From b6c08a404d64e098964ed1321a422b1c90dfee90 Mon Sep 17 00:00:00 2001
From: Dimitrij Drus
Date: Fri, 15 May 2026 09:08:19 +0200
Subject: [PATCH 1/5] ci workflow fixed for PRs originating from contributors and hardened
---
.github/workflows/ci.yml | 62 ++++++++++++++++++++++++++++++++--------
1 file changed, 50 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cb49903..4ad63d6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,37 +5,56 @@ on: branches: [ main ] pull_request: branches: [ main ] - workflow_dispatch: + +env: + GO_VERSION: "1.25.0" + GOLANGCI_LINT_VERSION: "v2.9.0" + +permissions: {} jobs: lint-code: name: Run Linters runs-on: ubuntu-latest permissions: + contents: read pull-requests: write + timeout-minutes: 10 steps: + - name: Harden Runner + uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + with: + egress-policy: audit - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - fetch-depth: 0 + persist-credentials: false - name: Review code uses: reviewdog/action-golangci-lint@c76cceaaab89abe74e649d2e34c6c9adc26662d2 # v2.10.0 with: - go_version: 1.25.0 - golangci_lint_version: v2.4.0 + go_version: "${{ env.GO_VERSION }}" + golangci_lint_version: "${{ env.GOLANGCI_LINT_VERSION }}" reporter: github-pr-review - fail_on_error: true + fail_level: error check-licenses: name: Check Licenses runs-on: ubuntu-latest + permissions: + contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + with: + egress-policy: audit - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Set up Go uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: - go-version: 1.25.0 + go-version: "${{ env.GO_VERSION }}" - name: Get google/go-licenses package run: go install github.com/google/go-licenses@v1.6.0 - name: Check the licenses 
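Review bot: `egress-policy: audit` on the new Harden Runner steps only records outbound connections and blocks nothing, so the jobs are instrumented rather than hardened; the same setting is used in the check-licenses and test jobs here and in the security.yaml and please-release.yaml hunks. Either move to `egress-policy: block` with an `allowed-endpoints` list once the audit logs show what each job actually needs, or add a comment above the step making the interim state explicit, e.g. `# audit mode only logs egress; tighten to block once the endpoint list is known`. `timeout-minutes: 10` is added only to lint-code; check-licenses in this hunk and test in the next hunk still have no limit. `pull-requests: write` is not granted to pull_request runs from forks, so the github-pr-review reporter may still be unable to post on contributor PRs — worth confirming against reviewdog's fork handling before calling this fixed.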
@@ -45,22 +64,41 @@ jobs: test: name: Run Tests runs-on: ubuntu-latest + permissions: + contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + with: + egress-policy: audit - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: - ref: ${{ github.head_ref }} + persist-credentials: false fetch-depth: 0 - name: Set up Go uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: - go-version: 1.25.0 + go-version: "${{ env.GO_VERSION }}" + - name: Install go-junit-report + run: go install github.com/jstemmer/go-junit-report/v2@v2.1.0 - name: Execute tests run: | - go test -v -gcflags=all=-l -cover ./... -coverprofile coverage.out -coverpkg ./... - - name: Upload code coverage report - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6 + set -o pipefail + go test -v -coverprofile=coverage.cov -coverpkg=./... ./... 2>&1 | \ + tee >(go-junit-report -set-exit-code > junit-report.xml) + - name: Upload test results to Codecov + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 + if: always() && !cancelled() + with: + report_type: test_results + files: junit-report.xml + verbose: true + token: ${{ secrets.CODECOV_TOKEN }} + - name: Upload code coverage report to Codecov + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 with: - files: coverage.out + report_type: coverage + files: coverage.cov verbose: true token: ${{ secrets.CODECOV_TOKEN }} From 0bf98c32c9659d5c16850252f0335b1f78d52060 Mon Sep 17 00:00:00 2001 From: Dimitrij Drus Date: Fri, 15 May 2026 09:08:34 +0200 Subject: [PATCH 2/5] security workflow hardened --- .github/workflows/security.yaml | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index d71f023..74ddf29 100644 
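Review bot: In the new `Execute tests` step the `-set-exit-code` flag on go-junit-report never affects the step result and junit-report.xml may be incomplete when the upload step runs: a `>(…)` process substitution is not part of the pipeline, so `set -o pipefail` ignores its status and the shell does not wait for it before the step ends. Writing the output to a file and running go-junit-report afterwards keeps the exit status from `go test` and guarantees the report is fully written before Codecov reads it; the rewritten block is below. The old command also passed `-gcflags=all=-l`; if any test depends on inlining being disabled, dropping it will break those tests — presumably deliberate, but worth confirming. `always() && !cancelled()` reduces to `!cancelled()`; `if: ${{ !cancelled() }}` says the same thing more directly.
```yaml
      # … unchanged: checkout, setup-go, go-junit-report install …
      - name: Execute tests
        run: |
          set -o pipefail
          status=0
          go test -v -coverprofile=coverage.cov -coverpkg=./... ./... 2>&1 | tee test-output.log || status=$?
          go-junit-report < test-output.log > junit-report.xml
          exit "$status"
      # … unchanged: Codecov upload steps …
```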
--- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -1,5 +1,8 @@ name: "Security Scan" +env: + GO_VERSION: "1.25.0" + on: push: branches: [main] @@ -8,17 +11,24 @@ on: schedule: - cron: '34 0 * * 6' -permissions: read-all +permissions: {} jobs: trivy-scan: name: Trivy Scan runs-on: ubuntu-24.04 permissions: + contents: read security-events: write steps: + - name: Harden Runner + uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + with: + egress-policy: audit - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # master with: @@ -37,14 +47,21 @@ jobs: name: CodeQL Scan runs-on: ubuntu-latest permissions: + contents: read security-events: write steps: + - name: Harden Runner + uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + with: + egress-policy: audit - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Set up Go uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: - go-version: 1.25.0 + go-version: "${{ env.GO_VERSION }}" - name: Initialize CodeQL uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4 with: From 4c186c37cafabe53f71adbaaad543726756c4943 Mon Sep 17 00:00:00 2001 From: Dimitrij Drus Date: Fri, 15 May 2026 09:08:52 +0200 Subject: [PATCH 3/5] empty changelog file added --- CHANGELOG.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..e69de29 From a71e63ce014746f62bd4d64776a6bdc8a60958f4 Mon Sep 17 00:00:00 2001 
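Review bot: The `env: GO_VERSION` block added at the top of security.yaml duplicates the constant just introduced in ci.yml, so the two workflows can now drift silently when one is bumped; it is consumed in the CodeQL hunk further down. setup-go supports `go-version-file: go.mod`, which would make the module file the single source for both workflows and let Renovate's existing golang rule drive the bump; the reviewdog step in ci.yml would need the same treatment if it offers an equivalent input. If the env approach is kept, a comment next to each copy naming the other, e.g. `# keep in sync with .github/workflows/ci.yml`, at least makes the coupling visible.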
From: Dimitrij Drus Date: Fri, 15 May 2026 09:09:08 +0200 Subject: [PATCH 4/5] renovate config update --- renovate.json | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/renovate.json b/renovate.json index 94436eb..d7ae68b 100644 --- a/renovate.json +++ b/renovate.json @@ -4,6 +4,7 @@ "config:recommended", ":semanticCommitScopeDisabled", ":semanticCommitTypeAll(chore)", + "docker:pinDigests", "helpers:pinGitHubActionDigests", ":pinDevDependencies" ], @@ -13,12 +14,21 @@ "golang" ], "semanticCommitType": "deps" + }, + { + "matchManagers": [ + "github-actions" + ], + "matchFileNames": [ + ".github/workflows/release.yaml" + ], + "matchPackageNames": [ + "slsa-framework/slsa-github-generator" + ], + "pinDigests": false } ], "configMigration": true, - "baseBranchPatterns": [ - "main" - ], "assigneesFromCodeOwners": true, "addLabels": [ "dependency" From 573949283ab08d2f2cad9588e450baa994ce10c3 Mon Sep 17 00:00:00 2001 From: Dimitrij Drus Date: Fri, 15 May 2026 09:09:26 +0200 Subject: [PATCH 5/5] release please bootstrapped --- .github/workflows/please-release.yaml | 34 +++++++++++++++++++++++++++ .release-please-manifest.json | 3 +++ release-please-config.json | 17 ++++++++++++++ 3 files changed, 54 insertions(+) create mode 100644 .github/workflows/please-release.yaml create mode 100644 .release-please-manifest.json create mode 100644 release-please-config.json diff --git a/.github/workflows/please-release.yaml b/.github/workflows/please-release.yaml new file mode 100644 index 0000000..02e1b23 --- /dev/null +++ b/.github/workflows/please-release.yaml 
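Review bot: The new packageRule that sets `"pinDigests": false` for `slsa-framework/slsa-github-generator` carries no explanation, and renovate.json has no comment syntax, so the next reader who finds an unpinned action in release.yaml will have no idea the exception is deliberate. Renovate packageRules accept a `"description"` key; add one stating the rationale, e.g. `"description": "slsa-github-generator must be referenced by tag rather than digest for its provenance verification to work"`, adjusted if the actual reason differs. The rule is scoped to `.github/workflows/release.yaml`, which is not part of this series, so that file name should be checked against the repository before merging.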
@@ -0,0 +1,34 @@ +name: please-release + +on: + push: + branches: + - main + +permissions: {} + +jobs: + create-release: + runs-on: ubuntu-24.04 + permissions: + pull-requests: write + contents: write + steps: + - name: Harden Runner + uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0 + with: + egress-policy: audit + - name: Please Release + id: create_release + uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4.4.1 + with: + target-branch: ${{ github.ref_name }} + token: ${{ secrets.RELEASE_TOKEN }} + skip-github-pull-request: true + - name: Please Release PR + if: steps.create_release.outputs.release_created == false + uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4.4.1 + with: + target-branch: ${{ github.ref_name }} + token: ${{ secrets.GITHUB_TOKEN }} + skip-github-release: true diff --git a/.release-please-manifest.json b/.release-please-manifest.json new file mode 100644 index 0000000..6d78745 --- /dev/null +++ b/.release-please-manifest.json @@ -0,0 +1,3 @@ +{ + ".": "0.9.0" +} \ No newline at end of file diff --git a/release-please-config.json b/release-please-config.json new file mode 100644 index 0000000..c4c625c --- /dev/null +++ b/release-please-config.json @@ -0,0 +1,17 @@ +{ + "bump-minor-pre-major": true, + "draft": false, + "release-type": "go", + "changelog-sections": [ + { "type": "feat", "section": "Features", "hidden": false }, + { "type": "refactor", "section": "Code Refactorings", "hidden": true }, + { "type": "perf", "section": "Performance Improvements", "hidden": false }, + { "type": "fix", "section": "Bug Fixes", "hidden": false }, + { "type": "docs", "section": "Documentation", "hidden": false }, + { "type": "deps", "section": "Dependencies", "hidden": false } + ], + "packages": { + ".": {} + }, + "bootstrap-sha": "1bbd17383c654ec6c3885299826543f37f6aac9a" +} \ No newline at end of file
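Review bot: `if: steps.create_release.outputs.release_created == false` relies on the expression engine coercing an unset output (`''`) and `false` both to 0; it works, but only by accident, and it reads as a boolean check on what is a string output. `if: ${{ !steps.create_release.outputs.release_created }}` or `if: steps.create_release.outputs.release_created != 'true'` states the intent directly. Because the second step opens the release PR with `GITHUB_TOKEN`, GitHub will not run the pull_request CI workflow on that PR, so its checks never appear unless someone touches the PR manually; if that is acceptable it deserves a comment, otherwise that step also needs the PAT. A comment on the first step stating which scopes `RELEASE_TOKEN` needs and why a PAT is used there, e.g. `# PAT so the published release triggers downstream workflows, which GITHUB_TOKEN events never do`, would also help the next maintainer.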