Refactor the repository before release

.github/dependabot.yml

@@ -0,0 +1,30 @@
+version: 2
+
+updates:
+
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: daily
+      time: '04:00'
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "chore(cicd):"
+
+  - package-ecosystem: gomod
+    directory: "/"
+    schedule:
+      interval: daily
+      time: '04:00'
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "chore(go):"
+
+  - package-ecosystem: docker
+    directory: "/.github/go/"
+    schedule:
+      interval: daily
+      time: '04:00'
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "chore(go):"

.github/go/Dockerfile

@@ -0,0 +1 @@
+FROM golang:1.22

.github/goreleaser.yml

@@ -0,0 +1,39 @@
+before:
+  hooks:
+  - go mod download
+
+checksum:
+  name_template: 'checksums.txt'
+
+snapshot:
+  name_template: "{{ .Tag }}-next"
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
+      - '^chore'
+
+release:
+  disable: false
+
+sboms:
+  -
+    artifacts: archive
+
+builds:
+  -
+    id: cli
+    dir: .
+    env: [CGO_ENABLED=0]
+    ldflags: [-w -s -extldflags "-static"]
+    goos: [darwin, linux, windows]
+    goarch: [amd64, arm64]
+    binary: misconfig-mapper
+
+archives:
+  -
+    name_template: "misconfig-mapper_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    format: zip

.github/workflows/build.yml

@@ -0,0 +1,43 @@
+name: build
+
+on:
+  pull_request:
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Unshallow
+        run: git fetch --prune --unshallow
+      -
+        id: vars
+        run: |
+          goVersion=$(grep '^FROM go' .github/go/Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
+          echo "go_version=${goVersion}" >> $GITHUB_OUTPUT
+          echo "Using Go version ${goVersion}"
+      -
+        name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ steps.vars.outputs.go_version }}
+      -
+        name: Install syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+      -
+        name: Build
+        uses: goreleaser/goreleaser-action@v5.0.0
+        with:
+          version: latest
+          args: build --config=.github/goreleaser.yml --clean --snapshot
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Scan dependencies
+        uses: anchore/sbom-action@v0
+        with:
+          dependency-snapshot: true

.github/workflows/lint.yml

@@ -0,0 +1,17 @@
+name: lint
+
+on: pull_request
+
+jobs:
+  golangci:
+    name: go
+    runs-on: ubuntu-latest
+    steps:
+    -
+      uses: actions/checkout@v4
+    -
+      name: golangci-lint
+      uses: reviewdog/action-golangci-lint@master
+      with:
+        github_token: ${{ secrets.github_token }}
+        golangci_lint_flags: "--config=.github/golangci.yml"

.github/workflows/release.yml

@@ -0,0 +1,90 @@
+name: release
+
+on:
+  push:
+    branches: [main, master]
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+
+    outputs:
+      hashes: ${{ steps.hashes.outputs.hashes }}
+      version: ${{ steps.semrel.outputs.version }}
+
+    permissions:
+      contents: write
+      packages: write
+
+    steps:
+    -
+      name: Checkout
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    -
+      id: vars
+      run: |
+        goVersion=$(grep '^FROM go' .github/go/Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
+        echo "go_version=${goVersion}" >> $GITHUB_OUTPUT
+        echo "Using Go version ${goVersion}"
+    -
+      name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: ${{ steps.vars.outputs.go_version }}
+    -
+      name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        format: 'github'
+        output: 'dependency-results.sbom.json'
+        image-ref: '.'
+        github-pat: ${{ secrets.GH_PRIVATEREPO_TOKEN }}
+    -
+      name: Remove SBOM result
+      run: |
+        rm dependency-results.sbom.json
+    -
+      name: Install syft
+      run: |
+        curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+    -
+      name: Create release tag
+      uses: go-semantic-release/action@v1
+      id: semrel
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+    -
+      run: git fetch -a
+      if: steps.semrel.outputs.version != ''
+    -
+      name: Release
+      uses: goreleaser/goreleaser-action@v5.0.0
+      if: steps.semrel.outputs.version != ''
+      with:
+        version: latest
+        args: release --config=.github/goreleaser.yml --clean
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    -
+      name: Generate dist hashes
+      id: hashes
+      if: steps.semrel.outputs.version != ''
+      env:
+        ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
+      run: |
+        checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+        echo "hashes=$(cat $checksum_file | base64 -w0)" >> $GITHUB_OUTPUT
+
+  provenance:
+    needs: [goreleaser]
+    if: needs.goreleaser.outputs.hashes != ''
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"

