verifier to download.
+        VERIFIER_REPOSITORY: slsa-framework/slsa-verifier # The repository to download the pre-built verifier binary from.
+        VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64 # The name of the verifier binary in the release assets.
+        VERIFIER_RELEASE_BINARY_SHA256: f92fc4e571949c796d7709bb3f0814a733124b0155e484fad095b5ca68b4cb21 # The expected hash of the verifier binary.
+        VERIFIER_RELEASE: v1.1.1 # The version of the verifier to download.
 
         COMPILE_BUILDER: "${{ inputs.compile-builder }}"
         BUILDER_REF: "${{ inputs.ref }}"

diff --git a/.github/actions/rng/action.yml b/.github/actions/rng/action.yml
@@ -29,4 +29,3 @@ runs:
         # -c: the number of bytes displayed per column
         value=$(xxd -p -l "$LENGTH" -c "$LENGTH" /dev/urandom)
         echo "::set-output name=result::$value"
-
diff --git a/.github/actions/secure-download-artifact/action.yml b/.github/actions/secure-download-artifact/action.yml
@@ -22,7 +22,6 @@ runs:
       env:
         UNTRUSTED_PATH: "${{ inputs.path }}"
       run: |
-      
         set -euo pipefail
 
         if [ -e "$UNTRUSTED_PATH" ]; then
@@ -49,14 +48,13 @@ runs:
         SET_EXECUTABLE: "${{ inputs.set-executable }}"
       shell: bash
       run: |
-      
         set -euo pipefail
 
         if ! [[ -f "$UNTRUSTED_PATH" ]]; then
             echo "File $UNTRUSTED_PATH not present"
             exit 5
         fi
-            
+
         echo "expected hash is $UNTRUSTED_EXPECTED_HASH"
         echo "computed hash is $UNTRUSTED_COMPUTED_HASH"
         if [[ "$UNTRUSTED_COMPUTED_HASH" != "$UNTRUSTED_EXPECTED_HASH" ]]; then
@@ -68,4 +66,3 @@ runs:
             echo "Setting $UNTRUSTED_PATH as executable"
             chmod u+x "$UNTRUSTED_PATH"
         fi
-
diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml
@@ -21,8 +21,8 @@ env:
   # Project.
   GENERATED_BINARY_NAME: go-compiled-binary
   # Builder.
-  BUILDER_BINARY: slsa-builder-go-linux-amd64         # Name of the binary in the release assets.
-  BUILDER_DIR: internal/builders/go                   # Source directory if we compile the builder.
+  BUILDER_BINARY: slsa-builder-go-linux-amd64 # Name of the binary in the release assets.
+  BUILDER_DIR: internal/builders/go # Source directory if we compile the builder.
 
 ###################################################################
 #                                                                 #

diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml
@@ -19,8 +19,8 @@ permissions:
 
 env:
   # Generator
-  BUILDER_BINARY: slsa-generator-generic-linux-amd64  # Name of the binary in the release assets.
-  BUILDER_DIR: internal/builders/generic              # Source directory if we compile the builder.
+  BUILDER_BINARY: slsa-generator-generic-linux-amd64 # Name of the binary in the release assets.
+  BUILDER_DIR: internal/builders/generic # Source directory if we compile the builder.
 
 on:
   workflow_call:
@@ -36,7 +36,7 @@ on:
         default: false
       attestation-name:
         description: >
-          The artifact name of the signed provenance. 
+          The artifact name of the signed provenance.
           The file must have the intoto.jsonl extension.
 
