Merge pull request #12 from smallstep/max/ci

Add common CI workflows and linter fixes
smallstep · Nov 29, 2023 · 0bcf8a1 · 0bcf8a1
2 parents 3c4dc22 + 7778f1e
commit 0bcf8a1
Show file tree

Hide file tree

Showing 16 changed files with 234 additions and 123 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE b/.github/PULL_REQUEST_TEMPLATE
@@ -0,0 +1,20 @@
+<!---
+Please provide answers in the spaces below each prompt, where applicable.
+Not every PR requires responses for each prompt.
+Use your discretion.
+-->
+#### Name of feature:
+
+#### Pain or issue this feature alleviates:
+
+#### Why is this important to the project (if not answered above):
+
+#### Is there documentation on how to use this feature? If so, where?
+
+#### In what environments or workflows is this feature supported?
+
+#### In what environments or workflows is this feature explicitly NOT supported (if any)?
+
+#### Supporting links/other PRs/issues:
+
+💔Thank you!
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -9,3 +9,7 @@ updates:
  directory: "/" # Location of package manifests
  schedule:
  interval: "weekly"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,23 @@
+name: CI
+
+on:
+ push:
+ tags-ignore:
+ - 'v*'
+ branches:
+ - "master"
+ pull_request:
+ workflow_call:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ ci:
+ uses: smallstep/workflows/.github/workflows/goCI.yml@main
+ with:
+ only-latest-golang: true
+ run-build: false
+ run-codeql: true
+ secrets: inherit
diff --git a/.github/workflows/code-scan-cron.yml b/.github/workflows/code-scan-cron.yml
@@ -0,0 +1,7 @@
+on:
+ schedule:
+ - cron: '0 0 * * SUN'
+
+jobs:
+ code-scan:
+ uses: smallstep/workflows/.github/workflows/code-scan.yml@main
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,22 @@
+name: Dependabot auto-merge
+on: pull_request
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-latest
+ if: ${{ github.actor == 'dependabot[bot]' }}
+ steps:
+ - name: Dependabot metadata
+ id: metadata
+ uses: dependabot/[email protected]
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+ - name: Enable auto-merge for Dependabot PRs
+ run: gh pr merge --auto --merge "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,23 @@
-sshutil.code-workspace
-__debug_bin
-/simple
-/hostkey
-/hello
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Go Workspaces
+go.work
+go.work.sum
+
+# Development
+.vscode/
+coverage.cov
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+/vendor
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1 @@
+* @smallstep/core
diff --git a/Makefile b/Makefile
@@ -0,0 +1,47 @@
+PKG?=github.com/smallstep/sshutil
+
+# Set V to 1 for verbose output from the Makefile
+Q=$(if $V,,@)
+PREFIX?=
+SRC=$(shell find . -type f -name '*.go')
+GOOS_OVERRIDE ?=
+OUTPUT_ROOT=output/
+
+# Set shell to bash for `echo -e`
+SHELL := /bin/bash
+
+all: lint test
+
+.PHONY: all
+
+#########################################
+# Bootstrapping
+#########################################
+
+bootstra%:
+ $Q curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $$(go env GOPATH)/bin latest
+ $Q go install golang.org/x/vuln/cmd/govulncheck@latest
+ $Q go install gotest.tools/gotestsum@latest
+
+#########################################
+# Test
+#########################################
+test:
+ $Q $(GOFLAGS) gotestsum -- -coverprofile=coverage.out -short -covermode=atomic ./...
+
+.PHONY: test
+
+#########################################
+# Linting
+#########################################
+
+fmt:
+ $Q goimports -l -w $(SRC)
+
+lint: SHELL:=/bin/bash
+lint:
+ $Q LOG_LEVEL=error golangci-lint run --config <(curl -s https://raw.githubusercontent.com/smallstep/workflows/master/.golangci.yml) --timeout=30m
+ $Q govulncheck ./...
+
+.PHONY: fmt lint
+
diff --git a/example/shutdown/main.go b/example/shutdown/main.go
@@ -1,4 +1,3 @@
-
 package main
 
 import (
@@ -14,19 +13,18 @@ import (
  "go.step.sm/sshutil"
 )
 
-
 func main() {
  server := &sshutil.Server{
- Addr: ":2022",
+ Addr:  ":2022",
  Config: sshutil.DefaultServerConfig(),
- L: log.New(os.Stderr, "", log.LstdFlags),
+ L:  log.New(os.Stderr, "", log.LstdFlags),
  }
  { // scope err
- key, err := sshutil.LoadKeyFromFile("example/server.key")
- if err != nil {
- log.Fatalf("error loading key: %v", err)
- }
- server.Config.AddHostKey(key)
+  key, err := sshutil.LoadKeyFromFile("example/server.key")
+  if err != nil {
+  log.Fatalf("error loading key: %v", err)
+  }
+  server.Config.AddHostKey(key)
  }
 
  // os.Interrupt (syscall.SIGINT) comes from ^C
@@ -37,7 +35,7 @@ func main() {
  done := make(chan error, 1)
  go func() {
  err := server.ListenAndServe()
- done<- err
+ done <- err
  }()
  <-signals
 
