use taskfile, binny, et. al.

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

.binny.yaml

@@ -0,0 +1,85 @@
+tools:
+  # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
+  - name: binny
+    version:
+      want: v0.6.3
+    method: github-release
+    with:
+      repo: anchore/binny
+
+  # used for linting
+  - name: golangci-lint
+    version:
+      want: v1.56.1
+    method: github-release
+    with:
+      repo: golangci/golangci-lint
+
+  # used for showing the changelog at release
+  - name: glow
+    version:
+      want: v1.5.1
+    method: github-release
+    with:
+      repo: charmbracelet/glow
+
+  # used to release
+  - name: goreleaser
+    version:
+      want: v1.24.0
+    method: github-release
+    with:
+      repo: goreleaser/goreleaser
+
+  # used for organizing imports during static analysis
+  - name: gosimports
+    version:
+      want: v0.3.8
+    method: github-release
+    with:
+      repo: rinchsan/gosimports
+
+  # used at release to generate the changelog
+  - name: chronicle
+    version:
+      want: v0.8.0
+    method: github-release
+    with:
+      repo: anchore/chronicle
+
+  # used during static analysis for license compliance
+  - name: bouncer
+    version:
+      want: v0.4.0
+    method: github-release
+    with:
+      repo: wagoodman/go-bouncer
+
+  # used for showing benchmark testing
+  - name: benchstat
+    version:
+      want: latest
+      method: go-proxy
+      with:
+        module: golang.org/x/perf
+        allow-unresolved-version: true
+    method: go-install
+    with:
+      entrypoint: cmd/benchstat
+      module: golang.org/x/perf
+
+  # used for running all local and CI tasks
+  - name: task
+    version:
+      want: v3.34.1
+    method: github-release
+    with:
+      repo: go-task/task
+
+  # used for triggering a release
+  - name: gh
+    version:
+      want: v2.43.1
+    method: github-release
+    with:
+      repo: cli/cli

.bouncer.yaml

@@ -1,9 +1,11 @@
 permit:
   - BSD.*
+  - CC0.*
   - MIT.*
   - Apache.*
   - MPL.*
-  - CC0-1.0
+  - ISC
+  - WTFPL
 
 ignore-packages:
   # crypto/internal/boring is released under the openSSL license as a part of the Golang Standard Libary

.github/actions/bootstrap/action.yaml

@@ -1,80 +1,60 @@
 name: "Bootstrap"
+
 description: "Bootstrap all tools and dependencies"
 inputs:
   go-version:
     description: "Go version to install"
     required: true
-    default: "1.19.x"
-  use-go-cache:
-    description: "Restore go cache"
+    default: "1.21.x"
+  go-dependencies:
+    description: "Download go dependencies"
     required: true
     default: "true"
   cache-key-prefix:
     description: "Prefix all cache keys with this value"
     required: true
-    default: "831180ac25"
-  build-cache-key-prefix:
-    description: "Prefix build cache key with this value"
+    default: "1ac8281053"
+  compute-fingerprints:
+    description: "Compute test fixture fingerprints"
     required: true
-    default: "f8b6d31dea"
+    default: "true"
   bootstrap-apt-packages:
     description: "Space delimited list of tools to install via apt"
     default: ""
 
+
 runs:
   using: "composite"
   steps:
-    - uses: actions/setup-go@v3
+    # note: go mod and build is automatically cached on default with v4+
+    - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0
+      if: inputs.go-version != ''
       with:
         go-version: ${{ inputs.go-version }}
 
     - name: Restore tool cache
       id: tool-cache
-      uses: actions/cache@v3
+      uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
       with:
-        path: ${{ github.workspace }}/.tmp
-        key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('Makefile') }}
+        path: ${{ github.workspace }}/.tool
+        key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('.binny.yaml') }}
 
-    # note: we need to keep restoring the go mod cache before bootstrapping tools since `go install` is used in
-    # some installations of project tools.
-    - name: Restore go module cache
-      id: go-mod-cache
-      if: inputs.use-go-cache == 'true'
-      uses: actions/cache@v3
-      with:
-        path: |
-          ~/go/pkg/mod
-        key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-go-${{ inputs.go-version }}-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ inputs.cache-key-prefix }}-${{ runner.os }}-go-${{ inputs.go-version }}-
-
-    - name: (cache-miss) Bootstrap project tools
+    - name: Install project tools
       shell: bash
-      if: steps.tool-cache.outputs.cache-hit != 'true'
-      run: make bootstrap-tools
+      run: make tools
 
-    - name: Restore go build cache
-      id: go-cache
-      if: inputs.use-go-cache == 'true'
-      uses: actions/cache@v3
-      with:
-        path: |
-          ~/.cache/go-build
-        key: ${{ inputs.cache-key-prefix }}-${{ inputs.build-cache-key-prefix }}-${{ runner.os }}-go-${{ inputs.go-version }}-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ inputs.cache-key-prefix }}-${{ inputs.build-cache-key-prefix }}-${{ runner.os }}-go-${{ inputs.go-version }}-
-
-    - name: (cache-miss) Bootstrap go dependencies
-      shell: bash
-      if: steps.go-mod-cache.outputs.cache-hit != 'true' && inputs.use-go-cache == 'true'
-      run: make bootstrap-go
-
-    - name: Bootstrap CI dependencies
+    - name: Install go dependencies
+      if: inputs.go-dependencies == 'true'
       shell: bash
-      run: make ci-bootstrap
+      run: make ci-bootstrap-go
 
