From 8892f3f4f6d5f9f21e1aec9f2fbebb4a2b5af16e Mon Sep 17 00:00:00 2001 From: Dominic Evans Date: Wed, 25 Oct 2023 10:26:49 +0100 Subject: [PATCH 1/5] chore(ci): add dependabot to /examples tree As it turns out, dependabot needs explicit entries for all directories containing go.mod files Signed-off-by: Dominic Evans
--- .github/dependabot.yml | 60 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 674591b85..b87f347ea 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -25,3 +25,63 @@ updates: golang-org-x: patterns: - "golang.org/x/*" + + - package-ecosystem: gomod directory: /examples/consumergroup schedule: interval: daily time: "23:00" labels: - "dependencies" commit-message: prefix: chore include: "scope" groups: golang-org-x: patterns: - "golang.org/x/*" + + - package-ecosystem: gomod directory: /examples/exactly_once schedule: interval: daily time: "23:00" labels: - "dependencies" commit-message: prefix: chore include: "scope" groups: golang-org-x: patterns: - "golang.org/x/*" + + - package-ecosystem: gomod directory: /examples/interceptors schedule: interval: daily time: "23:00" labels: - "dependencies" commit-message: prefix: chore include: "scope" groups: golang-org-x: patterns: - "golang.org/x/*" + + - package-ecosystem: gomod directory: /examples/txn_producer schedule: interval: daily time: "23:00" labels: - "dependencies" commit-message: prefix: chore include: "scope" groups: golang-org-x: patterns: - "golang.org/x/*" From 3d56b4ca8d6c4a4076d99754e3217ccfc833fb7b Mon Sep 17 00:00:00 2001
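Review bot: The four `/examples/*` stanzas added here repeat `schedule`, `labels`, `commit-message` and `groups` verbatim and differ only in `directory`, so any later tweak to those settings has to be copied into every stanza to keep the example modules in step with the root one. A YAML anchor on the shared keys (`&gomod_defaults`) merged into each entry with `<<:` would keep one copy, provided Dependabot's parser accepts merge keys — worth checking before relying on it, as not every schema validator does. Separately, `time: "23:00"` with no `timezone:` key is interpreted as UTC by Dependabot, so if a local time was intended add `timezone:` next to it. As rendered on this page the hunk has lost the `+` markers on most added lines, so the 60-line count in the header cannot be checked against the body.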
From: Dominic Evans Date: Wed, 25 Oct 2023 10:37:33 +0100 Subject: [PATCH 2/5] chore(ci): ensure gh permissions are explicit As required/recommended by OSSF scorecard, ensure that all workflows follow the principle of least privilege and the permissions required by each workflow job are explicitly defined. Signed-off-by: Dominic Evans
--- .github/workflows/apidiff.yml | 4 ++++ .github/workflows/ci.yml | 7 +++++++ .github/workflows/codeql-analysis.yml | 10 +++++++--- .github/workflows/fuzz.yml | 4 ++++ .github/workflows/fvt-main.yml | 4 ++++ .github/workflows/fvt-pr.yml | 4 ++++ .github/workflows/fvt.yml | 4 ++++ .github/workflows/stale.yml | 7 +++++++ 8 files changed, 41 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/apidiff.yml b/.github/workflows/apidiff.yml
index 2b9fc2639..96a48d782 100644
--- a/.github/workflows/apidiff.yml
+++ b/.github/workflows/apidiff.yml
@@ -11,6 +11,10 @@ on: - "**" paths-ignore: - '**/*.md' + +permissions: + contents: read # for actions/checkout to fetch code + jobs: apidiff: runs-on: ubuntu-latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 684f73bdc..56a612964 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,8 +11,15 @@ on: - "**" paths-ignore: - '**/*.md' + +permissions: + contents: read # for actions/checkout to fetch code + jobs: lint: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: read # for golangci/golangci-lint-action to fetch pull requests name: Linting with Go ${{ matrix.go-version }} runs-on: ubuntu-latest strategy:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 4ac4379da..27be1ce47 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
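Review bot: The job-level `pull-requests: read` added to the lint job looks like an over-grant: golangci-lint-action documents that permission for its `only-new-issues` mode, and the step's `with:` block (visible in this series' pin-by-hash hunk for ci.yml) sets only `version`. If `only-new-issues` is not used, remove the line so the job runs with `contents: read` alone; if it is intended, make the comment say so, e.g. `pull-requests: read # golangci-lint-action only-new-issues`. Restating `contents: read` inside the job block is correct either way, since a job-level `permissions:` replaces the workflow-level block rather than adding to it. The lint job's steps continue outside the hunk.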
@@ -13,14 +13,18 @@ on: - '**/*.md' schedule: - cron: "39 12 * * 1" + +permissions: + contents: read # for actions/checkout to fetch code + jobs: analyze: name: Analyze runs-on: ubuntu-latest permissions: - actions: read - contents: read - security-events: write + actions: read # for github/codeql-action to list actions + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action to report security issues strategy: fail-fast: false matrix:
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index ea18a6da6..6648fdcfb 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -11,6 +11,10 @@ on: - "**" paths-ignore: - '**/*.md' + +permissions: + contents: read # for actions/checkout to fetch code + jobs: test: name: Fuzz
diff --git a/.github/workflows/fvt-main.yml b/.github/workflows/fvt-main.yml
index f3ed6e0a1..c17982b56 100644
--- a/.github/workflows/fvt-main.yml
+++ b/.github/workflows/fvt-main.yml
@@ -6,6 +6,10 @@ on: - main paths-ignore: - '**/*.md' + +permissions: + contents: read # for actions/checkout to fetch code + jobs: fvt: name: Test with Kafka ${{ matrix.kafka-version }}
diff --git a/.github/workflows/fvt-pr.yml b/.github/workflows/fvt-pr.yml
index 5f83d6f34..023c5b269 100644
--- a/.github/workflows/fvt-pr.yml
+++ b/.github/workflows/fvt-pr.yml
@@ -5,6 +5,10 @@ on: - "**" paths-ignore: - '**/*.md' + +permissions: + contents: read # for actions/checkout to fetch code + jobs: fvt: name: Test with Kafka ${{ matrix.kafka-version }}
diff --git a/.github/workflows/fvt.yml b/.github/workflows/fvt.yml
index d7dad1cb3..0c1f3588c 100644
--- a/.github/workflows/fvt.yml
+++ b/.github/workflows/fvt.yml
@@ -14,6 +14,10 @@ on: required: false type: string default: 2.13 + +permissions: + contents: read # for actions/checkout to fetch code + jobs: fvt: name: Test with Kafka ${{ inputs.kafka-version }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index a89a5f165..d6c2a2da6 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,8 +4,15 @@ on: schedule: - cron: "0 */2 * * *" workflow_dispatch: + +permissions: + contents: read # for actions/checkout to fetch code + jobs: stale: + permissions: + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-latest steps: - uses: actions/stale@main # make use of https://github.com/actions/stale/pull/1033 From 9658e0e01814047ac603fe555b1d49c012c2fe06 Mon Sep 17 00:00:00 2001 From: Dominic Evans Date: Wed, 25 Oct 2023 10:41:09 +0100 Subject: [PATCH 3/5] chore(ci): ensure GH actions are pinned by hash As recommendewd by OSSF scorecard, ensure GitHub Actions are pinned by commit hash rather than just version tag Signed-off-by: Dominic Evans
--- .github/workflows/apidiff.yml | 6 +++--- .github/workflows/ci.yml | 10 +++++----- .github/workflows/codeql-analysis.yml | 10 +++++----- .github/workflows/fuzz.yml | 4 ++-- .github/workflows/fvt.yml | 10 +++++----- .github/workflows/stale.yml | 3 ++- 6 files changed, 22 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/apidiff.yml b/.github/workflows/apidiff.yml
index 96a48d782..fe6fa330f 100644
--- a/.github/workflows/apidiff.yml
+++ b/.github/workflows/apidiff.yml
@@ -21,7 +21,7 @@ jobs: if: github.base_ref steps: - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: 1.21.x - name: Add GOBIN to PATH
@@ -29,7 +29,7 @@ jobs: - name: Install apidiff cmd run: go install golang.org/x/exp/cmd/apidiff@latest - name: Checkout base code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.base_ref }} path: "base"
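Review bot: The new workflow-level comment `contents: read # for actions/checkout to fetch code` does not match this file: the stale job's only visible step is `actions/stale`, and nothing checks out code. Because the job declares its own `permissions:` block, the workflow-level grant is overridden for it and only acts as a default for any job added later without one, so the comment should say that, e.g. `contents: read # default for jobs that do not set their own permissions`, or the block can be `permissions: {}` to make that default empty. The same comment is accurate in the other workflows in this commit, so only stale.yml needs the change. The stale step's `with:` block continues outside the hunk.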
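Review bot: A commit-SHA pin only stays safe if something refreshes it, and this page gives no evidence of an updater: the dependabot.yml hunk in the first commit of this series shows only `gomod` entries, and whether a `package-ecosystem: github-actions` entry exists in the unshown top of that file cannot be told from here. If there is none, the SHAs for `actions/setup-go` and `actions/checkout` introduced in these apidiff.yml hunks, and the `# vX.Y.Z` comments beside them, will silently age past upstream fixes; add `- package-ecosystem: github-actions` with `directory: /` and the same daily schedule so Dependabot bumps the hash and keeps the version comment in sync. The same applies to every pinned `uses:` in this commit (ci.yml, codeql-analysis.yml, fuzz.yml, fvt.yml, stale.yml).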
@@ -37,7 +37,7 @@ jobs: run: apidiff -m -w ../baseline.bin . working-directory: "base" - name: Checkout updated code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: path: "updated" - name: Run apidiff check
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 56a612964..0c98e9701 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,16 +27,16 @@ jobs: matrix: go-version: [1.21.x] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: cache: false # golangci-lint-action has its own cache go-version: ${{ matrix.go-version }} - name: golangci-lint env: GOFLAGS: -tags=functional - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: version: v1.54.2 test:
@@ -50,9 +50,9 @@ jobs: DEBUG: true GOFLAGS: -trimpath steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: ${{ matrix.go-version }} - name: Test (Unit)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 27be1ce47..458ac1615 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -31,16 +31,16 @@ jobs: language: ["go"] steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 with: languages: ${{ matrix.language }} - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: 1.21.x - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 6648fdcfb..ef78279ff 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -22,9 +22,9 @@ jobs: env: GOFLAGS: -trimpath steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: 1.21.x - name: Run any fuzzing tests
diff --git a/.github/workflows/fvt.yml b/.github/workflows/fvt.yml
index 0c1f3588c..4a570bfc0 100644
--- a/.github/workflows/fvt.yml
+++ b/.github/workflows/fvt.yml
@@ -28,12 +28,12 @@ jobs: KAFKA_VERSION: ${{ inputs.kafka-version }} SCALA_VERSION: ${{ inputs.scala-version }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup Docker - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 id: buildx - name: Build FVT Docker Image - uses: docker/bake-action@master + uses: docker/bake-action@cff93986225aa60b529e85c83a08f7df996a8d48 # master with: builder: ${{ steps.buildx.outputs.name }} files: docker-compose.yml
@@ -42,7 +42,7 @@ jobs: *.cache-from=type=gha,scope=${{ github.workflow }} *.cache-to=type=gha,scope=${{ github.workflow }},mode=max - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: ${{ inputs.go-version }} - name: Setup Docker Compose
@@ -63,7 +63,7 @@ jobs: if [ -f "fvt-kafka-${{ inputs.kafka-version }}.pcap" ]; then sudo chmod a+r "fvt-kafka-${{ inputs.kafka-version }}.pcap"; fi - name: Upload pcap file if: always() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: fvt-kafka-${{ inputs.kafka-version }}.pcap path: fvt-kafka-${{ inputs.kafka-version }}.pcap
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index d6c2a2da6..cb255c409 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -15,7 +15,8 @@ jobs: pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-latest steps: - - uses: actions/stale@main # make use of https://github.com/actions/stale/pull/1033 + # pinned to main commit to make use of https://github.com/actions/stale/pull/1033 + - uses: actions/stale@b69b346013879cedbf50c69f572cd85439a41936 # main with: ascending: true days-before-stale: 90 From 8ce03edb58454e4ebbc62371fc945131d15b5615 Mon Sep 17 00:00:00 2001
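Review bot: `docker/bake-action@cff93986… # master` in the Build FVT Docker Image step pins a commit taken from the master branch without saying why, unlike the stale.yml hunk in this same commit, which records that a `main` commit is needed for a specific upstream PR. A `# master` comment gives a reader no release to compare the SHA against and gives Dependabot no tag to track, so either pin to a released tag with a `# vX.Y.Z` comment or keep the SHA and add a comment stating what master provides that the latest release does not. The fvt job's steps continue outside these hunks.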
From: Dominic Evans Date: Wed, 25 Oct 2023 10:56:30 +0100 Subject: [PATCH 4/5] chore(ci): add golangci-lint and gitleaks checks Signed-off-by: Dominic Evans
--- .pre-commit-config.yaml | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d7271ee2e..1869b8160 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -31,3 +31,11 @@ repos: language: golang files: \.go$ args: [] + - repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks + - repo: https://github.com/golangci/golangci-lint + rev: v1.52.2 + hooks: + - id: golangci-lint From 25137dc3cf30e0960fb6d383caa861ab9100230f Mon Sep 17 00:00:00 2001 From: Dominic Evans Date: Wed, 25 Oct 2023 10:57:05 +0100 Subject: [PATCH 5/5] chore(ci): add Dependency Review Actions Ref: https://github.com/actions/dependency-review-action Signed-off-by: Dominic Evans
--- .github/workflows/dependency-review.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .github/workflows/dependency-review.yml
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644
index 000000000..0130e6557
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
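Review bot: The golangci-lint hook is pinned at `rev: v1.52.2` while the ci.yml workflow in this series runs golangci-lint `version: v1.54.2`, so the pre-commit hook and CI can disagree on which lints fire; align them, e.g. `rev: v1.54.2`, and bump both together in future. The previous commit in this series moved every GitHub Action to a commit-SHA pin, but both new hooks stay on movable tags; pre-commit's `rev:` accepts a full commit SHA as well as a tag, so the same treatment can be applied here if that level of pinning is wanted. The `repos:` list begins above the hunk.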
@@ -0,0 +1,22 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read # for actions/checkout to fetch code
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
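Review bot: The checkout step pins `actions/checkout@f43a0e5f… # v3.6.0` while every other workflow in this series was just moved to `actions/checkout@b4ffde65… # v4.1.1`, so the new file starts out a major version behind its siblings; use the same pin here, `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`, so one Dependabot bump covers all of them. `contents: read` is the minimum this job needs as written; if the action is later configured to post a summary comment on the PR it will also need `pull-requests: write`, which is worth recording in the comment so the grant is not widened without a reason. `on: [pull_request]` in flow style is fine for a single trigger.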