Add and configure Capslock

Add Capslock (<https://github.com/google/capslock>) as a tool dependency and use it to continuously check (statically) the capabilities used by dependencies. The idea behind doing this is to ensure all potentially dangerous function being used are known and make sense in the context in which they're used. The `capabilities.json` file is included in the commit history because it is needed to do a comparison from one version to the next.
chains-project · Oct 21, 2024 · 689e1f1 · 689e1f1
1 parent 855ebf3
commit 689e1f1
Show file tree

Hide file tree

Showing 6 changed files with 19,068 additions and 2 deletions.
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -4,6 +4,7 @@ on:
     paths:
     - '**/*.go'
     - .github/workflows/audit.yml
+    - capabilities.json
     - go.mod
     - go.sum
   push:
@@ -16,6 +17,25 @@ on:
 permissions: read-all
 
 jobs:
+  capabilities:
+    name: Capabilities
+    runs-on: ubuntu-24.04
+    steps:
+    - name: Checkout repository
+      uses: actions/[email protected]
+    - name: Install Go
+      uses: actions/[email protected]
+      with:
+        go-version-file: go.mod
+    - name: Verify action checksums
+      env:
+        JOB: ${{ github.job }}
+        WORKFLOW: ${{ github.workflow_ref }}
+      run: |
+        WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+        go run ./cmd/ghasum verify -cache /home/runner/work/_actions -no-evict -offline "$WORKFLOW:$JOB"
+    - name: Audit
+      run: go run tasks.go audit-capabilities
   vulnerabilities:
     name: Vulnerabilities
     runs-on: ubuntu-24.04
@@ -34,4 +54,4 @@ jobs:
         WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
         go run ./cmd/ghasum verify -cache /home/runner/work/_actions -no-evict -offline "$WORKFLOW:$JOB"
     - name: Audit
-      run: go run tasks.go audit
+      run: go run tasks.go audit-vulnerabilities