feat(ci): add initial workflows (#12)

* initial workflows * starting to add ci * pre-commit and task file updates * tasks and precommit and actions * remove cosign * pr * go work * adding another package * add homebrew * more sense * getting rid of brew * version * version * version * rename * lint * lint * Update .github/codeql.yaml Co-authored-by: razzle <[email protected]> * change download of uds * revive * install revive * update lint * fix * revert back to tmp * revert back to tmp * revert back to tmp * fix lint * fix lint * fix lint * fix lint * fix lint * reset license * reset readme * mkdir * go * go * go * morphy * go * go * go * autobiuld * simplifying install * build all * go vet * hello world * update .gitignore * switching to test * build * using sha * using sha * using sha * by sha * adding go vet * gosec + govet * make sure I need mkdir * I need mkdir * renovate syft * update grype * updating renovate adding helpers * simplifying renovate * update renovate * update renovate * update package location * Apply suggestions from code review Co-authored-by: razzle <[email protected]> * simplifying command * cleanup * adding commitlint * fork processing enabled * switching to commitlint.yaml * cron * Update .github/actions/install-tools/action.yaml Co-authored-by: razzle <[email protected]> * rename file * update dependabot * replace tasks with make * update makefile * note --------- Co-authored-by: razzle <[email protected]>
AustinAbro321 · Mar 12, 2024 · 663bf59 · 663bf59
1 parent bc3c575
commit 663bf59
Show file tree