     - name: Install apt packages
       if: inputs.bootstrap-apt-packages != ''
       shell: bash
       run: |
         DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y ${{ inputs.bootstrap-apt-packages }}
+
+    - name: Create all cache fingerprints
+      if: inputs.compute-fingerprints == 'true'
+      shell: bash
+      run: make fingerprints

.github/workflows/validations.yaml

@@ -108,18 +108,12 @@ jobs:
         with:
           limit-access-to-actor: true
 
-      - name: Build key for test-fixture cache
-        run: make integration-fingerprint
-
       - name: Restore integration test-fixture cache
         uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
         with:
           path: ${{ github.workspace }}/test/integration/test-fixtures/cache
           key: ${{ runner.os }}-integration-test-cache-${{ hashFiles('test/integration/test-fixtures/cache.fingerprint') }}
 
-      - name: Build key for tool cache
-        run: make integration-tools-fingerprint
-
       - name: Restore integration tool cache
         id: integration-tool-cache
         uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2

.gitignore

@@ -1,15 +1,48 @@
-/test/results/
+# local development tailoring
+go.work
+go.work.sum
+.tool-versions
+
+# app configuration
+/.syft.yaml
+
+# tool and bin directories
+.tmp/
+bin/
+/bin
+/.bin
+/build
+/dist
+/snapshot
+/.tool
+/.task
+
+# changelog generation
+CHANGELOG.md
+VERSION
+
+# IDE configuration
 .vscode/
-*.tar
 .idea/
+.server/
+.history/
+
+# test related
+*.fingerprint
+/test/results
+coverage.txt
 *.log
+
+# probable archives
 .images
-.tmp/
-*.DS_Store
-coverage.txt
-**/test-fixtures/cache/
-**/*.fingerprint
-snapshot/
+*.tar
+*.jar
+*.war
+*.ear
+*.jpi
+*.hpi
+*.zip
+*.iml
 
 # Binaries for programs and plugins
 *.exe
@@ -23,3 +56,17 @@ snapshot/
 
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
+
+# macOS Finder metadata
+.DS_STORE
+
+*.profile
+
+# attestation
+cosign.key
+cosign.pub
+
+# Byte-compiled object files for python
+__pycache__/
+*.py[cod]
+*$py.class

.golangci.yaml

@@ -1,15 +1,17 @@
-run:
-  timeout: 10m
-linters-settings:
-  funlen:
-    lines: 75
+issues:
+  max-same-issues: 25
+
+  # TODO: enable this when we have coverage on docstring comments
+#  # The list of ids of default excludes to include or disable.
+#  include:
+#    - EXC0002 # disable excluding of issues about comments from golint
+
 linters:
   # inverted configuration with `enable-all` and `disable` is not scalable during updates of golangci-lint
   disable-all: true
   enable:
     - asciicheck
     - bodyclose
-    - depguard
     - dogsled
     - dupl
     - errcheck
@@ -37,18 +39,38 @@ linters:
     - unused
     - whitespace
 
+linters-settings:
+  funlen:
+    # Checks the number of lines in a function.
+    # If lower than 0, disable the check.
+    # Default: 60
+    lines: 70
+    # Checks the number of statements in a function.
+    # If lower than 0, disable the check.
+    # Default: 40
+    statements: 50
+output:
+  uniq-by-line: false
+run:
+  timeout: 10m
+
 # do not enable...
-#    - deadcode     # The owner seems to have abandoned the linter. Replaced by "unused".
+#    - deadcode          # The owner seems to have abandoned the linter. Replaced by "unused".
+#    - depguard          # We don't have a configuration for this yet
+#    - goprintffuncname  # does not catch all cases and there are exceptions
+#    - nakedret          # does not catch all cases and should not fail a build
 #    - gochecknoglobals
 #    - gochecknoinits    # this is too aggressive
+#    - rowserrcheck disabled per generics https://github.com/golangci/golangci-lint/issues/2649
 #    - godot
 #    - godox
 #    - goerr113
-#    - golint       # deprecated
-#    - gomnd        # this is too aggressive
-#    - interfacer   # this is a good idea, but is no longer supported and is prone to false positives
-#    - lll          # without a way to specify per-line exception cases, this is not usable
-#    - maligned     # this is an excellent linter, but tricky to optimize and we are not sensitive to memory layout optimizations
+#    - goimports   # we're using gosimports now instead to account for extra whitespaces (see https://github.com/golang/go/issues/20818)
+#    - golint      # deprecated
+#    - gomnd       # this is too aggressive
+#    - interfacer  # this is a good idea, but is no longer supported and is prone to false positives
+#    - lll         # without a way to specify per-line exception cases, this is not usable
+#    - maligned    # this is an excellent linter, but tricky to optimize and we are not sensitive to memory layout optimizations
 #    - nestif
 #    - nolintlint   # as of go1.19 this conflicts with the behavior of gofmt, which is a deal-breaker (lint-fix will still fail when running lint)
 #    - prealloc     # following this rule isn't consistently a good idea, as it sometimes forces unnecessary allocations that result in less idiomatic code

.goreleaser.yaml

@@ -0,0 +1,6 @@
+release:
+  prerelease: auto
+  draft: false
+
+builds:
+  - skip: true