diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index e4a3fa9..c6773ba 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -16,10 +16,10 @@ jobs: - go-cli-github - another-binary steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: stable - uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 @@ -29,7 +29,7 @@ jobs: args: build --clean --verbose --single-target --snapshot - name: Login to GHCR if: github.actor != 'dependabot[bot]' - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -43,7 +43,7 @@ jobs: - run: echo "GITHUB_REPOSITORY_NAME=$(basename ${{ github.repository }})" >> "$GITHUB_ENV" - name: Build and push ${{ matrix.binary }} container image if: github.actor != 'dependabot[bot]' - uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 with: push: true tags: ${{ steps.docker_metadata.outputs.tags }} @@ -56,7 +56,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 - id: ccv diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml index 1ce55c8..9459885 100644 --- a/.github/workflows/coverage.yaml +++ b/.github/workflows/coverage.yaml @@ -10,17 +10,15 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: stable - name: Calculate coverage run: | - go test -v -covermode=atomic -coverprofile=cover.out.raw -coverpkg=./... ./... - # remove generated code from coverage calculation - grep -Ev 'internal/mock|_enumer.go' cover.out.raw > cover.out + go test -v -covermode=atomic -coverprofile=cover.out -coverpkg=./... ./... - name: Generage coverage badge - uses: vladopajic/go-test-coverage@1079cd4e58dda229c04ffdb6324fc3756b8542ff # v2.10.1 + uses: vladopajic/go-test-coverage@c7fe52e0f48e0fbed8c1812824c5346218443c70 # v2.10.2 with: profile: cover.out local-prefix: github.com/${{ github.repository }} diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml index df319e8..1e54a33 100644 --- a/.github/workflows/dependabot-automerge.yaml +++ b/.github/workflows/dependabot-automerge.yaml @@ -15,7 +15,7 @@ jobs: steps: - name: Fetch dependabot metadata id: metadata - uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2.1.0 + uses: dependabot/fetch-metadata@dbb049abf0d677abbd7f7eee0375145b417fdd34 # v2.2.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Enable auto-merge for Dependabot PRs # these still need approval before merge diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index 2c706e1..0d1b7fd 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml @@ -10,7 +10,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - - uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 with: config-file: .github/dependency-review-config.yaml diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 578f92f..a191afb 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -10,11 +10,11 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: stable - - uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1 + - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 with: args: --timeout=180s --enable gocritic lint-commits: @@ -23,10 +23,10 @@ jobs: pull-requests: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 - - uses: wagoid/commitlint-github-action@7f0a61df502599e1f1f50880aaa7ec1e2c0592f2 # v6.0.1 + - uses: wagoid/commitlint-github-action@3d28780bbf0365e29b144e272b2121204d5be5f3 # v6.1.2 with: configFile: .github/commitlint.config.mjs lint-actions: @@ -34,7 +34,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: docker://rhysd/actionlint:1.7.0@sha256:601d6faeefa07683a4a79f756f430a1850b34d575d734b1d1324692202bf312e # v1.7.0 with: args: -color diff --git a/.github/workflows/ossf-analysis.yaml b/.github/workflows/ossf-analysis.yaml index 0d6d3c5..b4941aa 100644 --- a/.github/workflows/ossf-analysis.yaml +++ b/.github/workflows/ossf-analysis.yaml @@ -14,9 +14,9 @@ jobs: # Needed for GitHub OIDC token if publish_results is true id-token: write steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Run analysis - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 with: results_file: results.sarif results_format: sarif @@ -26,6 +26,6 @@ jobs: # of the value entered here. publish_results: true - name: Upload SARIF results to code scanning - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 + uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10 with: sarif_file: results.sarif diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 2d7d6c6..20805c7 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -13,7 +13,7 @@ jobs: outputs: new-tag: ${{ steps.ccv.outputs.new-tag }} steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 - name: Bump tag if necessary @@ -32,14 +32,14 @@ jobs: if: needs.release-tag.outputs.new-tag == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 - - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: stable - name: Login to GHCR - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -61,7 +61,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_SBOM_PATH: ./sbom.spdx.json # attest archives - - uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0 + - uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 with: subject-path: "dist/*.tar.gz" # parse artifacts to the format required for image attestation @@ -78,12 +78,12 @@ jobs: env: ARTIFACTS: ${{steps.goreleaser.outputs.artifacts}} # attest images - - uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0 + - uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 with: subject-digest: ${{steps.image_metadata_go_cli_github.outputs.digest}} subject-name: ${{steps.image_metadata_go_cli_github.outputs.name}} push-to-registry: true - - uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0 + - uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 with: subject-digest: ${{steps.image_metadata_another_binary.outputs.digest}} subject-name: ${{steps.image_metadata_another_binary.outputs.name}} diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index bcf70ee..ba1cdc7 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -10,10 +10,10 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: stable - run: go test -v ./... diff --git a/.gitignore b/.gitignore index 7e275b7..6ee2014 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,3 @@ /dist /cover.out -/cover.out.raw /sbom.spdx.json diff --git a/Dockerfile b/Dockerfile index 7308bb7..b5ce05b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.20@sha256:77726ef6b57ddf65bb551896826ec38bc3e53f75cdde31354fbffb4f25238ebd +FROM alpine:3.20@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d ARG BINARY=binary-build-arg-not-defined ENV BINARY=${BINARY} ENTRYPOINT ["sh", "-c"] diff --git a/Makefile b/Makefile index 4655e5c..aacc1ca 100644 --- a/Makefile +++ b/Makefile @@ -27,6 +27,5 @@ fuzz: mod-tidy generate .PHONY: cover cover: mod-tidy generate - go test -v -covermode=atomic -coverprofile=cover.out.raw -coverpkg=./... ./... - grep -Ev 'internal/mock|_enumer.go' cover.out.raw > cover.out + go test -v -covermode=atomic -coverprofile=cover.out -coverpkg=./... ./... go tool cover -html=cover.out diff --git a/README.md b/README.md index a91bb47..0237036 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ It also automatically builds and tests your code using [GitHub Actions](https:// * Static code analysis using [CodeQL](https://codeql.github.com/) and [Go Report Card](https://goreportcard.com/). * Coverage analysis using the [go-test-coverage action](https://github.com/vladopajic/go-test-coverage). * Security analysis using [OpenSSF](https://securityscorecards.dev). -* Signed binary artifacts using [Sigstore](https://www.sigstore.dev/)'s [cosign](https://github.com/sigstore/cosign). +* Signed binary artifacts using [artifact attestations](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). ## How to use @@ -115,18 +115,3 @@ Issues are welcome. PRs are also welcome, but keep in mind that this is a very opinionated template, so not all changes will be accepted. PRs also need to ensure that test coverage remains high, and best practices are followed. - -## How to verify binary signatures - -1. Download the three `checksums` files. They should end in `_checksums.txt`, `_checksums.txt.pem`, and `_checksums.txt.sig`. -2. Verify using [cosign](https://github.com/sigstore/cosign). For example: - - ```bash - cosign verify-blob \ - --certificate-oidc-issuer https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/smlx/go-cli-github/.github/workflows/release.yaml@refs/heads/main \ - --signature ./go-cli-github_0.13.0_checksums.txt.sig \ - --cert ./go-cli-github_0.13.0_checksums.txt.pem \ - ./go-cli-github_0.13.0_checksums.txt - Verified OK - ``` diff --git a/go.mod b/go.mod index 71d083c..571d686 100644 --- a/go.mod +++ b/go.mod @@ -3,8 +3,8 @@ module github.com/smlx/go-cli-github go 1.22.2 require ( - github.com/alecthomas/assert/v2 v2.10.0 - github.com/alecthomas/kong v0.9.0 + github.com/alecthomas/assert/v2 v2.11.0 + github.com/alecthomas/kong v1.2.1 ) require ( diff --git a/go.sum b/go.sum index 1967d39..276c3db 100644 --- a/go.sum +++ b/go.sum @@ -1,7 +1,7 @@ -github.com/alecthomas/assert/v2 v2.10.0 h1:jjRCHsj6hBJhkmhznrCzoNpbA3zqy0fYiUcYZP/GkPY= -github.com/alecthomas/assert/v2 v2.10.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k= -github.com/alecthomas/kong v0.9.0 h1:G5diXxc85KvoV2f0ZRVuMsi45IrBgx9zDNGNj165aPA= -github.com/alecthomas/kong v0.9.0/go.mod h1:Y47y5gKfHp1hDc7CH7OeXgLIpp+Q2m1Ni0L5s3bI8Os= +github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0= +github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k= +github.com/alecthomas/kong v1.2.1 h1:E8jH4Tsgv6wCRX2nGrdPyHDUCSG83WH2qE4XLACD33Q= +github.com/alecthomas/kong v1.2.1/go.mod h1:rKTSFhbdp3Ryefn8x5MOEprnRFQ7nlmMC01GKhehhBM= github.com/alecthomas/repr v0.4.0 h1:GhI2A8MACjfegCPVq9f1FLvIBS+DrQ2KQBFZP1iFzXc= github.com/alecthomas/repr v0.4.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4= github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=