diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 674591b85..b87f347ea 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -25,3 +25,63 @@ updates: golang-org-x: patterns: - "golang.org/x/*" + + - package-ecosystem: gomod directory: /examples/consumergroup schedule: interval: daily time: "23:00" labels: - "dependencies" commit-message: prefix: chore include: "scope" groups: golang-org-x: patterns: - "golang.org/x/*" + + - package-ecosystem: gomod directory: /examples/exactly_once schedule: interval: daily time: "23:00" labels: - "dependencies" commit-message: prefix: chore include: "scope" groups: golang-org-x: patterns: - "golang.org/x/*" + + - package-ecosystem: gomod directory: /examples/interceptors schedule: interval: daily time: "23:00" labels: - "dependencies" commit-message: prefix: chore include: "scope" groups: golang-org-x: patterns: - "golang.org/x/*" + + - package-ecosystem: gomod directory: /examples/txn_producer schedule: interval: daily time: "23:00" labels: - "dependencies" commit-message: prefix: chore include: "scope" groups: golang-org-x: patterns: - "golang.org/x/*"
diff --git a/.github/workflows/apidiff.yml b/.github/workflows/apidiff.yml
index 2b9fc2639..fe6fa330f 100644
--- a/.github/workflows/apidiff.yml
+++ b/.github/workflows/apidiff.yml
@@ -11,13 +11,17 @@ on: - "**" paths-ignore: - '**/*.md' + +permissions: + contents: read # for actions/checkout to fetch code + jobs: apidiff: runs-on: ubuntu-latest if: github.base_ref steps: - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: 1.21.x - name: Add GOBIN to PATH 
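Review bot: None of the four new `gomod` entries (nor anything visible above them in this hunk) covers the workflows this same commit moves to commit-SHA pins, so unless a `package-ecosystem: github-actions` entry with `directory: /` already exists earlier in the file, those pins will quietly go stale. If it is missing, add one next to these entries so Dependabot bumps the hash and the trailing `# vX.Y.Z` comment together. The four stanzas differ only in `directory:`; a comment such as `# one entry per example module, each has its own go.mod` above the first would tell the next reader the repetition is intentional. `time: "23:00"` has no `timezone:` beside it, so it is presumably evaluated in Dependabot's default (UTC).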
@@ -25,7 +29,7 @@ jobs: - name: Install apidiff cmd run: go install golang.org/x/exp/cmd/apidiff@latest - name: Checkout base code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.base_ref }} path: "base"
@@ -33,7 +37,7 @@ jobs: run: apidiff -m -w ../baseline.bin . working-directory: "base" - name: Checkout updated code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: path: "updated" - name: Run apidiff check
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 684f73bdc..0c98e9701 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,8 +11,15 @@ on: - "**" paths-ignore: - '**/*.md' + +permissions: + contents: read # for actions/checkout to fetch code + jobs: lint: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: read # for golangci/golangci-lint-action to fetch pull requests name: Linting with Go ${{ matrix.go-version }} runs-on: ubuntu-latest strategy:
@@ -20,16 +27,16 @@ jobs: matrix: go-version: [1.21.x] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: cache: false # golangci-lint-action has its own cache go-version: ${{ matrix.go-version }} - name: golangci-lint env: GOFLAGS: -tags=functional - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: version: v1.54.2 test: 
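Review bot: The context line `run: go install golang.org/x/exp/cmd/apidiff@latest` in this hunk still resolves the tool at run time, so the two checkout pins the commit adds around it do not make the job reproducible: whatever `golang.org/x/exp` publishes next is what produces the API baseline. Pin it to a specific pseudo-version, e.g. `run: go install golang.org/x/exp/cmd/apidiff@<pseudo-version>`, with a comment `# bump deliberately: this tool decides whether a PR is flagged as an API break` so it is updated on purpose rather than by chance. The job runs with only `contents: read`, which limits what a bad build could do, but a tampered tool could still silently pass or fail the check. The job's earlier steps and the final apidiff step lie in the neighbouring hunks.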
@@ -43,9 +50,9 @@ jobs: DEBUG: true GOFLAGS: -trimpath steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: ${{ matrix.go-version }} - name: Test (Unit)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 4ac4379da..458ac1615 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -13,30 +13,34 @@ on: - '**/*.md' schedule: - cron: "39 12 * * 1" + +permissions: + contents: read # for actions/checkout to fetch code + jobs: analyze: name: Analyze runs-on: ubuntu-latest permissions: - actions: read - contents: read - security-events: write + actions: read # for github/codeql-action to list actions + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action to report security issues strategy: fail-fast: false matrix: language: ["go"] steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 with: languages: ${{ matrix.language }} - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: 1.21.x - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 000000000..0130e6557 
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,22 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read # for actions/checkout to fetch code
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index ea18a6da6..ef78279ff 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -11,6 +11,10 @@ on: - "**" paths-ignore: - '**/*.md' + +permissions: + contents: read # for actions/checkout to fetch code + jobs: test: name: Fuzz
@@ -18,9 +22,9 @@ jobs: env: GOFLAGS: -trimpath steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: 1.21.x - name: Run any fuzzing tests
diff --git a/.github/workflows/fvt-main.yml b/.github/workflows/fvt-main.yml
index f3ed6e0a1..c17982b56 100644
--- a/.github/workflows/fvt-main.yml
+++ b/.github/workflows/fvt-main.yml
@@ -6,6 +6,10 @@ on: - main paths-ignore: - '**/*.md' + +permissions: + contents: read # for actions/checkout to fetch code + jobs: fvt: name: Test with Kafka ${{ matrix.kafka-version }} 
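Review bot: The new workflow pins `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` while every other workflow in this commit moves to `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`, leaving a second copy of the same action to track; use the v4.1.1 SHA here too. The `actions/dependency-review-action` step carries no `with:` block, so the severity threshold and license policy are whatever this version's defaults happen to be; making them explicit, e.g. `with:` / `fail-on-severity: moderate`, keeps the merge-gating policy reviewable in the repo rather than implied. The header comment rightly says merges are only blocked once the check is marked required; that is a branch-protection setting outside this file, which the comment could state (`# only blocks merges once listed as a required check in branch protection`). The action also relies on the repository's dependency graph being enabled, presumably already true here but worth confirming before treating this as a gate.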
diff --git a/.github/workflows/fvt-pr.yml b/.github/workflows/fvt-pr.yml
index 5f83d6f34..023c5b269 100644
--- a/.github/workflows/fvt-pr.yml
+++ b/.github/workflows/fvt-pr.yml
@@ -5,6 +5,10 @@ on: - "**" paths-ignore: - '**/*.md' + +permissions: + contents: read # for actions/checkout to fetch code + jobs: fvt: name: Test with Kafka ${{ matrix.kafka-version }}
diff --git a/.github/workflows/fvt.yml b/.github/workflows/fvt.yml
index d7dad1cb3..4a570bfc0 100644
--- a/.github/workflows/fvt.yml
+++ b/.github/workflows/fvt.yml
@@ -14,6 +14,10 @@ on: required: false type: string default: 2.13 + +permissions: + contents: read # for actions/checkout to fetch code + jobs: fvt: name: Test with Kafka ${{ inputs.kafka-version }}
@@ -24,12 +28,12 @@ jobs: KAFKA_VERSION: ${{ inputs.kafka-version }} SCALA_VERSION: ${{ inputs.scala-version }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup Docker - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 id: buildx - name: Build FVT Docker Image - uses: docker/bake-action@master + uses: docker/bake-action@cff93986225aa60b529e85c83a08f7df996a8d48 # master with: builder: ${{ steps.buildx.outputs.name }} files: docker-compose.yml
@@ -38,7 +42,7 @@ jobs: *.cache-from=type=gha,scope=${{ github.workflow }} *.cache-to=type=gha,scope=${{ github.workflow }},mode=max - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: ${{ inputs.go-version }} - name: Setup Docker Compose 
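Review bot: The context line `default: 2.13` under `type: string` in the first fvt.yml hunk is an unquoted YAML float and relies on GitHub coercing it back to a string; a future default such as `2.10` would silently arrive as `2.1`. Quote it, `default: "2.13"`, and expect callers to quote `scala-version` the same way. Not something this commit changes, but it sits directly above the new `permissions:` block.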
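Review bot: `uses: docker/bake-action@cff93986225aa60b529e85c83a08f7df996a8d48 # master` pins to a commit with no release behind it, so the `# master` comment gives a future updater nothing to diff against and an automated bumper will simply follow whatever lands on master next, losing the review benefit the tagged pins elsewhere in this file provide. If the bake features used here (`files:` plus the gha cache settings in the following hunk) exist in a tagged release, pin to that tag's SHA and comment it `# vX.Y.Z`; if not, say why main is needed, as this commit's stale.yml hunk does (`# pinned to main commit to make use of …`). The step's remaining settings continue in the next hunk.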
@@ -59,7 +63,7 @@ jobs: if [ -f "fvt-kafka-${{ inputs.kafka-version }}.pcap" ]; then sudo chmod a+r "fvt-kafka-${{ inputs.kafka-version }}.pcap"; fi - name: Upload pcap file if: always() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: fvt-kafka-${{ inputs.kafka-version }}.pcap path: fvt-kafka-${{ inputs.kafka-version }}.pcap
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index a89a5f165..cb255c409 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,11 +4,19 @@ on: schedule: - cron: "0 */2 * * *" workflow_dispatch: + +permissions: + contents: read # for actions/checkout to fetch code + jobs: stale: + permissions: + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-latest steps: - - uses: actions/stale@main # make use of https://github.com/actions/stale/pull/1033 + # pinned to main commit to make use of https://github.com/actions/stale/pull/1033 + - uses: actions/stale@b69b346013879cedbf50c69f572cd85439a41936 # main with: ascending: true days-before-stale: 90
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d7271ee2e..1869b8160 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -31,3 +31,11 @@ repos: language: golang files: \.go$ args: []
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+ - repo: https://github.com/golangci/golangci-lint
+ rev: v1.52.2
+ hooks:
+ - id: golangci-lint
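Review bot: The workflow-level `permissions:` / `contents: read # for actions/checkout to fetch code` added to stale.yml is misleading: the job has no checkout step, and because the `stale` job declares its own `permissions:` block, GitHub applies that block in place of the workflow-level one, so `contents: read` is never granted to anything here. Replace it with `permissions: {}`, or keep it with an accurate comment such as `# no checkout; the job-level block below grants what actions/stale needs`. The job-level `issues: write` / `pull-requests: write` lines are the right scope for `actions/stale`, and the inline explanation of the main-branch pin is helpful; the step's `with:` options continue past this hunk.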
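Review bot: The new hook pins `rev: v1.52.2` for golangci-lint while ci.yml in this same commit runs `golangci-lint-action` with `version: v1.54.2`, so local pre-commit and CI run different linter releases and can disagree on which findings block a change. Align the hook with CI, `rev: v1.54.2`, and mark the coupling with `# keep in sync with the golangci-lint version in .github/workflows/ci.yml`. Both `rev:` values are mutable tags; pre-commit accepts a commit SHA in `rev:` if the same immutability as the SHA-pinned workflows is wanted for gitleaks and golangci-lint.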