update compliance and ci (#26)

Signed-off-by: bytemare <[email protected]>

.github/CONTRIBUTING.md

@@ -30,6 +30,10 @@ Please note that changes that are purely cosmetic and do not add anything substa
 
 This project tries to be as Go idiomatic as possible. Conventions from [Effective Go](https://golang.org/doc/effective_go) apply here. Tests use a very opinionated linting configuration that you can use before committing to your changes.
 
+### Governance Model
+
+This project follows the [Benevolent Dictator Governance Model](http://oss-watch.ac.uk/resources/benevolentdictatorgovernancemodel) where the project owner and lead makes all final decisions.
+
 ### Licence
 
 By contributing to this project, you agree that your contributions will be licensed under the project's [License](https://github.com/bytemare/voprf/blob/main/LICENSE).

.github/ISSUE_TEMPLATE/bug-report.md

@@ -16,7 +16,7 @@ A clear and concise description of what the bug is.
 
 ### Your setup
 
-**What version/commit of voprf are you using?**
+**What version/commit of the project are you using?**
 
 **What version of go are you using?**
 <pre>
@@ -30,7 +30,7 @@ $ go env
 
 </pre></details>
 
-**If relevant, what voprf parameters are you using?**
+**If relevant, what parameters or arguments are you using?**
 
 ### Reproducing
 

.github/ISSUE_TEMPLATE/enhancement.md

@@ -0,0 +1,24 @@
+---
+name: "📈 Enhancement"
+about: Request or discuss improvements
+title: "[Enhancement]"
+labels: enhancement
+assignees: bytemare
+
+---
+
+<!--
+Please answer these questions before submitting your issue. Thanks!
+-->
+
+### Describe the feature
+
+A clear and concise description of what the enhancement is and what problem it solves. 
+
+**Expected behaviour**
+
+A clear and concise description of what you expected to happen.
+
+**Additional context**
+
+Add any other context about the problem here.

.github/Makefile

@@ -1,10 +1,8 @@
 .PHONY: update
 update:
 	@echo "Updating dependencies..."
-	@cd ../ && go get -u
+	@cd ../ && go get -u ./...
 	@go mod tidy
-	@echo "Updating Github Actions pins..."
-	@$(foreach file, $(wildcard workflows/*.yml), pin-github-action $(file);)
 
 .PHONY: update-linters
 update-linters:
@@ -39,7 +37,7 @@ lint: fmt license
 .PHONY: test
 test:
 	@echo "Running all tests ..."
-	@go test -v -vet=all ../tests
+	@go test -v -vet=all ../...
 
 .PHONY: vectors
 vectors:

.github/PULL_REQUEST_TEMPLATE/pull_request_template.md

@@ -8,6 +8,8 @@
 <!--- If suggesting a new feature or change, please discuss it in an issue first -->
 <!--- If fixing a bug, there should be an issue describing it with steps to reproduce -->
 <!--- Please link to the issue here: -->
+<!--- Put `closes #XXXX` in your comment to auto-close the issue that your PR fixes (if such). -->
+<!--- You can skip this if you're fixing a typo or adding an app to the Showcase. -->
 
 ### Motivation and Context
 <!--- Why is this change required? What problem does it solve? -->
@@ -26,9 +28,9 @@
 ### Checklist:
 <!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
 <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
+- [ ] I have read the **CONTRIBUTING** document.
 - [ ] My code follows the code style of this project.
 - [ ] My change requires a change to the documentation.
 - [ ] I have updated the documentation accordingly.
-- [ ] I have read the **CONTRIBUTING** document.
 - [ ] I have added tests to cover my changes.
 - [ ] All new and existing tests passed.

.github/dependency-review.yml

@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: block
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1

.github/renovate.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:base"
+    "github>bytemare/renovate-config"
   ]
 }

.github/workflows/ci.yml

@@ -12,18 +12,29 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            proxy.golang.org:443
+            raw.githubusercontent.com:443
+
       - name: Checkout repo
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # pin@master
+        uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f
         with:
           fetch-depth: 0
       - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # pin@master
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
         with:
           go-version-file: ./go.mod
 
       # Linting
       - name: Linting
-        uses: golangci/golangci-lint-action@2e6adf08a9d304f4ac29fc9cb609dcd6a6e05c40 # pin@master
+        uses: golangci/golangci-lint-action@692c9c9dba385536b59da68da5aef1775a6f94ea
         with:
           version: latest
           args: --config=./.github/.golangci.yml ./...
@@ -35,14 +46,24 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go: [ '1.21', '1.20' ]
+        go: [ '1.22', '1.21' ]
     steps:
+      - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            proxy.golang.org:443
+            storage.googleapis.com:443
+            sum.golang.org:443
+
       - name: Checkout repo
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # pin@master
+        uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f
         with:
           fetch-depth: 0
       - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # pin@master
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
         with:
           go-version: ${{ matrix.go }}
 
