diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 021195b..31bea9c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -40,11 +40,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -54,16 +54,16 @@ jobs: # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality - - uses: actions/setup-go@v4 + - uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4.3.0 with: go-version: '1.20.x' # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/pinact.yaml b/.github/workflows/pinact.yaml new file mode 100644 index 0000000..2ae23a3 --- /dev/null +++ b/.github/workflows/pinact.yaml @@ -0,0 +1,32 @@ +name: Pinact + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + paths: + - ".github/workflows/**" + - ".github/actions/**" + +permissions: {} + +jobs: + pinact: + # Only run on pull requests from the same repository + if: github.event.pull_request.head.repo.full_name == github.repository + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Pin actions + uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0 + with: + skip_push: true + verify: true + min_age: 7 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 0e2e107..8329752 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -8,15 +8,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Go - uses: actions/setup-go@v4 + uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4.3.0 with: go-version: 1.20.x - name: Create release - uses: goreleaser/goreleaser-action@v3 + uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # v3.2.0 with: args: release --rm-dist env: diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index f947292..a274b5f 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -7,14 +7,14 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - - uses: actions/setup-go@v4 + - uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4.3.0 with: go-version: "1.20.x" - name: Lint codebase using golangci-lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: args: --issues-exit-code=0 --timeout 5m @@ -24,7 +24,7 @@ jobs: - name: Prepare release if: github.ref == 'refs/heads/main' && github.event.type != 'pull_request' - uses: labd/changie-release-action@v0.2.0 + uses: labd/changie-release-action@767b033c5eeef3070b58796aab052c3077873371 # v0.2.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} release-workflow: release.yaml diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml new file mode 100644 index 0000000..8e6493b --- /dev/null +++ b/.github/workflows/zizmor.yaml @@ -0,0 +1,32 @@ +name: Zizmor + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + paths: + - ".github/workflows/**" + - ".github/actions/**" + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 + with: + advanced-security: false + annotations: true + min-severity: high diff --git a/.golangci.yml b/.golangci.yml index 969235e..fd6c13e 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -1,20 +1,38 @@ +version: "2" linters: - disable-all: true + default: none enable: - - asciicheck - - bodyclose - - contextcheck - - cyclop - - errcheck - - exhaustive - - exportloopref - - forcetypeassert - - goimports - - gosimple - - govet - - ineffassign - - predeclared - - staticcheck - - tenv - - typecheck - - unused + - asciicheck + - bodyclose + - contextcheck + - copyloopvar + - errcheck + - exhaustive + - forcetypeassert + - govet + - ineffassign + - predeclared + - staticcheck + - unused + - usetesting + - whitespace + exclusions: + generated: lax + presets: + - comments + - common-false-positives + - legacy + - std-error-handling + paths: + - third_party$ + - builtin$ + - examples$ +formatters: + enable: + - goimports + exclusions: + generated: lax + paths: + - third_party$ + - builtin$ + - examples$