From 1eb28cfda5b6f202d4abf00b653ea14db1439745 Mon Sep 17 00:00:00 2001
From: Marius Goetze
Date: Tue, 16 Apr 2024 12:07:12 +0200
Subject: [PATCH] add greenbone github workflows
---
.github/workflows/codeql.yml | 43 ++++++++++++++++++++
.github/workflows/conventional-commits.yml | 16 ++++++++
.github/workflows/dependency-review.yml | 12 ++++++
.github/workflows/go.yml | 7 ++--
.github/workflows/go_legacy.yml | 6 +--
.github/workflows/govulncheck.yml | 19 +++++++++
.github/workflows/linting.yml | 16 ++++++++
.github/workflows/release.yml | 47 +++++++++++-----------
8 files changed, 134 insertions(+), 32 deletions(-)
create mode 100644 .github/workflows/codeql.yml
create mode 100644 .github/workflows/conventional-commits.yml
create mode 100644 .github/workflows/dependency-review.yml
create mode 100644 .github/workflows/govulncheck.yml
create mode 100644 .github/workflows/linting.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..ad03e41d
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,43 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+ schedule:
+ - cron: '30 5 * * 0' # 5:30h on Sundays
+ workflow_dispatch:
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'go' ]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Setup Go
+ uses: actions/setup-go@v5
+ with:
+ go-version-file: './go.mod'
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ queries: security-and-quality
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
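Review bot: Every `uses:` in this hunk points at a mutable tag (`actions/checkout@v4`, `actions/setup-go@v5`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`), so the code that runs with this job's `security-events: write` token can change upstream without any commit to this repository. Pinning each action to a full commit SHA and keeping the tag in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`, makes the toolchain immutable while Dependabot can still bump the pin. The same applies to `greenbone/actions/...@v3` in the conventional-commits and dependency-review hunks, `golang/govulncheck-action@v1` in govulncheck.yml and `golangci/golangci-lint-action@v4` in linting.yml.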
diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
new file mode 100644
index 00000000..85a2b32c
--- /dev/null
+++ b/.github/workflows/conventional-commits.yml
@@ -0,0 +1,16 @@
+name: Conventional Commits
+
+on:
+ pull_request:
+
+permissions:
+ pull-requests: write
+ contents: read
+
+jobs:
+ conventional-commits:
+ name: Conventional Commits
+ runs-on: ubuntu-latest
+ steps:
+ - name: Report Conventional Commits
+ uses: greenbone/actions/conventional-commits@v3
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000..36afcc32
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,12 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Dependency Review'
+ uses: greenbone/actions/dependency-review@v3
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 95ee8c75..0451f18f 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -2,11 +2,10 @@ name: Go on: push: - paths: - - "**.go" + branches: + - main pull_request: - paths: - - "**.go" + workflow_dispatch: jobs: build:
diff --git a/.github/workflows/go_legacy.yml b/.github/workflows/go_legacy.yml
index a86368dc..cb97c37a 100644
--- a/.github/workflows/go_legacy.yml
+++ b/.github/workflows/go_legacy.yml
@@ -2,11 +2,9 @@ name: Go on: push: - paths: - - "**.go" + branches: + - main pull_request: - paths: - - "**.go" jobs: build:
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
new file mode 100644
index 00000000..a8f5eac7
--- /dev/null
+++ b/.github/workflows/govulncheck.yml
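Review bot: The `pull-requests: write` grant in the conventional-commits workflow is only honoured for pull requests from branches of this repository; on a `pull_request` event from a fork GitHub issues a read-only `GITHUB_TOKEN` regardless of the `permissions:` block, so whatever `greenbone/actions/conventional-commits@v3` tries to write to the PR will presumably fail there. If fork contributions are expected this is worth stating next to the grant, e.g. `# write access only applies to same-repo PRs; fork PRs get a read-only token`, so a failing check on a fork PR is not mistaken for a broken workflow.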
@@ -0,0 +1,19 @@
+name: govulncheck
+
+# check for vulnerabilities using `govulncheck`, compared to dependabot it only alerts if the affected code is actually called
+
+on:
+ pull_request: # make sure there is no vulnerability added with a new feature
+ schedule: # check if used code of existing dependencies is vulnerable
+ - cron: '37 4 * * *' # daily 4:37h
+ workflow_dispatch: # on demand
+
+jobs:
+ govulncheck:
+ runs-on: ubuntu-latest
+ name: Run govulncheck
+ steps:
+ - id: govulncheck
+ uses: golang/govulncheck-action@v1
+ with:
+ go-version-file: ./go.mod
\ No newline at end of file
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
new file mode 100644
index 00000000..05a5f9c5
--- /dev/null
+++ b/.github/workflows/linting.yml
@@ -0,0 +1,16 @@
+name: Lint
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+jobs:
+ lint:
+ name: lint
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: ./.github/actions/go-setup
+ - uses: golangci/golangci-lint-action@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 739f45c1..2e4d2d33 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
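Review bot: The govulncheck workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` permissions although it only needs to read the checkout; the codeql, conventional-commits and dependency-review hunks in this commit set explicit permissions, and the linting hunk has the same gap. Adding `permissions:` / `  contents: read` at workflow level in both files keeps the token at least privilege and makes the five new workflows consistent. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` rule flags.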
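Review bot: The step `uses: ./.github/actions/go-setup` in linting.yml references a local composite action that this commit does not add (the diffstat lists only the eight workflow files), so unless `.github/actions/go-setup` already exists on `main` the lint job fails at that step before golangci-lint runs; please confirm it is present or add it in the same change. Also `golangci/golangci-lint-action@v4` is used without a `version:` input, so the linter version and therefore its rule set float with the action's default; pinning it with `with:` / `  version: <golangci-lint-version>` keeps lint results reproducible between runs.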
@@ -1,28 +1,27 @@ -name: Publish Go binaries to github release +name: Release +# with pontos on: - release: - types: [created] + pull_request: + types: [closed] + workflow_dispatch: + inputs: + release-type: + type: choice + description: What kind of release do you want to do (pontos --release-type argument)? + options: + - patch + - minor + - major + release-version: + type: string + description: Set an explicit version, that will overwrite release-type. Fails if version is not compliant. jobs: - releases-matrix: - name: Release Go binaries - runs-on: ubuntu-20.04 - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Set up Go - uses: actions/setup-go@v3 - with: - go-version: '^1.21.0' - - - name: Build - run: make dist - - - name: Upload release assets - uses: softprops/action-gh-release@v1 - with: - files: | - dist/csaf_distribution-*.zip - dist/csaf_distribution-*.tar.gz + release: + name: csaf_distribution + uses: greenbone/workflows/.github/workflows/release-3rd-gen.yml@main + with: + release-type: ${{ inputs.release-type }} + release-version: ${{ inputs.release-version }} + secrets: inherit
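Review bot: The reusable workflow is referenced as `greenbone/workflows/.github/workflows/release-3rd-gen.yml@main` together with `secrets: inherit`, so every secret of this repository is handed to whatever that branch contains at run time; a tag or full commit SHA reference (e.g. `@<commit-sha> # vX`) would fix the code that receives them. The `pull_request: types: [closed]` trigger also fires for pull requests that were closed without merging and for any base branch, and on that event `inputs.release-type` and `inputs.release-version` are empty; if release-3rd-gen.yml does not filter on the merged state itself, a job-level guard such as `if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true` is needed. The replaced workflow built and attached `dist/csaf_distribution-*.zip` and `.tar.gz` to the release; whether the reusable workflow still publishes those binaries is not visible here and should be confirmed. The bare `# with pontos` comment would read better as `# release is delegated to the pontos-based reusable workflow in greenbone/workflows`.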