Merge pull request #23 from bytemare/renovate/reconfigure

Update dependencies

.github/Makefile

@@ -1,42 +1,45 @@
-GH_ACTIONS = workflows
-
 .PHONY: update
 update:
 	@echo "Updating dependencies..."
-	@$(shell cd ../ go get -u ../...)
+	@cd ../ && go get -u
 	@pwd
 	@go mod tidy
-	@echo "Updating Github Actions pins..."
-	@$(foreach file, $(wildcard $(GH_ACTIONS)/*.yml), pin-github-action $(file);)
+
+.PHONY: update-linters
+update-linters:
 	@echo "Updating linters..."
-	@go get -u mvdan.cc/gofumpt@latest github.com/daixiang0/gci github.com/segmentio/golines@latest
+	@go install mvdan.cc/gofumpt@latest
+	@go install github.com/daixiang0/gci@latest
+	@go install github.com/segmentio/golines@latest
+	@go install golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment@latest
 	@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin
 
 .PHONY: fmt
 fmt:
 	@echo "Formatting ..."
 	@go mod tidy
-	@go fmt ./...
-	@golines -m 120 -t 4 -w .
-	@gofumpt -w -extra .
-	@gci write --Section Standard --Section Default --Section "Prefix($(shell go list -m))" ../
+	@go fmt ../...
+	@golines -m 120 -t 4 -w ../
+	@gofumpt -w -extra ../
+	@gci write -s Standard -s Default -s "Prefix($(shell go list -m))" ../
+	@fieldalignment -fix ../...
 
 .PHONY: license
 license:
 	@echo "Checking License headers ..."
-	@if addlicense -check -v -f licence-header.tmpl ../*; then echo "License headers OK"; else return 1; fi;
+	@if addlicense -check -v -skip yaml -f licence-header.tmpl ../*; then echo "License headers OK"; else return 1; fi;
 
 .PHONY: lint
-lint: license
+lint: fmt license
 	@echo "Linting ..."
 	@if golangci-lint run --config=.golangci.yml ../...; then echo "Linting OK"; else return 1; fi;
 
 .PHONY: test
 test:
 	@echo "Running all tests ..."
-	@go test -v ../...
+	@go test -v -vet=all ../...
 
 .PHONY: cover
 cover:
 	@echo "Testing with coverage ..."
-	@go test -v -race -covermode=atomic -coverpkg=../... -coverprofile=../coverage.out ../...
+	@go test -v -race -covermode=atomic -coverpkg=../... -coverprofile=./coverage.out ../...

.github/renovate.json

@@ -1,7 +1,6 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "github>bytemare/renovate-config",
-    "config:recommended"
+    "github>bytemare/renovate-config"
   ]
 }

.github/workflows/ci.yml

@@ -11,24 +11,26 @@ jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        GOVER: [ '1.18' ]
-
     steps:
+      - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443 github.com:443 proxy.golang.org:443 objects.githubusercontent.com:443 raw.githubusercontent.com:443
+
       - name: Checkout repo
-        uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
+        uses: actions/checkout@37b082107ba410260a3aaddf93122e04801ce631
         with:
           fetch-depth: 0
-      - name: Setup Go-${{ matrix.GOVER }}
-        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # pin@v2
+      - name: Setup Go
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
         with:
-          go-version: ${{ matrix.GOVER }}
+          go-version-file: ./go.mod
 
       # Linting
       - name: Linting
-        uses: golangci/golangci-lint-action@5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018 # pin@v2
+        uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc
         with:
           version: latest
           args: --config=./.github/.golangci.yml ./...
@@ -37,53 +39,76 @@ jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        go: [ '1.22', '1.21' ]
     steps:
+      - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443 proxy.golang.org:443 storage.googleapis.com:443 sum.golang.org:443
+
       - name: Checkout repo
-        uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
+        uses: actions/checkout@37b082107ba410260a3aaddf93122e04801ce631
         with:
           fetch-depth: 0
       - name: Setup Go
-        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # pin@v2
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
         with:
-          go-version: '1.18'
+          go-version: ${{ matrix.go }}
 
       # Test
       - name: Run Tests
-        run: (cd .github/ && make test)
+        run: cd .github && make test
 
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.codecov.io:443 api.github.com:443 cli.codecov.io:443 ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443 github.com:443 proxy.golang.org:443 objects.githubusercontent.com:443 scanner.sonarcloud.io:443 sonarcloud.io:443 storage.googleapis.com:443
+
       - name: Checkout repo
-        uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
+        uses: actions/checkout@37b082107ba410260a3aaddf93122e04801ce631
         with:
           fetch-depth: 0
       - name: Setup Go
-        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # pin@v2
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
         with:
-          go-version: '1.18'
+          go-version-file: ./go.mod
 
       # Coverage
       - name: Run coverage
-        run: (cd .github/ && make cover)
+        run: cd .github && make cover
 
       # Codecov
       - name: Codecov
-        uses: codecov/codecov-action@29386c70ef20e286228c72b668a06fd0e8399192 # pin@v1
+        uses: codecov/codecov-action@c852ea6812cbd15cfa9f9daeb08f30391c54eb91
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
         with:
           file: .github/coverage.out
 
