Initial push (#1)

* Add a dependabot * Remove unused linters * Update deps * Bring in upgrades from dependabot from other repo * Fix registration of zerolog and http * Add safecast * Fix lint issues * Add dist folder to gitignore * go mod tidy * Add workflows and goreleaser * Add contributing, COC, license * Add yamllint config * Get rid of unnecessary -f * Get rid of codeql * Build before analyzing * Add a pre-commit config * Exclude some things from linting * Fix yamllint issues * Add markdownlint configuration * Point at correct artifacts.json * Add DCO * Add NOTICE
authzed · Dec 10, 2024 · 392befb · 392befb
1 parent ddc6da5
commit 392befb
Show file tree

Hide file tree

Showing 24 changed files with 757 additions and 225 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,19 @@
+---
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "."
+    schedule:
+      interval: "monthly"
+    groups:
+      gomod:
+        patterns: ["*"]
+    labels: ["area/dependencies"]
+  - package-ecosystem: "docker"
+    directory: "."
+    schedule:
+      interval: "monthly"
+    groups:
+      docker:
+        patterns: ["*"]
+    labels: ["area/dependencies"]
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
@@ -0,0 +1,25 @@
+---
+name: "Build & Test"
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+    branches:
+      - "*"
+  merge_group:
+    types:
+      - "checks_requested"
+jobs:
+  build:
+    name: "Build Binary"
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "actions/checkout@v4"
+      - uses: "authzed/actions/setup-go@main"
+      - uses: "authzed/actions/go-build@main"
+
+  unit:
+    name: "Run Unit Tests"
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "actions/checkout@v4"
+      - uses: "authzed/actions/setup-go@main"
+      - uses: "authzed/actions/go-test@main"
diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml
@@ -0,0 +1,23 @@
+---
+name: "CLA"
+on:  # yamllint disable-line rule:truthy
+  issue_comment:
+    types:
+      - "created"
+  pull_request_target:
+    types:
+      - "opened"
+      - "closed"
+      - "synchronize"
+  merge_group:
+    types:
+      - "checks_requested"
+jobs:
+  cla:
+    name: "Check Signature"
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "authzed/actions/cla-check@main"
+        with:
+          github_token: "${{ secrets.GITHUB_TOKEN }}"
+          cla_assistant_token: "${{ secrets.CLA_ASSISTANT_ACCESS_TOKEN }}"
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -0,0 +1,67 @@
+---
+name: "Lint"
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+    branches: ["*"]
+  merge_group:
+    types:
+      - "checks_requested"
+jobs:
+  go-lint:
+    name: "Lint Go"
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "actions/checkout@v4"
+      - uses: "authzed/actions/setup-go@main"
+      - uses: "authzed/actions/gofumpt@main"
+      - uses: "authzed/actions/go-mod-tidy@main"
+      - uses: "authzed/actions/go-generate@main"
+      - uses: "authzed/actions/golangci-lint@main"
+
+  extra-lint:
+    name: "Lint YAML & Markdown"
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "actions/checkout@v4"
+      - uses: "authzed/actions/yaml-lint@main"
+      - uses: "authzed/actions/markdown-lint@main"
+
+  # TODO: where is the build for this happening?
+  trivy-fs:
+    name: "Analyze FS with Trivy"
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "actions/checkout@v4"
+      - uses: "authzed/actions/setup-go@main"
+      # Run the build so that trivy has something to analyze
+      - uses: "authzed/actions/go-build@main"
+      - uses: "aquasecurity/trivy-action@master"
+        with:
+          scan-type: "fs"
+          ignore-unfixed: true
+          format: "table"
+          exit-code: "1"
+          severity: "CRITICAL,HIGH,MEDIUM"
+        env:
+          TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
+          TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db"
+
+  trivy-image:
+    name: "Analyze Release Image with Trivy"
+    runs-on: "ubuntu-latest"
+    steps:
+      - uses: "actions/checkout@v4"
+      - uses: "authzed/actions/setup-go@main"
+      - uses: "goreleaser/goreleaser-action@v6"
+        id: "goreleaser"
+        with:
+          distribution: "goreleaser-pro"
+          version: "2.4.8"
+          args: "release --clean --split --snapshot --single-target"
+        env:
+          GORELEASER_KEY: "${{ secrets.GORELEASER_KEY }}"
+      - name: "Obtain container image to scan"
+        run: |
+          echo "IMAGE_NAME=$(jq '.[] | select(.extra.ID == "dockerhub-ko") | .path' dist/linux_amd64_v1/artifacts.json --raw-output)" >> $GITHUB_ENV
+      - name: "run trivy on release image"
+        run: "docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --no-progress --severity CRITICAL,HIGH,MEDIUM ${{ env.IMAGE_NAME }} --db-repository public.ecr.aws/aquasecurity/trivy-db --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,30 @@
+---
+name: "release"
+on:  # yamllint disable-line rule:truthy
+  push:
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+"
+
+jobs:
+  github:
+    runs-on: "macos-latest"
+    steps:
+      - uses: "actions/checkout@v4"
+        with:
+          fetch-depth: 0
+      - uses: "authzed/actions/setup-go@main"
+      - uses: "authzed/actions/docker-login@main"
+        with:
+          quayio_token: "${{ secrets.QUAYIO_PASSWORD }}"
+          github_token: "${{ secrets.GITHUB_TOKEN }}"
+          dockerhub_token: "${{ secrets.DOCKERHUB_ACCESS_TOKEN }}"
+      - uses: "goreleaser/goreleaser-action@v6"
+        with:
+          distribution: "goreleaser-pro"
+          # NOTE: keep in sync with goreleaser version in other job.
+          # github actions don't allow yaml anchors.
+          version: "2.4.8"
+          args: "release --clean"
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          GORELEASER_KEY: "${{ secrets.GORELEASER_KEY }}"
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+
+dist/
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -8,12 +8,11 @@ linters-settings:
     local-prefixes: "github.com/authzed/thumper"
   gosec:
     excludes:
-      - "G404" # Allow the usage of math/rand
+      - "G404"  # Allow the usage of math/rand
 linters:
   enable:
     - "bidichk"
     - "bodyclose"
-    - "deadcode"
     - "errcheck"
     - "errname"
     - "errorlint"
@@ -23,7 +22,6 @@ linters:
     - "gosec"
     - "gosimple"
     - "govet"
-    - "ifshort"
     - "importas"
     - "ineffassign"
     - "makezero"
@@ -33,12 +31,10 @@ linters:
     - "revive"
     - "rowserrcheck"
     - "staticcheck"
-    - "structcheck"
     - "stylecheck"
     - "tenv"
     - "typecheck"
     - "unconvert"
     - "unused"
-    - "varcheck"
     - "wastedassign"
     - "whitespace"
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -0,0 +1,54 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+# yaml-language-server: $schema=https://goreleaser.com/static/schema-pro.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+---
+version: 2
+
+builds:
+  - id: "main-build"
+    env:
+      - "CGO_ENABLED=0"
+    goos:
+      - "linux"
+      - "darwin"
+    goarch:
+      - "amd64"
+      - "arm64"
+    main: "./cmd/thumper/"
+    dir: "."
+
+kos:
+  - &ko-defaults
+    id: "dockerhub-ko"
+    build: "main-build"
+    platforms:
+      - "linux/amd64"
+      - "linux/arm64"
+      - "darwin/amd64"
+      - "darwin/arm64"
+    # TODO: extend this to other repos
+    repository: "authzed/zed"
+    tags:
+      - "latest"
+      - "v{{ .Version }}"
+    sbom: "none"
+  - <<: *ko-defaults
+    id: "ghcr-build"
+    repository: "ghcr.io/authzed/zed"
+  - <<: *ko-defaults
+    id: "quay-build"
+    repository: "quay.io/authzed/zed"
+
+archives:
+  - id: "main-archive"
+    builds:
+      - "main-build"
+
+changelog:
+  use: "github-native"
+  sort: "asc"
+
+checksum:
+  name_template: "checksums.txt"
diff --git a/.markdownlint.yaml b/.markdownlint.yaml
@@ -0,0 +1,3 @@
+---
+line-length: false
+no-hard-tabs: false
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,6 @@
+---
+repos:
+  - repo: "https://github.com/adrienverge/yamllint"
+    rev: "v1.35.1"
+    hooks:
+      - id: "yamllint"
diff --git a/.yamllint b/.yamllint
@@ -0,0 +1,13 @@
+# vim: ft=yaml
+---
+yaml-files:
+  - "*.yaml"
+  - "*.yml"
+  - ".yamllint"
+extends: "default"
+ignore: |
+  scripts
+  schema.yaml
+rules:
+  quoted-strings: "enable"
+  line-length: "disable"
diff --git a/CODE-OF-CONDUCT.md b/CODE-OF-CONDUCT.md
@@ -0,0 +1,24 @@
+# Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+- The use of sexualized language or imagery
+- Personal attacks
+- Trolling or insulting/derogatory comments
+- Public or private harassment
+- Publishing other’s private information, such as physical or electronic addresses, without explicit permission
+- Other unethical or unprofessional conduct
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct.
+By adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently applying these principles to every aspect of managing this project.
+Project maintainers who do not follow or enforce the Code of Conduct may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an issue or contacting one or more of the project maintainers.
+
+This Code of Conduct is adapted from the Contributor Covenant, version 1.2.0, available [here](https://www.contributor-covenant.org/version/1/2/0/code-of-conduct.html)