diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
new file mode 100644
index 0000000..b22e2af
--- /dev/null
+++ b/.github/workflows/golangci-lint.yml
@@ -0,0 +1,28 @@
+name: golangci-lint
+on:
+ push:
+ tags:
+ - v*
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+ paths:
+ - "**.go"
+ - "go.mod"
+ - ".github/workflows/golangci-lint.yml"
+permissions:
+ contents: read
+ pull-requests: read
+jobs:
+ golangci:
+ name: lint
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ - name: golangci-lint
+ uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
+ with:
+ version: latest
+ args: --timeout=3m
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..1a8fc28
--- /dev/null
+++ b/.github/workflows/release.yml
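Review bot: In `.github/workflows/golangci-lint.yml`, `version: latest` leaves the linter binary unpinned even though both actions in the job are pinned to commit SHAs. A new golangci-lint release can then change lint results without any change in this repository, and the job runs whatever binary is current at run time. Pin it to an explicit release, for example `version: <pinned golangci-lint release>` (placeholder; pick the version the project actually tests with), and bump it deliberately alongside the action SHA.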
@@ -0,0 +1,124 @@
+# Copyright 2022 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: release
+on:
+ push:
+ tags:
+ - v*
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+ paths-ignore:
+ - "**.md"
+ - "docs/**"
+ - "docs-site/**"
+
+permissions:
+ contents: read # This is required for actions/checkout
+
+
+jobs:
+ fmt:
+ uses: ./.github/workflows/witness.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: fmt
+ attestations: "git github environment"
+ command: go fmt ./...
+
+ sast:
+ needs: [fmt]
+ uses: ./.github/workflows/witness.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: sast
+ attestations: "git github environment"
+ command: go vet ./...
+
+ unit-test:
+ needs: [fmt]
+ uses: ./.github/workflows/witness.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: unit-test
+ attestations: "git github environment"
+ command: go test -v -coverprofile=profile.cov -covermode=atomic ./...
+ artifact-upload-name: profile.cov
+ artifact-upload-path: profile.cov
+
+ release:
+ permissions:
+ id-token: write
+ contents: write
+ packages: write
+ runs-on: ubuntu-latest
+ needs: [sast, unit-test]
+ if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ fetch-depth: 0
+
+ - name: Set up Go
+ uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+ with:
+ go-version: 1.21.x
+ - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ with:
+ path: |
+ ~/go/pkg/mod
+ ~/.cache/go-build
+ key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+ restore-keys: |
+ ${{ runner.os }}-go-
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+
+ - name: Install syft
+ uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
+
+ - name: Download GoReleaser
+ run: go install github.com/goreleaser/goreleaser@v1.23.0
+
+ - name: Run GoReleaser
+ uses: testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
+ with:
+ step: "build"
+ attestations: "github"
+ command: goreleaser release --clean
diff --git a/.github/workflows/verify-licence.yml b/.github/workflows/verify-licence.yml
new file mode 100644
index 0000000..1e0849b
--- /dev/null
+++ b/.github/workflows/verify-licence.yml
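Review bot: In `.github/workflows/release.yml`, the `release` job restores `~/go/pkg/mod` and `~/.cache/go-build` through `actions/cache`, with a `restore-keys` prefix fallback, in the same job that holds `id-token: write`, `contents: write` and `packages: write` and produces the signed artifacts. Build state restored from an earlier run becomes an input to the signed build that the `github` attestation does not describe, so a release job is better built from a clean state. I would drop the `actions/cache` step from `release` and add `cache: false` under the `actions/setup-go` step's `with:`, since setup-go enables its own cache by default in recent major versions (confirm for the pinned v5.0.1). Separately, `testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8` is the only pinned action here without a trailing `# vX.Y.Z` comment, which makes the pin harder to audit and update.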
@@ -0,0 +1,24 @@
+name: Verify License
+on:
+ workflow_dispatch:
+ push:
+ branches: ["main", "release-*"]
+ pull_request:
+permissions:
+ contents: read
+
+jobs:
+ license-check:
+ name: license boilerplate check
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+ with:
+ go-version: "1.21.x"
+ - name: Install addlicense
+ run: go install github.com/google/addlicense@v1.1.1
+ - name: Check license headers
+ run: |
+ set -e
+ addlicense --check -l apache -c 'The Witness Contributors' --ignore "chart/**" -v *
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
new file mode 100644
index 0000000..75312a8
--- /dev/null
+++ b/.github/workflows/witness.yml
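Review bot: In `.github/workflows/verify-licence.yml`, the trailing `*` in `addlicense --check ... -v *` is a shell glob, and `*` does not match dot-entries, so `.github/` and `.goreleaser.yaml` are never handed to the check. That gap is visible in this same commit: `golangci-lint.yml`, `verify-licence.yml` and `.goreleaser.yaml` are added without the Apache header that `release.yml` and `witness.yml` carry, and the check as written would not report them. Passing `.` instead of `*` should bring them into scope; confirm how addlicense treats `.git` and whether more `--ignore` patterns are needed, and expect the three files above to need headers once it does.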
@@ -0,0 +1,86 @@
+# Copyright 2023 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+on:
+ workflow_call:
+ inputs:
+ pull_request:
+ required: true
+ type: boolean
+ artifact-download:
+ required: false
+ type: string
+ artifact-upload-name:
+ required: false
+ type: string
+ artifact-upload-path:
+ required: false
+ type: string
+ pre-command:
+ required: false
+ type: string
+ command:
+ required: true
+ type: string
+ step:
+ required: true
+ type: string
+ attestations:
+ required: true
+ type: string
+
+permissions:
+ contents: read
+
+jobs:
+ witness:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ steps:
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+ with:
+ go-version: 1.21.x
+
+ - if: ${{ inputs.artifact-download != '' }}
+ uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+ with:
+ name: ${{ inputs.artifact-download }}
+ path: /tmp
+
+ - if: ${{ inputs.pre-command != '' && inputs.pull_request == false }}
+ uses: testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8
+ with:
+ step: pre-${{ inputs.step }}
+ attestations: ${{ inputs.attestations }}
+ command: /bin/sh -c "${{ inputs.pre-command }}"
+ - if: ${{ inputs.pre-command != '' && inputs.pull_request == true }}
+ run: ${{ inputs.pre-command }}
+
+ - if: ${{ inputs.pull_request == false }}
+ uses: testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8
+ with:
+ step: ${{ inputs.step }}
+ attestations: ${{ inputs.attestations }}
+ command: /bin/sh -c "${{ inputs.command }}"
+ - if: ${{ inputs.pull_request == true }}
+ run: ${{ inputs.command }}
+
+ - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}}
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ with:
+ name: ${{ inputs.artifact-upload-name }}
+ path: ${{ inputs.artifact-upload-path }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
new file mode 100644
index 0000000..711056e
--- /dev/null
+++ b/.goreleaser.yaml
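Review bot: In `.github/workflows/witness.yml`, `run: ${{ inputs.command }}` and `run: ${{ inputs.pre-command }}` paste the input into the script text before the shell parses it, and the attested path wraps the same value in `/bin/sh -c "${{ inputs.command }}"`, where a `"` inside the command would end the quoting early. The callers added in `release.yml` pass fixed strings, so this is safe as committed, but nothing in the reusable workflow records that contract. I would add a comment on the `command` and `pre-command` inputs such as `# executed verbatim by the shell; callers must pass constants, never event-derived data`. On the pull-request path the value can go through the environment instead, `env: { WITNESS_COMMAND: "${{ inputs.command }}" }` with `run: /bin/sh -c "$WITNESS_COMMAND"`, and the same pattern applies to `pre-command`. That also makes the pull-request path use `/bin/sh` like the attested path rather than the default `run:` shell, so a command checked on a PR behaves the same when it is attested.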
@@ -0,0 +1,73 @@
+project_name: witness-webhook
+builds:
+ - ldflags:
+ - "-s -w"
+ - "-extldflags=-zrelro"
+ - "-extldflags=-znow"
+ - "-extldflags -w -X 'github.com/testifysec/witness-webhook/main.Version={{.Tag}}-{{.ShortCommit}}'"
+ env:
+ - "CGO_ENABLED=0"
+ - "GO111MODULE=on"
+ - "GOFLAGS=-mod=readonly -trimpath"
+ goos:
+ - linux
+ - darwin
+ goarch:
+ - amd64
+ - arm64
+ main: ./
+source:
+ enabled: true
+signs:
+ - cmd: cosign
+ args:
+ - "sign-blob"
+ - "--output-signature=${signature}"
+ - "${artifact}"
+ - "--yes" # needed on cosign 2.0.0+
+ artifacts: all
+changelog:
+ use: github
+ groups:
+ - title: Features
+ regexp: "^.*feat[(\\w)]*:+.*$"
+ order: 0
+ - title: 'Bug fixes'
+ regexp: "^.*fix[(\\w)]*:+.*$"
+ order: 1
+ - title: 'Documentation'
+ regexp: "^.*docs[(\\w)]*:+.*$"
+ order: 2
+ - title: Others
+ order: 999
+release:
+ prerelease: auto
+ github:
+ owner: "{{ .Env.GITHUB_REPOSITORY_OWNER }}"
+kos:
+ - repository: ghcr.io/testifysec/witness-webhook
+ tags:
+ - '{{.Version}}'
+ bare: true
+ preserve_import_paths: false
+ creation_time: '{{.CommitTimestamp}}'
+ platforms:
+ - linux/amd64
+ - linux/arm64
+ sbom: spdx
+docker_signs:
+ - artifacts: manifests
+ cmd: cosign
+ args:
+ - "sign"
+ - "${artifact}"
+ - "--yes" # needed on cosign 2.0.0+
+sboms:
+ - id: archive
+ cmd: syft
+ artifacts: archive
+ args: ["$artifact", "--output", "spdx-json=$document"]
+ - id: source
+ cmd: syft
+ artifacts: source
+ args: ["$artifact", "--output", "spdx-json=$document"]
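Review bot: In `.goreleaser.yaml`, the `signs` entry runs `cosign sign-blob` with `--output-signature=${signature}` only, so the signing certificate is not published next to the artifacts; this assumes the release job signs keylessly, which its `id-token: write` grant and the absence of any key suggest. Consumers would then have to recover the certificate from the transparency log before they can run `cosign verify-blob`. GoReleaser supports `certificate: '${artifact}.pem'` on the sign entry together with `- "--output-certificate=${certificate}"` in `args`. Also worth checking in `builds.ldflags`: with `CGO_ENABLED=0` the external linker is normally not invoked, so `-extldflags=-zrelro` and `-extldflags=-znow` likely have no effect, and the later `-extldflags -w` would replace them in any case, so the hardening those entries suggest may not be applied.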