github actions: update
Enable all gosec checks and silence them in code.
maruel committed Jun 20, 2022
1 parent 6c10767 commit 86eb5ae
Showing 3 changed files with 193 additions and 104 deletions.
279 changes: 175 additions & 104 deletions .github/workflows/test.yml
Expand Up @@ -3,18 +3,24 @@
# that can be found in the LICENSE file.

# References:
# https://developer.github.com/webhooks/event-payloads/
# https://github.com/actions/cache
# https://github.com/actions/checkout
# https://github.com/actions/setup-go
# https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#using-the-github_token-in-a-workflow
# https://help.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions/
# https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions
# https://docs.github.com/en/rest/commits/comments#create-a-commit-comment
# https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request
# https://docs.github.com/en/actions/learn-github-actions/contexts

on: [push, pull_request]
name: Run tests
jobs:
test_all:
# Runs go test both with code coverage sent to codecov, race detector and
# benchmarks. At the end do a quick check to ensure the tests to not leave
# files in the tree.
test:
name: "test: go${{matrix.gover}}.x/${{matrix.os}}"
runs-on: "${{matrix.os}}"
continue-on-error: true
defaults:
run:
Expand All @@ -24,18 +30,89 @@ jobs:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
# Do not forget to bump every 6 months!
gover: ["1.17"]
runs-on: "${{matrix.os}}"
name: "go${{matrix.gover}}.x on ${{matrix.os}}"
gover: ["1.18"]
env:
PYTHONDONTWRITEBYTECODE: x
steps:
- uses: actions/setup-go@v2
- name: Turn off git core.autocrlf
if: matrix.os == 'windows-latest'
run: git config --global core.autocrlf false
- uses: actions/checkout@v3
with:
go-version: "^${{matrix.gover}}.0"
fetch-depth: 2
- uses: actions/setup-go@v3
with:
go-version: "~${{matrix.gover}}.0"
cache: true
- name: 'go install necessary tools'
if: always()
run: |
go install github.com/maruel/pat/cmd/ba@latest
- name: 'Check: go test -cover'
if: always()
run: go test -timeout=120s -covermode=count -coverprofile coverage.txt -bench=. -benchtime=1x ./...
# Don't send code coverage if anything failed to reduce spam.
- uses: codecov/codecov-action@v2
- name: 'Cleanup'
if: always()
run: rm coverage.txt
- name: 'Check: go test -race'
run: go test -timeout=120s -race -bench=. -benchtime=1x ./...
- name: 'Check: benchmark 📈'
run: ba -against HEAD~1
- name: 'Check: go test -short (CGO_ENABLED=0)'
env:
CGO_ENABLED: 0
run: go test -timeout=120s -short -bench=. -benchtime=1x ./...
- name: 'Check: go test -short (32 bits)'
if: matrix.os != 'macos-latest'
env:
GOARCH: 386
run: go test -timeout=120s -short -bench=. -benchtime=1x ./...
- name: "Check: tree is clean"
if: always()
run: |
# Nothing should have changed in the tree up to that point and no
# unsuspected file was created.
TOUCHED=$(git status --porcelain --ignored)
if ! test -z "$TOUCHED"; then
echo "Oops, something touched these files, please cleanup:"
echo "$TOUCHED"
git diff
false
fi
# Checkout and print debugging information.
# Run linters. This workflow can be merged with the test_all one if desired
# to cut on runtime, at the cost of latency. I dislike waiting for results
# so I prefer to run them in parallel.
lint:
name: "lint: go${{matrix.gover}}.x/${{matrix.os}}"
runs-on: "${{matrix.os}}"
continue-on-error: true
defaults:
run:
shell: bash
strategy:
fail-fast: false
matrix:
# You may want to run only on linux to save on cost. Projects with
# OS-specific code benefits from explicitly linting on macOS and
# Windows.
os: [ubuntu-latest, macos-latest, windows-latest]
# Do not forget to bump every 6 months!
gover: ["1.18"]
env:
PYTHONDONTWRITEBYTECODE: x
steps:
- name: Turn off git core.autocrlf
if: matrix.os == 'windows-latest'
run: git config --global core.autocrlf false
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: "~${{matrix.gover}}.0"
cache: true
- name: "Debug"
run: |
echo HOME = $HOME
Expand All @@ -44,54 +121,38 @@ jobs:
echo ""
echo $ ls -l $HOME/go/bin
ls -la $HOME/go/bin
- name: 'Cache: ~/go'
uses: actions/cache@v2
with:
path: ~/go
key: "${{runner.os}}-gopkg-${{hashFiles('go.sum', '.github/workflows/*.yml')}}"

# Fetch the tools before checking out, so they don't modify go.mod/go.sum.
- name: 'go get necessary tools'
run: >
cd ..;
go get -u -v
github.com/gordonklaus/ineffassign
github.com/securego/gosec/cmd/gosec
golang.org/x/lint/golint
golang.org/x/tools/go/analysis/passes/shadow/cmd/shadow
honnef.co/go/tools/cmd/staticcheck
- name: 'go get necessary tools (ubuntu)'
- name: 'go install necessary tools'
if: always()
run: |
go install github.com/gordonklaus/ineffassign@latest
go install github.com/securego/gosec/v2/cmd/gosec@latest
go install golang.org/x/tools/go/analysis/passes/shadow/cmd/shadow@latest
go install honnef.co/go/tools/cmd/staticcheck@latest
- name: 'go install necessary tools (ubuntu)'
if: always() && matrix.os == 'ubuntu-latest'
run: >
cd ..;
go get -u -v
github.com/client9/misspell/cmd/misspell
github.com/google/addlicense
# Now run proper checks.
run: |
go install github.com/client9/misspell/cmd/misspell@latest
go install github.com/google/addlicense@latest
- name: 'Check: go vet'
if: always()
run: go vet -unsafeptr=false ./...
- name: 'Check: go vet shadow; shadowed variables'
if: always()
run: |
SHADOW_TOOL="$(which shadow)"
if [ -f "${SHADOW_TOOL}.exe" ]; then
SHADOW_TOOL="${SHADOW_TOOL}.exe"
fi
go vet -vettool=$SHADOW_TOOL ./...
- name: 'Check: golint'
if: always()
run: golint -set_exit_status ./...
- name: 'Check: inefficient variable assignment'
if: always()
run: ineffassign ./...
- name: 'Check: staticcheck'
if: always()
run: staticcheck ./...
- name: 'Check: gosec (only G104)'
run: gosec -include=G104 -fmt=golint -quiet ./...

- name: 'Check: gosec'
if: always()
run: gosec -fmt=golint -quiet ./...
# The following checks are not dependent on the OS or go build tags. Only
# run them on ubuntu-latest since it's the fastest one.
- name: 'Check: no executable was committed (ubuntu)'
Expand All @@ -101,6 +162,9 @@ jobs:
echo 'Do not commit executables beside shell scripts'
false
fi
- name: 'Check: addlicense; all sources have a license header (ubuntu)'
if: always() && matrix.os == 'ubuntu-latest'
run: addlicense -check .
- name: 'Check: gofmt; code is well formatted (ubuntu)'
if: always() && matrix.os == 'ubuntu-latest'
run: |
Expand All @@ -112,71 +176,54 @@ jobs:
echo "- ${FILE}" >> _gofmt.txt
done
cat _gofmt.txt
echo "## ⚠ gofmt Failed" >> _comments.txt
echo "" >> _comments.txt
cat _gofmt.txt >> _comments.txt
echo "" >> _comments.txt
echo "## ⚠ gofmt Failed" >> ../_comments.txt
echo "" >> ../_comments.txt
cat _gofmt.txt >> ../_comments.txt
echo "" >> ../_comments.txt
false
fi
- name: 'Check: addlicense; all sources have a license header (ubuntu)'
if: always() && matrix.os == 'ubuntu-latest'
run: addlicense -check .
- name: "Check: misspelling; code doesn't contain misspelling (ubuntu)"
if: always() && matrix.os == 'ubuntu-latest'
run: |
ERR=$(misspell .)
if ! test -z "$ERR"; then
echo "$ERR"
echo "## ⚠ misspell Failed" >> _comments.txt
echo "" >> _comments.txt
echo "$ERR" >> _comments.txt
echo "" >> _comments.txt
echo "## ⚠ misspell Failed" >> ../_comments.txt
echo "" >> ../_comments.txt
echo "$ERR" >> ../_comments.txt
echo "" >> ../_comments.txt
false
fi
# Run tests last since it's potentially the slowest step.
- name: 'Check: go test -cover'
run: go test -timeout=40s -covermode=count -coverprofile coverage.txt ./...
# Don't send code coverage if anything failed to reduce spam.
- uses: codecov/codecov-action@v2
- name: 'Cleanup'
run: rm coverage.txt
# Don't run go test -race if anything failed, to speed up the results.
- name: 'Check: go test -race'
run: go test -timeout=60s -race ./...
- name: 'Check: go test -bench .'
run: go test -timeout=40s -bench . -benchtime=100ms -cpu=1 ./...
- name: 'Check: CGO_ENABLED=0 go test -short'
run: CGO_ENABLED=0 go test -timeout=40s -short ./...

- name: "Check: tree is clean"
- name: 'Send comments'
if: failure()
run: |
# Nothing should have changed in the tree up to that point and no
# unsuspected file was created.
TOUCHED=$(git status --porcelain --ignored)
if ! test -z "$TOUCHED"; then
echo "Oops, something touched these files, please cleanup:"
echo "$TOUCHED"
git diff
false
if [ -f ../_comments.txt ]; then
URL="${{github.event.issue.pull_request.url}}"
if test -z "$URL"; then
URL="${{github.api_url}}/repos/${{github.repository}}/commits/${{github.sha}}/comments"
fi
echo "Sending $(cat ../_comments.txt|wc -l) lines of comments to ${URL}"
curl -sS --request POST \
--header "Authorization: Bearer ${{secrets.GITHUB_TOKEN}}" \
--header "Content-Type: application/json" \
--data "$(cat ../_comments.txt | jq -R --slurp '{body: .}')" \
"${URL}" > /dev/null
rm ../_comments.txt
fi
- name: "Check: go generate doesn't modify files"
if: always()
run: |
go generate ./...
# TODO(maruel): Due to https://github.com/golang/go/issues/40276, ignore
# go.mod/go.sum modifications. Remove once a new Go toolchain fixes
# this.
git checkout HEAD -- go.mod go.sum
# Also test for untracked files.
# Also test for untracked files. go generate should not generate ignored
# files either.
TOUCHED=$(git status --porcelain --ignored)
if ! test -z "$TOUCHED"; then
echo "go generate created these files, please fix:"
echo "$TOUCHED"
false
fi
- name: "Check: go mod tidy doesn't modify files"
if: always()
run: |
go mod tidy
TOUCHED=$(git status --porcelain --ignored)
Expand Down Expand Up @@ -216,32 +263,56 @@ jobs:
go test -short ./...
- name: 'Send comments'
if: failure() && github.event_name == 'pull_request'
run: |
if [ -f _comments.txt ]; then
URL=$(cat ${GITHUB_EVENT_PATH} | jq -r .pull_request.comments_url)
echo "Sending $(cat _comments.txt|wc -l) lines of comments to ${URL}"
PAYLOAD=$(echo '{}' | jq --arg body "$(cat _comments.txt)" '.body = $body')
curl -sS --request POST \
--header "Authorization: Bearer ${{secrets.GITHUB_TOKEN}}" \
--header "Content-Type: application/json" \
--data "${PAYLOAD}" "${URL}" > /dev/null
fi
test_short:
# Ensure tests pass on oldest supported Go version.
old:
name: "test: go${{matrix.gover}}/${{matrix.os}}"
runs-on: "${{matrix.os}}"
continue-on-error: true
defaults:
run:
shell: bash
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest]
gover: ['1.13.15']
runs-on: "${{matrix.os}}"
name: "go${{matrix.gover}} on ${{matrix.os}} (quick)"
env:
PYTHONDONTWRITEBYTECODE: x
steps:
- uses: actions/setup-go@v2
- name: Turn off git core.autocrlf
if: matrix.os == 'windows-latest'
run: git config --global core.autocrlf false
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: "${{matrix.gover}}"
- uses: actions/checkout@v2
go-version: "=${{matrix.gover}}"
- name: 'Check: go test'
run: go test -timeout=40s ./...
run: go test -timeout=120s -bench=. -benchtime=1x ./...


codeql:
name: "codeql: go${{matrix.gover}}.x/${{matrix.os}}"
runs-on: "${{matrix.os}}"
continue-on-error: true
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest]
# Do not forget to bump every 6 months!
gover: ["1.18"]
permissions:
security-events: write
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: "~${{matrix.gover}}.0"
cache: true
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: go
- name: Autobuild
uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
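Review bot: The `go install …@latest` lines in the two 'go install necessary tools' steps of the lint job, and `ba@latest` in the test job, resolve to whatever each upstream publishes at run time, so the linters and the benchmark helper are moving, unreviewed code executed on every push and pull request. The lint job also expands `${{secrets.GITHUB_TOKEN}}` into its 'Send comments' script, and no `permissions:` block is visible for it (only the codeql job declares one), so these binaries appear to run under whatever token scope the repository default grants. I would pin each tool to a reviewed version, e.g. `go install github.com/securego/gosec/v2/cmd/gosec@<pinned-version>`, and bump them deliberately; with every gosec rule now enabled, pinning also keeps a new upstream rule from changing lint results with no change in this repository. Separately, consider handing the token to that step through `env:` and referencing it as a shell variable in the `curl` header, rather than interpolating it into the script text.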