chore(ci): improve ossf scorecard result #2685

Merged
merged 5 commits into from
Oct 25, 2023
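--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -25,3 +25,63 @@ updates:
 golang-org-x:
 patterns:
 - "golang.org/x/*"
+
+- package-ecosystem: gomod
+directory: /examples/consumergroup
+schedule:
+interval: daily
+time: "23:00"
+labels:
+- "dependencies"
+commit-message:
+prefix: chore
+include: "scope"
+groups:
+golang-org-x:
+patterns:
+- "golang.org/x/*"
+
+- package-ecosystem: gomod
+directory: /examples/exactly_once
+schedule:
+interval: daily
+time: "23:00"
+labels:
+- "dependencies"
+commit-message:
+prefix: chore
+include: "scope"
+groups:
+golang-org-x:
+patterns:
+- "golang.org/x/*"
+
+- package-ecosystem: gomod
+directory: /examples/interceptors
+schedule:
+interval: daily
+time: "23:00"
+labels:
+- "dependencies"
+commit-message:
+prefix: chore
+include: "scope"
+groups:
+golang-org-x:
+patterns:
+- "golang.org/x/*"
+
+- package-ecosystem: gomod
+directory: /examples/txn_producer
+schedule:
+interval: daily
+time: "23:00"
+labels:
+- "dependencies"
+commit-message:
+prefix: chore
+include: "scope"
+groups:
+golang-org-x:
+patterns:
+- "golang.org/x/*"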
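Review bot: Pinning every action to a commit SHA only stays maintainable if Dependabot also tracks the `github-actions` ecosystem, and this hunk shows only `gomod` stanzas, with the top of the file (where such an entry would sit) outside the hunk. Please confirm an entry like `- package-ecosystem: github-actions` / `directory: /` exists so the SHA pins and their `# vX.Y.Z` trailer comments get bumped automatically instead of going stale. The four new stanzas are otherwise copies of the existing one apart from `directory`; a short comment above the first, such as `# one gomod entry per example module; keep these in step with the root entry`, would help the next person adding an example.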
10 changes: 7 additions & 3 deletions .github/workflows/apidiff.yml
Expand Up @@ -11,29 +11,33 @@ on:
- "**"
paths-ignore:
- '**/*.md'

permissions:
contents: read # for actions/checkout to fetch code

jobs:
apidiff:
runs-on: ubuntu-latest
if: github.base_ref
steps:
- name: Setup Go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: 1.21.x
- name: Add GOBIN to PATH
run: echo "$(go env GOPATH)/bin" >>$GITHUB_PATH
- name: Install apidiff cmd
run: go install golang.org/x/exp/cmd/apidiff@latest
- name: Checkout base code
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ github.base_ref }}
path: "base"
- name: Capture apidiff baseline
run: apidiff -m -w ../baseline.bin .
working-directory: "base"
- name: Checkout updated code
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
path: "updated"
- name: Run apidiff check
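Review bot: The `go install golang.org/x/exp/cmd/apidiff@latest` step (a context line in this hunk) still resolves a floating version on every run, so the workflow is not reproducible even though every `uses:` in it is now SHA-pinned. Pin it to a specific module version or pseudo-version, e.g. `run: go install golang.org/x/exp/cmd/apidiff@<pinned x/exp version>`, and let Dependabot bump it; Scorecard's pinned-dependencies check may not report this line, but the supply-chain exposure is the same as an unpinned action. The job's remaining steps continue past the end of the hunk.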
17 changes: 12 additions & 5 deletions .github/workflows/ci.yml
Expand Up @@ -11,25 +11,32 @@ on:
- "**"
paths-ignore:
- '**/*.md'

permissions:
contents: read # for actions/checkout to fetch code

jobs:
lint:
permissions:
contents: read # for actions/checkout to fetch code
pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
name: Linting with Go ${{ matrix.go-version }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
go-version: [1.21.x]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
cache: false # golangci-lint-action has its own cache
go-version: ${{ matrix.go-version }}
- name: golangci-lint
env:
GOFLAGS: -tags=functional
uses: golangci/golangci-lint-action@v3
uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
with:
version: v1.54.2
test:
Expand All @@ -43,9 +50,9 @@ jobs:
DEBUG: true
GOFLAGS: -trimpath
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
- name: Test (Unit)
20 changes: 12 additions & 8 deletions .github/workflows/codeql-analysis.yml
Expand Up @@ -13,30 +13,34 @@ on:
- '**/*.md'
schedule:
- cron: "39 12 * * 1"

permissions:
contents: read # for actions/checkout to fetch code

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
actions: read # for github/codeql-action to list actions
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action to report security issues
strategy:
fail-fast: false
matrix:
language: ["go"]
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
with:
languages: ${{ matrix.language }}
- name: Setup Go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: 1.21.x
- name: Autobuild
uses: github/codeql-action/autobuild@v2
uses: github/codeql-action/autobuild@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
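Review bot: The new comment on `actions: read` says it is "for github/codeql-action to list actions", which is not what the permission is used for; GitHub's CodeQL starter workflow annotates the same line as `actions: read # only required for workflows in private repositories`, where the upload step reads workflow-run status. Suggest adopting that wording, and if this repository is public, consider whether the permission can be dropped from the job block entirely — worth confirming against the codeql-action documentation for the pinned v2.22.4 rather than taking it from this note.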
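--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,22 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+contents: read # for actions/checkout to fetch code
+
+jobs:
+dependency-review:
+runs-on: ubuntu-latest
+steps:
+- name: 'Checkout Repository'
+uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+- name: 'Dependency Review'
+uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1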
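Review bot: The checkout in this new workflow is pinned to `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` while every other workflow in this PR moves to v4.1.1, so the repository now carries two major versions of the same action and Dependabot will raise separate bumps for them. Use the same pin, `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`, and check whether a newer major of `dependency-review-action` than v2.5.1 is available, since the file appears to be copied from an older template. The header comment describes the action's purpose well; one more line stating that the job only reads the PR's manifests and needs no write scope would document why `contents: read` is sufficient.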
8 changes: 6 additions & 2 deletions .github/workflows/fuzz.yml
Expand Up @@ -11,16 +11,20 @@ on:
- "**"
paths-ignore:
- '**/*.md'

permissions:
contents: read # for actions/checkout to fetch code

jobs:
test:
name: Fuzz
runs-on: ubuntu-latest
env:
GOFLAGS: -trimpath
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: 1.21.x
- name: Run any fuzzing tests
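--- a/.github/workflows/fvt-main.yml
+++ b/.github/workflows/fvt-main.yml
@@ -6,6 +6,10 @@ on:
 - main
 paths-ignore:
 - '**/*.md'
+
+permissions:
+contents: read # for actions/checkout to fetch code
+
 jobs:
 fvt:
 name: Test with Kafka ${{ matrix.kafka-version }}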
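--- a/.github/workflows/fvt-pr.yml
+++ b/.github/workflows/fvt-pr.yml
@@ -5,6 +5,10 @@ on:
 - "**"
 paths-ignore:
 - '**/*.md'
+
+permissions:
+contents: read # for actions/checkout to fetch code
+
 jobs:
 fvt:
 name: Test with Kafka ${{ matrix.kafka-version }}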
14 changes: 9 additions & 5 deletions .github/workflows/fvt.yml
Expand Up @@ -14,6 +14,10 @@ on:
required: false
type: string
default: 2.13

permissions:
contents: read # for actions/checkout to fetch code

jobs:
fvt:
name: Test with Kafka ${{ inputs.kafka-version }}
Expand All @@ -24,12 +28,12 @@ jobs:
KAFKA_VERSION: ${{ inputs.kafka-version }}
SCALA_VERSION: ${{ inputs.scala-version }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Docker
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
id: buildx
- name: Build FVT Docker Image
uses: docker/bake-action@master
uses: docker/bake-action@cff93986225aa60b529e85c83a08f7df996a8d48 # master
with:
builder: ${{ steps.buildx.outputs.name }}
files: docker-compose.yml
Expand All @@ -38,7 +42,7 @@ jobs:
*.cache-from=type=gha,scope=${{ github.workflow }}
*.cache-to=type=gha,scope=${{ github.workflow }},mode=max
- name: Setup Go
uses: actions/setup-go@v4
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ inputs.go-version }}
- name: Setup Docker Compose
Expand All @@ -59,7 +63,7 @@ jobs:
if [ -f "fvt-kafka-${{ inputs.kafka-version }}.pcap" ]; then sudo chmod a+r "fvt-kafka-${{ inputs.kafka-version }}.pcap"; fi
- name: Upload pcap file
if: always()
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: fvt-kafka-${{ inputs.kafka-version }}.pcap
path: fvt-kafka-${{ inputs.kafka-version }}.pcap
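Review bot: `docker/bake-action` is pinned to commit `cff93986225aa60b529e85c83a08f7df996a8d48` annotated only as `# master`, so unlike the other pins in this hunk the trailer carries no release version and Dependabot cannot tell whether the SHA is current or map it to a tag. If a tagged release of bake-action covers what this step needs, pin to that tag's commit with a `# vX.Y.Z` trailer; if an unreleased commit really is required, add a comment above the step saying why, as stale.yml does for `actions/stale`. The job continues past the end of the last hunk.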
10 changes: 9 additions & 1 deletion .github/workflows/stale.yml
Expand Up @@ -4,11 +4,19 @@ on:
schedule:
- cron: "0 */2 * * *"
workflow_dispatch:

permissions:
contents: read # for actions/checkout to fetch code

jobs:
stale:
permissions:
issues: write # for actions/stale to close stale issues
pull-requests: write # for actions/stale to close stale PRs
runs-on: ubuntu-latest
steps:
- uses: actions/stale@main # make use of https://github.com/actions/stale/pull/1033
# pinned to main commit to make use of https://github.com/actions/stale/pull/1033
- uses: actions/stale@b69b346013879cedbf50c69f572cd85439a41936 # main
with:
ascending: true
days-before-stale: 90
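Review bot: The workflow-level `contents: read # for actions/checkout to fetch code` does not match this file: the visible `stale` job has no checkout step, and its own `permissions:` block replaces the workflow-level grant for that job anyway, so the comment explains a need that does not exist here. Keep the top-level read-only default (it is what Scorecard's token-permissions check looks for) but reword it, e.g. `contents: read # read-only default for the GITHUB_TOKEN; the stale job grants its own scopes below`. The `with:` block of the stale step continues past the end of the hunk.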
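--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -31,3 +31,11 @@ repos:
 language: golang
 files: \.go$
 args: []
+- repo: https://github.com/gitleaks/gitleaks
+rev: v8.16.3
+hooks:
+- id: gitleaks
+- repo: https://github.com/golangci/golangci-lint
+rev: v1.52.2
+hooks:
+- id: golangci-lint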
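Review bot: The new golangci-lint hook is pinned at `rev: v1.52.2` while this PR's ci.yml hunk runs the action with `version: v1.54.2`, so local pre-commit and CI lint with different linter releases and can disagree on what passes. Align the hook with CI, `rev: v1.54.2`, or note in a comment which of the two is authoritative. Both new hooks pin tags rather than commits; pre-commit also accepts a full commit SHA in `rev:`, which would match the pinning discipline applied to the workflows in this PR.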