update ci and deps (#55)

Signed-off-by: bytemare <[email protected]>
bytemare · Apr 30, 2024 · 4ef5e74 · 4ef5e74
1 parent afedf39
commit 4ef5e74
Show file tree

Hide file tree

Showing 15 changed files with 183 additions and 47 deletions.
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
@@ -23,10 +23,14 @@ Please note that changes that are purely cosmetic and do not add anything substa
 
 This project tries to be as Go idiomatic as possible. Conventions from [Effective Go](https://golang.org/doc/effective_go) apply here. Tests use a very opinionated linting configuration that you can use before committing to your changes.
 
+### Governance Model
+
+This project follows the [Benevolent Dictator Governance Model](http://oss-watch.ac.uk/resources/benevolentdictatorgovernancemodel) where the project owner and lead makes all final decisions.
+
 ### Licence
 
 By contributing to this project, you agree that your contributions will be licensed under the project's [License](https://github.com/bytemare/crypto/blob/main/LICENSE).
 
-All contributions (including pull requests) must agree to the [Developer Certificate of Origin (DCO) version 1.1](http://developercertificate.org). It states that the contributor has the right to submit the patch for inclusion into the project. Simply submitting a contribution implies this agreement, however, please include the "Signed-off-by" git tag in every commit (this tag is a conventional way to confirm that you agree to the DCO).
+All contributions (including pull requests) must agree to the [Developer Certificate of Origin (DCO) version 1.1](https://developercertificate.org). It states that the contributor has the right to submit the patch for inclusion into the project. Simply submitting a contribution implies this agreement, however, please include the "Signed-off-by" git tag in every commit (this tag is a conventional way to confirm that you agree to the DCO).
 
 Thanks! :heart:
diff --git a/.github/ISSUE_TEMPLATE/enhancement.md b/.github/ISSUE_TEMPLATE/enhancement.md
@@ -0,0 +1,24 @@
+---
+name: "📈 Enhancement"
+about: Request or discuss improvements
+title: "[Enhancement]"
+labels: enhancement
+assignees: bytemare
+
+---
+
+<!--
+Please answer these questions before submitting your issue. Thanks!
+-->
+
+### Describe the feature
+
+A clear and concise description of what the enhancement is and what problem it solves. 
+
+**Expected behaviour**
+
+A clear and concise description of what you expected to happen.
+
+**Additional context**
+
+Add any other context about the problem here.
diff --git a/.github/Makefile b/.github/Makefile
@@ -1,18 +1,18 @@
 .PHONY: update
 update:
 	@echo "Updating dependencies..."
-	@cd ../ && go get -u
+	@cd ../ && go get -u ./...
 	@go mod tidy
 	@echo "Updating Github Actions pins..."
 	@$(foreach file, $(wildcard workflows/*.yml), pin-github-action $(file);)
 
 .PHONY: update-linters
 update-linters:
 	@echo "Updating linters..."
-	@go install golang.org/x/tools/cmd/goimports@latest
 	@go install mvdan.cc/gofumpt@latest
 	@go install github.com/daixiang0/gci@latest
 	@go install github.com/segmentio/golines@latest
+	@go install golang.org/x/tools/cmd/goimports@latest
 	@go install golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment@latest
 	@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin
 

diff --git a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md
@@ -8,6 +8,8 @@
 <!--- If suggesting a new feature or change, please discuss it in an issue first -->
 <!--- If fixing a bug, there should be an issue describing it with steps to reproduce -->
 <!--- Please link to the issue here: -->
+<!--- Put `closes #XXXX` in your comment to auto-close the issue that your PR fixes (if such). -->
+<!--- You can skip this if you're fixing a typo or adding an app to the Showcase. -->
 
 ### Motivation and Context
 <!--- Why is this change required? What problem does it solve? -->
@@ -26,9 +28,9 @@
 ### Checklist:
 <!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
 <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
+- [ ] I have read the **CONTRIBUTING** document.
 - [ ] My code follows the code style of this project.
 - [ ] My change requires a change to the documentation.
 - [ ] I have updated the documentation accordingly.
-- [ ] I have read the **CONTRIBUTING** document.
 - [ ] I have added tests to cover my changes.
 - [ ] All new and existing tests passed.
diff --git a/SECURITY.md → .github/SECURITY.md b/SECURITY.md → .github/SECURITY.md
diff --git a/.github/dependency-review.yml b/.github/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: block
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -12,6 +12,17 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            proxy.golang.org:443
+            raw.githubusercontent.com:443
+
       - name: Checkout repo
         uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f
         with:
@@ -35,8 +46,18 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go: [ '1.21', '1.20' ]
+        go: [ '1.22', '1.21' ]
     steps:
+      - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            proxy.golang.org:443
+            storage.googleapis.com:443
+            sum.golang.org:443
+
       - name: Checkout repo
         uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f
         with:
@@ -54,6 +75,22 @@ jobs:
     name: Analyze
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.codecov.io:443
+            api.github.com:443
+            cli.codecov.io:443
+            ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            proxy.golang.org:443
+            scanner.sonarcloud.io:443
+            sonarcloud.io:443
+            storage.googleapis.com:443
+
       - name: Checkout repo
         uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f
         with:
@@ -70,6 +107,8 @@ jobs:
       # Codecov
       - name: Codecov
         uses: codecov/codecov-action@1290bddc8851afa46a03b9a73dd9979a415d4c4f
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
         with:
           file: .github/coverage.out
 
@@ -86,5 +125,6 @@ jobs:
             -Dsonar.go.coverage.reportPaths=.github/coverage.out
             -Dsonar.sources=.
             -Dsonar.test.exclusions=tests/**
+            -Dsonar.coverage.exclusions=tests/**
             -Dsonar.tests=tests/
             -Dsonar.verbose=true
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,6 +1,9 @@
 name: "CodeQL"
 
 on:
+  push:
+    branches:
+      - main
   pull_request:
     branches:
       - main
@@ -23,17 +26,22 @@ jobs:
       fail-fast: false
 
     steps:
+      - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10
+        with:
+          disable-sudo: true
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f
+        uses: actions/checkout@27135e314dd1818f797af1db9dae03a9f045786b
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@231aa2c8a89117b126725a0e11897209b7118144 # pin@master
+        uses: github/codeql-action/init@231aa2c8a89117b126725a0e11897209b7118144
         with:
           languages: go
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@231aa2c8a89117b126725a0e11897209b7118144 # pin@master
+        uses: github/codeql-action/autobuild@231aa2c8a89117b126725a0e11897209b7118144
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@231aa2c8a89117b126725a0e11897209b7118144 # pin@master
+        uses: github/codeql-action/analyze@231aa2c8a89117b126725a0e11897209b7118144
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -1,9 +1,10 @@
-name: Scorecards supply-chain security
+name: Scorecard analysis workflow
 on:
   # Only the default branch is supported.
   branch_protection_rule:
   schedule:
-    - cron: '44 9 * * 0'
+    # Weekly on Saturdays.
+    - cron: '30 1 * * 6'
   push:
     branches: [ main ]
 
@@ -12,15 +13,30 @@ permissions: read-all
 
 jobs:
   analysis:
-    name: Scorecards analysis
+    name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload the results to code-scanning dashboard.
+      # Needed if using Code scanning alerts
       security-events: write
-      actions: read
-      contents: read
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
 
     steps:
+      - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            api.osv.dev:443
+            api.securityscorecards.dev:443
+            fulcio.sigstore.dev:443
+            github.com:443
+            oss-fuzz-build-logs.storage.googleapis.com:443
+            rekor.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
+            www.bestpractices.dev:443
+
       - name: "Checkout code"
         uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f
         with:
@@ -31,25 +47,28 @@ jobs:
         with:
           results_file: results.sarif
           results_format: sarif
-          # Read-only PAT token. To create it,
-          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
-          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
-          # Publish the results to enable scorecard badges. For more details, see
+          # (Optional) fine-grained personal access token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional.
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
           # https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories, `publish_results` will automatically be set to `false`,
-          # regardless of the value entered here.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
           publish_results: true
 
-      # Upload the results as artifacts (optional).
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
       - name: "Upload artifact"
         uses: actions/upload-artifact@552bf3722c16e81001aea7db72d8cedf64eb5f68
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
-      # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # pin@master
+      # required for Code scanning alerts
+      - name: "Upload SARIF results to code scanning"
+        uses: github/codeql-action/upload-sarif@4ebadbc7468649cf79b138f45e20d999351f6ed0
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
@@ -17,9 +17,18 @@ jobs:
     name: Snyk
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.snyk.io:443
+            github.com:443
+            proxy.golang.org:443
+
       - uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f
       - name: Run Snyk to check for vulnerabilities
-        uses: snyk/actions/golang@3e2680e8df93a24b52d119b1305fb7cedc60ceae # pin@master
+        uses: snyk/actions/golang@8349f9043a8b7f0f3ee8885bf28f0b388d2446e8
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:

diff --git a/.gitignore b/.gitignore
@@ -13,3 +13,5 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
+
+.idea
diff --git a/README.md b/README.md
@@ -29,8 +29,9 @@ The following table indexes supported groups with hash-to-curve capability and l
 
 ## Prime-order group interface
 
-This package defines an interface to the group and its scalars and elements, but exposes a type that handles that for
-you. You don't need to instantiate or implement anything.
+This package exposes types that can handle different implementations under the hood, internally using an interface
+to the group and its scalars and elements, but you don't need to instantiate or implement anything. Just use the type in
+the top package.
 
 ### Group interface
 
@@ -105,7 +106,7 @@ You can find the documentation and usage examples in [the package doc](https://p
 
 ## Versioning
 
-[SemVer](http://semver.org) is used for versioning. For the versions available, see the [tags on the repository](https://github.com/bytemare/crypto/tags).
+[SemVer](https://semver.org) is used for versioning. For the versions available, see the [tags on the repository](https://github.com/bytemare/crypto/tags).
 
 ## Contributing
 

diff --git a/go.mod b/go.mod
@@ -1,17 +1,17 @@
 module github.com/bytemare/crypto
 
-go 1.21
+go 1.22.2
 
 require (
 	filippo.io/edwards25519 v1.1.0
 	filippo.io/nistec v0.0.3
-	github.com/bytemare/hash2curve v0.2.4
-	github.com/bytemare/secp256k1 v0.1.1
+	github.com/bytemare/hash2curve v0.3.0
+	github.com/bytemare/secp256k1 v0.1.2
 	github.com/gtank/ristretto255 v0.1.2
 )
 
 require (
-	github.com/bytemare/hash v0.2.0 // indirect
-	golang.org/x/crypto v0.17.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
+	github.com/bytemare/hash v0.3.0 // indirect
+	golang.org/x/crypto v0.22.0 // indirect
+	golang.org/x/sys v0.19.0 // indirect
 )
Original file line number	Diff line number	Diff line change
Expand Up		@@ -13,3 +13,5 @@

		# Dependency directories (remove the comment below to include it)
		# vendor/

		.idea