Skip to content

Commit

Permalink
Merge branch 'main' into sast-snyk
Browse files Browse the repository at this point in the history
  • Loading branch information
spencerschrock authored Dec 19, 2023
2 parents 026fe3f + 21bbe80 commit dccaf34
Show file tree
Hide file tree
Showing 299 changed files with 8,380 additions and 2,930 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ jobs:

steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/depsreview.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,4 +24,4 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: 'Dependency Review'
uses: actions/dependency-review-action@fde92acd0840415674c16b39c7d703fc28bc511e
uses: actions/dependency-review-action@01bc87099ba56df1e897b6874784491ea6309bc4 # v3.1.4
4 changes: 2 additions & 2 deletions .github/workflows/docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ jobs:
fetch-depth: 2 # needed to diff changed files
- id: files
name: Get changed files
uses: tj-actions/changed-files@25ef3926d147cd02fc7e931c1ef50772bbb0d25d #v40.1.1
uses: tj-actions/changed-files@94549999469dbfa032becf298d95c87a14c34394 #v40.2.2
with:
files_ignore: '**.md'
- id: docs_only_check
Expand Down Expand Up @@ -70,7 +70,7 @@ jobs:
steps:
- name: Harden Runner
if: (needs.docs_only_check.outputs.docs_only != 'true')
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/gitlab.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ jobs:
environment: gitlab
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/goreleaser.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/integration.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand All @@ -44,7 +44,7 @@ jobs:
needs: [approve]
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ jobs:
name: check-linter
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
- uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
Expand Down
18 changes: 9 additions & 9 deletions .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
Expand Down Expand Up @@ -95,7 +95,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down Expand Up @@ -143,7 +143,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
Expand Down Expand Up @@ -172,7 +172,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down Expand Up @@ -221,7 +221,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Cache builds
Expand Down Expand Up @@ -260,7 +260,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down Expand Up @@ -303,7 +303,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Install Protoc
Expand Down Expand Up @@ -349,7 +349,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down Expand Up @@ -384,7 +384,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/publishimage.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ jobs:
COSIGN_EXPERIMENTAL: "true"
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down
110 changes: 110 additions & 0 deletions .github/workflows/scdiff.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
name: scdiff PR evaluation
on:
issue_comment:
types: [created]

