V2 modernize workflows (#1182)

* Modernize workflows * Appease linter * Fix smoke test go version
lestrrat-go · Sep 25, 2024 · c5d7db2 · c5d7db2
1 parent 551d76f
commit c5d7db2
Show file tree

Hide file tree

Showing 16 changed files with 53 additions and 72 deletions.
diff --git a/.github/workflows/assign-issue.yml b/.github/workflows/assign-issue.yml
@@ -8,6 +8,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Auto-assign issue'
-        uses: pozil/auto-assign-issue@v2
+        uses: pozil/auto-assign-issue@c5bca5027e680b9e8411b826d16947afd8c76b32 # v2.0.0
         with:
           assignees: lestrrat
diff --git a/.github/workflows/assign-pr.yml b/.github/workflows/assign-pr.yml
@@ -7,6 +7,6 @@ jobs:
   add-reviews:
     runs-on: ubuntu-latest
     steps:
-      - uses: kentaro-m/[email protected]
+      - uses: kentaro-m/auto-assign-action@f4648c0a9fdb753479e9e75fc251f507ce17bb7e # v2.0.0
         with:
           configuration-path: .github/auto-assign-pr.yml
diff --git a/.github/workflows/autodoc.yml b/.github/workflows/autodoc.yml
@@ -13,7 +13,7 @@ jobs:
     if: github.event.pull_request.merged == true
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Process markdown files
         run: |
           find . -name '*.md' | xargs perl tools/autodoc.pl

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,13 +11,13 @@ jobs:
     strategy:
       matrix:
         go_tags: [ 'stdlib', 'goccy', 'es256k', 'secp256k1-pem', 'asmbase64', 'alltags']
-        go: [ '1.22', '1.21', '1.20' ]
+        go: [ '1.23', '1.22', '1.21' ]
     name: "Test [ Go ${{ matrix.go }} / Tags ${{ matrix.go_tags }} ]"
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: |
             ~/go/pkg/mod
@@ -27,20 +27,10 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-go-
       - name: Install Go stable version
-        if: matrix.go != 'tip'
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ matrix.go }}
           check-latest: true
-      - name: Install Go tip
-        if: matrix.go == 'tip'
-        run: |
-          git clone --depth=1 https://go.googlesource.com/go $HOME/gotip
-          cd $HOME/gotip/src
-          ./make.bash
-          echo "::set-env name=GOROOT::$HOME/gotip"
-          echo "::add-path::$HOME/gotip/bin"
-          echo "::add-path::$(go env GOPATH)/bin"
       - name: Install stringer
         run: go install golang.org/x/tools/cmd/stringer@latest
       - name: Install tparse
@@ -52,11 +42,6 @@ jobs:
         run: make tidy
       - name: Test with coverage
         run: make cover-${{ matrix.go_tags }}
-      - name: Upload code coverage to codecov
-        if: matrix.go == '1.19'
-        uses: codecov/codecov-action@v4
-        with:
-          file: ./coverage.out
       - uses: bazelbuild/setup-bazelisk@v3
       - run: bazel run //:gazelle-update-repos
       - name: Check difference between generation code and commit code

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -40,7 +40,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Install tparse
         run: go install github.com/mfridman/[email protected]
       - run: |

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -5,14 +5,11 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: "1.20"
-          check-latest: true
-      - uses: golangci/golangci-lint-action@v6
-        with:
-          version: v1.59
+          go-version-file: "go.mod"
+      - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
       - name: Run go vet
         run: |
           go vet ./...
diff --git a/.github/workflows/smoke.yml b/.github/workflows/smoke.yml
@@ -14,16 +14,16 @@ jobs:
     strategy:
       matrix:
         go_tags: [ 'stdlib', 'goccy', 'es256k', 'alltags' ]
-        go: [ '1.22', '1.21', '1.20' ]
+        go: [ '1.22', '1.21' ]
     name: "Smoke [ Go ${{ matrix.go }} / Tags ${{ matrix.go_tags }} ]"
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Check documentation generator
         run: |
           find . -name '*.md' | xargs env AUTODOC_DRYRUN=1 perl tools/autodoc.pl
       - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.20
         with:
           path: |
             ~/go/pkg/mod
@@ -33,7 +33,7 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-go-
       - name: Install Go stable version
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: ${{ matrix.go }}
           check-latest: true
@@ -50,6 +50,6 @@ jobs:
         run: make tidy
       - name: Run smoke tests
         run: make smoke-${{ matrix.go_tags }}
-      - uses: bazelbuild/setup-bazelisk@v3
+      - uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0
       - run: bazel build //...
 
