diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
deleted file mode 100644
index 4ff26a4a..00000000
--- a/.github/workflows/golangci-lint.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: Golangci-lint
-on:
- push:
- branches:
- - master
- pull_request:
-
-jobs:
- golangci-lint:
- name: lint
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v3
-
- - name: Set up Go
- uses: actions/setup-go@v5
- with:
- go-version: '1.21'
-
- - name: golangci-lint
- uses: golangci/golangci-lint-action@v3
- with:
- version: v1.56.2
diff --git a/.github/workflows/secure.yml b/.github/workflows/secure.yml
new file mode 100644
index 00000000..c58331a8
--- /dev/null
+++ b/.github/workflows/secure.yml
@@ -0,0 +1,73 @@
+name: Secure
+
+on: push
+
+jobs:
+ # Sample GitHub Actions:
+ # https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file
+ #
+ # CLI Reference:
+ # https://semgrep.dev/docs/cli-reference
+ semgrep:
+ runs-on: ubuntu-24.04
+ container:
+ image: semgrep/semgrep
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - uses: actions/checkout@v4
+ - run: semgrep scan --sarif --output=semgrep.sarif --error --severity=WARNING
+ env:
+ SEMGREP_RULES: >-
+ p/command-injection
+ p/comment
+ p/cwe-top-25
+ p/default
+ p/gitlab
+ p/gitleaks
+ p/golang
+ p/gosec
+ p/insecure-transport
+ p/owasp-top-ten
+ p/r2c-best-practices
+ p/r2c-bug-scan
+ p/r2c-security-audit
+ p/secrets
+ p/security-audit
+ p/sql-injection
+ p/xss
+ - uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: semgrep.sarif
+ if: always()
+
+ # Samples GitHub Actions:
+ # https://github.com/aquasecurity/trivy-action
+ trivy:
+ runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - uses: actions/checkout@v4
+ - uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: fs
+ format: sarif
+ output: trivy.sarif
+ exit-code: 0 # Change this after all events have resolved.
+ severity: MEDIUM,CRITICAL,HIGH
+ - uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: trivy.sarif
+ if: always()
+
+ # Samples GitHub Actions:
+ # https://github.com/golang/govulncheck-action
+ govulncheck:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: golang/govulncheck-action@v1
+ with:
+ go-version-file: go.mod
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
deleted file mode 100644
index 7079236b..00000000
--- a/.github/workflows/unit-tests.yml
+++ /dev/null
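Review bot: `aquasecurity/trivy-action@master` in the trivy job tracks a mutable branch, so each run executes whatever that branch currently contains while holding a token with `security-events: write`; pin it to a release tag or, preferably, a full commit SHA with a version comment, e.g. `- uses: aquasecurity/trivy-action@<full-sha>  # vX.Y.Z`. The same floating-reference problem applies to the semgrep job's `image: semgrep/semgrep`, which has no tag or digest and so resolves to `latest` on every run; pin it as `image: semgrep/semgrep:<version>` or by `@sha256:` digest. The govulncheck job declares no `permissions:` block, so unlike the other two jobs it inherits the repository's default `GITHUB_TOKEN` permissions, which may be read-write; add `permissions:` / `contents: read` to it. The `exit-code: 0` on trivy is already marked as temporary by its inline comment, but note that until it is flipped to `1` a CRITICAL finding will only appear in the Security tab and never fail the push.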
@@ -1,24 +0,0 @@
-name: Unit Tests
-on:
- push:
- branches:
- - master
- pull_request:
-
-jobs:
- unit-test:
- runs-on: ubuntu-latest
- strategy:
- fail-fast: false
-
- steps:
- - name: Checkout
- uses: actions/checkout@v3
-
- - name: Set up Go
- uses: actions/setup-go@v5
- with:
- go-version: '1.21'
-
- - name: Run test
- run: make test
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
new file mode 100644
index 00000000..97da0b9d
--- /dev/null
+++ b/.github/workflows/verify.yml
@@ -0,0 +1,34 @@
+name: Verify
+
+on: push
+
+jobs:
+ tests:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version: '1.21'
+ - run: make test
+
+ golangci-lint:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version: '1.21'
+ - uses: golangci/golangci-lint-action@v6
+ with:
+ version: v1.56.2
+
+ tidy:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version: '1.21'
+ - run: go mod tidy -v
+ - run: git diff --exit-code
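Review bot: verify.yml declares no `permissions:` block at either the workflow or job level, so all three jobs run with the repository's default `GITHUB_TOKEN` permissions, which can be read-write depending on repository settings; none of them needs more than a checkout, so add a top-level `permissions:` / `contents: read` directly under `name: Verify`. All three jobs also hard-code `go-version: '1.21'` while the govulncheck job in secure.yml reads `go-version-file: go.mod`; switching these to `go-version-file: go.mod` keeps the toolchain tied to the module and removes a second place to bump. With only `on: push` as the trigger, pull requests opened from forks will presumably receive no checks, since their pushes land in the fork rather than this repository — if fork contributions are expected, add a `pull_request:` trigger alongside `push`.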