chore: update deps and improve ci

.github/dependabot.yml

@@ -5,30 +5,45 @@ updates:
     directory: /
     schedule:
       interval: weekly
-      time: "06:00"
-      timezone: UTC
+      # offset from the hour to avoid other build jobs
+      time: "06:34"
+      timezone: Etc/UTC
     open-pull-requests-limit: 10
     commit-message:
       prefix: chore
       include: scope
+    groups:
+      gha:
+        patterns:
+          - "*"
   - package-ecosystem: gomod
     directory: /
     schedule:
       interval: weekly
-      time: "06:00"
-      timezone: UTC
+      # offset from the hour to avoid other build jobs
+      time: "06:34"
+      timezone: Etc/UTC
     allow:
       # direct and indirect updates
       - dependency-type: "all"
     commit-message:
       prefix: chore
       include: scope
+    groups:
+      gomod:
+        patterns:
+          - "*"
   - package-ecosystem: docker
     directory: /
     schedule:
       interval: weekly
-      time: "06:00"
-      timezone: UTC
+      # offset from the hour to avoid other build jobs
+      time: "06:34"
+      timezone: Etc/UTC
     commit-message:
       prefix: chore
       include: scope
+    groups:
+      docker:
+        patterns:
+          - "*"

.github/workflows/security_analysis.yml

@@ -4,15 +4,27 @@ name: Security Analysis
 on:
   push:
     branches: [master]
+    paths:
+      - "**.go"
+      - "go.mod"
+      - "go.sum"
   pull_request:
     branches: [master]
+    paths:
+      - "**.go"
+      - "go.mod"
+      - "go.sum"
   schedule:
-    - cron: "0 6 * * *"
+    # 06:12 - offset from the hour to avoid other build jobs
+    - cron: "12 6 * * *"
 
 jobs:
   codeql:
     name: CodeQL
     runs-on: ubuntu-latest
+    permissions:
+      # allow uploading sarif results
+      security-events: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -22,18 +34,38 @@ jobs:
         with:
           languages: go
 
+      # analyzes + uploads sarif
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
 
   govulncheck:
     name: govulncheck
     runs-on: ubuntu-latest
+    permissions:
+      # allow uploading sarif results
+      security-events: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
       - name: Vulnerability Scan Go Code
-        uses: Templum/govulncheck-action@v1.0.1
+        uses: golang/govulncheck-action@v1
         with:
-           go-version: 1.22
-           vulncheck-version: v1.0.1
+          go-version-file: go.mod
+          repo-checkout: false
+          output-format: sarif
+          output-file: govulncheck.sarif
+
+      - name: Fix govulncheck SARIF output
+        # https://github.com/docker/buildx/blob/d4eca07af8385dca95b4c38535a9bbaa3bfc0fa9/hack/dockerfiles/govulncheck.Dockerfile#L22-L25
+        # Make sure "results" field is defined in SARIF output otherwise GitHub Code Scanning
+        # will fail when uploading report with "Invalid SARIF. Missing 'results' array in run."
+        # Relates to https://github.com/golang/vuln/blob/ffdef74cc44d7eb71931d8d414c478b966812488/internal/sarif/sarif.go#L69
+        run: |
+          cat <<< $(jq '(.runs[] | select(.results == null) | .results) |= []' govulncheck.sarif) > govulncheck.sarif
+
+      - name: Upload Scan SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: govulncheck.sarif
+          category: govulncheck

Makefile

@@ -60,7 +60,7 @@ LDFLAGS=-s -w \
         -X github.com/controlplaneio/badrobot/cmd.commit=$(GIT_SHA)
 
 PACKAGE = none
-BATS_PARALLEL_JOBS := $(shell command -v parallel 2>/dev/null && echo '--jobs 20')
+BATS_PARALLEL_JOBS := $(shell command -v parallel 2>&1 >/dev/null && echo '--jobs 20')
 
 .PHONY: all
 all: help
@@ -83,26 +83,30 @@ test: ## unit and local acceptance tests
 	@echo "+ $@"
 	make test-unit build test-acceptance
 
-test/bin/%:
-	git submodule update --init -- $@
+.PHONY: check-and-reinit-submodules
+check-and-reinit-submodules:
+	@if git submodule status | grep "^[-+]" ; then \
+		git submodule update --init; \
+	fi
 
-.PHONY: bats
-bats: test/bin/bats test/bin/bats-assert test/bin/bats-support ## fetch bats dependencies
+.PHONY: uninit-submodules
+uninit-submodules:
+	git submodule deinit -f .
 
 .PHONY: test-acceptance
-test-acceptance: bats build ## acceptance tests
+test-acceptance: check-and-reinit-submodules build ## acceptance tests
 	@echo "+ $@"
 	bash -xc 'cd test && ./bin/bats/bin/bats $(BATS_PARALLEL_JOBS) .'
 
 .PHONY: test-unit
 test-unit: ## golang unit tests
 	@echo "+ $@"
-	go test -race $$(go list ./... | grep -v '/vendor/') -run "$${RUN:-.*}"
+	CGO_ENABLED=1 go test -race $$(go list ./... | grep -v '/vendor/') -run "$${RUN:-.*}"
 
 .PHONY: test-unit-verbose
 test-unit-verbose: ## golang unit tests (verbose)
 	@echo "+ $@"
-	go test -race -v $$(go list ./... | grep -v '/vendor/') -run "$${RUN:-.*}"
+	CGO_ENABLED=1 go test -race -v $$(go list ./... | grep -v '/vendor/') -run "$${RUN:-.*}"
 
 # ---
 

go.mod

@@ -1,8 +1,8 @@
 module github.com/controlplaneio/badrobot
 
-go 1.22.0
+go 1.23
 
-toolchain go1.22.2
+toolchain go1.23.3
 
 require (
 	github.com/ghodss/yaml v1.0.0
@@ -30,8 +30,8 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/apimachinery v0.31.3 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078 // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.3 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )

go.sum

@@ -102,10 +102,10 @@ k8s.io/apimachinery v0.31.3 h1:6l0WhcYgasZ/wk9ktLq5vLaoXJJr5ts6lkaQzgeYPq4=
 k8s.io/apimachinery v0.31.3/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
-k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078 h1:jGnCPejIetjiy2gqaJ5V0NLwTpF4wbQ6cZIItJCSHno=
+k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.3 h1:sCP7Vv3xx/CWIuTPVN38lUPx0uw0lcLfzaiDa8Ja01A=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.3/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=