method-security
diff --git a/‎.github/dependabot.yml‎
Lines changed: 7 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 36 additions & 0 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 19 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎.github/workflows/reusable-build.yml‎
Lines changed: 68 additions & 0 deletions b/‎.github/workflows/reusable-build.yml‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎.github/workflows/test-build.yml‎
Lines changed: 19 additions & 0 deletions b/‎.github/workflows/test-build.yml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎.github/workflows/verify.yml‎
Lines changed: 18 additions & 0 deletions b/‎.github/workflows/verify.yml‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 35 additions & 0 deletions b/‎.gitignore‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 29 additions & 0 deletions b/‎Dockerfile‎
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    vendor: true
+    directory: "/"
+    schedule:
+      interval: "weekly"
@@ -0,0 +1,36 @@
+name: 🚨 CodeQL Analysis
+
+on:
+  pull_request:
+  push:
+    branches:
+      - develop
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["go"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
@@ -0,0 +1,19 @@
+name: 🎉 Release
+
+on:
+  push:
+    tags:
+      - "*" # Trigger on all tags
+
+jobs:
+  release:
+    name: Release
+    uses: ./.github/workflows/reusable-build.yml
+    with:
+      goreleaser_config: goreleaser.yml
+      goreleaser_options: "--clean"
+    secrets: inherit
+    permissions:
+      id-token: write # For cosign
+      packages: write # For GHCR
+      contents: write # To upload archives as release assets
@@ -0,0 +1,68 @@
+name: Reusable Build
+on:
+  workflow_call:
+    inputs:
+      goreleaser_config:
+        description: "file path to GoReleaser config"
+        required: true
+        type: string
+      goreleaser_options:
+        description: "GoReleaser options separated by spaces"
+        default: ""
+        required: false
+        type: string
+
+env:
+  GO_VERSION: "1.22"
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Install cosign
+        uses: sigstore/[email protected]
+
+      - name: Install Syft
+        uses: anchore/sbom-action/[email protected]
+
+      - name: Login to ghcr.io registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Checkout code
+        uses: actions/[email protected]
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false # Disable cache to avoid free space issues during `Post Setup Go` step.
+
+      # Create tmp dir for GoReleaser
+      - name: "create tmp dir"
+        run: |
+          mkdir tmp
+
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: v2.0.0
+          args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TMPDIR: "tmp"
@@ -0,0 +1,19 @@
+name: 🔨 Build Test
+on:
+  pull_request:
+  push:
+    branches:
+      - develop
+
+jobs:
+  build:
+    name: Test Build
+    uses: ./.github/workflows/reusable-build.yml
+    with:
+      goreleaser_config: goreleaser.yml
+      goreleaser_options: "--clean --snapshot"
+    secrets: inherit
+    permissions:
+      id-token: write # For cosign
+      packages: write # For GHCR
+      contents: read # Not required for public repositories, but for clarity
@@ -0,0 +1,18 @@
+name: 🙏🏻 Verify
+
+on:
+  pull_request:
+    paths:
+      - "**.*"
+  push:
+    branches:
+      - develop
+jobs:
+  verify:
+    name: Verify
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Godel Verify
+        run: ./godelw verify
@@ -0,0 +1,35 @@
+# If you prefer the allow list template instead of the deny list, see community template:
+# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
+#
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Go workspace file
+go.work
+go.work.sum
+
+# Godel
+/conjure/build
+/out/
+
+# Goreleaser
+/dist
+/artifacts
+/output
+
+# Env Files
+.env/
+!.env/example.env
+
+# Don't ignore vendors
+!vendor/**
@@ -0,0 +1,29 @@
+FROM alpine:3.20
+
+ARG CLI_NAME="codeanalyzevcs"
+
+
+RUN apk update && apk add --no-cache bash ca-certificates
+
+# Setup Method Directory Structure
+RUN \
+  mkdir -p /opt/method/${CLI_NAME}/ && \
+  mkdir -p /opt/method/${CLI_NAME}/var/data && \
+  mkdir -p /opt/method/${CLI_NAME}/var/data/tmp && \
+  mkdir -p /opt/method/${CLI_NAME}/var/conf && \
+  mkdir -p /opt/method/${CLI_NAME}/var/log && \
+  mkdir -p /opt/method/${CLI_NAME}/service/bin && \
+  mkdir -p /mnt/output
+
+COPY ${CLI_NAME} /opt/method/${CLI_NAME}/service/bin/${CLI_NAME}
+
+RUN \
+  adduser --disabled-password --gecos '' method && \
+  chown -R method:method /opt/method/${CLI_NAME}/ && \
+  chown -R method:method /mnt/output
+
+USER method
+
+WORKDIR /opt/method/${CLI_NAME}/
+
+ENV PATH="/opt/method/${CLI_NAME}/service/bin:${PATH}"