diff --git a/.buildkite/docker-compose.yml b/.buildkite/docker-compose.yml
deleted file mode 100644
index 8a7ea8f..0000000
--- a/.buildkite/docker-compose.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-version: '3.8'
-
-services:
- ci:
- build:
- context: ../
\ No newline at end of file
diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
deleted file mode 100644
index 2c6661e..0000000
--- a/.buildkite/pipeline.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-agents: - queue: "public" - -steps: - - name: "go build" - env: - DOCKER_BUILDKIT: 1 - plugins: - - docker-compose#v3.7.0: - run: app - - - name: "Tests" - label: "Tests" - command: "go test -race -v ./..." - env: - DOCKER_BUILDKIT: 1 - plugins: - - docker-compose#v3.9.0: - run: ci - - - name: "go vet" - label: "Tests" - command: "go vet ./..." - env: - DOCKER_BUILDKIT: 1 - plugins: - - docker-compose#v3.9.0: - run: ci - - - name: "staticcheck" - label: "Tests" - command: "go install honnef.co/go/tools/cmd/staticcheck@latest && $(go env GOPATH)/bin/staticcheck ./..." - env: - DOCKER_BUILDKIT: 1 - plugins: - - docker-compose#v3.9.0: - run: ci - - # - name: "Verify dependency licenses" - # command: "go get -v ./... && license_finder" - # env: - # DOCKER_BUILDKIT: 1 - # plugins: - # - docker-compose#v3.9.0: - # run: ci - - - wait - - - block: ":rocket: Release !" - branches: "main" - - - command: script/bump-version.sh - if: build.branch == "main" - label: ":arrow_up_small: Bump & tag version" - - - wait - - - label: ":github: Publishing artifacts" - if: build.branch == "main" - command: script/release.sh - plugins: - - docker#v3.8.0: - image: "golang:1.22.2" - propagate-environment: true - environment: - - "GITHUB_TOKEN" - - "DOCKER_USERNAME" - - "DOCKER_PASSWORD" - volumes: - - "/var/run/docker.sock:/var/run/docker.sock"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..bbad3da
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,55 @@
+name: CI
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+ with:
+ go-version-file: go.mod
+ - run: CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" ./...
+
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+ with:
+ go-version-file: go.mod
+ - run: go test -race -v ./...
+
+ vet:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+ with:
+ go-version-file: go.mod
+ - run: go vet ./...
+
+ staticcheck:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+ with:
+ go-version-file: go.mod
+ - run: go install honnef.co/go/tools/cmd/staticcheck@latest
+ - run: staticcheck ./...
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index cded5f8..fcdf269 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,10 +1,10 @@
-name: "CodeQL" +name: CodeQL on: push: - branches: [ "main" ] + branches: [main] pull_request: - branches: [ "main" ] + branches: [main] jobs: analyze:
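Review bot: The `staticcheck` job installs `honnef.co/go/tools/cmd/staticcheck@latest` at run time, so the linter that runs over the checkout is whatever version the module proxy serves that day, while every action in the same file is pinned to a commit SHA; pin it as well, e.g. `- run: go install honnef.co/go/tools/cmd/staticcheck@<pinned-version>` (or record it in go.mod as a tool dependency). The same floating `@latest` install appears in release.yml for `svu`, where the output becomes the tag that is pushed, and zizmor.yml resolves `uvx zizmor` against whatever is current on PyPI. None of the four jobs set `timeout-minutes:`, so a hung `go test -race` holds the runner for the 360-minute default. The checkout/setup-go prelude is repeated four times; a single job with a matrix over the four commands would remove the duplication if that trade-off against per-job status checks is acceptable.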
@@ -18,26 +18,27 @@ jobs: strategy: fail-fast: false matrix: - language: [ 'go' ] + language: [go] steps: - - name: Checkout repository - uses: actions/checkout@v3 - - - uses: actions/setup-go@v3 - with: - go-version: '>=1.18.0' - check-latest: true - - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: "/language:${{matrix.language}}" + - name: Checkout repository + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + + - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 + with: + go-version-file: go.mod + + - name: Initialize CodeQL + uses: github/codeql-action/init@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3 + with: + languages: ${{ matrix.language }} + + - name: Autobuild + uses: github/codeql-action/autobuild@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3 + with: + category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..c343b86
--- /dev/null
+++ b/.github/workflows/release.yml
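Review bot: The `actions/setup-go` step is the only entry in the rewritten step list without a `name:`, so the job log shows `Run actions/setup-go@40f1582…` between the named Checkout and Initialize CodeQL steps; for consistency with its siblings give it one, e.g. `- name: Set up Go`. The job header, including any `permissions:` block for the `analyze` job, sits above line 18 and is outside this hunk, so whether `security-events: write` is scoped to the job cannot be checked from here.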
@@ -0,0 +1,51 @@
+name: Release
+
+on:
+ workflow_dispatch:
+
+permissions:
+ contents: write
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ if: github.ref == 'refs/heads/main'
+ environment: release
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
+ with:
+ go-version-file: go.mod
+ cache: false
+
+ - name: Determine next version
+ id: version
+ run: |
+ go install github.com/caarlos0/svu/v2@latest
+ echo "tag=$(svu minor)" >> "$GITHUB_OUTPUT"
+
+ - name: Create and push tag
+ env:
+ RELEASE_TAG: ${{ steps.version.outputs.tag }}
+ run: |
+ git tag "$RELEASE_TAG"
+ git push origin "$RELEASE_TAG"
+
+ - name: Log in to Docker Hub
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Run GoReleaser
+ uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
+ with:
+ version: "~> v2"
+ args: release --clean
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GORELEASER_CURRENT_TAG: ${{ steps.version.outputs.tag }}
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..aad5d71
--- /dev/null
+++ b/.github/workflows/zizmor.yml
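Review bot: The `Create and push tag` step has nothing to authenticate with: the checkout sets `persist-credentials: false`, so no token is written into `.git/config`, and `git push origin "$RELEASE_TAG"` over HTTPS should fail on the runner for want of credentials (the deleted bump-version.sh covered this with a `git config url.insteadOf` rewrite that the workflow does not carry over). Give that step the token explicitly, `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under its `env:`, and push through it, `git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$RELEASE_TAG"`, rather than re-enabling `persist-credentials`, which would leave the token in `.git/config` for the GoReleaser step too. A tag pushed with `GITHUB_TOKEN` does not trigger other workflows, which is fine here because the release runs in the same job. `svu minor` also bumps the minor component unconditionally rather than deriving the bump from commit history; if that is intended, a comment on the step saying so would save the next reader from reaching for `svu next`.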
@@ -0,0 +1,34 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+
+jobs:
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
+
+ - name: Run zizmor
+ run: uvx zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
diff --git a/script/bump-version.sh b/script/bump-version.sh
deleted file mode 100755
index 67c579b..0000000
--- a/script/bump-version.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash - -set -eu - -WORKDIR=$(pwd) - -echo "+++ :construction: Installing 'svu' tool" -curl -L -o /tmp/svu_linux_x86_64.tar.gz https://github.com/caarlos0/svu/releases/download/v1.8.0/svu_1.8.0_linux_amd64.tar.gz -cd /tmp && tar -zxvf svu_linux_x86_64.tar.gz -cd $WORKDIR - -git fetch --tags - -RELEASE_VERSION=$(/tmp/svu minor) - -echo "+++ :boom: Bumping to version $RELEASE_VERSION" - -git config --global --add url."https://${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/" - -buildkite-agent meta-data set "release-version" "$RELEASE_VERSION" - -git tag "$RELEASE_VERSION" -git push origin "$RELEASE_VERSION" - -echo "✅"
diff --git a/script/release.sh b/script/release.sh
deleted file mode 100755
index d311da4..0000000
--- a/script/release.sh
+++ /dev/null
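Review bot: The `Upload SARIF file` step relies on `security-events: write`, but on `pull_request` runs from a fork `GITHUB_TOKEN` is read-only regardless of the job-level `permissions:` block, so if this repository accepts fork PRs the upload will fail on those runs; either guard the step, e.g. `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or accept that findings are only uploaded for pushes to main and same-repo PRs. The `GH_TOKEN` handed to `uvx zizmor` is that same token, limited by the block to `security-events: write`, `contents: read`, `actions: read`, which is what the scan and the upload need; a one-line comment above `permissions:` stating that these are the minimum for zizmor plus upload-sarif would discourage widening it later.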
@@ -1,42 +0,0 @@ -#!/bin/bash - -set -eu - -WORKDIR=$(pwd) - - -export DEBIAN_FRONTEND=noninteractive - -echo "--- installing docker cli" -apt-get update -apt-get install -y \ - apt-transport-https \ - ca-certificates \ - curl \ - gnupg \ - lsb-release - -curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg - -echo \ - "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \ - $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null - -apt-get update -apt-get install -y docker-ce-cli - -echo "--- installing goreleaser" - -curl -L -o /tmp/goreleaser_Linux_x86_64.tar.gz https://github.com/goreleaser/goreleaser/releases/download/v1.21.2/goreleaser_Linux_x86_64.tar.gz - -cd /tmp && tar -zxvf goreleaser_Linux_x86_64.tar.gz - -echo "--- running goreleaser" - -echo "Login to the docker..." -echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin - -export GORELEASER_CURRENT_TAG=$(buildkite-agent meta-data get "release-version") - -cd $WORKDIR -/tmp/goreleaser release --rm-dist