           Default: attestation.intoto.jsonl

diff --git a/.github/workflows/pre-submit.lint.yml b/.github/workflows/pre-submit.lint.yml
@@ -0,0 +1,64 @@
+name: Lint
+
+on: [pull_request]
+
+permissions:
+  # Needed to check out the repo.
+  contents: read
+
+jobs:
+  golangci-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+      - uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # tag=v3.2.0
+        with:
+          go-version: "1.18"
+      - env:
+          GOLANGCI_LINT_VERSION: "1.46.2"
+          GOLANGCI_LINT_CHECKSUM: "242cd4f2d6ac0556e315192e8555784d13da5d1874e51304711570769c4f2b9b"
+        run: |
+          set -euo pipefail
+
+          #Install golangci-lint
+          curl -sSLo golangci-lint.tar.gz "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz"
+          echo "golangci-lint checksum is $(sha256sum golangci-lint.tar.gz | awk '{ print $1 }')"
+          echo "expected checksum is $GOLANGCI_LINT_CHECKSUM"
+          echo "$GOLANGCI_LINT_CHECKSUM golangci-lint.tar.gz" | sha256sum --strict --check --status || exit -2
+          tar xf golangci-lint.tar.gz
+          mv golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint /usr/local/bin
+
+          # Run golangci-lint
+          make golangci-lint
+
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+      - env:
+          SHELLCHECK_VERSION: "0.8.0"
+        run: |
+          set -euo pipefail
+
+          # Install shellcheck
+          wget -qO- "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" | tar -xJf -
+          mv "shellcheck-v$SHELLCHECK_VERSION/shellcheck" /usr/local/bin
+
+          # Run shellcheck and output github actions commands.
+          # See: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions
+          make shellcheck
+
+  yamllint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+      - env:
+          YAMLLINT_VERSION: "1.26.3"
+        run: |
+          set -euo pipefail
+
+          # Install yamllint
+          pip install "yamllint==${YAMLLINT_VERSION}"
+
+          # Run yamllint
+          make yamllint
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -35,4 +35,3 @@ jobs:
       go-version: 1.18
       config-file: .github/workflows/configs-go/config-release.yml
       compile-builder: true
-
diff --git a/.golangci.yml b/.golangci.yml
@@ -3,12 +3,12 @@ run:
   concurrency: 2
   deadline: 5m
 issues:
-  include:
-    # revive `package-comments` and `exported` rules.
-    - EXC0012
-    - EXC0013
-    - EXC0014
-    - EXC0015
+  # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): revive `package-comments` and `exported` rules.
+  # include:
+  #   - EXC0012
+  #   - EXC0013
+  #   - EXC0014
+  #   - EXC0015
   # Maximum issues count per one linter.
   # Set to 0 to disable.
   # Default: 50
@@ -27,47 +27,62 @@ linters:
     - deadcode
     - depguard
     - dogsled
-    - errcheck
-    - errorlint
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable errcheck
+    # - errcheck
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable errorlint
+    # - errorlint
     - exhaustive
-    - exportloopref
-    - gci
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable exportloopref
+    # - exportloopref
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable gci
+    # - gci
     - gochecknoinits
     - gocognit
     - goconst
-    - gocritic
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable gocritic
+    # - gocritic
     - gocyclo
     - godot
-    - godox
-    - goerr113
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable godox
+    # - godox
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable goerr113
+    # - goerr113
     - gofmt
     - gofumpt
     - goheader
     - goimports
     - gomodguard
     - goprintffuncname
-    - gosec
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable gosec
+    # - gosec
     - gosimple
-    - govet
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable govet
+    # - govet
     - ineffassign
-    - lll
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable lll
+    # - lll
     - makezero
     - misspell
     - nakedret
-    - nestif
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable nestif
+    # - nestif
     - nolintlint
-    - paralleltest
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable paralleltest
+    # - paralleltest
     - predeclared
     - revive
     - staticcheck
-    - stylecheck
-    - thelper
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable stylecheck
+    # - stylecheck
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable thelper
+    # - thelper
     - typecheck
     - unconvert
     - unused
     - varcheck
     - whitespace
-    - wrapcheck
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable thelper
+    # - wrapcheck
 linters-settings:
   errcheck:
     check-type-assertions: true

diff --git a/.yamllint.yaml b/.yamllint.yaml
@@ -1,6 +1,10 @@
 ---
 extends: default
 