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
         with:
           stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 7 days.'
           stale-pr-message: 'This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 14 days.'

diff --git a/.golangci.yml b/.golangci.yml
@@ -60,6 +60,9 @@ issues:
       text: "don't use an underscore in package name"
       linters:
         - revive
+    - linters:
+        - staticcheck
+      text: 'SA1019'
     - path: /*.go
       linters:
         - contextcheck

diff --git a/jwe/jwe_test.go b/jwe/jwe_test.go
@@ -318,12 +318,12 @@ func TestRoundtrip_RSAES_OAEP_AES_GCM(t *testing.T) {
 		110, 97, 116, 105, 111, 110, 46,
 	}
 
-	max := 100
+	iterations := 100
 	if testing.Short() {
-		max = 1
+		iterations = 1
 	}
 
-	for i := 0; i < max; i++ {
+	for i := 0; i < iterations; i++ {
 		encrypted, err := jwe.Encrypt(plaintext, jwe.WithKey(jwa.RSA_OAEP, &rsaPrivKey.PublicKey))
 		if !assert.NoError(t, err, "Encrypt should succeed") {
 			return
@@ -346,12 +346,12 @@ func TestRoundtrip_RSA1_5_A128CBC_HS256(t *testing.T) {
 		112, 114, 111, 115, 112, 101, 114, 46,
 	}
 
-	max := 100
+	iterations := 100
 	if testing.Short() {
-		max = 1
+		iterations = 1
 	}
 
-	for i := 0; i < max; i++ {
+	for i := 0; i < iterations; i++ {
 		encrypted, err := jwe.Encrypt(plaintext, jwe.WithKey(jwa.RSA1_5, &rsaPrivKey.PublicKey), jwe.WithContentEncryption(jwa.A128CBC_HS256))
 		if !assert.NoError(t, err, "Encrypt is successful") {
 			return
@@ -379,12 +379,12 @@ func TestEncode_A128KW_A128CBC_HS256(t *testing.T) {
 		25, 172, 32, 130, 225, 114, 26, 181, 138, 106, 254, 192, 95, 133, 74, 82,
 	}
 
-	max := 100
+	iterations := 100
 	if testing.Short() {
-		max = 1
+		iterations = 1
 	}
 
-	for i := 0; i < max; i++ {
+	for i := 0; i < iterations; i++ {
 		encrypted, err := jwe.Encrypt(plaintext, jwe.WithKey(jwa.A128KW, sharedkey), jwe.WithContentEncryption(jwa.A128CBC_HS256))
 		if !assert.NoError(t, err, "Encrypt is successful") {
 			return

diff --git a/jwk/jwk_test.go b/jwk/jwk_test.go
@@ -887,35 +887,35 @@ func TestPublicKeyOf(t *testing.T) {
 	}{
 		{
 			Key:           rsakey,
-			PublicKeyType: reflect.PtrTo(reflect.TypeOf(rsakey.PublicKey)),
+			PublicKeyType: reflect.PointerTo(reflect.TypeOf(rsakey.PublicKey)),
 		},
 		{
 			Key:           *rsakey,
-			PublicKeyType: reflect.PtrTo(reflect.TypeOf(rsakey.PublicKey)),
+			PublicKeyType: reflect.PointerTo(reflect.TypeOf(rsakey.PublicKey)),
 		},
 		{
 			Key:           rsakey.PublicKey,
-			PublicKeyType: reflect.PtrTo(reflect.TypeOf(rsakey.PublicKey)),
+			PublicKeyType: reflect.PointerTo(reflect.TypeOf(rsakey.PublicKey)),
 		},
 		{
 			Key:           &rsakey.PublicKey,
-			PublicKeyType: reflect.PtrTo(reflect.TypeOf(rsakey.PublicKey)),
+			PublicKeyType: reflect.PointerTo(reflect.TypeOf(rsakey.PublicKey)),
 		},
 		{
 			Key:           ecdsakey,
-			PublicKeyType: reflect.PtrTo(reflect.TypeOf(ecdsakey.PublicKey)),
+			PublicKeyType: reflect.PointerTo(reflect.TypeOf(ecdsakey.PublicKey)),
 		},
 		{
 			Key:           *ecdsakey,
-			PublicKeyType: reflect.PtrTo(reflect.TypeOf(ecdsakey.PublicKey)),
+			PublicKeyType: reflect.PointerTo(reflect.TypeOf(ecdsakey.PublicKey)),
 		},
 		{
 			Key:           ecdsakey.PublicKey,
-			PublicKeyType: reflect.PtrTo(reflect.TypeOf(ecdsakey.PublicKey)),
+			PublicKeyType: reflect.PointerTo(reflect.TypeOf(ecdsakey.PublicKey)),
 		},
 		{
 			Key:           &ecdsakey.PublicKey,
-			PublicKeyType: reflect.PtrTo(reflect.TypeOf(ecdsakey.PublicKey)),
+			PublicKeyType: reflect.PointerTo(reflect.TypeOf(ecdsakey.PublicKey)),
 		},
 		{
 			Key:           octets,
@@ -1636,9 +1636,9 @@ func TestTypedFields(t *testing.T) {
 func TestGH412(t *testing.T) {
 	base := jwk.NewSet()
 
