diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..8d2b1f50 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,28 @@ +version: 2 + +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + commit-message: + prefix: "chore" + + - package-ecosystem: "gomod" + directory: "/" + schedule: + interval: "weekly" + commit-message: + prefix: "chore" + ignore: + - dependency-name: "*" + update-types: + - "version-update:semver-major" + - "version-update:semver-minor" + + - package-ecosystem: docker + directory: / + schedule: + interval: daily + commit-message: + prefix: "chore" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cb95c7b1..2861efc3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,49 +18,30 @@ permissions: name: release on: [push, pull_request] jobs: - test: - strategy: - matrix: - go-version: [ 1.19.x ] - os: [ ubuntu-latest ] - runs-on: ${{ matrix.os }} - steps: - - name: Install Go - uses: actions/setup-go@v2 - with: - go-version: ${{ matrix.go-version }} - - name: Checkout code - uses: actions/checkout@v2 - - uses: actions/cache@v2 - with: - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - name: Format Unix - run: test -z $(go fmt ./...) - - name: Install GoKart - run: go install github.com/praetorian-inc/gokart@latest + fmt: + uses: ./.github/workflows/witness.yml + with: + pull_request: ${{ github.event_name == 'pull_request' }} + step: fmt + attestations: "git github environment" + command: go fmt ./... - - name: Static Analysis - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - with: - step: static-analysis - attestations: "github sarif" - command: gokart scan . -o sarif-results.json -s + sast: + needs: [fmt] + uses: ./.github/workflows/witness.yml + with: + pull_request: ${{ github.event_name == 'pull_request' }} + step: sast + attestations: "git github environment" + command: go vet ./... - - name: Test - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - with: - step: "test" - attestations: "github" - command: go test -v -coverprofile=profile.cov -covermode=atomic ./... - - - name: Send coverage - env: - COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - GO111MODULE=off go get github.com/mattn/goveralls - $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github + unit-test: + needs: [fmt] + uses: ./.github/workflows/witness.yml + with: + pull_request: ${{ github.event_name == 'pull_request' }} + step: unit-test + attestations: "git github environment" + command: go test -v -coverprofile=profile.cov -covermode=atomic ./... + artifact-upload-name: profile.cov + artifact-upload-path: profile.cov diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml new file mode 100644 index 00000000..3a21372e --- /dev/null +++ b/.github/workflows/witness.yml @@ -0,0 +1,80 @@ +# Copyright 2023 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +on: + workflow_call: + inputs: + pull_request: + required: true + type: boolean + artifact-download: + required: false + type: string + artifact-upload-name: + required: false + type: string + artifact-upload-path: + required: false + type: string + pre-command: + required: false + type: string + command: + required: true + type: string + step: + required: true + type: string + attestations: + required: true + type: string + +jobs: + witness: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v4 + with: + go-version: 1.21.x + + - if: ${{ inputs.artifact-download != '' }} + uses: actions/download-artifact@v3 + with: + name: ${{ inputs.artifact-download }} + path: /tmp + + - if: ${{ inputs.pre-command != '' && inputs.pull_request == false }} + uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 + with: + step: pre-${{ inputs.step }} + attestations: ${{ inputs.attestations }} + command: /bin/sh -c "${{ inputs.pre-command }}" + - if: ${{ inputs.pre-command != '' && inputs.pull_request == true }} + run: ${{ inputs.pre-command }} + + - if: ${{ inputs.pull_request == false }} + uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 + with: + step: ${{ inputs.step }} + attestations: ${{ inputs.attestations }} + command: /bin/sh -c "${{ inputs.command }}" + - if: ${{ inputs.pull_request == true }} + run: ${{ inputs.command }} + + - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}} + uses: actions/upload-artifact@v3 + with: + name: ${{ inputs.artifact-upload-name }} + path: ${{ inputs.artifact-upload-path }}