From bf0339898697e278136fd1277f80f7e433a829f9 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Wed, 13 Mar 2024 13:20:32 +0800 Subject: [PATCH 01/10] chore: update lint workflow --- .../commitlint.config.js | 0 .github/workflows/lint.yaml | 49 ++++++++++++------- 2 files changed, 30 insertions(+), 19 deletions(-) rename commitlint.config.js => .github/commitlint.config.js (100%) diff --git a/commitlint.config.js b/.github/commitlint.config.js similarity index 100% rename from commitlint.config.js rename to .github/commitlint.config.js diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 457c055..ad483e4 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
@@ -1,29 +1,40 @@ -name: Lint -on: pull_request +name: lint +on: + pull_request: + branches: + - main +permissions: {} jobs: - golangci-lint: - name: lint + lint-go: + permissions: + contents: read runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Install Go - uses: actions/setup-go@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: stable - - name: golangci-lint - uses: golangci/golangci-lint-action@v3 + - uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0 with: - args: --timeout=180s - # temporarily pin the linter version until - # https://github.com/golangci/golangci-lint/issues/3862 is fixed - version: v1.52.2 - commitlint: + args: --timeout=180s --enable gocritic + lint-commits: + permissions: + contents: read + pull-requests: read runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - - name: Lint commit messages - uses: wagoid/commitlint-github-action@v5 + - uses: wagoid/commitlint-github-action@5ce82f5d814d4010519d15f0552aec4f17a1e1fe # v5.4.5 + with: + configFile: .github/commitlint.config.js + lint-actions: + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: docker://rhysd/actionlint:latest@sha256:2eb91a78b5a19140be099c7b4262d298c2567f2a9f27e10ed2a4323c5bcface8 + with: + args: -color From 0b81278f10cfd8b288d91a52d5b1ebde7fa9ddbf Mon Sep 17 00:00:00 2001 
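Review bot: The golangci-lint step drops the explicit `version:` the old workflow carried, so although `golangci-lint-action` itself is now SHA-pinned, the linter binary it downloads is resolved to the newest golangci-lint release at run time and results for an unchanged commit can flip whenever a release adds or tightens checks. Restore a pin such as `version: v1.56.2` (or whichever release the team standardises on) and bump it deliberately alongside the action SHA. The actionlint `docker://rhysd/actionlint:latest@sha256:…` reference is effectively digest-pinned, which is fine, but unlike every other pin in the file it has no `# vX.Y.Z` trailer, so a reviewer cannot tell which actionlint release the digest corresponds to; add one for consistency.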
From: Scott Leggett Date: Wed, 13 Mar 2024 13:24:21 +0800 Subject: [PATCH 02/10] chore: update build workflow --- .github/workflows/build.yaml | 76 +++++++--------- .github/workflows/release.yaml | 105 ++++++++--------------- .goreleaser.yaml | 75 ++++++++++++++++ .goreleaser.yml | 16 ---- Dockerfile | 6 ++ deploy/lagoon-opensearch-sync/Dockerfile | 3 - 6 files changed, 146 insertions(+), 135 deletions(-) create mode 100644 .goreleaser.yaml delete mode 100644 .goreleaser.yml create mode 100644 Dockerfile delete mode 100644 deploy/lagoon-opensearch-sync/Dockerfile diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 2b64755..01da203 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -1,68 +1,52 @@ -name: Build -on: pull_request +name: build +on: + pull_request: + branches: + - main +permissions: {} jobs: - build: + build-snapshot: + permissions: + contents: read + packages: write runs-on: ubuntu-latest + strategy: + matrix: + binary: + - lagoon-opensearch-sync steps: - - name: Checkout - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.pull_request.head.sha }} - - name: Install Go - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: stable - - name: Set up environment - run: echo "GOVERSION=$(go version)" >> $GITHUB_ENV - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v5 + - run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV" + - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: version: latest - args: build --snapshot --rm-dist - - name: Tar up binaries - # work around limitations in the upload/download artifact actions - # https://github.com/actions/download-artifact#limitations - run: tar -cvf dist.tar dist - - name: Upload binaries tar file - uses: actions/upload-artifact@v3 - with: - name: dist.tar - path: dist.tar - buildimage: - if: ${{ !startsWith(github.head_ref, 'dependabot/') }} - strategy: - matrix: - binary: - - lagoon-opensearch-sync - needs: build - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Download binaries tar file - uses: actions/download-artifact@v3 - with: - name: dist.tar - - name: Untar binaries - run: tar -xvf dist.tar + args: build --clean --debug --single-target --snapshot - name: Login to GHCR - uses: docker/login-action@v3 + if: github.actor != 'dependabot[bot]' + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Docker metadata 
- # this id is namespaced per matrix run + - name: Get Docker metadata + if: github.actor != 'dependabot[bot]' id: docker_metadata - uses: docker/metadata-action@v5 + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 with: - images: ghcr.io/${{ github.repository_owner }}/${{ matrix.binary }} + images: ghcr.io/${{ github.repository }}/${{ matrix.binary }} + - run: echo "GITHUB_REPOSITORY_NAME=$(basename ${{ github.repository }})" >> "$GITHUB_ENV" - name: Build and push ${{ matrix.binary }} container image - id: docker_build - uses: docker/build-push-action@v5 + if: github.actor != 'dependabot[bot]' + uses: docker/build-push-action@af5a7ed5ba88268d5278f7203fb52cd833f66d6e # v5.2.0 with: push: true tags: ${{ steps.docker_metadata.outputs.tags }} labels: ${{ steps.docker_metadata.outputs.labels }} - file: deploy/${{ matrix.binary }}/Dockerfile + file: Dockerfile + build-args: BINARY=${{ matrix.binary }} context: dist/${{ matrix.binary }}_linux_amd64_v1 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5ccadd1..dcdf56e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,25 +1,27 @@ -name: Release +name: release on: push: branches: - main +permissions: {} jobs: - tag: + release-tag: + permissions: + # create tag + contents: write runs-on: ubuntu-latest outputs: new-tag: ${{ steps.bump-tag.outputs.new }} new-tag-version: ${{ steps.bump-tag.outputs.new_tag_version }} steps: - - name: Checkout - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - - name: Configure Git + - name: Configure git run: | git config --global user.name "$GITHUB_ACTOR" git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" - - name: Install Go - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: stable - name: Install ccv 
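Review bot: The GHCR login, metadata and push steps are skipped only for `dependabot[bot]`, but a pull request opened from a fork also runs with a read-only `GITHUB_TOKEN` (the job's `packages: write` is not granted in that case), so `docker/login-action` and the `push: true` build will fail on every external contributor's PR. Widen the guard on those three steps to `if: github.actor != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository`. The `GITHUB_REPOSITORY_NAME` value written to `$GITHUB_ENV` is not read by any later step in this file, and the `.goreleaser.yaml` added in the same series reads `GITHUB_REPOSITORY` instead, so it looks like leftover setup that can be dropped. Finally, `version: latest` leaves GoReleaser as the one unpinned tool in an otherwise SHA-pinned workflow, and recent 1.x releases already warn that `--debug` is deprecated in favour of `--verbose`, so a floating upgrade can break this job with no change to the repository; pin an explicit release.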
@@ -29,80 +31,43 @@ jobs: - name: Bump tag if necessary id: bump-tag run: | - if [ -z $(git tag -l $(ccv)) ]; then - git tag $(ccv) + if [ -z "$(git tag -l "$(ccv)")" ]; then + git tag "$(ccv)" git push --tags - echo "::set-output name=new::true" - echo "::set-output name=new_tag_version::$(git tag --points-at HEAD)" + echo "new=true" >> "$GITHUB_OUTPUT" + echo "new_tag_version=$(git tag --points-at HEAD)" >> "$GITHUB_OUTPUT" fi - release: - needs: tag - if: needs.tag.outputs.new-tag == 'true' + release-build: + permissions: + # create release + contents: write + # push docker images to regsitry + packages: write + # use OIDC token for signing + id-token: write + needs: release-tag + if: needs.release-tag.outputs.new-tag == 'true' runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - - name: Install Go - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: stable - - name: Set up environment - run: echo "GOVERSION=$(go version)" >> $GITHUB_ENV - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v5 - with: - version: latest - args: release --rm-dist - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Tar up binaries - run: tar -cvf dist.tar dist - - name: Upload binaries tar file - uses: actions/upload-artifact@v3 - with: - name: dist.tar - path: dist.tar - releaseimage: - strategy: - matrix: - binary: - - lagoon-opensearch-sync - needs: - - tag - - release - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Download binaries tar file - uses: actions/download-artifact@v3 - with: - name: dist.tar - - name: Untar binaries - run: tar -xvf dist.tar - name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ghcr.io username: ${{ 
github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Docker metadata - # this id is namespaced per matrix run - id: docker_metadata - uses: docker/metadata-action@v5 - with: - images: ghcr.io/${{ github.repository_owner }}/${{ matrix.binary }} - tags: | - ${{ needs.tag.outputs.new-tag-version }} - latest - - name: Build and push ${{ matrix.binary }} container image - id: docker_build - uses: docker/build-push-action@v5 + - name: Set up environment + run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV" + - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 + - uses: anchore/sbom-action/download-syft@9fece9e20048ca9590af301449208b2b8861333b # v0.15.9 + - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: - push: true - tags: ${{ steps.docker_metadata.outputs.tags }} - labels: ${{ steps.docker_metadata.outputs.labels }} - file: deploy/${{ matrix.binary }}/Dockerfile - context: dist/${{ matrix.binary }}_linux_amd64_v1 + version: latest + args: release --clean + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.goreleaser.yaml b/.goreleaser.yaml new file mode 100644 index 0000000..8721c54 --- /dev/null +++ b/.goreleaser.yaml 
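Review bot: `version: latest` makes GoReleaser the only unpinned component of this signing-and-publishing job: the action, cosign and syft are all pinned, but the binary that builds the archives, runs `cosign sign-blob` under the job's OIDC identity (`id-token: write`) and pushes the images is whatever release is current when the tag lands, so a breaking or compromised GoReleaser release changes what gets signed under this workflow's identity. Pin it, e.g. `version: v1.24.0`, or at least a constraint like `version: '~> v1'` if the action version in use accepts one, and bump it with review like the other pins. Two smaller points in the same hunk: `git push --tags` in the tag job pushes every local tag rather than only the one just created, so `git push origin "$(ccv)"` is tighter; and the permissions comment reads `regsitry`.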
@@ -0,0 +1,75 @@
+builds:
+- id: lagoon-opensearch-sync
+ binary: lagoon-opensearch-sync
+ main: ./cmd/lagoon-opensearch-sync
+ ldflags:
+ - >
+ -s -w
+ -X "main.commit={{.Commit}}"
+ -X "main.date={{.Date}}"
+ -X "main.goVersion={{.Env.GOVERSION}}"
+ -X "main.projectName={{.ProjectName}}"
+ -X "main.version=v{{.Version}}"
+ env:
+ - CGO_ENABLED=0
+ goos:
+ - linux
+ - darwin
+ goarch:
+ - amd64
+ - arm64
+
+changelog:
+ use: github-native
+
+sboms:
+- artifacts: archive
+
+signs:
+- cmd: cosign
+ signature: "${artifact}.sig"
+ certificate: "${artifact}.pem"
+ args:
+ - "sign-blob"
+ - "--output-signature=${signature}"
+ - "--output-certificate=${certificate}"
+ - "${artifact}"
+ - "--yes"
+ artifacts: checksum
+
+dockers:
+- ids:
+ - lagoon-opensearch-sync
+ image_templates:
+ - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/lagoon-opensearch-sync:v{{ .Version }}-amd64"
+ use: buildx
+ build_flag_templates:
+ - "--build-arg=BINARY=lagoon-opensearch-sync"
+ - "--platform=linux/amd64"
+- ids:
+ - lagoon-opensearch-sync
+ image_templates:
+ - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/lagoon-opensearch-sync:v{{ .Version }}-arm64v8"
+ use: buildx
+ goarch: arm64
+ build_flag_templates:
+ - "--build-arg=BINARY=lagoon-opensearch-sync"
+ - "--platform=linux/arm64/v8"
+
+docker_manifests:
+- name_template: "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/lagoon-opensearch-sync:v{{ .Version }}"
+ image_templates:
+ - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/lagoon-opensearch-sync:v{{ .Version }}-amd64"
+ - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/lagoon-opensearch-sync:v{{ .Version }}-arm64v8"
+- name_template: "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/lagoon-opensearch-sync:latest"
+ image_templates:
+ - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/lagoon-opensearch-sync:v{{ .Version }}-amd64"
+ - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/lagoon-opensearch-sync:v{{ .Version }}-arm64v8"
+
+docker_signs:
+- args:
+ - "sign"
+ - "${artifact}@${digest}"
+ - "--yes"
+ artifacts: all
+ output: true
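Review bot: Neither `dockers` entry passes any `--label` flags, so the OCI annotations that the removed `docker/metadata-action` step used to stamp on release images (source, revision, version) are gone and a pulled image no longer records which commit built it. Add to `build_flag_templates` of both entries `--label=org.opencontainers.image.source=https://github.com/{{ .Env.GITHUB_REPOSITORY }}`, `--label=org.opencontainers.image.revision={{ .FullCommit }}` and `--label=org.opencontainers.image.version=v{{ .Version }}`. Signing only the `checksum` artifact with `sign-blob` is the usual GoReleaser pattern and covers the archives through their hashes, and `docker_signs` signing `${artifact}@${digest}` is the right reference to sign. The config also depends on `GITHUB_REPOSITORY` being exported, which holds on a GitHub runner but not when someone runs `goreleaser` locally; a one-line comment above `dockers:` saying `# GITHUB_REPOSITORY is set by Actions; export it for local runs` would save a confusing template error.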
diff --git a/.goreleaser.yml b/.goreleaser.yml deleted file mode 100644 index 9aba934..0000000 --- a/.goreleaser.yml +++ /dev/null @@ -1,16 +0,0 @@ -builds: -- main: ./cmd/lagoon-opensearch-sync - ldflags: - - > - -s -w - -X "main.commit={{.Commit}}" - -X "main.date={{.Date}}" - -X "main.goVersion={{.Env.GOVERSION}}" - -X "main.projectName={{.ProjectName}}" - -X "main.version={{.Version}}" - env: - - CGO_ENABLED=0 - goarch: - - amd64 - goos: - - linux diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..ce4d1a9 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,6 @@ +FROM alpine:3.19@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b +ARG BINARY=binary-build-arg-not-defined +ENV BINARY=${BINARY} +ENTRYPOINT ["sh", "-c"] +CMD ["exec /${BINARY}"] +COPY ${BINARY} / diff --git a/deploy/lagoon-opensearch-sync/Dockerfile b/deploy/lagoon-opensearch-sync/Dockerfile deleted file mode 100644 index 6e12d31..0000000 --- a/deploy/lagoon-opensearch-sync/Dockerfile +++ /dev/null @@ -1,3 +0,0 @@ -FROM alpine:3.16 -ENTRYPOINT ["/lagoon-opensearch-sync"] -COPY lagoon-opensearch-sync / From cb87d6e1065766e2f06c97d97acf827d36734d81 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Wed, 13 Mar 2024 13:25:47 +0800 Subject: [PATCH 03/10] chore: update codeql workflow --- .github/workflows/codeql-analysis.yaml | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml index 9e43633..003e6d0 100644 --- a/.github/workflows/codeql-analysis.yaml +++ b/.github/workflows/codeql-analysis.yaml @@ -1,5 +1,4 @@ -name: "CodeQL" - +name: codeQL on: push: branches: 
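Review bot: `ENTRYPOINT ["sh", "-c"]` with `CMD ["exec /${BINARY}"]` changes the run contract of the Dockerfile it replaces, which exec'd `/lagoon-opensearch-sync` directly: any argument given at `docker run` or in a Kubernetes `args:` now replaces CMD and is handed to `sh -c` as a script, so `--flag` becomes a shell error and a word like `version` is executed by the shell instead of being appended to the binary. The image also still runs as root and now relies on the shell it ships at runtime. Resolving the build-arg once at build time keeps the exec-form entrypoint, and alpine's `nobody` account can run the sync if it needs no writable path (worth confirming against the binary's config/cache behaviour):

```dockerfile
FROM alpine:3.19@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
ARG BINARY=binary-build-arg-not-defined
COPY ${BINARY} /${BINARY}
# resolve the build-arg at build time so ENTRYPOINT can stay in exec form
RUN ln -s "/${BINARY}" /entrypoint
USER nobody
ENTRYPOINT ["/entrypoint"]
```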
@@ -7,28 +6,27 @@ on: pull_request: branches: - main - schedule: - - cron: '44 10 * * 5' - +permissions: {} jobs: analyze: - name: Analyze - runs-on: ubuntu-latest permissions: actions: read contents: read security-events: write + runs-on: ubuntu-latest strategy: fail-fast: false matrix: language: - go steps: - - name: Checkout repository - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: stable - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6 with: languages: ${{ matrix.language }} - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6 From edb6dacbd6638dbcaa84714c0cf5fc4a01070489 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Wed, 13 Mar 2024 13:27:22 +0800 Subject: [PATCH 04/10] chore: add dependency-review workflow --- .github/dependency-review-config.yaml | 17 +++++++++++++++++ .github/workflows/dependency-review.yaml | 16 ++++++++++++++++ 2 files changed, 33 insertions(+) create mode 100644 .github/dependency-review-config.yaml create mode 100644 .github/workflows/dependency-review.yaml diff --git a/.github/dependency-review-config.yaml b/.github/dependency-review-config.yaml new file mode 100644 index 0000000..df8f653 --- /dev/null +++ b/.github/dependency-review-config.yaml 
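Review bot: The `schedule:` trigger (`cron: '44 10 * * 5'`) is removed, so CodeQL now only runs when `main` or a PR changes; between pushes, newly shipped queries and newly disclosed vulnerability patterns are never re-run against the current `main`, which is precisely what the weekly scan existed for. Keep it next to the `pull_request` trigger: `schedule:` / `- cron: '44 10 * * 5'`. The added `setup-go` step is sensible for the Go autobuild, and per the CodeQL action's documentation `actions: read` is only needed for private repositories, so it is harmless here.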
@@ -0,0 +1,17 @@
+# https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
+allow-licenses:
+- 'Apache-2.0'
+- 'BSD-2-Clause'
+- 'BSD-2-Clause-FreeBSD'
+- 'BSD-3-Clause'
+- 'ISC'
+- 'MIT'
+- 'PostgreSQL'
+- 'Python-2.0'
+- 'X11'
+- 'Zlib'
+
+# this action is GPL-3 but it is only used in CI
+# https://github.com/actions/dependency-review-action/issues/530#issuecomment-1638291806
+allow-dependencies-licenses: >
+ pkg:githubactions/vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
new file mode 100644
index 0000000..1d2323f
--- /dev/null
+++ b/.github/workflows/dependency-review.yaml
@@ -0,0 +1,16 @@
+name: dependency review
+on:
+ pull_request:
+ branches:
+ - main
+permissions: {}
+jobs:
+ dependency-review:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
+ with:
+ config-file: .github/dependency-review-config.yaml
From 1ce0493d01d4bdc9abc4fe17658a2927616876b7 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Wed, 13 Mar 2024 13:39:14 +0800
Subject: [PATCH 05/10] chore: update dependabot workflow
---
 .github/{dependabot.yml => dependabot.yaml} | 18 +++++++++++---
 .github/workflows/dependabot-automerge.yaml | 27 +++++++++++++--------
 2 files changed, 32 insertions(+), 13 deletions(-)
 rename .github/{dependabot.yml => dependabot.yaml} (56%)
diff --git a/.github/dependabot.yml b/.github/dependabot.yaml
similarity index 56%
rename from .github/dependabot.yml
rename to .github/dependabot.yaml
index 3fc2879..040c007 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yaml
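Review bot: The `allow-dependencies-licenses` purl pins `go-test-coverage@bcd064e5…`, but the coverage workflow added later in this same series pins that action at `97ecc524…` (v2.8.3), so the exemption will not match the version actually declared and the next dependency-review run that sees that manifest change should flag the GPL-3 action anyway. Either keep the two commits in sync or, if the action accepts an unversioned purl (worth checking its docs), write `pkg:githubactions/vladopajic/go-test-coverage` without the `@` qualifier. Note too that the `>` folded scalar keeps a trailing newline in the value; `>-` avoids handing the action a purl with a line break appended.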
@@ -1,14 +1,26 @@ version: 2 updates: -- package-ecosystem: docker +- package-ecosystem: github-actions directory: / schedule: - interval: daily -- package-ecosystem: github-actions + interval: weekly + groups: + github-actions: + patterns: + - "*" +- package-ecosystem: docker directory: / schedule: interval: daily + groups: + docker: + patterns: + - "*" - package-ecosystem: gomod directory: / schedule: interval: daily + groups: + gomod: + patterns: + - "*" diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml index 8f3942a..7e85010 100644 --- a/.github/workflows/dependabot-automerge.yaml +++ b/.github/workflows/dependabot-automerge.yaml @@ -1,17 +1,24 @@ # https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request -name: Dependabot auto-merge -on: pull_request - -permissions: - contents: write - pull-requests: write - +name: dependabot auto-merge +on: + pull_request: + branches: + - main +permissions: {} jobs: - dependabot: + dependabot-automerge: + permissions: + contents: write + pull-requests: write runs-on: ubuntu-latest - if: ${{ github.actor == 'dependabot[bot]' }} + if: github.actor == 'dependabot[bot]' steps: - - name: Enable auto-merge for Dependabot PRs + - name: Fetch dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + - name: Enable auto-merge for Dependabot PRs # these still need approval before merge run: gh pr merge --auto --merge "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}} From aeaeb50687511443e9ac1ac528582d4027a9dc4c Mon Sep 17 00:00:00 2001 
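Review bot: The new `dependabot/fetch-metadata` step is given `id: metadata`, but none of its outputs gate the `gh pr merge --auto` step that follows, so every Dependabot PR — including the grouped updates configured in `dependabot.yaml`, which can carry a major version bump — is queued for auto-merge as soon as it is approved. Gate the merge on the update type, which is what the recipe linked in the header comment does with this step: `if: steps.metadata.outputs.update-type != 'version-update:semver-major'`. The `env:` block of that step continues past the end of the hunk, so the token wiring could not be checked here.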
From: Scott Leggett Date: Wed, 13 Mar 2024 13:39:54 +0800 Subject: [PATCH 06/10] chore: add coverage workflow --- .github/workflows/coverage.yaml | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml index 227a8e2..cd89166 100644 --- a/.github/workflows/coverage.yaml +++ b/.github/workflows/coverage.yaml @@ -1,30 +1,29 @@ -name: Coverage +name: coverage on: push: branches: - main - +permissions: {} jobs: coverage: + permissions: + contents: write runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v4 - - name: Configure git - run: | - git config --global user.name "$GITHUB_ACTOR" - git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" - - name: Set up go - uses: actions/setup-go@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: stable - name: Calculate coverage run: | - go test -v -covermode=count -coverprofile=coverage.out.raw -coverpkg=./... ./... - grep -v mock_ coverage.out.raw > coverage.out - - name: Convert coverage to lcov - uses: jandelgado/gcov2lcov-action@v1 - - name: Coveralls - uses: coverallsapp/github-action@v2 + go test -v -covermode=atomic -coverprofile=cover.out.raw -coverpkg=./... ./... + # remove generated code from coverage calculation + grep -Ev 'internal/mock|_enumer.go' cover.out.raw > cover.out + - name: Generage coverage badge + uses: vladopajic/go-test-coverage@97ecc524075d8ece0e1a406edec1c191e2dd3277 # v2.8.3 with: - github-token: ${{ secrets.github_token }} + profile: cover.out + local-prefix: github.com/smlx/go-cli-github + git-token: ${{ secrets.GITHUB_TOKEN }} + # orphan branch for storing badges + git-branch: badges From f078b350a372994aba4bda45bc0118b6fb5dc997 Mon Sep 17 00:00:00 2001 
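Review bot: `local-prefix: github.com/smlx/go-cli-github` does not match this repository's module path — the README badges and `.goreleaser.yaml` in this series point at `github.com/uselagoon/lagoon-opensearch-sync` — and looks like a leftover from the template repository the workflow was copied from; if go-test-coverage uses the prefix to strip module paths from the profile, per-file matching and thresholds will silently not apply. Set `local-prefix: github.com/uselagoon/lagoon-opensearch-sync` (confirm against `go.mod`). `contents: write` is needed so `git-token` can push the badge to the orphan `badges` branch, but it is also granted to the `go test` step that executes the repository's code; acceptable on a push-to-main workflow, but a comment like `# write is only for pushing badges to the orphan branch` would make the scope explicit.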
From: Scott Leggett Date: Wed, 13 Mar 2024 13:41:01 +0800 Subject: [PATCH 07/10] chore: update test workflow --- .github/workflows/test.yaml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 4d2a307..63fa376 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -1,16 +1,19 @@ -name: Test -on: pull_request +name: test +on: + pull_request: + branches: + - main +permissions: {} jobs: - go-test: + test-go: + permissions: + contents: read runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.event.pull_request.head.sha }} - - name: Install Go - uses: actions/setup-go@v4 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: stable - - name: Run Tests - run: go test -v ./... + - run: go test -v ./... From 2f187b9a30224dde9b536944117006f8d15806fd Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Wed, 13 Mar 2024 13:41:28 +0800 Subject: [PATCH 08/10] chore: add ossf workflow --- .github/workflows/ossf-analysis.yaml | 31 ++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/workflows/ossf-analysis.yaml diff --git a/.github/workflows/ossf-analysis.yaml b/.github/workflows/ossf-analysis.yaml new file mode 100644 index 0000000..9a69f2a --- /dev/null +++ b/.github/workflows/ossf-analysis.yaml 
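Review bot: `ref: ${{ github.event.pull_request.head.sha }}` checks out the PR head commit instead of checkout's default `refs/pull/N/merge`, so tests run against the branch in isolation and a PR that is green on its own but breaks once combined with current `main` is not caught until after merge. Unless the exact head SHA is required (for example to attach a status to that commit), drop the `with: ref:` block and let the merge ref be tested; if it is intentional, a comment such as `# test the PR head itself, not the synthetic merge commit` would stop the next reader from "fixing" it.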
@@ -0,0 +1,31 @@
+name: OSSF scorecard
+on:
+ push:
+ branches:
+ - main
+permissions: {}
+jobs:
+ ossf-scorecard-analysis:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ # Needed if using Code scanning alerts
+ security-events: write
+ # Needed for GitHub OIDC token if publish_results is true
+ id-token: write
+ steps:
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: Run analysis
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # Publish the results for public repositories to enable scorecard badges. For more details, see
+ # https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories, `publish_results` will automatically be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+ - name: Upload SARIF results to code scanning
+ uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
+ with:
+ sarif_file: results.sarif
From 0f88553162f3d16959abbad414e6cd43216d744c Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Wed, 13 Mar 2024 14:06:42 +0800
Subject: [PATCH 09/10] chore: update badges in README
---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index f713624..78a5065 100644
--- a/README.md
+++ b/README.md
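Review bot: The checkout step does not set `persist-credentials: false`, which the scorecard-action reference workflow does so that the `GITHUB_TOKEN` is not left in `.git/config` for the analysis step that then runs with `id-token: write`; add `with:` / `persist-credentials: false` under the `actions/checkout` step. The workflow also triggers only on `push` to `main`, so the published score goes stale between merges and checks that depend on external data (Vulnerabilities, Dependency-Update-Tool) are not refreshed; the reference workflow adds `branch_protection_rule:` and a weekly `schedule:` for that reason. `publish_results: true` with `id-token: write` is correct for a public repository, as the inline comment already explains.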
@@ -1,8 +1,11 @@ # Lagoon Opensearch Sync +[![Go Reference](https://pkg.go.dev/badge/github.com/uselagoon/lagoon-opensearch-sync.svg)](https://pkg.go.dev/github.com/uselagoon/lagoon-opensearch-sync) [![Release](https://github.com/uselagoon/lagoon-opensearch-sync/actions/workflows/release.yaml/badge.svg)](https://github.com/uselagoon/lagoon-opensearch-sync/actions/workflows/release.yaml) -[![Coverage](https://coveralls.io/repos/github/uselagoon/lagoon-opensearch-sync/badge.svg?branch=main)](https://coveralls.io/github/uselagoon/lagoon-opensearch-sync?branch=main) +[![coverage](https://raw.githubusercontent.com/uselagoon/lagoon-opensearch-sync/badges/.badges/main/coverage.svg)](https://github.com/uselagoon/lagoon-opensearch-sync/actions/workflows/coverage.yaml) [![Go Report Card](https://goreportcard.com/badge/github.com/uselagoon/lagoon-opensearch-sync)](https://goreportcard.com/report/github.com/uselagoon/lagoon-opensearch-sync) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/uselagoon/lagoon-opensearch-sync/badge)](https://securityscorecards.dev/viewer/?uri=github.com/uselagoon/lagoon-opensearch-sync) +[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8659/badge)](https://www.bestpractices.dev/projects/8659) This tool/service synchronises Opensearch with Lagoon. This means that it sets up the required roles and permissions based on Lagoon groups and projects. From 19a052a696e1f023729cab7b91eca443effb62b1 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Wed, 13 Mar 2024 14:08:37 +0800 Subject: [PATCH 10/10] chore: remove deprecated tag-to-release workflow --- .github/workflows/tag-to-release.yaml | 73 --------------------------- 1 file changed, 73 deletions(-) delete mode 100644 .github/workflows/tag-to-release.yaml diff --git a/.github/workflows/tag-to-release.yaml b/.github/workflows/tag-to-release.yaml deleted file mode 100644 index 1dca3c2..0000000 --- a/.github/workflows/tag-to-release.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ -name: Tag to Release -on: - push: - tags: - - v* -jobs: - release: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Install Go - uses: actions/setup-go@v4 - with: - go-version: stable - - name: Set up environment - run: echo "GOVERSION=$(go version)" >> $GITHUB_ENV - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v5 - with: - version: latest - args: release --rm-dist - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Tar up binaries - run: tar -cvf dist.tar dist - - name: Upload binaries tar file - uses: actions/upload-artifact@v3 - with: - name: dist.tar - path: dist.tar - releaseimage: - strategy: - matrix: - binary: - - lagoon-opensearch-sync - needs: - - tag - - release - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Download binaries tar file - uses: actions/download-artifact@v3 - with: - name: dist.tar - - name: Untar binaries - run: tar -xvf dist.tar - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Docker metadata - # this id is namespaced per matrix run - id: docker_metadata - uses: docker/metadata-action@v5 - with: - images: ghcr.io/${{ github.repository_owner }}/${{ matrix.binary }} - tags: | - ${{ needs.tag.outputs.new-tag-version }} - latest - - name: Build and push ${{ matrix.binary }} container image - id: docker_build - uses: docker/build-push-action@v5 - with: - push: true - tags: ${{ steps.docker_metadata.outputs.tags }} - labels: ${{ steps.docker_metadata.outputs.labels }} - file: deploy/${{ matrix.binary }}/Dockerfile - context: dist/${{ matrix.binary }}_linux_amd64_v1