Skip to content

[StepSecurity] ci: Harden GitHub Actions (#390) #74

[StepSecurity] ci: Harden GitHub Actions (#390)

[StepSecurity] ci: Harden GitHub Actions (#390) #74

Workflow file for this run

# Copyright 2024 Chainguard, Inc.
# SPDX-License-Identifier: Apache-2.0
name: Code Style
on:
pull_request:
branches:
- 'main'
push:
branches:
- 'main'
jobs:
gofmt:
name: check gofmt
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
egress-policy: audit
- name: Check out code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: go.mod
check-latest: true
- uses: chainguard-dev/actions/gofmt@9d943fc9889a0c0795e3c2bd4b949a9b610ac02e # main
with:
args: -s
goimports:
name: check goimports
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
egress-policy: audit
- name: Check out code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: go.mod
check-latest: true
- uses: chainguard-dev/actions/goimports@9d943fc9889a0c0795e3c2bd4b949a9b610ac02e # main
golangci-lint:
name: golangci-lint
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
egress-policy: audit
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: go.mod
check-latest: true
- name: install libyara-dev
run: |
sudo add-apt-repository -n -y "deb http://archive.ubuntu.com/ubuntu/ mantic main restricted universe multiverse"
sudo add-apt-repository -n -y "deb http://archive.ubuntu.com/ubuntu/ mantic-updates main restricted universe multiverse"
sudo add-apt-repository -n -y "deb http://archive.ubuntu.com/ubuntu/ mantic-backports main restricted universe multiverse"
sudo add-apt-repository -n -y "deb http://security.ubuntu.com/ubuntu mantic-security main restricted universe multiverse"
sudo apt update && sudo apt install libyara-dev -y
- name: golangci-lint
uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v3.7.1
with:
version: v1.58
args: --timeout=5m
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
egress-policy: audit
- name: Check out code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: go.mod
check-latest: true
- uses: reviewdog/action-misspell@ef8b22c1cca06c8d306fc6be302c3dab0f6ca12f # v1.23.0
if: ${{ always() }}
with:
github_token: ${{ secrets.github_token }}
fail_on_error: true
locale: "US"
exclude: |
**/go.sum
**/third_party/**
**/samples/**
./*.yml
- uses: get-woke/woke-action-reviewdog@d71fd0115146a01c3181439ce714e21a69d75e31 # v0
if: ${{ always() }}
with:
github-token: ${{ secrets.github_token }}
reporter: github-pr-check
level: error
fail-on-error: true