+ignore: |
+  node_modules/
+  vendor/
+
 rules:
   comments:
     # prettier formats comments one space from content

diff --git a/Makefile b/Makefile
@@ -0,0 +1,82 @@
+SHELL := /bin/bash
+OUTPUT_FORMAT = $(shell if [ "${GITHUB_ACTIONS}" == "true" ]; then echo "github"; else echo ""; fi)
+
+.PHONY: help
+help: ## Shows all targets and help from the Makefile (this message).
+	@echo "slsa-github-generator Makefile"
+	@echo "Usage: make [COMMAND]"
+	@echo ""
+	@grep --no-filename -E '^([/a-z.A-Z0-9_%-]+:.*?|)##' $(MAKEFILE_LIST) | \
+		awk 'BEGIN {FS = "(:.*?|)## ?"}; { \
+			if (length($$1) > 0) { \
+				printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2; \
+			} else { \
+				if (length($$2) > 0) { \
+					printf "%s\n", $$2; \
+				} \
+			} \
+		}'
+
+## Testing
+#####################################################################
+
+unit-test: ## Runs all unit tests.
+	# Run unit tests for the detect-workflow action.
+	cd .github/actions/detect-workflow
+	go mod vendor
+	go test -mod=vendor -v ./...
+	# Run unit tests for the main package.
+	cd -
+	go mod vendor
+	go test -mod=vendor -v ./...
+
+
+## Linters
+#####################################################################
+
+lint: ## Run all linters.
+lint: golangci-lint shellcheck yamllint
+
+golangci-lint: ## Runs the golangci-lint linter.
+	@set -e;\
+		extraargs=""; \
+		if [ "$(OUTPUT_FORMAT)" == "github" ]; then \
+			extraargs="--out-format github-actions"; \
+		fi; \
+		golangci-lint run -c .golangci.yml ./... $$extraargs
+
+shellcheck: ## Runs the shellcheck linter.
+	@set -e;\
+		FILES=$$(find . -type f -not -iwholename '*/.git/*' -not -iwholename '*/vendor/*' -not -iwholename '*/node_modules/*' -exec bash -c 'file "$$1" | cut -d':' -f2 | grep --quiet shell' _ {} \; -print); \
+		if [ "$(OUTPUT_FORMAT)" == "github" ]; then \
+			echo -n $$FILES | xargs shellcheck -f json --external-sources | jq -c '.[]' | while IFS="" read -r p || [ -n "$$p" ]; do \
+				LEVEL=$$(echo "$$p" | jq -c '.level // empty' | tr -d '"'); \
+				FILE=$$(echo "$$p" | jq -c '.file // empty' | tr -d '"'); \
+				LINE=$$(echo "$$p" | jq -c '.line // empty' | tr -d '"'); \
+				ENDLINE=$$(echo "$$p" | jq -c '.endLine // empty' | tr -d '"'); \
+				COL=$$(echo "$$p" | jq -c '.column // empty' | tr -d '"'); \
+				ENDCOL=$$(echo "$$p" | jq -c '.endColumn // empty' | tr -d '"'); \
+				MESSAGE=$$(echo "$$p" | jq -c '.message // empty' | tr -d '"'); \
+				case $$LEVEL in \
+				"info") \
+					echo "::notice file=$${FILE},line=$${LINE},endLine=$${ENDLINE},col=$${COL},endColumn=$${ENDCOL}::$${MESSAGE}"; \
+					;; \
+				"warning") \
+					echo "::warning file=$${FILE},line=$${LINE},endLine=$${ENDLINE},col=$${COL},endColumn=$${ENDCOL}::$${MESSAGE}"; \
+					;; \
+				"error") \
+					echo "::error file=$${FILE},line=$${LINE},endLine=$${ENDLINE},col=$${COL},endColumn=$${ENDCOL}::$${MESSAGE}"; \
+					;; \
+				esac; \
+			done; \
+		else \
+			echo -n $$FILES | xargs shellcheck --external-sources; \
+		fi
+
+yamllint: ## Runs the yamllint linter.
+	@set -e;\
+		extraargs=""; \
+		if [ "$(OUTPUT_FORMAT)" == "github" ]; then \
+			extraargs="-f github"; \
+		fi; \
+		yamllint -c .yamllint.yaml . $$extraargs
Original file line number	Diff line number	Diff line change
Expand Up		@@ -29,4 +29,3 @@ runs:
		# -c: the number of bytes displayed per column
		value=$(xxd -p -l "$LENGTH" -c "$LENGTH" /dev/urandom)
		echo "::set-output name=result::$value"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -35,4 +35,3 @@ jobs:
		go-version: 1.18
		config-file: .github/workflows/configs-go/config-release.yml
		compile-builder: true