@@ -47,7 +45,7 @@ func main() {
  // On first interrupt, attempt a graceful shutdown. Wait until a second
  // interrupt, or until 10 seconds elapse, to forcibly close.
  ctx := context.Background()
- ctx, cancel := context.WithTimeout(ctx, 10 * time.Second)
+ ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
  go func() {
  <-signals
  cancel()
@@ -74,7 +72,7 @@ func main() {
  server.Idle.Wait()
  }
  err := <-done
- if err != sshutil.ErrServerClosed {
+ if err != nil && !errors.Is(err, sshutil.ErrServerClosed) {
  log.Printf("Unexpected error from serve loop: %v", err)
  }
  log.Println("Done.")

diff --git a/go.mod b/go.mod
@@ -1,5 +1,10 @@
 module go.step.sm/sshutil
 
-go 1.14
+go 1.21
 
-require golang.org/x/crypto v0.13.0
+require (
+ golang.org/x/crypto v0.16.0
+ golang.org/x/term v0.15.0
+)
+
+require golang.org/x/sys v0.15.0 // indirect
diff --git a/go.sum b/go.sum
@@ -1,41 +1,6 @@
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
-golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
-golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU=
-golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
diff --git a/keys.go b/keys.go
@@ -5,7 +5,7 @@ import (
  "crypto/elliptic"
  "crypto/rand"
  "io"
- "io/ioutil"
+ "os"
 
  "golang.org/x/crypto/ssh"
 )
@@ -32,15 +32,15 @@ func LoadCertFromKeyFileEncOpenSSH(keypath string, pass []byte) (ssh.Signer, err
 // unecrypted path keypath and a public cert component loaded from certpath.
 func LoadCertFromFiles(keypath, certpath string) (ssh.Signer, error) {
  // Read host key from a file, parse using x/crypto/ssh.
- kb, err := ioutil.ReadFile(keypath)
+ kb, err := os.ReadFile(keypath)
  if err != nil {
  return nil, err
  }
  key, err := ssh.ParsePrivateKey(kb)
  if err != nil {
  return nil, err
  }
- cb, err := ioutil.ReadFile(certpath)
+ cb, err := os.ReadFile(certpath)
  if err != nil {
  return nil, err
  }
@@ -49,23 +49,22 @@ func LoadCertFromFiles(keypath, certpath string) (ssh.Signer, error) {
  return nil, err
  }
  cert := pub.(*ssh.Certificate)
- signer, err := ssh.NewCertSigner(cert, key)
- return signer, nil
+ return ssh.NewCertSigner(cert, key)
 }
 
 // LoadCertFromFilesEnc returns an ssh.Signer with private key loaded from the
 // ecrypted key at path keypath and a public cert component loaded from certpath.
 func LoadCertFromFilesEnc(keypath, certpath string, pass []byte) (ssh.Signer, error) {
  // Read host key from a file, parse using x/crypto/ssh.
- kb, err := ioutil.ReadFile(keypath)
+ kb, err := os.ReadFile(keypath)
  if err != nil {
  return nil, err
  }
  key, err := ssh.ParsePrivateKeyWithPassphrase(kb, pass)
  if err != nil {
  return nil, err
  }
- cb, err := ioutil.ReadFile(certpath)
+ cb, err := os.ReadFile(certpath)
  if err != nil {
  return nil, err
  }
@@ -74,16 +73,14 @@ func LoadCertFromFilesEnc(keypath, certpath string, pass []byte) (ssh.Signer, er
  return nil, err
  }
  cert := pub.(*ssh.Certificate)
- signer, err := ssh.NewCertSigner(cert, key)
- return signer, nil
+ return ssh.NewCertSigner(cert, key)
 }
 
-
 // LoadKeyFromFile returns an ssh.Signer from the unencrypted key stored
 // at the given filesystem path.
 func LoadKeyFromFile(path string) (ssh.Signer, error) {
  // Read host key from a file, parse using x/crypto/ssh.
- bytes, err := ioutil.ReadFile(path)
+ bytes, err := os.ReadFile(path)
  if err != nil {
  return nil, err
  }
@@ -98,7 +95,7 @@ func LoadKeyFromFile(path string) (ssh.Signer, error) {
 // given filesystem path, decrypted using pass.
 func LoadKeyFromFileWithPass(path, pass string) (ssh.Signer, error) {
  // Read host key from a file, parse using x/crypto/ssh.
- bytes, err := ioutil.ReadFile(path)
+ bytes, err := os.ReadFile(path)
  if err != nil {
  return nil, err
  }

diff --git a/keys_test.go b/keys_test.go
@@ -18,15 +18,16 @@ type goodReader struct{}
 func (reader goodReader) Read(b []byte) (n int, err error) {
  emptyKey := make([]byte, len(b))
  copy(b, emptyKey)
+ b[0] = byte('A')
  return len(b), nil
 }
 
-func TestGenerateKey_Bad(t *testing.T) {
+func TestGenerateKeyRand_Bad(t *testing.T) {
  s, err := GenerateKeyRand(badReader{})
  if s != nil {
  t.Error("expected nil signer")
  }
- if err != errBadRand {
+ if !errors.Is(err, errBadRand) {
  t.Error("expected error")
  }
 }
@@ -37,7 +38,7 @@ func TestGenerateKeyRand_Okay(t *testing.T) {
  t.Errorf("error generating key %v", err)
  }
  if s == nil {
- t.Error("expected non-nil key")
+ t.Fatal("expected non-nil key")
  }
  if s.PublicKey().Type() != "ecdsa-sha2-nistp256" {
  t.Error("expected 256 bit ecdsa key")