       # Sonar
       - name: SonarCloud Scan
-        uses: SonarSource/sonarcloud-github-action@6bbd64e0cb2194e04addb429d669a9ee873eeeef # pin@master
+        uses: SonarSource/sonarcloud-github-action@6bbd64e0cb2194e04addb429d669a9ee873eeeef
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         with:
           args: >
-            -Dsonar.projectKey=bytemare_ksf -Dsonar.organization=bytemare-github
-            -Dsonar.go.coverage.reportPaths=coverage.out -Dsonar.sources=.
+            -Dsonar.projectKey=bytemare_ksf
+            -Dsonar.organization=bytemare-github
+            -Dsonar.go.coverage.reportPaths=coverage.out
+            -Dsonar.sources=.
             -Dsonar.verbose=true
-          #-Dsonar.tests=ksf_test.go
-          #-Dsonar.test.exclusions=examples_test.go,tests/**
+            -Dsonar.test.exclusions=tests/**
+            -Dsonar.coverage.exclusions=tests/**
+            -Dsonar.tests=tests/

.github/workflows/codeql.yml

@@ -1,6 +1,9 @@
 name: "CodeQL"
 
 on:
+  push:
+    branches:
+      - main
   pull_request:
     branches:
       - main
@@ -23,17 +26,28 @@ jobs:
       fail-fast: false
 
     steps:
+      - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            proxy.golang.org:443
+            storage.googleapis.com:443
+            sum.golang.org:443
+
       - name: Checkout repository
-        uses: actions/checkout@7884fcad6b5d53d10323aee724dc68d8b9096a2e # pin@v2
+        uses: actions/checkout@37b082107ba410260a3aaddf93122e04801ce631
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@f7b6c0021b777684992d895a563fc3a0e425783a # pin@v1
+        uses: github/codeql-action/init@dbf2b1706b768069fb1bb2dd2d8552be7a9e2a51
         with:
           languages: go
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@f7b6c0021b777684992d895a563fc3a0e425783a # pin@v1
+        uses: github/codeql-action/autobuild@dbf2b1706b768069fb1bb2dd2d8552be7a9e2a51
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@f7b6c0021b777684992d895a563fc3a0e425783a # pin@v1
+        uses: github/codeql-action/analyze@dbf2b1706b768069fb1bb2dd2d8552be7a9e2a51

.github/workflows/scorecards.yml

@@ -1,39 +1,57 @@
-name: Scorecards supply-chain security
+name: Scorecard analysis workflow
 on:
-  # Only the default branch is supported.
-  branch_protection_rule:
-  schedule:
-    - cron: '44 9 * * 0'
   push:
+    # Only the default branch is supported.
+    branches:
+      - main
+  schedule:
+    # Weekly on Saturdays.
+    - cron: '30 1 * * 6'
+  pull_request:
+    # All branches are supported.
     branches: [ main ]
 
-# Declare default permissions as read only.
 permissions: read-all
 
 jobs:
   analysis:
-    name: Scorecards analysis
+    name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload the results to code-scanning dashboard.
+      # Needed for Code scanning upload
       security-events: write
-      actions: read
-      contents: read
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
 
     steps:
+      - uses: step-security/harden-runner@6c3b1c91e8873ae0c705b0709f957c7a6a5eaf10
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            api.osv.dev:443
+            api.securityscorecards.dev:443
+            fulcio.sigstore.dev:443
+            github.com:443
+            oss-fuzz-build-logs.storage.googleapis.com:443
+            rekor.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
+            www.bestpractices.dev:443
+
       - name: "Checkout code"
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+        uses: actions/checkout@37b082107ba410260a3aaddf93122e04801ce631
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
+        uses: ossf/scorecard-action@665016c9c2c7c34fe934fb13ebf88bff794f9b1d
         with:
           results_file: results.sarif
           results_format: sarif
           # Read-only PAT token. To create it,
           # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
-          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
           # Publish the results to enable scorecard badges. For more details, see
           # https://github.com/ossf/scorecard-action#publishing-results.
           # For private repositories, `publish_results` will automatically be set to `false`,
@@ -42,14 +60,14 @@ jobs:
 
       # Upload the results as artifacts (optional).
       - name: "Upload artifact"
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@79616d2ded92999fceefea2ca2e4bdf6101fa919
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
+        uses: github/codeql-action/upload-sarif@dbf2b1706b768069fb1bb2dd2d8552be7a9e2a51
         with:
           sarif_file: results.sarif

.github/workflows/snyk.yml

@@ -14,9 +14,9 @@ jobs:
     name: Snyk
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # pin@master
+      - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
       - name: Run Snyk to check for vulnerabilities
-        uses: snyk/actions/golang@7968f3f72b7f36280e6380b7c151c6a8d5a61dd0 # pin@master
+        uses: snyk/actions/golang@7968f3f72b7f36280e6380b7c151c6a8d5a61dd0
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:

.gitignore

@@ -13,3 +13,5 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
+
+.idea

go.mod

@@ -1,7 +1,7 @@
 module github.com/bytemare/ksf
 
-go 1.19
+go 1.22.2
 
-require golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
+require golang.org/x/crypto v0.22.0
 
-require golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
+require golang.org/x/sys v0.19.0 // indirect

go.sum

@@ -1,4 +1,4 @@
-golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c=
-golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
+golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
+golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
+golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

ksf_test.go → tests/ksf_test.go

@@ -6,7 +6,7 @@
 // LICENSE file in the root directory of this source tree or at
 // https://spdx.org/licenses/MIT.html
 
-package ksf_test
+package tests_test
 
 import (
 	"errors"