@@ -54,12 +75,28 @@ jobs:
     name: Analyze
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.codecov.io:443
+            api.github.com:443
+            cli.codecov.io:443
+            ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            proxy.golang.org:443
+            scanner.sonarcloud.io:443
+            sonarcloud.io:443
+            storage.googleapis.com:443
+
       - name: Checkout repo
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # pin@master
+        uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f
         with:
           fetch-depth: 0
       - name: Setup Go
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # pin@master
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
         with:
           go-version-file: ./go.mod
 
@@ -69,15 +106,15 @@ jobs:
 
       # Codecov
       - name: Codecov
-        uses: codecov/codecov-action@bbeaa140357942e4e8d8e15f1cd2f4e612f64c59 # pin@master
+        uses: codecov/codecov-action@1290bddc8851afa46a03b9a73dd9979a415d4c4f
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
         with:
           file: .github/coverage.out
 
       # Sonar
       - name: SonarCloud Scan
-        uses: SonarSource/sonarcloud-github-action@db501078e936e4b4c8773d1bb949ba9ddb7b6b6a # pin@master
+        uses: SonarSource/sonarcloud-github-action@6bbd64e0cb2194e04addb429d669a9ee873eeeef
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/codeql.yml

@@ -21,21 +21,26 @@ jobs:
 
     strategy:
       fail-fast: false
-      matrix:
-        go: [ '1.21', '1.20' ]
 
     steps:
+      - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443 github.com:443 objects.githubusercontent.com:443 proxy.golang.org:443 storage.googleapis.com:443 sum.golang.org:443 uploads.github.com:443
+
       - name: Checkout repository
-        uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # pin@master
+        uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@6f5223db54afb6bccb7b88162896588caa1f611b # pin@master
+        uses: github/codeql-action/init@4ebadbc7468649cf79b138f45e20d999351f6ed0
         with:
           languages: go
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@6f5223db54afb6bccb7b88162896588caa1f611b # pin@master
+        uses: github/codeql-action/autobuild@4ebadbc7468649cf79b138f45e20d999351f6ed0
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@6f5223db54afb6bccb7b88162896588caa1f611b # pin@master
+        uses: github/codeql-action/analyze@4ebadbc7468649cf79b138f45e20d999351f6ed0

.github/workflows/scorecards.yml

@@ -1,55 +1,74 @@
-name: Scorecards supply-chain security
+name: Scorecard analysis workflow
 on:
+  # Only the default branch is supported.
+  branch_protection_rule:
   schedule:
-    - cron: '16 23 * * 2'
+    # Weekly on Saturdays.
+    - cron: '30 1 * * 6'
   push:
-    branches: [ "main" ]
+    branches: [ main ]
 
 # Declare default permissions as read only.
 permissions: read-all
 
 jobs:
   analysis:
-    name: Scorecards analysis
+    name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload the results to code-scanning dashboard.
+      # Needed if using Code scanning alerts
       security-events: write
-      # Needed to publish results and get a badge (see publish_results below).
+      # Needed for GitHub OIDC token if publish_results is true
       id-token: write
+
     steps:
+      - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            api.osv.dev:443
+            api.securityscorecards.dev:443
+            fulcio.sigstore.dev:443
+            github.com:443
+            oss-fuzz-build-logs.storage.googleapis.com:443
+            rekor.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
+            www.bestpractices.dev:443
+
       - name: "Checkout code"
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # pin@master
+        uses: actions/checkout@8459bc0c7e3759cdf591f513d9f141a95fef0a8f
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@342acf350cd07e41a36da9be2b107614dd1661a3 # pin@master
+        uses: ossf/scorecard-action@fad9a3cc533bb069b1f01f272f1f630895cd690a
         with:
           results_file: results.sarif
           results_format: sarif
+          # (Optional) fine-grained personal access token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional.
           repo_token: ${{ secrets.SCORECARD_TOKEN }}
 
-          # Public repositories:
-          #   - Publish results to OpenSSF REST API for easy access by consumers
-          #   - Allows the repository to include the Scorecard badge.
-          #   - See https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories:
-          #   - `publish_results` will always be set to `false`, regardless
-          #     of the value entered here.
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
           publish_results: true
 
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # pin@master
+        uses: actions/upload-artifact@552bf3722c16e81001aea7db72d8cedf64eb5f68
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
-      # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@6f5223db54afb6bccb7b88162896588caa1f611b # pin@master
+      # required for Code scanning alerts
+      - name: "Upload SARIF results to code scanning"
+        uses: github/codeql-action/upload-sarif@4ebadbc7468649cf79b138f45e20d999351f6ed0
         with:
           sarif_file: results.sarif

.gitignore

@@ -13,3 +13,5 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
+
+.idea