Sanitize response body before logging (#2020) #86
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: lint | |
on: | |
push: | |
branches: [main, master] | |
pull_request: | |
branches: '**' | |
merge_group: | |
types: [checks_requested] | |
jobs: | |
golangci: | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [macos-latest, windows-latest, ubuntu-latest] | |
name: lint | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: './go.mod' | |
check-latest: true | |
cache: false | |
- run: make deps | |
- name: golangci-lint | |
uses: golangci/golangci-lint-action@v6 | |
with: | |
skip-save-cache: true | |
# Run again as a workaround for https://github.com/golangci/golangci-lint-action/issues/362 | |
- name: golangci-lint | |
if: ${{ always() }} | |
run: golangci-lint run | |
govulncheck: | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [macos-latest, windows-latest, ubuntu-latest] | |
name: govulncheck | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@v4 | |
- id: govulncheck | |
uses: golang/govulncheck-action@v1 | |
with: | |
go-version-file: './go.mod' | |
check-latest: true | |
go-package: ./... | |
output-format: json | |
output-file: govulncheck.json | |
# Exclude GO-2024-3166 since we do not believe it applies to go-tuf before v2, and additionally | |
# because we do not believe it applies to our usage since we do not use delegates. | |
- name: Evaluate govulncheck results | |
shell: bash | |
run: | | |
findingCount=$(jq -r '.finding | select ( . != null ) | .osv | select ( . != "GO-2024-3166")' govulncheck.json | wc -l) | |
findingCount=$((findingCount + 0)) | |
if [[ $findingCount -ne 0 ]]; then | |
printf "govulncheck reports %d findings" "$findingCount" | |
jq -r '.finding | select ( . != null )' govulncheck.json | |
exit 1 | |
fi | |
# This job is here as a github status check -- it allows us to move | |
# the merge dependency from being on all the jobs to this single | |
# one. | |
lint_mergeable: | |
runs-on: ubuntu-latest | |
steps: | |
- run: true | |
needs: | |
- golangci | |
- govulncheck |