diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 8fa4bba..5f66d40 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,38 +1,98 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# name: 🚨 CodeQL Analysis on: - pull_request: - paths: - - "**.*" + workflow_call: push: branches: - develop + jobs: analyze: - name: Analyze - runs-on: ubuntu-latest + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. 
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories actions: read contents: read - security-events: write strategy: fail-fast: false matrix: - language: ["go"] - + include: + - language: actions + build-mode: none + - language: go + build-mode: autobuild + # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - - name: Checkout repository - uses: actions/checkout@v3 + - name: Checkout repository + uses: actions/checkout@v4 + + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 + + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality - - name: Autobuild - uses: github/codeql-action/autobuild@v2 + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/mkdocs-develop.yml b/.github/workflows/mkdocs-develop.yml index a121690..03080d0 100644 --- a/.github/workflows/mkdocs-develop.yml 
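Review bot: The three action references in this hunk (`uses: actions/checkout@v4`, `uses: github/codeql-action/init@v3`, `uses: github/codeql-action/analyze@v3`) are pinned to mutable major tags, while the other workflows in this commit pin `actions/checkout@v4.1.6`; for the workflow that is the repository's security gate, pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-sha>  # v4.1.6`. The comment line `# â„šī¸ Command-line programs to run using the OS shell.` looks mis-encoded (most likely the template's ℹ️ emoji written in a non-UTF-8 encoding); re-save the file as UTF-8 or drop the emoji so yamllint and reviewers do not trip on it. Since this workflow is what `pr-review.yml` gates on, consider enabling the commented `# queries: security-extended,security-and-quality` line (at least `queries: security-extended`) rather than the default suite, and say so in the comment above it. The `analyze` job's header and `permissions` block are earlier in this hunk, on the previous physical lines.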
+++ b/.github/workflows/mkdocs-develop.yml @@ -1,4 +1,5 @@ name: 📖 Deploy Dev Docs + on: push: paths: @@ -6,6 +7,7 @@ on: - "mkdocs.yml" branches: - develop + jobs: build-documents: name: Test Documentation Build @@ -17,6 +19,7 @@ jobs: uses: actions/checkout@v4.1.6 with: fetch-depth: 0 + - name: Configure Git Credentials run: | git config user.name github-actions[bot] @@ -31,11 +34,14 @@ jobs: path: .cache restore-keys: | mkdocs-material- + - name: Install dependencies run: | python -m pip install --upgrade pip setuptools wheel pip install -r docs/build/requirements.txt + - name: Test Build run: mkdocs build --verbose --strict + - name: Deploy Docs run: mkdocs gh-deploy --force diff --git a/.github/workflows/pr-review.yml b/.github/workflows/pr-review.yml new file mode 100644 index 0000000..7069fe2 --- /dev/null +++ b/.github/workflows/pr-review.yml @@ -0,0 +1,54 @@ +name: 🔍 PR Review + +on: + pull_request: + paths: + - "**.*" + push: + branches: + - develop + +permissions: + id-token: write + packages: write + contents: write + security-events: write + actions: read + +jobs: + codeql: + name: 🚨 CodeQL Analysis + uses: ./.github/workflows/codeql.yml + secrets: inherit + + test-build: + name: 🔨 Test Build + uses: ./.github/workflows/test-build.yml + secrets: inherit + + test-docs: + name: 📙 Test docs + uses: ./.github/workflows/test-docs.yml + secrets: inherit + + verify: + name: 🙏đŸģ Verify + uses: ./.github/workflows/verify.yml + secrets: inherit + + check: + name: ✅ Check + if: always() + needs: + - codeql + - test-build + - test-docs + - verify + + runs-on: ubuntu-latest + + steps: + - name: Require all jobs to succeed + uses: re-actors/alls-green@release/v1 + with: + jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 0000000..38b448b --- /dev/null +++ b/.github/workflows/publish.yml 
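Review bot: The new `pr-review.yml` trigger `paths: - "**.*"` only matches files whose name contains a dot, so a pull request that touches only `godelw`, `Dockerfile` or another extension-less file runs none of the gated jobs; the removed `test-build.yml` trigger listed `"Dockerfile"` separately for exactly this reason. Drop the `paths:` filter or use `- "**"` if every change should be reviewed. The workflow-level `permissions:` block grants `id-token: write`, `packages: write` and `contents: write` to every called workflow and to the `check` job, which only runs `re-actors/alls-green`; move them to the jobs that need them (`jobs.test-build.permissions`, which `test-build.yml` already scopes) and leave the default read-only token for the rest. `uses: re-actors/alls-green@release/v1` references a branch, not a tag or SHA, so it is the least stable reference on the page; pin it to a commit SHA.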
@@ -0,0 +1,32 @@ +name: 🎉 Publish + +on: + push: + tags: + - "*" # Trigger on all tags + +permissions: + id-token: write + packages: write + contents: write + security-events: write + actions: read + +jobs: + release: + name: 🎉 Release + uses: ./.github/workflows/release.yml + secrets: inherit + + publish: + name: 🎉 Publish + if: always() + needs: release + + runs-on: ubuntu-latest + + steps: + - name: Require all jobs to succeed + uses: re-actors/alls-green@release/v1 + with: + jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index efb0e24..0b14381 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,9 +1,7 @@ name: 🎉 Release on: - push: - tags: - - "*" + workflow_call: jobs: release: @@ -11,9 +9,25 @@ jobs: uses: ./.github/workflows/reusable-build.yml with: goreleaser_config: goreleaser.yml - goreleaser_options: "" + goreleaser_options: "--clean" secrets: inherit permissions: id-token: write # For cosign packages: write # For GHCR contents: write # To upload archives as release assets + + publish: + name: Publish PyPi + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Setup Node + uses: actions/setup-node@v4 + + + permissions: + id-token: write # For cosign + packages: write # For GHCR + contents: write # To upload archives as release assets diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index c64626b..66b53f0 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml @@ -1,4 +1,4 @@ -name: Reusable Build +name: â™ģī¸ Reusable Build on: workflow_call: inputs: @@ -13,7 +13,7 @@ on: type: string env: - GO_VERSION: "1.22" + GO_VERSION: "1.24" jobs: prepare-linux: 
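Review bot: In `publish.yml`, `tags: - "*"  # Trigger on all tags` means any tag push, including a scratch or test tag, starts the release workflow with repository-wide `id-token: write`, `packages: write` and `contents: write` plus `secrets: inherit`; restricting the trigger to the release pattern the project actually uses (for example a `"v*"` prefix, if that is the convention) keeps an accidental tag from publishing. The `permissions:` block is workflow-wide although `release.yml` already scopes the same three scopes on its `release` job, so the block can be narrowed to `jobs.release.permissions` and the `publish` gate job left with the default read-only token. The job named `🎉 Publish` only runs `re-actors/alls-green` over `needs: release`; a name such as `Release gate` would describe it, and the action should be pinned to a commit SHA rather than `@release/v1`.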
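Review bot: The new `publish` job (`name: Publish PyPi`) in `release.yml` never publishes anything — its only steps are `actions/checkout@v3` and `actions/setup-node@v4` — yet it is granted `id-token: write`, `packages: write` and `contents: write` with the comments `# For cosign` and `# For GHCR` copied from the `release` job, none of which apply to a PyPI upload. Remove the job until it has a real publish step, or keep it with no `permissions:` block and a `needs: release` so it does not run in parallel with the release on every tag. `actions/checkout@v3` is also behind the `@v4.1.6` the rest of the repo uses, and the two consecutive blank lines between `setup-node` and `permissions:` will trip yamllint's `empty-lines` rule.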
@@ -36,12 +36,6 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Login to docker.io registry - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Checkout code uses: actions/checkout@v4.1.6 with: @@ -104,12 +98,6 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} if: matrix.os != 'macos-latest' - - name: Login to docker.io registry - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Checkout code uses: actions/checkout@v4.1.6 with: @@ -173,12 +161,6 @@ jobs: - name: Install Syft uses: anchore/sbom-action/download-syft@v0.16.0 - - name: Login to docker.io registry - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Login to ghcr.io registry uses: docker/login-action@v3 with: @@ -186,6 +168,12 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Login to docker.io registry + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Checkout code uses: actions/checkout@v4.1.6 with: @@ -215,7 +203,7 @@ jobs: mv artifacts/linux-dist/linux_arm64/build-linux_linux_arm64/* output/build-linux_arm64/ mv artifacts/linux-dist/linux_amd64/build-linux_linux_amd64_v1/* output/build-linux_amd64/ mv artifacts/windows-latest-dist/windows_amd64/build-windows_windows_amd64_v1/* output/build-windows_amd64/ - mv artifacts/macos-latest-dist/darwin_arm64/build-macos_darwin_arm64/* output/build-darwin_arm64/ + mv artifacts/macos-latest-dist/darwin_arm64/build-macos_darwin_arm64_v8.0/* output/build-darwin_arm64/ shell: bash - name: View Output 
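Review bot: The new path `mv artifacts/macos-latest-dist/darwin_arm64/build-macos_darwin_arm64_v8.0/* output/build-darwin_arm64/` hard-codes a `_v8.0` suffix that appears to come from the Go 1.24 bump (it looks like the GOARM64 level goreleaser now appends to the build directory — confirm against the dist output), so the next toolchain or goreleaser change will break this step with a `mv` error late in the release job, as the old `build-macos_darwin_arm64` path just did. A glob such as `mv artifacts/macos-latest-dist/darwin_arm64/build-macos_darwin_arm64*/* output/build-darwin_arm64/` tolerates the suffix; deriving the directories from goreleaser's artifact metadata instead of hard-coding four of them would be more robust still. The enclosing `run: |` block starts before this hunk.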
@@ -227,7 +215,8 @@ jobs: with: distribution: goreleaser-pro version: latest - args: release -f=.goreleaser/goreleaser-publish.yml ${{ inputs.goreleaser_options}} + args: release -f=.goreleaser/goreleaser-publish.yml ${{ inputs.goreleaser_options }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} + COSIGN_EXPERIMENTAL: "true" diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml index c9818b2..7ac58f8 100644 --- a/.github/workflows/test-build.yml +++ b/.github/workflows/test-build.yml @@ -1,24 +1,19 @@ -name: 🔨 Build Test +name: 🔨 Test Build + on: - pull_request: - paths: - - "**.*" - - "main.go" - - "go.mod" - - "Dockerfile" - push: - branches: - - develop + workflow_call: + concurrency: group: ${{ github.ref }} cancel-in-progress: true + jobs: build: - name: Test Build + name: 🔨 Reusable Go Build uses: ./.github/workflows/reusable-build.yml with: goreleaser_config: goreleaser.yml - goreleaser_options: "--snapshot" + goreleaser_options: "--clean --snapshot" secrets: inherit permissions: id-token: write # For cosign diff --git a/.github/workflows/test-docs.yml b/.github/workflows/test-docs.yml index 86b4b37..2e3ecd2 100644 --- a/.github/workflows/test-docs.yml +++ b/.github/workflows/test-docs.yml @@ -1,9 +1,7 @@ name: 📙 Test docs on: - pull_request: - paths: - - "docs/**" - - "mkdocs.yml" + workflow_call: + jobs: build-documents: name: Test Documentation Build @@ -15,6 +13,7 @@ jobs: uses: actions/checkout@v4.1.6 with: fetch-depth: 0 + - name: Configure Git Credentials run: | git config user.name github-actions[bot] @@ -29,9 +28,11 @@ jobs: path: .cache restore-keys: | mkdocs-material- + - name: Install dependencies run: | python -m pip install --upgrade pip setuptools wheel pip install -r docs/build/requirements.txt + - name: Test Build run: mkdocs build --verbose --strict diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index 97e9b2c..454c783 100644 
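Review bot: The added `COSIGN_EXPERIMENTAL: "true"` is the cosign 1.x switch that enables keyless signing; cosign 2.x makes keyless the default and ignores the variable, so the line only changes behaviour if the goreleaser-pro run still invokes cosign 1.x — confirm which cosign the signing config in `.goreleaser/goreleaser-publish.yml` runs, and document the intent with a comment such as `# keyless signing for cosign 1.x; no-op on cosign >= 2`. The same step uses `version: latest` for goreleaser-pro (context line above), so the release job runs whichever goreleaser is newest on the day of the tag; pin a version for reproducible, auditable releases. The expression-spacing fix in `args:` is fine.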
--- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -1,12 +1,7 @@ name: 🙏đŸģ Verify on: - pull_request: - paths: - - "**.*" - push: - branches: - - develop + workflow_call: jobs: verify: @@ -15,9 +10,11 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v3 + with: + fetch-depth: 0 - - name: Install Dependences - run: sudo apt install libpcap-dev + - name: Install Dependencies + run: sudo apt-get update && sudo apt-get install -y libpcap-dev - name: Godel Verify run: ./godelw verify diff --git a/.gitignore b/.gitignore index a84a139..d64430f 100644 --- a/.gitignore +++ b/.gitignore @@ -35,4 +35,4 @@ go.work.sum /site # Don't ignore vendors -!vendor/** \ No newline at end of file +!vendor/** diff --git a/Dockerfile.builder b/Dockerfile.builder index 0de64f1..569ccb9 100644 --- a/Dockerfile.builder +++ b/Dockerfile.builder @@ -1,5 +1,5 @@ # Dockerfile used for the compilation of the statically compiled binary -FROM golang:1.22.4-alpine3.20 as base +FROM golang:1.24.2-alpine3.20 as base ARG GORELEASER_VERSION="v2.0.1" ARG CLI_NAME="codeanalyze" diff --git a/go.mod b/go.mod index 7e8fbc9..a5d8b5c 100644 --- a/go.mod +++ b/go.mod @@ -1,8 +1,8 @@ module github.com/Method-Security/codeanalyze -go 1.22 +go 1.24 -toolchain go1.22.4 +toolchain go1.24.2 require ( github.com/Method-Security/pkg v0.0.2 diff --git a/godel/config/godel.properties b/godel/config/godel.properties index 20d452e..8807995 100644 --- a/godel/config/godel.properties +++ b/godel/config/godel.properties @@ -1,2 +1,2 @@ -distributionURL=https://github.com/palantir/godel/releases/download/v2.109.0/godel-2.109.0.tgz +distributionURL=https://github.com/palantir/godel/releases/download/v2.127.0/godel-2.127.0.tgz distributionSHA256= diff --git a/godelw b/godelw index 3826ad9..576dd2d 100755 --- a/godelw +++ b/godelw 
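Review bot: The `Checkout code` step in `verify.yml` gains `fetch-depth: 0` but keeps `uses: actions/checkout@v3`, while this same commit moves `codeql.yml` to `@v4` and the other workflows pin `@v4.1.6`; since the step is being edited anyway, bump it to the same pinned v4 reference (ideally a commit SHA). `fetch-depth: 0` clones the full history, which is presumably what `./godelw verify` needs — a short comment such as `# full history: godel verify inspects git metadata` would record why, if that is the reason. The change to `sudo apt-get update && sudo apt-get install -y libpcap-dev` is the correct fix for the stale-package-index failures the old `apt install` form produces on fresh runners.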
@@ -3,11 +3,11 @@ set -euo pipefail # Version and checksums for godel. Values are populated by the godel "dist" task. -VERSION=2.109.0 -DARWIN_AMD64_CHECKSUM=4acc8002b8a4ed666ce75d9e2a23d58e78ae3ef960c22c7588414ab09d71ad85 -DARWIN_ARM64_CHECKSUM=d4bd42f50fc5f1c8f1fb751f19790683236e71dac3098fe8eb3e01c37b0606b0 -LINUX_AMD64_CHECKSUM=89ea803a20ed7996f1a6ff7f21f60270b6d34d4b98e316aa6280c51e72550177 -LINUX_ARM64_CHECKSUM=f4a4386a157eda73b3d8d9e8eb39a7b9760906176c8b26a701dd9f7608140e73 +VERSION=2.127.0 +DARWIN_AMD64_CHECKSUM=3e82d02d9e415c76992a2d9793e765172c180dc3570bd3a3becef903d37d88df +DARWIN_ARM64_CHECKSUM=bc715f6ea47ce0815e78890a1b85971ede98cd654533ff1e90e458fe09eedaa0 +LINUX_AMD64_CHECKSUM=1b7e8561d1f3cd98bbea098a06be096aed886a832a525cd993faade33411e736 +LINUX_ARM64_CHECKSUM=83d2bfab3f39d6795bfa9ed0d336552ec3f0ae321acdc35e3f9dd72a96a8c919 # Downloads file at URL to destination path using wget or curl. Prints an error and exits if wget or curl is not present. function download {