Merge pull request #37 from jzelinskie/actions

.github: migrate to shared authzed actions

.github/dependabot.yml

@@ -1,14 +1,15 @@
+---
 version: 2
 updates:
-- package-ecosystem: "gomod"
-  directory: "/"
-  schedule:
-    interval: "monthly"
-  labels:
-  - "area/dependencies"
-- package-ecosystem: "docker"
-  directory: "/"
-  schedule:
-    interval: "monthly"
-  labels:
-  - "area/dependencies"
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    labels:
+      - "area/dependencies"
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    labels:
+      - "area/dependencies"

.github/labeler.yml

@@ -1,13 +1,14 @@
+---
 area/dependencies:
-- "Dockerfile"
-- "go.mod"
-- "go.sum"
+  - "Dockerfile"
+  - "go.mod"
+  - "go.sum"
 area/tooling:
-- ".github/**/*"
-- "Dockerfile"
+  - ".github/**/*"
+  - "Dockerfile"
 area/docs:
-- "CODE-OF-CONDUCT.md"
-- "CONTRIBUTING.md"
-- "DCO"
-- "LICENSE"
-- "README.md"
+  - "CODE-OF-CONDUCT.md"
+  - "CONTRIBUTING.md"
+  - "DCO"
+  - "LICENSE"
+  - "README.md"

.github/workflows/build-test.yaml

@@ -0,0 +1,38 @@
+---
+name: "Build & Test"
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - "!dependabot/*"
+      - "*"
+  pull_request:
+    branches:
+      - "*"
+jobs:
+  build:
+    name: "Build Binary"
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "actions/checkout@v3"
+      - uses: "actions/setup-go@v3"
+        with:
+          go-version: "^1.17"
+      - uses: "authzed/actions/go-build@main"
+
+  image-build:
+    name: "Build Container Image"
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "actions/checkout@v3"
+      - uses: "authzed/actions/docker-build@main"
+
+  unit:
+    name: "Run Unit Tests"
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "actions/checkout@v3"
+      - uses: "actions/setup-go@v3"
+        with:
+          go-version: "^1.17"
+      - uses: "authzed/action-spicedb@v1"
+      - uses: "authzed/actions/go-test@main"

.github/workflows/cla.yaml

@@ -1,6 +1,6 @@
 ---
-name: "CLA Assistant"
-on:
+name: "CLA"
+on:  # yamllint disable-line rule:truthy
   issue_comment:
     types:
       - "created"
@@ -9,21 +9,9 @@ on:
       - "opened"
       - "closed"
       - "synchronize"
-
 jobs:
-  CLAssistant:
+  cla:
+    name: "Check Signature"
     runs-on: "ubuntu-latest"
     steps:
-      - name: "CLA Assistant"
-        if: "(github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'"
-        uses: "cla-assistant/[email protected]"
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-          PERSONAL_ACCESS_TOKEN: "${{ secrets.CLA_ASSISTANT_ACCESS_TOKEN }}"
-        with:
-          remote-organization-name: "authzed"
-          remote-repository-name: "cla"
-          path-to-signatures: "v1/signatures.json"
-          path-to-document: "https://github.com/authzed/cla/blob/main/v1/icla.md"
-          branch: "main"
-          allowlist: "authzedbot,dependabot[bot]"
+      - uses: "authzed/actions/cla-check@main"

.github/workflows/labeler.yaml

@@ -1,11 +1,12 @@
+---
 name: "Pull Request Labeler"
-on:
-- "pull_request_target"
+on:  # yamllint disable-line rule:truthy
+  - "pull_request_target"
 jobs:
   triage:
     runs-on: "ubuntu-latest"
     steps:
-    - uses: "actions/labeler@v3"
-      with:
-        repo-token: "${{ secrets.GITHUB_TOKEN }}"
-        sync-labels: true
+      - uses: "actions/labeler@v3"
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          sync-labels: true

.github/workflows/lint.yaml

@@ -0,0 +1,45 @@
+---
+name: "Lint"
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - "!dependabot/*"
+      - "main"
+  pull_request:
+    branches: ["*"]
+jobs:
+  go-lint:
+    name: "Lint Go"
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "actions/checkout@v3"
+      - uses: "actions/setup-go@v3"
+        with:
+          go-version: "^1.17"
+      - uses: "authzed/actions/gofumpt@main"
+      - uses: "authzed/actions/go-mod-tidy@main"
+      - uses: "authzed/actions/go-generate@main"
+      - uses: "authzed/actions/golangci-lint@main"
+
+  extra-lint:
+    name: "Lint YAML & Markdown"
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "actions/checkout@v3"
+      - uses: "authzed/actions/yaml-lint@main"
+      - uses: "authzed/actions/markdown-lint@main"
+
+  codeql:
+    name: "Analyze with CodeQL"
+    runs-on: "ubuntu-latest"
+    permissions:
+      actions: "read"
+      contents: "read"
+      security-events: "write"
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["go"]
+    steps:
+      - uses: "actions/checkout@v3"
+      - uses: "authzed/actions/codeql@main"

