OPS-4460 - Github actions for pr validation

.github/workflows/ci.yml

@@ -1,27 +1,38 @@
+name: CI
 on:
   push:
   workflow_dispatch:
 
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build-with-coverage:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+
       - name: Unshallow
         run: git fetch --prune --unshallow
+
       - name: Configure git for private modules
         env:
           TOKEN: ${{ secrets.SPECTRO_TOKEN }}
           USER: ${{ secrets.SPECTRO_USER }}
         run: git config --global url."https://${USER}:${TOKEN}@github.com".insteadOf "https://github.com"
+
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.21
+          go-version-file: go.mod
+
       - name: Vet
         run: make vet
+
       - name: Lint
         run: make lint
+
       - name: Test
         run: make test

.github/workflows/gitleaks.yml → .github/workflows/gitleaks-pr-validation.yaml

@@ -1,22 +1,19 @@
-name: GitLeaks
+name: GitLeaksPRValidation
+on: [pull_request]
 
-on:
-  pull_request:
-    branches:
-    - main
-  workflow_dispatch: {}
+concurrency:
+  group: gitleaks-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
-  gitleaks-scan:
+  gitleaks-pr-scan:
     runs-on: ubuntu-latest
     container:
-      image: gcr.io/spectro-common-dev/fayasa/bulwark:latest
+      image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest
       env:
         REPO: ${{ github.event.repository.name }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      credentials:
-        username: _json_key
-        password: ${{ secrets.GCR_SPCD_JSON_KEY }}
+        GITLEAKS_CONFIG: /workspace/config.toml
     steps:
 
       - name: run-bulwark-gitleaks-scan
@@ -36,4 +33,4 @@ jobs:
             exit 1
           else 
             echo "GitLeaks validation check passed"
-          fi
+          fi

.github/workflows/golicense-pr-validation.yaml

@@ -0,0 +1,26 @@
+name: GoLicensesPRValidation
+on: [pull_request]
+
+concurrency:
+  group: go-licenses-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  go-licenses-pr-scan:
+    runs-on: ubuntu-latest
+    container:
+      image: gcr.io/spectro-images-public/golang:1.22-alpine
+    steps:
+      - name: install-go-licenses
+        run: GOBIN=/usr/local/bin go install github.com/google/go-licenses@latest
+
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: set-github-access
+        run: |
+          /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf https://github
+          /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf git@github
+
+      - name: go-licenses-scan
+        run: go-licenses check --ignore github.com/spectrocloud ./...

.github/workflows/gosec-pr-validation.yaml

@@ -0,0 +1,38 @@
+name: GoSecPRValidation
+on: [pull_request]
+
+concurrency:
+  group: gosec-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  gosec-pr-scan:
+    runs-on: ubuntu-latest
+    container:
+      image: gcr.io/spectro-dev-public/bulwark/gosec:latest
+      env:
+        REPO: ${{ github.event.repository.name }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: gosec-scan
+        shell: sh
+        env:
+          BRANCH: ${{ github.head_ref || github.ref_name }}
+          GO111MODULE: on
+        run: /workspace/bulwark -name CodeSASTGoSec -verbose -target $REPO -tags "branch:$BRANCH,rules:-G101"
+
+      - name: check-result
+        shell: sh
+        run: |
+          resultPath=$REPO-result.json
+          issues=$(cat $resultPath | jq -r '.Stats.found')
+          echo "Found ${issues} issues"
+          echo "Issues by Rule ID"
+          jq -r '.Issues | group_by (.rule_id)[] | {rule: .[0].rule_id, count: length}' $resultPath
+          if [ "$issues" -gt 0 ]; then
+            echo "GoSec SAST scan failed with below findings..."
+            cat $resultPath
+            exit 1
+          else 
+            echo "GoSec SAST scan passed"
+          fi

.github/workflows/govulncheck-pr-validation.yaml

@@ -0,0 +1,28 @@
+name: GoVulnCheckPRValidation
+on: [pull_request]
+
+concurrency:
+  group: govulncheck-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  govulncheck-pr-scan:
+    runs-on: security-runner
+    container:
+      image: gcr.io/spectro-images-public/golang:1.22-alpine
+    steps:
+      - name: install-govulncheck
+        run: GOBIN=/usr/local/bin go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: set-github-access
+        run: |
+          /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf https://github
+          /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf git@github
+
+      - name: govulncheck-scan
+        run: |
+          go version
+          govulncheck -mode source ./...

client/addon_deployment_update.go

@@ -52,8 +52,8 @@ func (h *V1Client) PatchWithRetry(params *clientV1.V1SpectroClustersPatchProfile
 	var err error
 	rand.NewSource(time.Now().UnixNano())
 	for attempt := 0; attempt < h.retryAttempts; attempt++ {
-		// small jitter to prevent simultaneous retries
-		s := rand.Intn(h.retryAttempts) // n will be between 0 and number of retries
+		// small jitter to prevent simultaneous retries. n will be between 0 and number of retries.
+		s := rand.Intn(h.retryAttempts) // #nosec G404 - random number is not used for security purposes
 		log.Printf("Sleeping %d seconds, retry: %d, cluster:%s, profile:%s, ", s, attempt, params.UID, params.Body.Profiles[0].UID)
 		time.Sleep(time.Duration(s) * time.Second)
 		err = h.ClustersPatchProfiles(params)

client/client.go

@@ -206,7 +206,7 @@ func (h *V1Client) httpClient() *http.Client {
 		Transport: &http.Transport{
 			Proxy: http.ProxyFromEnvironment,
 			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: h.insecureSkipVerify,
+				InsecureSkipVerify: h.insecureSkipVerify, // #nosec G402 - InsecureSkipVerify is enabled via user input
 			},
 		},
 	}

go.mod

@@ -1,8 +1,6 @@
 module github.com/spectrocloud/palette-sdk-go
 
-go 1.21
-
-toolchain go1.21.1
+go 1.22
 
 require (
 	github.com/go-openapi/runtime v0.26.0