.github/workflows/securityscan.yml

@@ -0,0 +1,104 @@
+name: security
+
+on:
+  push:
+    branches: [master, main, ]
+  pull_request:
+    branches: [master,main]
+  schedule:
+    - cron: '0 5 * * 6'
+
+jobs:
+
+  codeql:
+
+    name: codeql
+    runs-on: ubuntu-latest
+
+    permissions:
+      security-events: write
+      contents: read
+
+    steps:
+    -
+      name: Checkout repository
+      uses: actions/checkout@v4
+    -
+      id: vars
+      run: |
+        goVersion=$(grep '^FROM go' .github/go/Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
+        echo "go_version=${goVersion}" >> $GITHUB_OUTPUT
+        echo "Using Go version ${goVersion}"
+    -
+      name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: ${{ steps.vars.outputs.go_version }}
+    -
+      name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: go
+    -
+      name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+
+  govulncheck:
+
+    name: govulncheck
+    runs-on: ubuntu-latest
+
+    permissions:
+      security-events: write
+      contents: read
+
+    steps:
+    -
+      name: Checkout repository
+      uses: actions/checkout@v4
+    -
+      id: vars
+      run: |
+        goVersion=$(grep '^FROM go' .github/go/Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
+        echo "go_version=${goVersion}" >> $GITHUB_OUTPUT
+        echo "Using Go version ${goVersion}"
+    -
+      name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: ${{ steps.vars.outputs.go_version }}
+    -
+      name: check for go vulnerabilities
+      uses: kmulvey/govulncheck-action@main
+      with:
+        packages: ./...
+
+  trivy:
+
+    name: trivy
+    runs-on: ubuntu-latest
+
+    permissions:
+      security-events: write
+      contents: read
+
+    steps:
+    -
+      uses: actions/checkout@v4
+    -
+      name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        hide-progress: false
+        exit-code: '1'
+        ignore-unfixed: true
+        scan-type: 'fs'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        severity: 'CRITICAL,HIGH,MEDIUM'
+    -
+      name: Upload Trivy scan results to GitHub Security tab
+      if: always()
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: 'trivy-results.sarif'

.github/workflows/test.yml

@@ -0,0 +1,31 @@
+name: test
+on: pull_request
+
+jobs:
+  test:
+    name: go
+    runs-on: ubuntu-latest
+    steps:
+    -
+      name: Checkout
+      uses: actions/checkout@v4
+    -
+      name: Unshallow
+      run: git fetch --prune --unshallow
+    -
+      id: vars
+      run: |
+        goVersion=$(grep '^FROM go' .github/go/Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
+        echo "go_version=${goVersion}" >> $GITHUB_OUTPUT
+        echo "Using Go version ${goVersion}"
+    -
+      name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: ${{ steps.vars.outputs.go_version }}
+    -
+      name: Download Go modules
+      run: go mod download
+    -
+      name: Run Tests
+      run: go test -v ./...

.github/workflows/todo.yml

@@ -0,0 +1,20 @@
+name: todo
+
+on:
+  push:
+    branches: [master,main]
+
+jobs:
+  todo:
+    runs-on: ubuntu-latest
+    steps:
+    -
+      uses: actions/checkout@v4
+    -
+      name: Check Todos
+      uses: ribtoks/tdg-github-action@master
+      with:
+        TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        REPO: ${{ github.repository }}
+        SHA: ${{ github.sha }}
+        REF: ${{ github.ref }}

.gitignore

@@ -2,11 +2,8 @@
 /\~
 ~/.vscode-root
 .vscode
+.idea/
 
 # Binary
 misconfig-mapper
 main
-
-# Release folder
-release
-release.zip