From d502657fb3d9997939da0669032dae4a420a5834 Mon Sep 17 00:00:00 2001
From: Ryan Parman
Date: Mon, 11 Nov 2024 14:46:02 -0700
Subject: [PATCH] test: Add some automated workflows.
---
 .github/workflows/dependabot-auto-merge.yml | 36 ++++++++
 .github/workflows/go-dep-submission.yml | 52 +++++++++++
 .github/workflows/golangci-lint.yml | 57 ++++++++++++
 .github/workflows/gosec.yml.bak | 45 ++++++++++
 .github/workflows/govulncheck.yml | 50 +++++++++++
 .github/workflows/osv-scanner.yml | 42 +++++++++
 .github/workflows/pr-dep-review.yml | 42 +++++++++
 .github/workflows/scorecard.yml | 96 +++++++++++++++++++++
 .github/workflows/trufflehog.yml | 50 +++++++++++
 .github/workflows/update-on-push.yml | 78 +++++++++++++++++
 10 files changed, 548 insertions(+)
 create mode 100644 .github/workflows/dependabot-auto-merge.yml
 create mode 100644 .github/workflows/go-dep-submission.yml
 create mode 100644 .github/workflows/golangci-lint.yml
 create mode 100644 .github/workflows/gosec.yml.bak
 create mode 100644 .github/workflows/govulncheck.yml
 create mode 100644 .github/workflows/osv-scanner.yml
 create mode 100644 .github/workflows/pr-dep-review.yml
 create mode 100644 .github/workflows/scorecard.yml
 create mode 100644 .github/workflows/trufflehog.yml
 create mode 100644 .github/workflows/update-on-push.yml
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
new file mode 100644
index 0000000..e278e1e
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,36 @@
+---
+name: Auto-merge Dependabot Pull Requests
+on: pull_request_target
+
+permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+ repository-projects: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-latest
+ if: ${{ github.actor == 'dependabot[bot]' }}
+ steps:
+ - name: Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2.2.0
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Auto-merge Dependabot PRs for semver-minor updates
+ if: ${{steps.metadata.outputs.update-type == 'version-update:semver-minor'}}
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ run: |
+ gh pr merge --auto --squash "${PR_URL}"
+
+ - name: Auto-merge Dependabot PRs for semver-patch updates
+ if: ${{steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ run: |
+ gh pr merge --auto --squash "${PR_URL}"
diff --git a/.github/workflows/go-dep-submission.yml b/.github/workflows/go-dep-submission.yml
new file mode 100644
index 0000000..d25e9fb
--- /dev/null
+++ b/.github/workflows/go-dep-submission.yml
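Review bot: `gh pr merge --auto` in the two merge steps only waits for checks that a branch-protection rule marks as required; if `main` has no such rule, a semver-patch or semver-minor Dependabot PR merges the moment this job runs, before govulncheck, golangci-lint or the OSV scan from this same PR have reported. Confirm required status checks exist for those workflows before enabling this, and record that dependency in a comment above `on: pull_request_target`, since this trigger runs with a write-scoped token. The `permissions` block also grants `issues: write` and `repository-projects: write`, which neither `gh pr merge` call uses; trimming it to `contents: write` and `pull-requests: write` keeps the least-privilege shape the other workflows follow. `dependabot/fetch-metadata@v2.2.0` is the only action in this PR pinned to a tag rather than a commit SHA, and this is the only job without the `harden-runner` step.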
@@ -0,0 +1,52 @@
+---
+name: Go Dependency Submission
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ go-action-detection:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ api.deps.dev:443
+ github.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
+ storage.googleapis.com:443
+ sum.golang.org:443
+
+ - name: Checkout Source
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+
+ - name: Install Go
+ uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+ with:
+ go-version: ">= 1.22.1"
+ cache: true
+
+ - name: Run snapshot action
+ uses: actions/go-dependency-submission@a9f822c0eac4dba3cc95b971659dfbf3036d4bfb # v2.0.1
+ with:
+ # Required: Define the repo path to the go.mod file used by the
+ # build target
+ go-mod-path: go.mod
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
new file mode 100644
index 0000000..088d463
--- /dev/null
+++ b/.github/workflows/golangci-lint.yml
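Review bot: The `Checkout Source` step leaves `persist-credentials` at its default, so the job's `GITHUB_TOKEN` — elevated here to `contents: write` — is written into `.git/config` and readable by every later step, including the third-party submission action; nothing in this job pushes, so add `persist-credentials: false` under that step's `with:`. `fetch-depth: 0` likewise fetches full history for an action that, going by its single `go-mod-path` input, only needs the current `go.mod`; that can presumably be dropped, worth confirming against the action's docs.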
@@ -0,0 +1,57 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Golangci-lint
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ golangci_job:
+ runs-on: ubuntu-latest
+ name: Scan for issues
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
+ storage.googleapis.com:443
+ sum.golang.org:443
+
+ - name: Checkout Source
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+
+ - name: Install Go
+ uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+ with:
+ go-version: ">= 1.22.1"
+ cache: true
+
+ - name: golangci-lint
+ uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v3.7.1
+ with:
+ version: latest
+ only-new-issues: true
+ install-mode: goinstall
diff --git a/.github/workflows/gosec.yml.bak b/.github/workflows/gosec.yml.bak
new file mode 100644
index 0000000..8a26114
--- /dev/null
+++ b/.github/workflows/gosec.yml.bak
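Review bot: `version: latest` on the golangci-lint step undoes the SHA pinning used everywhere else in this PR: with `install-mode: goinstall` each run builds whatever golangci-lint release is current, so lint results drift between runs and a compromised release is picked up automatically. Pin an explicit release tag (`version: vX.Y.Z`) and let Dependabot bump it the same way it bumps the action SHAs. The action itself is pinned at v3.7.1, several major versions behind the current line, so the bump would be worth doing together.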
@@ -0,0 +1,45 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Gosec
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ gosec_job:
+ runs-on: ubuntu-latest
+ name: Scan for vulns
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
+ - name: Checkout Source
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Mark git clone as safe
+ run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
+
+ - name: Run Gosec Security Scanner
+ uses: securego/gosec@55d79496019a560e16e73e1948dee20a1fad631a # v2.18.2
+ with:
+ # args: -fmt sarif -out results.sarif ./...
+ args: ./...
+
+ # - name: Upload SARIF file
+ # uses: github/codeql-action/upload-sarif@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
+ # with:
+ # # Path to SARIF file relative to the root of the repository
+ # sarif_file: results.sarif
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
new file mode 100644
index 0000000..eb80d2a
--- /dev/null
+++ b/.github/workflows/govulncheck.yml
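Review bot: Naming this file `gosec.yml.bak` means GitHub Actions never loads it (only `.yml`/`.yaml` files under `.github/workflows/` run), so the commit adds no gosec coverage while leaving a stale copy in the tree: its pins (`harden-runner` v2.7.0, `checkout` v4.1.1, `gosec` v2.18.2) are older than the sibling workflows and `egress-policy: audit` is laxer than their `block`. Either drop the file or restore it as `gosec.yml` with the pins aligned; if restored, the commented-out `upload-sarif` step will also need `security-events: write` at job level, which `permissions: read-all` does not grant. The `Mark git clone as safe` step deserves a one-line comment on why it is needed, e.g. `# gosec runs in a container as a different uid, so git refuses the workspace without this`, hedged to whatever the actual reason is.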
@@ -0,0 +1,50 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Govulncheck
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions: read-all
+
+jobs:
+ govulncheck_job:
+ runs-on: ubuntu-latest
+ name: Scan for vulns
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
+ sum.golang.org:443
+ vuln.go.dev:443
+
+ - name: Install Go
+ uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+ with:
+ go-version: ">= 1.22.1"
+ cache: true
+
+ - id: govulncheck
+ uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
+ with:
+ go-version-input: ">= 1.21"
+ check-latest: true
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
new file mode 100644
index 0000000..9f094cd
--- /dev/null
+++ b/.github/workflows/osv-scanner.yml
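Review bot: This job has no `actions/checkout` step, so it relies on the govulncheck action cloning the repository itself — which, if I read that action correctly, it does by default, together with its own Go setup driven by `go-version-input`. That makes the explicit `Install Go` step redundant, and its `>= 1.22.1` disagrees with the `>= 1.21` handed to the action; align them, e.g. `go-version-input: ">= 1.22.1"`, so the scanned toolchain matches the one the other workflows build with. An explicit `Checkout Source` step as in the sibling workflows would also keep the job working if the action's built-in checkout is ever disabled, and a comment above `- id: govulncheck` noting that the action performs the checkout would spare the next reader the same question.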
@@ -0,0 +1,42 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: OSV Scanner
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions: read-all
+
+jobs:
+ osv_scanner_job:
+ runs-on: ubuntu-latest
+ name: Scan for vulns
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-sudo: false
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ osv-vulnerabilities.storage.googleapis.com:443
+
+ - name: Checkout Source
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Check dependencies for security vulnerabilities
+ uses: g-rath/check-with-osv-detector@0e8c0f954d8618a3a4671eca1918b30b2d085af3 # main
diff --git a/.github/workflows/pr-dep-review.yml b/.github/workflows/pr-dep-review.yml
new file mode 100644
index 0000000..3175d11
--- /dev/null
+++ b/.github/workflows/pr-dep-review.yml
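Review bot: `disable-sudo: false` on the Harden Runner step is the one place in this PR where sudo stays enabled, and neither of the two following steps visibly needs root; set `disable-sudo: true` unless the scanner action is known to require it, and say so in a comment if it does. The `# main` annotation on `g-rath/check-with-osv-detector` indicates the SHA tracks a branch head rather than a tagged release, so automated pin updates will follow `main` forward with each bump; pin to a release tag's commit or document why the branch is tracked. This is also a far less widely used third-party action than the others here — `permissions: read-all` bounds the damage, but the checked-out tree is still exposed to it, so add `persist-credentials: false` to `Checkout Source` as well.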
@@ -0,0 +1,42 @@
+---
+name: PR Dependency Review
+on: [pull_request]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ name: Scan for issues
+ permissions:
+ pull-requests: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ api.securityscorecards.dev:443
+ github.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
+ sum.golang.org:443
+
+ - name: Checkout Repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Dependency Review
+ uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0
+ with:
+ fail-on-severity: low
+ license-check: true
+ vulnerability-check: true
+ comment-summary-in-pr: on-failure
+ allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, MPL-2.0, MIT
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 0000000..543b0b3
--- /dev/null
+++ b/.github/workflows/scorecard.yml
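Review bot: The egress allowlist admits `proxy.golang.org:443` and `sum.golang.org:443`, but nothing in this job runs Go — `dependency-review-action` reads the dependency diff from GitHub's API — so those two entries widen egress for no visible consumer and can be removed. For the same reason the `Checkout Repository` step appears unnecessary (the action does not need a working tree, as far as its documentation goes); if it is kept, give it `persist-credentials: false`. Note too that on `pull_request` events from forks the token is read-only regardless of the job-level `pull-requests: write`, so `comment-summary-in-pr: on-failure` will not post there; the failing check is still visible, but a comment such as `# PR comments only work for same-repo PRs; fork PRs rely on the check status` would stop someone depending on the comment.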
@@ -0,0 +1,96 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Supply-Chain Security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: 40 8 * * 5
+ push:
+ branches: [main]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Perform analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.deps.dev:443
+ api.github.com:443
+ api.osv.dev:443
+ api.scorecard.dev:443
+ api.securityscorecards.dev:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ objects.githubusercontent.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
+ - name: Checkout code
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: Run analysis
+ uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecard on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: Upload artifact
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: Upload to code-scanning
+ uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
new file mode 100644
index 0000000..18fd6d6
--- /dev/null
+++ b/.github/workflows/trufflehog.yml
@@ -0,0 +1,50 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: TruffleHog
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ trufflehog_job:
+ runs-on: ubuntu-latest
+ name: Scan for secrets
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.cloudflare.com:443
+ ghcr.io:443
+ github.com:443
+ gitlab.com:443
+ pkg-containers.githubusercontent.com:443
+
+ - name: Checkout Source
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+
+ - name: Check secrets with TruffleHog OSS
+ uses: trufflesecurity/trufflehog@b715613cb3156d6169b47b3592e35057bd0031bd # v3.83.6
+ with:
+ path: ./
+ head: HEAD
+ extra_args: --only-verified
diff --git a/.github/workflows/update-on-push.yml b/.github/workflows/update-on-push.yml
new file mode 100644
index 0000000..a89e0b3
--- /dev/null
+++ b/.github/workflows/update-on-push.yml
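Review bot: `extra_args: --only-verified` together with `egress-policy: block` means a detector can only report a secret if it can reach that secret's verification endpoint, and the allowlist covers just Cloudflare, GitHub/ghcr, GitLab and `pkg-containers.githubusercontent.com`; a leaked credential for any other service will fail verification and be dropped silently, so the scan is far narrower than the step name suggests. Either extend the allowlist to the verifiers you actually want exercised, or report unverifiable hits as well — recent TruffleHog releases accept `--results=verified,unknown` in place of `--only-verified`, though the exact flag should be checked against the pinned v3.83.6. Whichever is chosen, a comment above `allowed-endpoints:` stating which detectors the list is meant to serve would keep the two settings from drifting apart.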
@@ -0,0 +1,78 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Auto-update on push
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ update_on_push_job:
+ runs-on: ubuntu-latest
+ name: Auto-update on push
+ permissions:
+ contents: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ registry.npmjs.org:443
+
+ - name: Install Node.js
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+ with:
+ node-version: "20"
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Checkout Source
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+
+ - name: Generate Changelog
+ uses: orhun/git-cliff-action@d3e272c587198684dcdd13f328b4a84d396c8a70 # v4.3.1
+ with:
+ config: cliff.toml
+ args: --verbose
+ env:
+ OUTPUT: CHANGELOG.md
+
+ - name: Remove git-cliff artifacts
+ run: |
+ rm -Rf git-cliff*
+
+ - name: Generate artifacts
+ run: |
+ # Generate list of authors
+ ./scripts/generate-contributors.sh
+
+ - name: Git commit if changed
+ run: |
+ git config user.name "Northwood Labs (Bot)"
+ git config user.email "bot@northwood-labs.com"
+
+ set +e
+
+ git add .
+ git status | grep modified
+ if [ $? -eq 0 ]; then
+ git commit -a -m "automation: Updated AUTHORS and CHANGELOG on $(date)."
+ git push https://${{ secrets.GITHUB_TOKEN }}@github.com/${GITHUB_REPOSITORY}.git main
+ fi
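Review bot: The change detection in `Git commit if changed` greps `git status` for the word `modified`, so a freshly generated `CHANGELOG.md` or contributors file that git reports as `new file:` is staged by `git add .` but never committed, and the `set +e` / `$?` construction hides that; `git diff --cached --quiet` after the add is the exact test for "anything staged". The push also splices `${{ secrets.GITHUB_TOKEN }}` into the remote URL on the command line, even though the earlier `Checkout Source` step has already persisted that same token in the repo's git config (default `persist-credentials`), so `git push origin main` works without re-exposing the token in process arguments or in any error output git prints. `registry.npmjs.org:443` is allowlisted although no npm step is visible — presumably for `setup-node` — and a one-line comment on that entry would save the next reader a guess.
```yaml
      - name: Git commit if changed
        run: |
          # … unchanged: git user.name / user.email config …

          git add .
          # Any staged change (new, modified or deleted files), not just "modified"
          if ! git diff --cached --quiet; then
            git commit -m "automation: Updated AUTHORS and CHANGELOG on $(date)."
            # actions/checkout already persisted GITHUB_TOKEN for the origin remote
            git push origin main
          fi
```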