diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a7c9ebcd..5ac1e919 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -19,15 +19,37 @@ updates:
 directory: "/"
 schedule:
 interval: "daily"
+ groups:
+ gomod:
+ update-types:
+ - "patch"
+
 - package-ecosystem: "gomod"
 directory: "./hack/tools"
 schedule:
 interval: "daily"
+ groups:
+ gomod-hack:
+ update-types:
+ - "minor"
+ - "patch"
+
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
 interval: "daily"
+ groups:
+ actions:
+ update-types:
+ - "minor"
+ - "patch"
+
 - package-ecosystem: "docker"
 directory: "/"
 schedule:
 interval: "daily"
+ groups:
+ docker:
+ update-types:
+ - "minor"
+ - "patch"
diff --git a/.github/workflows/auto_merge.yaml b/.github/workflows/auto_merge.yaml
deleted file mode 100644
index aa8f5100..00000000
--- a/.github/workflows/auto_merge.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-name: Dependabot auto-merge
-
-on:
- pull_request:
-
-permissions: read-all
-
-jobs:
- dependabot:
- permissions:
- contents: write
- pull-requests: write
- runs-on: ubuntu-latest
- if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
- steps:
- - name: Dependabot metadata
- id: metadata
- uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2.1.0
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Enable auto-merge for Dependabot PRs
- if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch' }}
- run: gh pr merge --auto --squash "$PR_URL"
- env:
- PR_URL: ${{ github.event.pull_request.html_url }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/build-snapshot.yaml b/.github/workflows/build-snapshot.yaml
new file mode 100644
index 00000000..6772390e
--- /dev/null
+++ b/.github/workflows/build-snapshot.yaml
@@ -0,0 +1,44 @@
+name: build-snapshot
+
+on:
+ pull_request:
+
+permissions: {}
+
+jobs:
+ snapshot:
+ permissions:
+ contents: read
+
+ runs-on: ubuntu-latest
+ outputs:
+ hashes: ${{ steps.hash.outputs.hashes }}
+ tag_name: ${{ steps.tag.outputs.tag_name }}
+ steps:
+ - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+
+ - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+ with:
+ go-version-file: './go.mod'
+ check-latest: true
+
+ - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+ - uses: anchore/sbom-action/download-syft@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11
+ - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
+
+ - name: Set LDFLAGS
+ id: ldflags
+ run: |
+ source ./release/ldflags.sh
+ goflags=$(ldflags)
+ echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV"
+
+ - name: Run GoReleaser
+ id: run-goreleaser
+ uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+ with:
+ version: latest
+ args: release --clean --skip=sign --snapshot
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ LDFLAGS: ${{ env.GO_FLAGS }}
diff --git a/.github/workflows/codeql_analysis.yaml b/.github/workflows/codeql_analysis.yaml
index 2c8e9672..ea31aa99 100644
--- a/.github/workflows/codeql_analysis.yaml
+++ b/.github/workflows/codeql_analysis.yaml
@@ -42,6 +42,11 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+ with:
+ go-version-file: './go.mod'
+ check-latest: true
+
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
 uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a862703a..004cbf34 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
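Review bot: The job outputs `hashes: ${{ steps.hash.outputs.hashes }}` and `tag_name: ${{ steps.tag.outputs.tag_name }}` reference step ids that do not exist in this workflow — the only ids declared are `ldflags` and `run-goreleaser` — so both outputs are always empty; either drop the `outputs:` block or add the checksum and tag steps they were evidently copied from. The `Set LDFLAGS` step writes `echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV"`, where the inner quotes close the string and leave `${goflags}` unquoted and subject to word splitting and globbing; `echo "GO_FLAGS=${goflags}" >> "$GITHUB_ENV"` is the intended form. The action pins also diverge from the codeql change in this same commit (`actions/checkout` v4.1.4 here versus v4.1.5 there, `actions/setup-go` v5.0.0 versus v5.0.1); using one digest per action across workflows keeps the grouped Dependabot bumps moving together.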
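Review bot: The new `actions/setup-go` step is pinned to `cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1`, while `build-snapshot.yaml` added in the same commit pins `0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0`; settle on one digest for both files so the grouped `github-actions` Dependabot updates touch them in lockstep and a reviewer only has to verify one pin. The sibling steps in this hunk carry a `name:`, so for consistency add `- name: Setup Go` above the `uses:` line. The enclosing job starts outside the hunk.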
@@ -56,11 +56,14 @@ jobs:
 set -euo pipefail
 checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
 echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
-
+
 - name: Set tag output
 id: tag
 run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
+ - name: build and sign images
+ run: make sign-container-release
+
 provenance:
 needs: [release]
 permissions:
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 0d4808e6..e4885ac2 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -95,5 +95,5 @@ jobs:
 - name: golangci-lint
 uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
 with:
- version: v1.54
- args: --timeout=5m --verbose
+ version: v1.58
+ args: --timeout=10m --verbose
diff --git a/.goreleaser.yml b/.goreleaser.yml
index e6a6a6f2..9241fd07 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -11,13 +11,9 @@ before:
 hooks:
 - go mod tidy
 - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
-# if running a release we will generate the images in this step
-# if running in the CI the CI env va is set by github action runner and we dont run the ko steps
-# this is needed because we are generating files that goreleaser was not aware to push to GH project release
- - /bin/bash -c 'if [ -n "$CI" ]; then make sign-container-release; fi'
-gomod:
- proxy: true
+# gomod:
+# proxy: true
 sboms:
 - artifacts: binary
@@ -94,5 +90,5 @@ release:
 prerelease: auto
 draft: true # allow for manual edits
 github:
- owner: sigstore
+ owner: cpanato
 name: timestamp-authority
diff --git a/Dockerfile b/Dockerfile
index 30d287f0..93f2cebb 100644
--- a/Dockerfile
+++ b/Dockerfile
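Review bot: `make sign-container-release` now runs as a step of the `release` job, but the permissions that building, pushing and signing images require are declared outside this hunk; confirm the job grants `packages: write` for the registry push and `id-token: write` if the Makefile target signs with cosign keyless, since `contents: write` alone covers neither. The step also drops the rationale that the removed `.goreleaser.yml` hook comment carried; a line such as `# Build, push and sign the container images; runs here rather than as a goreleaser hook so it only ever executes inside this CI job` above it would preserve that. As far as visible, the images produced here are not part of the `hashes` output that the `provenance` job consumes, so any attestation for them comes only from whatever the Makefile target itself does.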
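Review bot: Commenting out `gomod: proxy: true` turns off GoReleaser's proxied build, in which the module is fetched through the Go module proxy and compiled from the published source rather than from the checkout, so the released binaries lose the property that they can be reproduced from the tagged module; the commit gives no reason for that regression. If the proxied build is genuinely incompatible with the new release flow, record why in a comment at that spot and delete the lines rather than leaving `# gomod:` / `# proxy: true` as dead config; otherwise restore the setting. The removed comment lines were also the only place documenting why the signing hook was gated on `$CI`, and that explanation is not carried over to the new `release.yaml` step.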
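Review bot: `owner: cpanato` points the GitHub release at a personal account instead of the `sigstore` org, and the `Makefile` hunk in this commit makes the matching change for images (`KO_PREFIX ?= ghcr.io/sigstore` becomes `ghcr.io/cpanato`); both read as values left over from exercising the new release flow in a fork. If this is meant to merge upstream, restore `owner: sigstore` here and `KO_PREFIX ?= ghcr.io/sigstore` in the Makefile, because consumers of the existing `ghcr.io/sigstore` images and release assets would otherwise stop receiving updates, and anyone pulling from the personal namespace would be trusting a publisher outside the project's organization. If the fork really is the intended target, a comment saying so next to each value would stop the next reviewer from reverting it.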
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM golang:1.21.6@sha256:7b575fe0d9c2e01553b04d9de8ffea6d35ca3ab3380d2a8db2acc8f0f1519a53 AS builder
+FROM golang:1.22.2@sha256:d5302d40dc5fbbf38ec472d1848a9d2391a13f93293a6a5b0b87c99dc0eaa6ae AS builder
 ENV APP_ROOT=/opt/app-root
 ENV GOPATH=$APP_ROOT
@@ -29,7 +29,7 @@ RUN go build -ldflags "${SERVER_LDFLAGS}" ./cmd/timestamp-server
 RUN CGO_ENABLED=0 go build -gcflags "all=-N -l" -ldflags "${SERVER_LDFLAGS}" -o timestamp-server_debug ./cmd/timestamp-server
 # Multi-Stage production build
-FROM golang:1.21.6@sha256:7b575fe0d9c2e01553b04d9de8ffea6d35ca3ab3380d2a8db2acc8f0f1519a53 as deploy
+FROM golang:1.22.2@sha256:d5302d40dc5fbbf38ec472d1848a9d2391a13f93293a6a5b0b87c99dc0eaa6ae as deploy
 # Retrieve the binary from the previous stage
 COPY --from=builder /opt/app-root/src/timestamp-server /usr/local/bin/timestamp-server
@@ -39,7 +39,7 @@ CMD ["timestamp-server", "serve"]
 # debug compile options & debugger
 FROM deploy as debug
-RUN go install github.com/go-delve/delve/cmd/dlv@v1.9.0
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.22.1
 # overwrite server and include debugger
 COPY --from=builder /opt/app-root/src/timestamp-server_debug /usr/local/bin/timestamp-server
diff --git a/Makefile b/Makefile
index 52c51a06..663d20db 100644
--- a/Makefile
+++ b/Makefile
@@ -39,7 +39,7 @@ ifeq ($(DIFF), 1)
 GIT_TREESTATE = "dirty"
 endif
-KO_PREFIX ?= ghcr.io/sigstore
+KO_PREFIX ?= ghcr.io/cpanato
 export KO_DOCKER_REPO=$(KO_PREFIX)
 # Binaries
diff --git a/cmd/fetch-tsa-certs/fetch_tsa_certs.go b/cmd/fetch-tsa-certs/fetch_tsa_certs.go
index 012cccd7..fe18517c 100644
--- a/cmd/fetch-tsa-certs/fetch_tsa_certs.go
+++ b/cmd/fetch-tsa-certs/fetch_tsa_certs.go
@@ -85,7 +85,7 @@ func fetchCertificateChain(ctx context.Context, parent, intermediateKMSKey, leaf
 if err != nil {
 return nil, err
 }
- intermediateSigner, _, err := intermediateKMSSigner.CryptoSigner(ctx, func(err error) {})
+ intermediateSigner, _, err := intermediateKMSSigner.CryptoSigner(ctx, func(_ error) {})
 if err != nil {
 return nil, err
 }
@@ -176,7 +176,7 @@ func fetchCertificateChain(ctx context.Context, parent, intermediateKMSKey, leaf
 if err != nil {
 return nil, err
 }
- leafKMSSigner, _, err = kmsSigner.CryptoSigner(ctx, func(err error) {})
+ leafKMSSigner, _, err = kmsSigner.CryptoSigner(ctx, func(_ error) {})
 if err != nil {
 return nil, err
 }
diff --git a/cmd/timestamp-cli/app/format/wrap.go b/cmd/timestamp-cli/app/format/wrap.go
index 8148b26a..e2fbb6c8 100644
--- a/cmd/timestamp-cli/app/format/wrap.go
+++ b/cmd/timestamp-cli/app/format/wrap.go
@@ -29,7 +29,7 @@ type CobraCmd func(cmd *cobra.Command, args []string)
 type formatCmd func(args []string) (interface{}, error)
 func WrapCmd(f formatCmd) CobraCmd {
- return func(cmd *cobra.Command, args []string) {
+ return func(_ *cobra.Command, args []string) {
 obj, err := f(args)
 if err != nil {
 log.CliLogger.Fatal(err)
diff --git a/cmd/timestamp-cli/app/inspect.go b/cmd/timestamp-cli/app/inspect.go
index aa724b7a..b2440348 100644
--- a/cmd/timestamp-cli/app/inspect.go
+++ b/cmd/timestamp-cli/app/inspect.go
@@ -44,13 +44,13 @@ var inspectCmd = &cobra.Command{
 Use: "inspect",
 Short: "Inspect timestamp",
 Long: "Inspect the signed timestamp response.",
- PreRunE: func(cmd *cobra.Command, args []string) error {
+ PreRunE: func(cmd *cobra.Command, _ []string) error {
 if err := viper.BindPFlags(cmd.Flags()); err != nil {
 log.CliLogger.Fatal("Error initializing cmd line args: ", err)
 }
 return nil
 },
- Run: format.WrapCmd(func(args []string) (interface{}, error) {
+ Run: format.WrapCmd(func(_ []string) (interface{}, error) {
 tsr := viper.GetString("timestamp")
 tsrBytes, err := os.ReadFile(filepath.Clean(tsr))
 if err != nil {
diff --git a/cmd/timestamp-cli/app/root.go b/cmd/timestamp-cli/app/root.go
index 45f628eb..6b5c8ac8 100644
--- a/cmd/timestamp-cli/app/root.go
+++ b/cmd/timestamp-cli/app/root.go
@@ -32,7 +32,7 @@ var rootCmd = &cobra.Command{
 Use: "timestamp-cli",
 Short: "Timestamp CLI",
 Long: `Timestamp command line interface tool`,
- PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+ PersistentPreRunE: func(cmd *cobra.Command, _ []string) error {
 return initConfig(cmd)
 },
 }
diff --git a/cmd/timestamp-cli/app/timestamp.go b/cmd/timestamp-cli/app/timestamp.go
index 42d6e331..c7e4b79f 100644
--- a/cmd/timestamp-cli/app/timestamp.go
+++ b/cmd/timestamp-cli/app/timestamp.go
@@ -60,13 +60,13 @@ var timestampCmd = &cobra.Command{
 Use: "timestamp",
 Short: "Signed timestamp command",
 Long: "Fetches a signed RFC 3161 timestamp. The timestamp response can be verified locally using a timestamp certificate chain.",
- PreRunE: func(cmd *cobra.Command, args []string) error {
+ PreRunE: func(cmd *cobra.Command, _ []string) error {
 if err := viper.BindPFlags(cmd.Flags()); err != nil {
 log.CliLogger.Fatal("Error initializing cmd line args: ", err)
 }
 return nil
 },
- Run: format.WrapCmd(func(args []string) (interface{}, error) {
+ Run: format.WrapCmd(func(_ []string) (interface{}, error) {
 return runTimestamp()
 }),
 }
diff --git a/cmd/timestamp-cli/app/verify.go b/cmd/timestamp-cli/app/verify.go
index b995b5ab..68036ce5 100644
--- a/cmd/timestamp-cli/app/verify.go
+++ b/cmd/timestamp-cli/app/verify.go
@@ -60,13 +60,13 @@ var verifyCmd = &cobra.Command{
 Use: "verify",
 Short: "Verify timestamp",
 Long: "Verify the timestamp response using a timestamp certificate chain.",
- PreRunE: func(cmd *cobra.Command, args []string) error {
+ PreRunE: func(cmd *cobra.Command, _ []string) error {
 if err := viper.BindPFlags(cmd.Flags()); err != nil {
 log.CliLogger.Fatal("Error initializing cmd line args: ", err)
 }
 return nil
 },
- Run: format.WrapCmd(func(args []string) (interface{}, error) {
+ Run: format.WrapCmd(func(_ []string) (interface{}, error) {
 return runVerify()
 }),
 }
diff --git a/cmd/timestamp-server/app/serve.go b/cmd/timestamp-server/app/serve.go
index 47bb96e1..e7b4bfbf 100644
--- a/cmd/timestamp-server/app/serve.go
+++ b/cmd/timestamp-server/app/serve.go
@@ -33,7 +33,7 @@ var serveCmd = &cobra.Command{
 Use: "serve",
 Short: "start http server with configured api",
 Long: `Starts a http server and serves the configured api`,
- Run: func(cmd *cobra.Command, args []string) {
+ Run: func(cmd *cobra.Command, _ []string) {
 if err := viper.BindPFlags(cmd.Flags()); err != nil {
 log.Logger.Fatal(err)
 }
diff --git a/go.mod b/go.mod
index d0975738..8d3ee66f 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/sigstore/timestamp-authority
-go 1.21
+go 1.22
 require (
 cloud.google.com/go/security v1.16.1
diff --git a/hack/tools/go.mod b/hack/tools/go.mod
index b02f1c53..d48c8038 100644
--- a/hack/tools/go.mod
+++ b/hack/tools/go.mod
@@ -1,6 +1,6 @@
 module github.com/sigstore/timestamp-authority/hack/tools
-go 1.21
+go 1.22
 require github.com/go-swagger/go-swagger v0.30.5
diff --git a/pkg/signer/signer.go b/pkg/signer/signer.go
index b9b9663a..ee79d53d 100644
--- a/pkg/signer/signer.go
+++ b/pkg/signer/signer.go
@@ -49,7 +49,7 @@ func NewCryptoSigner(ctx context.Context, hash crypto.Hash, signer, kmsKey, tink
 if err != nil {
 return nil, err
 }
- s, _, err := signer.CryptoSigner(ctx, func(err error) {})
+ s, _, err := signer.CryptoSigner(ctx, func(_ error) {})
 return s, err
 case TinkScheme:
 primaryKey, err := GetPrimaryKey(ctx, tinkKmsKey, hcVaultToken)