.github/workflows/release.yaml

@@ -1,30 +1,25 @@
+---
 name: "Release"
-on:
+on:  # yamllint disable-line rule:truthy
   push:
     tags:
-    - '*'
+      - "v*"
 jobs:
   docker:
     name: "Publish Container Image"
     runs-on: "ubuntu-latest"
     steps:
-    - uses: "actions/checkout@v2"
-    - uses: "docker/setup-qemu-action@v1"
-    - uses: "docker/setup-buildx-action@v1"
-      with:
-        driver-opts: "image=moby/buildkit:master"
-    - uses: "docker/login-action@v1"
-      with:
-        registry: "quay.io"
-        username: ${{ secrets.QUAYIO_USER }}
-        password: ${{ secrets.QUAYIO_PASSWORD }}
-    - uses: "battila7/get-version-action@v2"
-      id: "get_version"
-    - uses: "docker/build-push-action@v2"
-      with:
-        push: true
-        tags: |
-          quay.io/authzed/prom-authzed-proxy:latest
-          quay.io/authzed/prom-authzed-proxy:${{ steps.get_version.outputs.version }}
-          ghcr.io/authzed/prom-authzed-proxy:latest
-          ghcr.io/authzed/prom-authzed-proxy:${{ steps.get_version.outputs.version }}
+      - uses: "actions/checkout@v3"
+      - uses: "battila7/get-version-action@v2"
+        id: "get_version"
+      - uses: "authzed/actions/docker-login@main"
+      - uses: "authzed/actions/docker-build@main"
+        with:
+          push: "true"
+          tags: |
+            authzed/prom-authzed-proxy:latest
+            authzed/prom-authzed-proxy:${{ steps.get_version.outputs.version }}
+            ghcr.io/authzed/prom-authzed-proxy:latest
+            ghcr.io/authzed/prom-authzed-proxy:${{ steps.get_version.outputs.version }}
+            quay.io/authzed/prom-authzed-proxy:latest
+            quay.io/authzed/prom-authzed-proxy:${{ steps.get_version.outputs.version }}

.golangci.yaml

@@ -0,0 +1,41 @@
+---
+run:
+  timeout: "5m"
+output:
+  sort-results: true
+linters-settings:
+  goimports:
+    local-prefixes: "github.com/authzed/prom-authzed-proxy"
+linters:
+  enable:
+    - "bidichk"
+    - "bodyclose"
+    - "deadcode"
+    - "errcheck"
+    - "errname"
+    - "errorlint"
+    - "gofumpt"
+    - "goimports"
+    - "goprintffuncname"
+    - "gosec"
+    - "gosimple"
+    - "govet"
+    - "ifshort"
+    - "importas"
+    - "ineffassign"
+    - "makezero"
+    - "prealloc"
+    - "predeclared"
+    - "promlinter"
+    - "revive"
+    - "rowserrcheck"
+    - "staticcheck"
+    - "structcheck"
+    - "stylecheck"
+    - "tenv"
+    - "typecheck"
+    - "unconvert"
+    - "unused"
+    - "varcheck"
+    - "wastedassign"
+    - "whitespace"

.markdownlint.yaml

@@ -0,0 +1,3 @@
+---
+line-length: false
+no-hard-tabs: false

.yamllint

@@ -0,0 +1,10 @@
+# vim: ft=yaml
+---
+yaml-files:
+  - "*.yaml"
+  - "*.yml"
+  - ".yamllint"
+extends: "default"
+rules:
+  quoted-strings: "enable"
+  line-length: "disable"

CODE-OF-CONDUCT.md

@@ -1,3 +1,5 @@
+# Code of Conduct
+
 As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
 
 We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality.
@@ -19,4 +21,4 @@ This code of conduct applies both within project spaces and in public spaces whe
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an issue or contacting one or more of the project maintainers.
 
-This Code of Conduct is adapted from the Contributor Covenant, version 1.2.0, available at https://www.contributor-covenant.org/version/1/2/0/code-of-conduct.html
+This Code of Conduct is adapted from the Contributor Covenant, version 1.2.0, available [here](https://www.contributor-covenant.org/version/1/2/0/code-of-conduct.html)

CONTRIBUTING.md

@@ -56,7 +56,7 @@ In order to protect both you and ourselves, all commits will require an explicit
 
 Sign-off commits end with the following line:
 
-```
+```git
 Signed-off-by: Random J Developer <[email protected]>
 ```
 

Dockerfile

@@ -1,14 +1,17 @@
-FROM golang:1.17.7-alpine3.15 AS build
+FROM golang:1.18-alpine3.15 AS builder
 
-WORKDIR /go/src/prom-authzed-proxy
+RUN apk add --no-cache git mercurial subversion
+
+WORKDIR /go/src/app
 
 COPY ./go.mod ./go.sum ./
 RUN go mod download
 
-COPY ./ /go/src/prom-authzed-proxy
-RUN go build .
+COPY . .
+RUN go build ./cmd/...
 
-FROM alpine:3.15
-COPY --from=build /go/src/prom-authzed-proxy/prom-authzed-proxy /usr/local/bin/
+FROM alpine:3.15.0
 CMD ["prom-authzed-proxy"]
 ENTRYPOINT ["prom-authzed-proxy"]
+COPY --from=builder /go/src/app/prom-authzed-proxy /usr/local/bin
+RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf