Update CI (#64)

* Update CI Signed-off-by: bytemare <[email protected]>
bytemare · Jul 7, 2024 · b394e17 · b394e17
1 parent 8592b9b
commit b394e17
Show file tree

Hide file tree

Showing 10 changed files with 104 additions and 287 deletions.
diff --git a/.github/.golangci.yml b/.github/.golangci.yml
@@ -106,6 +106,8 @@ linters-settings:
     #  - io/ioutil.ReadFile
     #  - io.Copy(*bytes.Buffer)
     #  - io.Copy(os.Stdout)
+  exhaustive:
+    default-signifies-exhaustive: true
   funlen:
     lines: 100
     statements: 50
@@ -149,7 +151,9 @@ linters-settings:
   gosimple:
     checks: [ "all" ]
   govet:
-    check-shadowing: true
+    settings:
+      shadow:
+        strict: true
     disable-all: true
     enable:
       - asmdecl
@@ -209,8 +213,6 @@ linters-settings:
   prealloc:
     simple: false
     for-loops: true
-  unused:
-    check-exported: false
   whitespace:
     multi-if: false
     multi-func: false
@@ -231,7 +233,7 @@ issues:
   # But independently from this option we use default exclude patterns,
   # it can be disabled by `exclude-use-default: false`. To list all
   # excluded by default patterns execute `golangci-lint run --help`
-  exclude:
+  #exclude:
     #- "should have a package comment, unless it's in another file for this package"
     #- "do not define dynamic errors, use wrapped static errors instead"
     #- "missing cases in switch of type Group: maxID"

diff --git a/.github/dependency-review.yml b/.github/dependency-review.yml
diff --git a/.github/sonar-project.properties b/.github/sonar-project.properties
@@ -0,0 +1,8 @@
+sonar.organization=bytemare
+sonar.projectKey=crypto
+sonar.sources=.
+sonar.tests=tests/
+sonar.test.exclusions=tests/**
+sonar.verbose=true
+sonar.coverage.exclusions=tests/**
+sonar.go.coverage.reportPaths=coverage.out
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
@@ -0,0 +1,36 @@
+name: Code Scan
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    # random HH:MM to avoid a load spike on GitHub Actions at 00:00
+    - cron: '4 1 * * *'
+
+permissions: {}
+
+jobs:
+  Lint:
+    permissions:
+      contents: read
+    uses: bytemare/workflows/.github/workflows/golangci-lint.yml@488639cc8162524432d0c8257cd1adf7d05b90c9
+    with:
+      config-path: ./.github/.golangci.yml
+      scope: ./...
+
+  Analyze:
+    permissions:
+      contents: read
+    uses: bytemare/workflows/.github/workflows/scan-go.yml@488639cc8162524432d0c8257cd1adf7d05b90c9
+    with:
+      sonar-configuration: .github/sonar-project.properties
+      coverage-output-file: coverage.out
+    secrets:
+      github: ${{ secrets.GITHUB_TOKEN }}
+      sonar: ${{ secrets.SONAR_TOKEN }}
+      codecov: ${{ secrets.CODECOV_TOKEN }}
+      semgrep: ${{ secrets.SEMGREP_APP_TOKEN }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -10,38 +10,14 @@ on:
   schedule:
     - cron: '31 10 * * 0'
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
-  codeql:
-    name: CodeQL
-    runs-on: ubuntu-latest
+  CodeQL:
     permissions:
       actions: read
       contents: read
       security-events: write
-
-    strategy:
-      fail-fast: false
-
-    steps:
-      - uses: step-security/harden-runner@6d3c2fe731c8f225990c8018cb71c337c0d9dfcd
-        with:
-          disable-sudo: true
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
-
-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@bd2ebac9380cbba2fb338fab55bf29a2a18fd436
-        with:
-          languages: go
-
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@bd2ebac9380cbba2fb338fab55bf29a2a18fd436
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@bd2ebac9380cbba2fb338fab55bf29a2a18fd436
+    uses: bytemare/workflows/.github/workflows/codeql.yml@488639cc8162524432d0c8257cd1adf7d05b90c9
+    with:
+      language: go
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -1,74 +1,39 @@
-name: Scorecard analysis workflow
+name: Scorecard Analysis Workflow
+
 on:
-  # Only the default branch is supported.
-  branch_protection_rule:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
   schedule:
     # Weekly on Saturdays.
     - cron: '30 1 * * 6'
-  push:
-    branches: [ main ]
 
-# Declare default permissions as read only.
-permissions: read-all
+permissions: {}
 
 jobs:
   analysis:
-    name: Scorecard analysis
-    runs-on: ubuntu-latest
     permissions:
       # Needed if using Code scanning alerts
       security-events: write
       # Needed for GitHub OIDC token if publish_results is true
       id-token: write
-
-    steps:
-      - uses: step-security/harden-runner@6d3c2fe731c8f225990c8018cb71c337c0d9dfcd
-        with:
-          disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            api.osv.dev:443
-            api.securityscorecards.dev:443
-            fulcio.sigstore.dev:443
-            github.com:443
-            oss-fuzz-build-logs.storage.googleapis.com:443
-            rekor.sigstore.dev:443
-            tuf-repo-cdn.sigstore.dev:443
-            www.bestpractices.dev:443
-
-      - name: "Checkout code"
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
-        with:
-          persist-credentials: false
-
-      - name: "Run analysis"
-        uses: ossf/scorecard-action@0a8153a7e8d76932ff5903ccdbed894237ef223d
-        with:
-          results_file: results.sarif
-          results_format: sarif
-          # (Optional) fine-grained personal access token. Uncomment the `repo_token` line below if:
-          # - you want to enable the Branch-Protection check on a *public* repository, or
-          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional.
-          repo_token: ${{ secrets.SCORECARD_TOKEN }}
-
-          # Publish the results for public repositories to enable scorecard badges. For more details, see
-          # https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories, `publish_results` will automatically be set to `false`, regardless
-          # of the value entered here.
-          publish_results: true
-
-      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
-      # format to the repository Actions tab.
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@552bf3722c16e81001aea7db72d8cedf64eb5f68
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
-
-      # required for Code scanning alerts
-      - name: "Upload SARIF results to code scanning"
-        uses: github/codeql-action/upload-sarif@bd2ebac9380cbba2fb338fab55bf29a2a18fd436
-        with:
-          sarif_file: results.sarif
+      # Needed for nested workflow
+      actions: read
+      attestations: read
+      checks: read
+      contents: read
+      deployments: read
+      issues: read
+      discussions: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
+
+    uses: bytemare/workflows/.github/workflows/scorecard.yml@488639cc8162524432d0c8257cd1adf7d05b90c9
+    secrets:
+      token: ${{ secrets.SCORECARD_TOKEN }}