permissions: read-all

env:
GO_VERSION: 1.21

jobs:
share-link:
if: ${{ (github.event.issue.pull_request) && (contains(github.event.comment.body, '/scdiff generate')) }}
runs-on: [ubuntu-latest]
permissions:
pull-requests: write # to create the PR comment
steps:
- name: share link to workflow run
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `[Here's a link to the scdiff run](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})`
})
golden-test:
if: ${{ (github.event.issue.pull_request) && (contains(github.event.comment.body, '/scdiff generate')) }}
runs-on: [ubuntu-latest]
steps:
- name: create file of repos to anlayze
run: |
cat <<EOF > $HOME/repos.txt
https://github.com/airbnb/lottie-web
https://github.com/apache/tomcat
https://github.com/Azure/azure-functions-dotnet-worker
https://github.com/cncf/xds
https://github.com/google/go-cmp
https://github.com/google/highwayhash
https://github.com/googleapis/google-api-php-client
https://github.com/jacoco/jacoco
https://github.com/ossf/scorecard
https://github.com/pallets/jinja
https://github.com/polymer/polymer
https://github.com/rust-random/getrandom
https://github.com/yaml/libyaml
https://gitlab.com/baserow/baserow
https://gitlab.com/cryptsetup/cryptsetup
EOF
- name: configure scdiff
id: config
env:
COMMENT_BODY: ${{ github.event.comment.body }}
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const allowedAssociations = ["COLLABORATOR", "CONTRIBUTOR", "MEMBER", "OWNER"];
authorAssociation = '${{ github.event.comment.author_association }}'
if (!allowedAssociations.includes(authorAssociation)) {
core.setFailed("You don't have access to run scdiff");
}
const response = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number,
})
core.setOutput('base', response.data.base.sha)
core.setOutput('head', response.data.head.sha)
checks = '""'
const commentBody = process.env.COMMENT_BODY
const regex = /\/scdiff generate ([^ ]+)/;
const found = commentBody.match(regex);
if (found && found.length == 2) {
checks = found[1]
}
core.exportVariable('SCORECARD_CHECKS', checks)
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ steps.config.outputs.base }}
- name: Setup Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: generate before results
env:
GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}
GITLAB_AUTH_TOKEN: ${{ secrets.GITLAB_TOKEN }}
run: |
go run cmd/internal/scdiff/main.go generate \
--repos $HOME/repos.txt \
--checks $SCORECARD_CHECKS > $HOME/before.json
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ steps.config.outputs.head }}
- name: generate after results
env:
GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}
GITLAB_AUTH_TOKEN: ${{ secrets.GITLAB_TOKEN }}
run: |
go run cmd/internal/scdiff/main.go generate \
--repos $HOME/repos.txt \
--checks $SCORECARD_CHECKS > $HOME/after.json
- name: compare results
run: |
go run cmd/internal/scdiff/main.go compare $HOME/before.json $HOME/after.json
6 changes: 3 additions & 3 deletions .github/workflows/stale.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,16 +27,16 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v3.0.18
- uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v3.0.18
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This issue is stale because it has been open for 60 days with no activity.'
stale-pr-message: 'This pull request is stale because it has been open for 10 days with no activity'
exempt-issue-labels: 'priority,bug,good first issue'
exempt-issue-labels: 'priority,bug,good first issue,backlog,help wanted'
exempt-issue-milestones: 'Structured results'
exempt-pr-labels: 'awaiting-approval,work-in-progress'
days-before-pr-stale: '10'
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/verify.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,12 +26,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Verifier action
id: verifier
uses: kubernetes-sigs/kubebuilder-release-tools@3c3411345eedc489d1022288aa844691e92a9c29 # v0.4.2
uses: kubernetes-sigs/kubebuilder-release-tools@012269a88fa4c034a0acf1ba84c26b195c0dbab4 # v0.4.3
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
13 changes: 8 additions & 5 deletions .golangci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,9 @@ issues:
- funlen
- goconst
- gocyclo
- goerr113
- lll
- wrapcheck
skip-files:
- cron/data/request.pb.go # autogenerated
linters:
Expand Down Expand Up @@ -58,6 +61,7 @@ linters:
- misspell
- nakedret
- nestif
- nolintlint
- predeclared
- staticcheck
- stylecheck
Expand All @@ -71,7 +75,6 @@ linters:
- wrapcheck
disable:
- exhaustruct # initializing every struct makes tests longer without much benefit (spencerschrock)
- paralleltest # need to investigate rate limit issues before re-enabling? (#2527)
- testpackage # tests don't need their own package (spencerschrock)
presets:
- bugs
Expand All @@ -80,10 +83,6 @@ linters-settings:
errcheck:
check-type-assertions: true
check-blank: true
errorlint:
# TODO remove this when project migrates to golang 1.20
# https://golangci-lint.run/usage/linters/#errorlint
errorf-multi: false
exhaustive:
# https://golangci-lint.run/usage/linters/#exhaustive
default-signifies-exhaustive: true
Expand Down Expand Up @@ -156,6 +155,10 @@ linters-settings:
- ptrToRefParam
- typeUnparen
- unnecessaryBlock
nolintlint:
# `//nolint` should mention specific linter such as `//nolint:my-linter`
# Overly broad directives can hide unrelated issues
require-specific: true
wrapcheck:
ignorePackageGlobs:
- github.com/ossf/scorecard/v4/checks/fileparser
2 changes: 1 addition & 1 deletion CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ You must install these tools:
1. [`git`](https://help.github.com/articles/set-up-git/): For source control

1. [`go`](https://golang.org/doc/install): You need go version
[v1.19](https://golang.org/dl/) or higher.
[v1.21](https://golang.org/dl/) or higher.

1. [`docker`](https://docs.docker.com/engine/install/): `v18.9` or higher.

Expand Down
Loading

0 comments on commit dccaf34

Please sign in to comment.