196 changes: 114 additions & 82 deletions .github/workflows/compliance.yml
Expand Up @@ -19,34 +19,15 @@ permissions:
contents: read

jobs:
REUSE:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1

- name: REUSE Compliance Check
uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 #v6.0.0

CheckSignedOffCommit:
if: >
github.event_name == 'push' &&
!contains(github.actor, '[bot]') &&
!contains(github.event.pusher.name, '[bot]') &&
github.event.pusher.name != 'web-flow'
CheckSignedOff:
if: github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'bypass-dco')
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
with:
egress-policy: audit

Expand All @@ -56,14 +37,26 @@ jobs:
fetch-depth: 0

- name: Determine pushed commits
id: range
if: >
github.event_name == 'push'
env:
# Use GitHub-provided SHAs to build the range for this push
BEFORE: ${{ github.event.before }}
AFTER: ${{ github.sha }}
GH_ACTOR: ${{ github.actor }}
GH_PUSHER: ${{ github.event.pusher.name }}
run: |
set -euo pipefail

# Bot / web-flow pushes: create empty file so later steps succeed
if echo "$GH_ACTOR" | grep -Fq '[bot]' \
|| echo "$GH_PUSHER" | grep -Fq '[bot]' \
|| [ "$GH_PUSHER" = "web-flow" ]
then
touch shas.txt
exit 0
fi

if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]
then
# New branch or force push without previous SHA
Expand All @@ -72,10 +65,25 @@ jobs:
git rev-list --no-merges "$BEFORE".."$AFTER" > shas.txt
fi

- name: Get PR commits
if: github.event_name == 'pull_request'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail

# Fetch all commits of the PR with pagination and extract SHAs
gh api -H "Accept: application/vnd.github+json" --paginate \
repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
| jq -r '.[].sha' > shas.txt

- name: Check for Signed-off-by
env:
GH_ACTOR: ${{ github.actor }}
GH_NAME: ${{ github.event.pusher.name }}
GH_NAME: ${{ github.event_name == 'push' && github.event.pusher.name
|| github.event.pull_request.user.login }}
GH_NAME_SOURCE: ${{ github.event_name == 'push' && 'github.event.pusher.name'
|| 'github.event.pull_request.user.login' }}
run: |
set -euo pipefail
missing=""
Expand All @@ -102,27 +110,51 @@ jobs:
echo "Commit $sha missing Signed-off-by"
missing="true"

echo "Committer name: $committer_name"
echo "Committer email: $committer_email"
echo "github.actor: $GH_ACTOR"
echo "github.event.pusher.name: $GH_NAME"
printf "%-38s %s" "Committer name:" "$committer_name"
printf "%-38s %s" "Committer email:" "$committer_email"
printf "%-38s %s" "github.actor:" "$GH_ACTOR"
printf "%-38s %s" "$GH_NAME_SOURCE:" "$GH_NAME"
fi
done < shas.txt

if [ "$missing" = "true" ]
then
echo "DCO check failed on push"
echo "DCO check failed for commits"
exit 1
fi

echo "All pushed commits are signed"
echo "All commits are signed"

CheckSignedOffPullRequest:
if: github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'bypass-dco')
FormatCheck:
strategy:
matrix:
go-version:
- "stable"
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit

- name: Install Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: ${{matrix.go-version}}

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1

- name: FormatCheck
run: if [ `go fmt ./... | wc -l` -gt 0 ] ; then echo "Found unformatted code" ; exit 1 ; else exit 0 ; fi

GolangCI:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
security-events: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
Expand All @@ -132,61 +164,61 @@ jobs:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
fetch-depth: 1

- name: Get PR commits
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
gh --version
jq --version
- name: Run golangci-lint
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
with:
version: latest
args: --timeout=5m --output.sarif.path=golangci-lint-results.sarif --output.text.path=stdout

# Fetch all commits of the PR with pagination and extract SHAs
gh api -H "Accept: application/vnd.github+json" --paginate \
repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
| jq -r '.[].sha' > shas.txt
- name: Upload golangci-lint results to GitHub Security tab
uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
with:
sarif_file: golangci-lint-results.sarif

- name: Check for Signed-off-by
env:
GH_ACTOR: ${{ github.actor }}
GH_NAME: ${{ github.event.pull_request.user.login}}
run: |
set -euo pipefail
missing=""
REUSE:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit

while read -r sha
do
[ -n "$sha" ] || continue
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1

# Skip commits from bots
committer_name=`git log --format=%cn -n 1 "$sha"`
committer_email=`git log --format=%ce -n 1 "$sha"`
if echo "$committer_name" | grep -Fq '[bot]' \
|| [ "$committer_name" = "web-flow" ] \
|| echo "$committer_email" | grep -Eqi 'noreply@github\.com$|@users\.noreply\.github\.com$'
then
echo "Skipping commit $sha from $committer_name <$committer_email>"
continue
fi
- name: REUSE Compliance Check
uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 #v6.0.0

msg=`git log --format=%B -n 1 "$sha"`
StaticCheck:
strategy:
matrix:
go-version:
- "stable"
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit

if ! printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:'
then
echo "Commit $sha missing Signed-off-by"
missing="true"
- name: Install Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: ${{matrix.go-version}}

echo "Committer name: $committer_name"
echo "Committer email: $committer_email"
echo "github.actor: $GH_ACTOR"
echo "github.event.pull_request.user.login: $GH_NAME"
fi
done < shas.txt
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1

if [ "$missing" = "true" ]
then
echo "DCO check failed"; exit 1
fi
- name: StaticCheck
uses: dominikh/staticcheck-action@9716614d4101e79b4340dd97b10e54d68234e431 # v1.4.1
with:
version: latest
install-go: false
cache-key: ${{matrix.go-version}}

echo "All commits are signed"
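Review bot: The four `printf "%-38s %s"` calls that replace the old `echo` diagnostics in the Check for Signed-off-by step have no `\n` in the format string, so, as rendered here, the committer name, email, github.actor and pusher/login values are emitted as a single run-on line and whatever the script prints next is appended to it. Change each to the form `printf "%-38s %s\n" "Committer name:" "$committer_name"` (same for the email, actor and `$GH_NAME_SOURCE` lines). Separately, CheckSignedOff now pins step-security/harden-runner at v2.19.1 while FormatCheck, GolangCI, REUSE and StaticCheck in the same file still pin v2.19.0; pinning one revision file-wide keeps the egress-policy audit of that action consistent across jobs. The `run: |` script containing the printf lines is cut by the hunk boundary, so its surrounding loop is only partly visible.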
2 changes: 1 addition & 1 deletion .github/workflows/scorecard.yml
Expand Up @@ -16,7 +16,7 @@ on:
- cron: '36 3 * * 2'
push:
branches:
- master
- "master"

# Declare default permissions as read-only.
permissions: read-all
43 changes: 8 additions & 35 deletions .github/workflows/security.yml
Expand Up @@ -15,37 +15,10 @@ on:
permissions: read-all

jobs:
GolangCI:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1

- name: Run golangci-lint
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
with:
version: latest
args: --timeout=5m --output.sarif.path=golangci-lint-results.sarif --output.text.path=stdout

- name: Upload golangci-lint results to GitHub Security tab
uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
with:
sarif_file: golangci-lint-results.sarif

TrivyCode:
runs-on: ubuntu-latest
permissions:
contents: read
contents: read
security-events: write
steps:
- name: Harden Runner
Expand All @@ -59,11 +32,11 @@ jobs:
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0
with:
scan-type: 'fs'
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
Expand All @@ -77,7 +50,7 @@ jobs:
- "stable"
runs-on: ubuntu-latest
permissions:
contents: read
contents: read
security-events: write
steps:
- name: Harden Runner
Expand All @@ -89,8 +62,8 @@ jobs:
uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
with:
go-version-input: ${{matrix.go-version}}
output-format: sarif
output-file: govulncheck-results.sarif
output-format: sarif
output-file: govulncheck-results.sarif

- name: Print Sarif
id: printSarif