Hide file tree

Showing 20 changed files with 762 additions and 0 deletions.
diff --git a/.commitlintrc.yaml b/.commitlintrc.yaml
@@ -0,0 +1 @@
+extends: ["@commitlint/config-conventional"]
diff --git a/.github/actions/install-tools/action.yaml b/.github/actions/install-tools/action.yaml
@@ -0,0 +1,21 @@
+name: install-tools
+description: "Install pipeline tools"
+
+runs:
+  using: composite
+  steps:
+    - uses: anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8
+
+    - name: install grype
+      env:
+        # renovate: datasource=github-tags depName=anchore/grype versioning=semver
+        VERSION: v0.74.6
+      run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin $VERSION"
+      shell: bash
+
+    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      with:
+        go-version: 1.22.x
+        cache-dependency-path: |
+          **/go.sum
+          **/go.mod
diff --git a/.github/codeql.yaml b/.github/codeql.yaml
@@ -0,0 +1,8 @@
+paths-ignore:
+  - "/**/*.md"
+  - "/**/*.jpg"
+  - "/**/*.png"
+  - "/**/*.gif"
+  - "/**/*.svg"
+  - CODEOWNERS
+  - .github/**
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,49 @@
+name: Analyze CodeQL
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    paths-ignore:
+      - "**.md"
+      - "**.jpg"
+      - "**.png"
+      - "**.gif"
+      - "**.svg"
+      - "CODEOWNERS"
+  schedule:
+    # https://crontab.guru/#0_2_*_*_5 - at 10:00 A.M. UTC on Friday
+    - cron: "0 10 * * 5"
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install tools
+        uses: ./.github/actions/install-tools
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+        env:
+          CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
+        with:
+          languages: go
+          config-file: ./.github/codeql.yaml
+
+      - run: make build
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+        with:
+          category: "/language:go"
diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
@@ -0,0 +1,27 @@
+name: PR Title Check
+
+on:
+  pull_request:
+    branches: [main]
+    types: [opened, edited, synchronize]
+
+jobs:
+  title_check:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+
+      - name: Install commitlint
+        run: npm install --save-dev @commitlint/{config-conventional,cli}
+
+      - name: Lint PR title
+        run: echo "${{ github.event.pull_request.title }}" | npx commitlint
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,14 @@
+name: Dependency Review
+on: pull_request
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Dependency Review
+        uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,31 @@
+name: Lint
+on:
+  pull_request:
+    paths-ignore:
+      - "**.md"
+      - "**.jpg"
+      - "**.png"
+      - "**.gif"
+      - "**.svg"
+      - "CODEOWNERS"
+
+permissions:
+  contents: read
+
+# Abort prior jobs in the same workflow / PR
+concurrency:
+  group: lint-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Run Revive Action by pulling pre-built image
+        uses: docker://morphy/revive-action@sha256:087d4e61077087755711ab7e9fae3cc899b7bb07ff8f6a30c3dfb240b1620ae8 #v2.5.7
+        with:
+          config: revive.toml
+          path: "./..."
diff --git a/.github/workflows/openssf.yaml b/.github/workflows/openssf.yaml
@@ -0,0 +1,59 @@
+name: Scorecard Supply-chain Security
+on:
+  schedule:
+    # https://crontab.guru/#0_10_*_*_5 - at 10:00 A.M. UTC on Friday
+    - cron: "0 10 * * 5"
+  push:
+    branches: [main]
+
+permissions: read-all
+
+concurrency:
+  group: openssf-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analysis:
+    name: Scorecard Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: Run Analysis
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/scan-cves.yml b/.github/workflows/scan-cves.yml
@@ -0,0 +1,27 @@
+name: Analyze CVEs
+
+permissions:
+  contents: read
+
+on:
+  schedule:
+    # https://crontab.guru/#0_10_*_*_* - at 10:00 A.M. UTC every day
+    - cron: "0 10 * * *"
+  pull_request:
+    paths:
+      - "**/go.sum"
+      - "**/go.mod"
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install tools
+        uses: ./.github/actions/install-tools
+
+      - name: Check for CVEs in Dependencies
+        # TODO: if this fails we should look at Zarf's .grype.yaml as there may be the same false positive
+        run: "make scan-cves"
diff --git a/.github/workflows/test-unit.yml b/.github/workflows/test-unit.yml
@@ -0,0 +1,31 @@
+name: Unit Tests
+on:
+  pull_request:
+    paths-ignore:
+      - "**.md"
+      - "**.jpg"
+      - "**.png"
+      - "**.gif"
+      - "**.svg"
+      - "CODEOWNERS"
+
+permissions:
+  contents: read
+
+# Abort prior jobs in the same workflow / PR
+concurrency:
+  group: unit-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-unit:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install tools
+        uses: ./.github/actions/install-tools
+
+      - name: Run unit tests
+        run: make test
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+go.work
+cover.out
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,33 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.0.1
+    hooks:
+      - id: check-added-large-files
+        args: ["--maxkb=1024"]
+      - id: check-merge-conflict
+      - id: detect-aws-credentials
+        args:
+          - "--allow-missing-credentials"
+      - id: detect-private-key
+      - id: end-of-file-fixer
+      - id: fix-byte-order-marker
+      - id: trailing-whitespace
+        args: [--markdown-linebreak-ext=md]
+  - repo: https://github.com/sirosen/texthooks
+    rev: 0.6.4
+    hooks:
+      - id: fix-smartquotes
+
+  - repo: local
+    hooks:
+      - id: unit-test
+        name: unit test
+        entry: make test
+        language: system
+        pass_filenames: false
+
+      - id: lint
+        name: go lint
+        entry: make lint
+        language: system
+        pass_filenames: false
diff --git a/Makefile b/Makefile
@@ -0,0 +1,43 @@
+MODULES=$(shell find . -type f -name 'go.mod' -exec dirname {} \; | cut -c 3-)
+
+build:
+	$(MAKE) $(addprefix build-, $(MODULES))
+
+build-%:
+	cd $*; go build .
+
+tidy:
+	$(MAKE) $(addprefix tidy-, $(MODULES))
+
+tidy-%:
+	cd $*; go mod tidy
+
+fmt:
+	$(MAKE) $(addprefix fmt-, $(MODULES))
+
+fmt-%:
+	cd $*; go fmt ./...
+
+vet:
+	$(MAKE) $(addprefix vet-, $(MODULES))
+
+vet-%:
+	cd $*; go vet ./... ;\
+
+test:
+	$(MAKE) $(addprefix test-, $(MODULES))
+
+test-%:
+	cd $*; go test ./... -coverprofile cover.out ;
+
+lint:
+	$(MAKE) $(addprefix lint-, $(MODULES))
+
+lint-%:
+	cd $*; revive -config ../revive.toml ./...
+
+scan:
+	$(MAKE) $(addprefix scan-, $(MODULES))
+
+scan-%:
+	cd $*; syft scan . -o json | grype --fail-on low
diff --git a/README.md b/README.md
@@ -1 +1,3 @@
 # pkg
+
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/pkg/badge)](https://securityscorecards.dev/viewer/?uri=github.com/defenseunicorns/pkg)
diff --git a/helpers/go.mod b/helpers/go.mod
@@ -0,0 +1,11 @@
+module github.com/defenseunicorns/pkg/helpers
+
+go 1.22.0
+
+require github.com/stretchr/testify v1.9.0
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)
diff --git a/helpers/go.sum b/helpers/go.sum
@@ -0,0 +1,10 @@
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=