-	const max = 5
+	const iterations = 5
 	kids := make(map[string]struct{})
-	for i := 0; i < max; i++ {
+	for i := 0; i < iterations; i++ {
 		k, err := jwxtest.GenerateRsaJwk()
 		if !assert.NoError(t, err, `jwxttest.GenerateRsaJwk() should succeed`) {
 			return
@@ -1650,7 +1650,7 @@ func TestGH412(t *testing.T) {
 		kids[kid] = struct{}{}
 	}
 
-	for i := 0; i < max; i++ {
+	for i := 0; i < iterations; i++ {
 		idx := i
 		currentKid := "key-" + strconv.Itoa(i)
 		t.Run(fmt.Sprintf("Remove at position %d", i), func(t *testing.T) {
@@ -1659,7 +1659,7 @@ func TestGH412(t *testing.T) {
 				return
 			}
 
-			if !assert.Equal(t, max, set.Len(), `set.Len should be %d`, max) {
+			if !assert.Equal(t, iterations, set.Len(), `set.Len should be %d`, iterations) {
 				return
 			}
 
@@ -1673,7 +1673,7 @@ func TestGH412(t *testing.T) {
 			}
 			t.Logf("deleted key %s", k.KeyID())
 
-			if !assert.Equal(t, max-1, set.Len(), `set.Len should be %d`, max-1) {
+			if !assert.Equal(t, iterations-1, set.Len(), `set.Len should be %d`, iterations-1) {
 				return
 			}
 

diff --git a/jws/jws.go b/jws/jws.go
@@ -345,6 +345,7 @@ func Verify(buf []byte, options ...VerifyOption) ([]byte, error) {
 		case identKeyUsed{}:
 			keyUsed = option.Value()
 		case identContext{}:
+			//nolint:fatcontext
 			ctx = option.Value().(context.Context)
 		case identValidateKey{}:
 			validateKey = option.Value().(bool)

diff --git a/jwt/jwt_test.go b/jwt/jwt_test.go
@@ -595,10 +595,10 @@ func TestGH52(t *testing.T) {
 	if !assert.NoError(t, err) {
 		return
 	}
-	const max = 100
+	const iterations = 100
 	var wg sync.WaitGroup
-	wg.Add(max)
-	for i := 0; i < max; i++ {
+	wg.Add(iterations)
+	for i := 0; i < iterations; i++ {
 		// Do not use t.Run here as it will clutter up the outpuA
 		go func(t *testing.T, priv *ecdsa.PrivateKey, i int) {
 			defer wg.Done()

diff --git a/jwt/validate.go b/jwt/validate.go
@@ -65,6 +65,7 @@ func Validate(t Token, options ...ValidateOption) error {
 		case identTruncation{}:
 			trunc = o.Value().(time.Duration)
 		case identContext{}:
+			//nolint:fatcontext
 			ctx = o.Value().(context.Context)
 		case identResetValidators{}:
 			resetValidators = o.Value().(bool)

diff --git a/jwx_test.go b/jwx_test.go
@@ -128,16 +128,10 @@ func TestJoseCompatibility(t *testing.T) {
 				Name:     "RSA Private Key with Private Parameters",
 				Raw:      rsa.PrivateKey{},
 				Template: `{"alg": "RS256", "x-jwx": 1234}`,
-				VerifyKey: func(ctx context.Context, t *testing.T, key jwk.Key) bool {
-					m, err := key.AsMap(ctx)
-					if !assert.NoError(t, err, `key.AsMap() should succeed`) {
-						return false
-					}
-
-					if !assert.Equal(t, float64(1234), m["x-jwx"], `private parameters should match`) {
-						return false
-					}
-
+				VerifyKey: func(_ context.Context, t *testing.T, key jwk.Key) bool {
+					v, ok := key.Get(`x-jwx`)
+					require.True(t, ok, `key.Get should succeed`)
+					require.Equal(t, float64(1234), v, `private parameters should match`)
 					return true
 				},
 			},