From 9ab0afd30556d2e038e4ef6d6d92305225cb0026 Mon Sep 17 00:00:00 2001
From: Ryan Parman
Date: Mon, 11 Nov 2024 12:46:42 -0700
Subject: [PATCH] test: Add some automated workflows.
---
 .github/workflows/codeql-analysis.yml | 42 ----------
 .github/workflows/dependabot-auto-merge.yml | 36 +++++++++
 .github/workflows/dependency-review.yml | 27 -------
 .github/workflows/go-dep-submission.yml | 52 +++++++++++++
 .github/workflows/golangci-lint.yml | 57 ++++++++++++++
 .github/workflows/gosec.yml.bak | 45 +++++++++++
 .github/workflows/govulncheck.yml | 50 ++++++++++++
 .github/workflows/osv-scanner.yml | 42 ++++++++++
 .github/workflows/pr-dep-review.yml | 42 ++++++++++
 .../{scorecards.yml => scorecard.yml} | 50 ++++++++----
 .github/workflows/trufflehog.yml | 50 ++++++++++++
 .github/workflows/update-on-push.yml | 78 +++++++++++++++++++
 12 files changed, 487 insertions(+), 84 deletions(-)
 delete mode 100644 .github/workflows/codeql-analysis.yml
 create mode 100644 .github/workflows/dependabot-auto-merge.yml
 delete mode 100644 .github/workflows/dependency-review.yml
 create mode 100644 .github/workflows/go-dep-submission.yml
 create mode 100644 .github/workflows/golangci-lint.yml
 create mode 100644 .github/workflows/gosec.yml.bak
 create mode 100644 .github/workflows/govulncheck.yml
 create mode 100644 .github/workflows/osv-scanner.yml
 create mode 100644 .github/workflows/pr-dep-review.yml
 rename .github/workflows/{scorecards.yml => scorecard.yml} (64%)
 create mode 100644 .github/workflows/trufflehog.yml
 create mode 100644 .github/workflows/update-on-push.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index 65c66c5..0000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,42 +0,0 @@ -name: "CodeQL" - -on: - push: - branches: [ main ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ main ] - schedule: - - cron: '15 18 * * 0' - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'go' ] - - steps: - - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml new file mode 100644 index 0000000..e278e1e --- /dev/null +++ b/.github/workflows/dependabot-auto-merge.yml 
@@ -0,0 +1,36 @@
+---
+name: Auto-merge Dependabot Pull Requests
+on: pull_request_target
+
+permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+ repository-projects: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-latest
+ if: ${{ github.actor == 'dependabot[bot]' }}
+ steps:
+ - name: Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2.2.0
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Auto-merge Dependabot PRs for semver-minor updates
+ if: ${{steps.metadata.outputs.update-type == 'version-update:semver-minor'}}
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ run: |
+ gh pr merge --auto --squash "${PR_URL}"
+
+ - name: Auto-merge Dependabot PRs for semver-patch updates
+ if: ${{steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ run: |
+ gh pr merge --auto --squash "${PR_URL}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
deleted file mode 100644
index 5c03af2..0000000
--- a/.github/workflows/dependency-review.yml
+++ /dev/null
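Review bot: The job runs on `pull_request_target` with `contents: write` and gates only on `github.actor`, which is whoever triggered this particular event rather than the PR's author; the author-specific guard is `if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}`, which can be combined with the actor check. `dependabot/fetch-metadata@v2.2.0` is the only action in this commit pinned to a mutable tag rather than a commit SHA — `uses: dependabot/fetch-metadata@<sha-of-v2.2.0> # v2.2.0` keeps it consistent with the rest. `issues: write` and `repository-projects: write` are not needed for `gh pr merge --auto`; `contents: write` plus `pull-requests: write` suffice, and the narrower grant is what the top-level block should carry. Note also that `gh pr merge --auto` only waits for checks that branch protection marks as required, so the `pr-dep-review.yml` workflow added in this commit does not gate auto-merge unless it is made a required check. The two merge steps are identical apart from their condition and could be one step with `if: ${{ contains(fromJSON('["version-update:semver-minor","version-update:semver-patch"]'), steps.metadata.outputs.update-type) }}`.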
@@ -1,27 +0,0 @@ -# Dependency Review Action -# -# This Action will scan dependency manifest files that change as part of a Pull Request, -# surfacing known-vulnerable versions of the packages declared or updated in the PR. -# Once installed, if the workflow run is marked as required, -# PRs introducing known-vulnerable packages will be blocked from merging. -# -# Source repository: https://github.com/actions/dependency-review-action -name: 'Dependency Review' -on: [pull_request] - -permissions: - contents: read - -jobs: - dependency-review: - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 - with: - egress-policy: audit - - - name: 'Checkout Repository' - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - name: 'Dependency Review' - uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 diff --git a/.github/workflows/go-dep-submission.yml b/.github/workflows/go-dep-submission.yml new file mode 100644 index 0000000..d25e9fb --- /dev/null +++ b/.github/workflows/go-dep-submission.yml 
@@ -0,0 +1,52 @@
+---
+name: Go Dependency Submission
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ go-action-detection:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ api.deps.dev:443
+ github.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
+ storage.googleapis.com:443
+ sum.golang.org:443
+
+ - name: Checkout Source
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+
+ - name: Install Go
+ uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+ with:
+ go-version: ">= 1.22.1"
+ cache: true
+
+ - name: Run snapshot action
+ uses: actions/go-dependency-submission@a9f822c0eac4dba3cc95b971659dfbf3036d4bfb # v2.0.1
+ with:
+ # Required: Define the repo path to the go.mod file used by the
+ # build target
+ go-mod-path: go.mod
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
new file mode 100644
index 0000000..088d463
--- /dev/null
+++ b/.github/workflows/golangci-lint.yml
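Review bot: The `Checkout Source` step sits in a job that holds `contents: write` and leaves `persist-credentials` at its default of true, so the write-capable token stays in the clone's git config for every later step, whereas `scorecard.yml` in this same commit sets `persist-credentials: false`; as far as I can tell the submission action authenticates through its own token input rather than the stored git credentials, so `persist-credentials: false` belongs here too. `fetch-depth: 0` fetches the full history, which a go.mod snapshot does not appear to need — presumably carried over from the lint workflow, where `only-new-issues` does need it. The top-level `permissions: contents: read` is immediately raised to `contents: write` at job level, which is fine but deserves a one-line comment such as `# contents: write lets go-dependency-submission write the dependency snapshot`.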
@@ -0,0 +1,57 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Golangci-lint
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ golangci_job:
+ runs-on: ubuntu-latest
+ name: Scan for issues
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
+ storage.googleapis.com:443
+ sum.golang.org:443
+
+ - name: Checkout Source
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+
+ - name: Install Go
+ uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+ with:
+ go-version: ">= 1.22.1"
+ cache: true
+
+ - name: golangci-lint
+ uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v3.7.1
+ with:
+ version: latest
+ only-new-issues: true
+ install-mode: goinstall
diff --git a/.github/workflows/gosec.yml.bak b/.github/workflows/gosec.yml.bak
new file mode 100644
index 0000000..8a26114
--- /dev/null
+++ b/.github/workflows/gosec.yml.bak
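Review bot: `version: latest` together with `install-mode: goinstall` builds whichever golangci-lint release is current at run time, which undoes the commit-SHA pinning applied to every `uses:` line in this commit and lets lint results change between runs with no change to the repository; pin it, e.g. `version: v<pinned-release>`, and let Dependabot or a manual bump move it. A short comment next to `install-mode: goinstall` explaining why the action is asked to build the linter from source rather than download a release binary would help, since that choice also determines which egress hosts the allowlist above must contain. `fetch-depth: 0` is justified here because `only-new-issues: true` needs the base to diff against; saying so inline (`# full history needed for only-new-issues`) stops the next reader from "optimising" it away.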
@@ -0,0 +1,45 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Gosec
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ gosec_job:
+ runs-on: ubuntu-latest
+ name: Scan for vulns
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
+ - name: Checkout Source
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Mark git clone as safe
+ run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
+
+ - name: Run Gosec Security Scanner
+ uses: securego/gosec@55d79496019a560e16e73e1948dee20a1fad631a # v2.18.2
+ with:
+ # args: -fmt sarif -out results.sarif ./...
+ args: ./...
+
+ # - name: Upload SARIF file
+ # uses: github/codeql-action/upload-sarif@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
+ # with:
+ # # Path to SARIF file relative to the root of the repository
+ # sarif_file: results.sarif
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
new file mode 100644
index 0000000..eb80d2a
--- /dev/null
+++ b/.github/workflows/govulncheck.yml
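Review bot: This file is named `gosec.yml.bak`, so GitHub Actions never loads it, and the same commit deletes `codeql-analysis.yml`, which leaves the repository with no active static-analysis workflow at all; either rename it to `gosec.yml` or drop it, because a disabled copy in the workflows directory only rots. If it is kept and enabled, its pins already lag the rest of this commit (`harden-runner` v2.7.0 versus v2.10.1, `actions/checkout` v4.1.1 versus v4.2.2) and it is the only job left on `egress-policy: audit` rather than `block`. The `Mark git clone as safe` step with `git config --global --add safe.directory` suggests gosec runs as a container action under a different uid; a comment saying so would save the next reader a guess. The commented-out SARIF upload needs `security-events: write`, which `permissions: read-all` does not grant, so re-enabling it requires a job-level permissions block as well.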
@@ -0,0 +1,50 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Govulncheck
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions: read-all
+
+jobs:
+ govulncheck_job:
+ runs-on: ubuntu-latest
+ name: Scan for vulns
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
+ sum.golang.org:443
+ vuln.go.dev:443
+
+ - name: Install Go
+ uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+ with:
+ go-version: ">= 1.22.1"
+ cache: true
+
+ - id: govulncheck
+ uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
+ with:
+ go-version-input: ">= 1.21"
+ check-latest: true
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
new file mode 100644
index 0000000..9f094cd
--- /dev/null
+++ b/.github/workflows/osv-scanner.yml
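Review bot: The two Go version constraints disagree — `Install Go` requests `go-version: ">= 1.22.1"` while the govulncheck step passes `go-version-input: ">= 1.21"` — and govulncheck-action runs its own Go setup from that input (and, as I recall its defaults, its own checkout), so the separate `Install Go` step looks redundant; keep one constraint, and if the explicit setup stays, say why. There is no checkout step in this job, so it only works because the action checks the repository out itself; that deserves a comment such as `# govulncheck-action checks out the repo and installs Go itself; no separate checkout step is needed` so nobody "fixes" it by adding one. `cache: true` on setup-go runs before any checkout, so no `go.sum` exists for the cache key at that point, which setup-go may warn about or fail on — one more reason to drop the step. The egress allowlist omits `storage.googleapis.com:443`, which the other Go workflows in this commit allow; if any download here goes there, `egress-policy: block` fails the job, and a first run under `audit` would settle the list.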
@@ -0,0 +1,42 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: OSV Scanner
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions: read-all
+
+jobs:
+ osv_scanner_job:
+ runs-on: ubuntu-latest
+ name: Scan for vulns
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-sudo: false
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ osv-vulnerabilities.storage.googleapis.com:443
+
+ - name: Checkout Source
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Check dependencies for security vulnerabilities
+ uses: g-rath/check-with-osv-detector@0e8c0f954d8618a3a4671eca1918b30b2d085af3 # main
diff --git a/.github/workflows/pr-dep-review.yml b/.github/workflows/pr-dep-review.yml
new file mode 100644
index 0000000..3175d11
--- /dev/null
+++ b/.github/workflows/pr-dep-review.yml
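Review bot: `disable-sudo: false` is the odd one out — every other new workflow in this commit sets it to `true` — and nothing visible in the job needs root; unless the osv-detector action requires it, flip it to `true`, or add a comment saying why it is left on. The scanner step is pinned to a commit whose comment reads `# main`, i.e. a branch head rather than a tagged release; that is reproducible, but it gives Dependabot no release to track and a reader no version to compare against, so prefer a tagged release with the tag in the comment when the action has one. The workflow is named `OSV Scanner` but runs `check-with-osv-detector`, a different tool from Google's osv-scanner; naming it `OSV Detector` avoids confusion when reading check results.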
@@ -0,0 +1,42 @@
+---
+name: PR Dependency Review
+on: [pull_request]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ name: Scan for issues
+ permissions:
+ pull-requests: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ api.securityscorecards.dev:443
+ github.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
+ sum.golang.org:443
+
+ - name: Checkout Repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Dependency Review
+ uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0
+ with:
+ fail-on-severity: low
+ license-check: true
+ vulnerability-check: true
+ comment-summary-in-pr: on-failure
+ allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, MPL-2.0, MIT
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecard.yml
similarity index 64%
rename from .github/workflows/scorecards.yml
rename to .github/workflows/scorecard.yml
index 287b1e5..543b0b3 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,8 +1,9 @@ +--- # This workflow uses actions that are not certified by GitHub. They are provided # by a third-party and are governed by separate terms of service, privacy # policy, and support documentation. -name: Scorecard supply-chain security +name: Supply-Chain Security on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
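Review bot: The job's display name `Scan for issues` is the same string `golangci_job` uses in `golangci-lint.yml`, and `gosec.yml.bak`, `govulncheck.yml` and `osv-scanner.yml` all use `Scan for vulns`; required status checks and the Checks tab are keyed by job name, so duplicates make branch-protection rules ambiguous and check output hard to attribute. Give each job a distinct name, e.g. `name: Dependency review` here and `name: golangci-lint` / `name: govulncheck` / `name: osv-detector` in the others. The egress allowlist includes `proxy.golang.org:443` and `sum.golang.org:443`, but dependency-review-action works from the repository's dependency graph rather than resolving modules itself — presumably copied from the Go workflows; trimming them keeps the allowlist meaningful, and a comment naming why `api.securityscorecards.dev:443` is needed (the action's scorecard lookup, as far as I can tell) would help the next person who has to extend it. The deleted `dependency-review.yml` carried a header comment explaining what the check does and that it blocks merges only when marked required; that explanation is worth carrying over, since it is also the answer to why `fail-on-severity: low` does not stop Dependabot auto-merge on its own.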
@@ -10,44 +11,63 @@ on: # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - - cron: '20 7 * * 2' + - cron: 40 8 * * 5 push: - branches: ["main"] + branches: [main] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true # Declare default permissions as read only. permissions: read-all jobs: analysis: - name: Scorecard analysis + name: Perform analysis runs-on: ubuntu-latest permissions: # Needed to upload the results to code-scanning dashboard. security-events: write # Needed to publish results and get a badge (see publish_results below). id-token: write - contents: read - actions: read + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read steps: - name: Harden Runner uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + api.securityscorecards.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + objects.githubusercontent.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - - name: "Checkout code" - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - name: Checkout code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - - name: "Run analysis" + - name: Run analysis uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 with: results_file: results.sarif results_format: sarif # (Optional) "write" PAT token. 
Uncomment the `repo_token` line below if: # - you want to enable the Branch-Protection check on a *public* repository, or - # - you are installing Scorecards on a *private* repository + # - you are installing Scorecard on a *private* repository # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. # repo_token: ${{ secrets.SCORECARD_TOKEN }}
@@ -62,15 +82,15 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - - name: "Upload artifact" - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + - name: Upload artifact + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: SARIF file path: results.sarif retention-days: 5 # Upload the results to GitHub's code scanning dashboard. - - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@231aa2c8a89117b126725a0e11897209b7118144 # v1.1.39 + - name: Upload to code-scanning + uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 with: sarif_file: results.sarif
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
new file mode 100644
index 0000000..18fd6d6
--- /dev/null
+++ b/.github/workflows/trufflehog.yml
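Review bot: `- cron: 40 8 * * 5` drops the quotes the replaced line had; it still parses as a string because it begins with a digit, but a schedule that starts with `*` would be read as a YAML alias, so keeping cron expressions quoted (`- cron: '40 8 * * 5'`) is the safer habit and matches the quoting used for `go-version` elsewhere in this commit. The new twelve-host egress allowlist gives no hint of which Scorecard check needs which host; a one-line comment per group (for example `# sigstore hosts: presumably used when publish_results signs the upload`) would let the next person prune it deliberately instead of widening it on the first failure. The hunk's `jobs:` block continues past the end of the hunk, so the `publish_results` setting the permissions comment refers to is not visible here.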
@@ -0,0 +1,50 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: TruffleHog
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ trufflehog_job:
+ runs-on: ubuntu-latest
+ name: Scan for secrets
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.cloudflare.com:443
+ ghcr.io:443
+ github.com:443
+ gitlab.com:443
+ pkg-containers.githubusercontent.com:443
+
+ - name: Checkout Source
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+
+ - name: Check secrets with TruffleHog OSS
+ uses: trufflesecurity/trufflehog@b715613cb3156d6169b47b3592e35057bd0031bd # v3.83.6
+ with:
+ path: ./
+ head: HEAD
+ extra_args: --only-verified
diff --git a/.github/workflows/update-on-push.yml b/.github/workflows/update-on-push.yml
new file mode 100644
index 0000000..a89e0b3
--- /dev/null
+++ b/.github/workflows/update-on-push.yml
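Review bot: `extra_args: --only-verified` asks TruffleHog to report only credentials it could confirm live by calling the issuing provider, yet the same job runs under `egress-policy: block` with an allowlist of five hosts (`api.cloudflare.com`, `ghcr.io`, `github.com`, `gitlab.com`, `pkg-containers.githubusercontent.com`), so any candidate for a provider outside that list cannot be verified and is dropped from the results; in practice the scan only reports GitHub, GitLab and Cloudflare tokens while appearing to be a full secret scan. Either run this job under `egress-policy: audit`, or drop `--only-verified` (the pinned v3.83.6 should accept `--results=verified,unknown` to keep findings whose verification could not complete) — and whichever is chosen, put the trade-off in a comment next to `extra_args`. With only `head: HEAD` and no `base`, the action falls back to its default base; on the `push` to `main` trigger that base and head may coincide, so confirm from a run log that the push-triggered scan actually covers the new commits.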
@@ -0,0 +1,78 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Auto-update on push
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ update_on_push_job:
+ runs-on: ubuntu-latest
+ name: Auto-update on push
+ permissions:
+ contents: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ registry.npmjs.org:443
+
+ - name: Install Node.js
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+ with:
+ node-version: "20"
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Checkout Source
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+
+ - name: Generate Changelog
+ uses: orhun/git-cliff-action@d3e272c587198684dcdd13f328b4a84d396c8a70 # v4.3.1
+ with:
+ config: cliff.toml
+ args: --verbose
+ env:
+ OUTPUT: CHANGELOG.md
+
+ - name: Remove git-cliff artifacts
+ run: |
+ rm -Rf git-cliff*
+
+ - name: Generate artifacts
+ run: |
+ # Generate list of authors
+ ./scripts/generate-contributors.sh
+
+ - name: Git commit if changed
+ run: |
+ git config user.name "Northwood Labs (Bot)"
+ git config user.email "bot@northwood-labs.com"
+
+ set +e
+
+ git add .
+ git status | grep modified
+ if [ $? -eq 0 ]; then
+ git commit -a -m "automation: Updated AUTHORS and CHANGELOG on $(date)."
+ git push https://${{ secrets.GITHUB_TOKEN }}@github.com/${GITHUB_REPOSITORY}.git main
+ fi
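Review bot: The push line interpolates `${{ secrets.GITHUB_TOKEN }}` straight into the shell command and remote URL, so the token sits in the process argument list and in any git error text; `actions/checkout` above already persisted that token into the clone's git config (`persist-credentials` defaults to true), so `git push origin HEAD:main` works with the job's `contents: write` and keeps the secret off the command line. The change detection is fragile as well: `set +e` followed by `git status | grep modified` and a `$?` test scrapes porcelain output and matches any line containing that word, whereas `git diff --cached --quiet` answers exactly after `git add`. This job commits straight to `main`, bypassing the pull-request checks this same commit adds (`pr-dep-review.yml`, `golangci-lint.yml`); that is presumably intended for generated files but deserves a comment, along with a note that pushes made with `GITHUB_TOKEN` do not retrigger `on: push` workflows, which is what prevents a loop. `cliff.toml` and `./scripts/generate-contributors.sh` are referenced but not part of this commit — confirm both exist on `main`. The step below keeps the bot identity and commit message unchanged.

```yaml
      # … unchanged: earlier steps (Harden Runner … Generate artifacts) …

      - name: Git commit if changed
        run: |
          git config user.name "Northwood Labs (Bot)"
          git config user.email "bot@northwood-labs.com"

          git add .
          # `git diff --cached --quiet` exits non-zero only when something is staged.
          if ! git diff --cached --quiet; then
            git commit -m "automation: Updated AUTHORS and CHANGELOG on $(date)."
            # Pushes with the token actions/checkout persisted; no secret on the command line.
            git push origin HEAD:main
          fi
```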