diff --git a/.github/workflows/go-dep-submission.yml b/.github/workflows/go-dep-submission.yml
index 23d2acb4..1da06bab 100644
--- a/.github/workflows/go-dep-submission.yml
+++ b/.github/workflows/go-dep-submission.yml
@@ -5,13 +5,14 @@ on:
branches: - main
-# The API requires write permission on the repository to submit dependencies
permissions:
- contents: write
+ contents: read
jobs:
go-action-detection:
runs-on: ubuntu-latest
+ permissions:
+ contents: write
steps: - name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 00000000..909f7bb8
--- /dev/null
+++ b/.github/workflows/test.yml
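Review bot: The comment `# The API requires write permission on the repository to submit dependencies` is removed together with the workflow-level `contents: write`, so the job-level `contents: write` added under `go-action-detection` is now the only write scope in this workflow and carries no explanation of why it is needed. Keep the rationale next to the scope that needs it, e.g. `# The dependency submission API requires contents: write` directly above the job-level `permissions:` block. Narrowing the top-level block to `contents: read` is the right direction; it is exactly because the remaining grant is now the single privileged one that it deserves the comment. The rest of the job's steps are outside the hunk.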
@@ -0,0 +1,107 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Tests
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ examples:
+ runs-on: ubuntu-latest
+ name: Examples
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+ with:
+ egress-policy: audit
+
+ - name: Checkout Source
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ fetch-depth: 0
+
+ - name: Install Go
+ uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+ with:
+ go-version: '>= 1.21'
+ cache: true
+
+ - name: Run example tests
+ run: |
+ make examples
+
+ unit:
+ runs-on: ubuntu-latest
+ name: Unit
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+ with:
+ egress-policy: audit
+
+ - name: Checkout Source
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ fetch-depth: 0
+
+ - name: Install Go
+ uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+ with:
+ go-version: '>= 1.21'
+ cache: true
+
+ - name: Run unit tests
+ run: |
+ make unit
+
+ acc:
+ runs-on: ubuntu-latest
+ name: Acceptance (${{ matrix.terraform_version }})
+
+ strategy:
+ fail-fast: false
+ matrix:
+ terraform_version:
+ - '1.1'
+ - '1.2'
+ - '1.3'
+ - '1.4'
+ - '1.5'
+ - '1.6'
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+ with:
+ egress-policy: audit
+
+ - name: Checkout Source
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ fetch-depth: 0
+
+ - name: Install Go
+ uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+ with:
+
go-version: '>= 1.21'
+ cache: true
+
+ - name: Install Terraform
+ uses: hashicorp/setup-terraform@v2
+ with:
+ terraform_version: ${{ matrix.terraform_version }}
+ terraform_wrapper: false
+
+ - name: Run acceptance tests
+ run: |
+ make acc
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 1d835096..b18c97a5 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -97,6 +97,13 @@ repos:
language: system
stages: [commit, push]
+ - id: actionlint
+ name: Actionlint
+ description: Lint GitHub Actions workflows
+ entry: bash -c 'actionlint'
+ language: system
+ stages: [commit, push]
+ - id: unconvert
name: 'Go: unconvert (current GOOS/GOARCH)'
description: Analyzes Go packages to identify unnecessary type conversions.
@@ -110,3 +117,17 @@ repos:
entry: bash -c 'smrcptr -skip-std=true --constructor=true ./...'
language: system
stages: [commit, push]
+
+ - id: govulncheck
+ name: 'Go: Vulnerability check'
+ description: Check for Go security vulnerabilities. (https://go.dev/blog/vuln)
+ entry: bash -c 'govulncheck -test ./...'
+ language: system
+ stages: [commit, push]
+
+ - id: osvscanner
+ name: OSV Scanner
+ description: Check for security vulnerabilities. (https://osv.dev)
+ entry: bash -c 'osv-scanner -r .'
+ language: system
+ stages: [commit, push]
diff --git a/Makefile b/Makefile
index 90cc2087..a174a33a 100644
--- a/Makefile
+++ b/Makefile
@@ -11,7 +11,7 @@ current_dir := $(dir $(mkfile_path))
# Global stuff.
GO=$(shell which go)
-HOMEBREW_PACKAGES=bash bats-core coreutils findutils git git-lfs go grep jq librsvg nodejs pre-commit python@3.11 tfschema trufflesecurity/trufflehog/trufflehog
+HOMEBREW_PACKAGES=bash bats-core coreutils findutils git git-lfs go grep jq librsvg nodejs pre-commit python@3.11 shellcheck tfschema trufflesecurity/trufflehog/trufflehog
# Determine the operating system and CPU arch.
OS=$(shell uname -o | tr '[:upper:]' '[:lower:]')
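Review bot: The `Install Terraform` step in the `acc` job pins `hashicorp/setup-terraform@v2` by a mutable tag, while every other action in this new workflow (`harden-runner`, `checkout`, `setup-go`) is pinned to a full commit SHA with a `# vX.Y.Z` comment. A tag can be moved to different code after review, so this is the one step whose contents are not fixed at review time; pin it the same way, `uses: hashicorp/setup-terraform@<full commit SHA> # v2.x.y` (look the SHA up from the release, it is not given here). The `egress-policy: audit` setting on the three Harden Runner steps only logs outbound connections, so the jobs are not yet enforcing an allowlist; that is a reasonable first setting but worth a comment saying so. The `acc` job begins on the previous source line.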
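Review bot: The `actionlint` hook uses `entry: bash -c 'actionlint'`, so the filenames pre-commit passes become positional parameters of `bash` and are discarded; the hook lints all workflows on every commit that touches any file. That matches the existing hooks' style in this file, but for a linter scoped to one directory the intent is clearer and cheaper when declared: add `files: ^\.github/workflows/.*\.ya?ml$` and `pass_filenames: false` to the hook. The same discarded-filenames pattern applies to the `govulncheck` and `osvscanner` entries in the next hunk, where `pass_filenames: false` would at least make explicit that the whole module is scanned regardless of what is staged.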
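Review bot: Both `govulncheck -test ./...` and `osv-scanner -r .` need network access to their vulnerability databases, and with `stages: [commit, push]` they run on every commit, so a commit made offline will typically fail on the database lookup rather than on a finding. Consider `stages: [push]` for these two hooks, keeping the purely static hooks at commit stage, or state the network requirement in each `description` so the failure mode is not a surprise. These two hooks carry over the `govulncheck -test` and `osv-scanner` runs of the `vuln` Makefile target that this change removes, so their presence here is what keeps those checks in the workflow at all.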
@@ -66,6 +66,7 @@ install-tools-go:
$(GO) install github.com/nikolaydubina/go-cover-treemap@latest
$(GO) install github.com/orlangure/gocovsh@latest
$(GO) install github.com/pelletier/go-toml/v2/cmd/tomljson@latest
+ $(GO) install github.com/rhysd/actionlint/cmd/actionlint@latest
$(GO) install github.com/securego/gosec/v2/cmd/gosec@latest
$(GO) install github.com/trufflesecurity/driftwood@latest
$(GO) install golang.org/x/perf/cmd/benchstat@latest
@@ -210,32 +211,6 @@ binsize:
#-------------------------------------------------------------------------------
# Linting
-.PHONY: vuln
-## vuln: [lint]* Checks for known security vulnerabilities.
-vuln:
- @ $(ECHO) " "
- @ $(ECHO) "\033[1;33m=====> Running govulncheck (https://go.dev/blog/vuln)...\033[0m"
- govulncheck ./...
-
- @ $(ECHO) " "
- @ $(ECHO) "\033[1;33m=====> Running govulncheck -test (https://go.dev/blog/vuln)...\033[0m"
- govulncheck -test ./...
-
- @ $(ECHO) " "
- @ $(ECHO) "\033[1;33m=====> Running osv-scanner (https://osv.dev)...\033[0m"
- osv-scanner -r .
-
- @ $(ECHO) " "
- @ $(ECHO) "\033[1;33m=====> Running gosec (https://github.com/securego/gosec)...\033[0m"
- gosec -terse -tests ./...
-
-.PHONY: secrets
-## secrets: [lint]* Checks for verifiable secrets.
-secrets:
- @ $(ECHO) " "
- @ $(ECHO) "\033[1;33m=====> Running TruffleHog...\033[0m"
- trufflehog git file://. --json --only-verified --concurrency=$(nproc) 2>/dev/null | jq '.'
-
.PHONY: pre-commit
## pre-commit: [lint]* Runs `pre-commit` against all files.
pre-commit:
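Review bot: Removing the `vuln` and `secrets` targets drops two checks that nothing visible in this diff re-creates: `gosec -terse -tests ./...` and the TruffleHog `--only-verified` secrets scan. The new pre-commit hooks cover `govulncheck -test ./...` and `osv-scanner -r .` only, and the `lint` hunk further down changes `lint: vuln license unconvert pre-commit` to `lint: license pre-commit`, so `make lint` silently loses static security analysis and verified-secret detection. If these are meant to move into pre-commit as well, add `gosec` and `trufflehog` hooks in the same style as the new ones; otherwise keep a `secrets` target so the check remains reachable from the Makefile. The `install-tools-go` recipe in the hunk above still installs `gosec`, which suggests the tool is expected to stay in use; if gosec is already covered by an existing pre-commit hook outside this diff, a one-line comment saying so where `vuln` used to be would settle it.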
@@ -265,16 +240,9 @@ license:
@ - licensei header
@ $(ECHO) " "
-.PHONY: unconvert
-## unconvert: [lint]* Identify unnecessary type conversions. All GOOS/GOARCH matches.
-unconvert:
- @ $(ECHO) " "
- @ $(ECHO) "\033[1;33m=====> Running unconvert (all GOOS/GOARCH)...\033[0m"
- unconvert -all -fastmath -tests -v ./...
-
.PHONY: lint
## lint: [lint]* Runs ALL linting/validation tasks.
-lint: vuln license unconvert pre-commit
+lint: license pre-commit
#-------------------------------------------------------------------------------
# Testing
@@ -307,7 +275,7 @@ list-tests:
@ $(ECHO) " "
@ $(ECHO) "\033[1;33m=====> Fuzzing tests...\033[0m"
- @ cat ./corefunc/*_test.go | ggrep "func Fuzz" | gsed 's/func\s//g' | gsed -r 's/\(.*//g' | gsed -r 's/Fuzz/make fuzz NAME=/g'
+ @ $(ECHO) "make fuzz"
@ $(ECHO) " "
@ $(ECHO) "\033[1;33m=====> BATS tests...\033[0m"
@@ -358,11 +326,13 @@ examples:
gotestsum --format testname -- -run=Example$(NAME) -count=1 -parallel=$(shell nproc) -timeout 30s -coverpkg=./corefunc/... -coverprofile=__coverage.out -v ./corefunc/...
.PHONY: fuzz
-## fuzz: [test]* Runs the fuzzer for 10 minutes. Set NAME= (without 'Fuzz') to run a specific test by name
+## fuzz: [test]* Runs the fuzzer for 1 minute per test.
fuzz:
@ $(ECHO) " "
@ $(ECHO) "\033[1;33m=====> Running the fuzzer (https://go.dev/doc/tutorial/fuzz)...\033[0m"
- $(GO) test -run='^$$' -fuzz=Fuzz$(NAME) -fuzztime 10m -parallel=$(shell nproc) -v ./corefunc/...
+ $(GO) test -run='^$$' -fuzz=FuzzEnvEnsure -fuzztime 1m -v ./corefunc
+ $(GO) test -run='^$$' -fuzz=FuzzStrIterativeReplace -fuzztime 1m -v ./corefunc
+ $(GO) test -run='^$$' -fuzz=FuzzTruncateLabel -fuzztime 1m -v ./corefunc
.PHONY: quickbench
## quickbench: [test]* Runs the benchmarks with minimal data for a quick check
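Review bot: The new `fuzz` recipe hard-codes three targets (`FuzzEnvEnsure`, `FuzzStrIterativeReplace`, `FuzzTruncateLabel`) and drops the `NAME=` override, so any `Fuzz*` function later added under `./corefunc` is silently excluded until someone edits the Makefile, and a single target can no longer be run on its own; the `list-tests` hunk above now just prints `make fuzz`, so nothing enumerates them either. Because each line is a separate `go test` invocation, the first crash also stops the remaining targets from running, which hides later findings. Moving the list into an overridable variable and running all entries before failing restores both the per-target run and the full pass; the unanchored `-fuzz=` regex is also worth anchoring, since `-fuzz=FuzzEnvEnsure` would match any name with that prefix. The fence below keeps the two `$(ECHO)` banner lines unchanged.

```make
# Default fuzz set; override with `make fuzz FUZZ_TARGETS="FuzzTruncateLabel"`.
FUZZ_TARGETS ?= FuzzEnvEnsure FuzzStrIterativeReplace FuzzTruncateLabel

fuzz:
# … unchanged: the two $(ECHO) banner lines …
	@ rc=0; for t in $(FUZZ_TARGETS); do \
	    $(GO) test -run='^$$' -fuzz="^$$t$$" -fuzztime 1m -v ./corefunc || rc=1; \
	  done; exit $$rc
```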