Merge branch 'main' into linting

bdhave · Dec 13, 2022 · adcba8c · adcba8c
2 parents ca415d1 + ff52b42
commit adcba8c
Show file tree

Hide file tree

Showing 8 changed files with 66 additions and 51 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -9,7 +9,7 @@
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
-name: "CodeQL"
+name: 'CodeQL'
 
 on:
   push:
@@ -18,7 +18,7 @@ on:
     # The branches below must be a subset of the branches above
     branches: [ main ]
   schedule:
-    - cron: '20 20 * * 5'
+    - cron: '20 20 * * 5' # see https://crontab.guru/ for more examples
 
 permissions:  # added using https://github.com/step-security/secure-workflows
   contents: read
@@ -29,7 +29,7 @@ jobs:
       actions: read  # for github/codeql-action/init to get workflow details
       contents: read  # for actions/checkout to fetch code
       security-events: write  # for github/codeql-action/autobuild to send a status report
-    name: Analyze
+    name: 'Analyze'
     runs-on: ubuntu-latest
 
     strategy:
@@ -41,7 +41,7 @@ jobs:
         # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
 
     steps:
-    - name: Harden Runner
+    - name: 'Harden Runner'
       uses: step-security/harden-runner@0a5820a2ec510d2521c1715d24860fc8cd06400a
       with:
         disable-sudo: true
@@ -53,12 +53,12 @@ jobs:
           storage.googleapis.com:443
           sum.golang.org:443
 
-    - name: Checkout repository
-      uses: actions/checkout@bf085276cecdb0cc76fbbe0687a5a0e786646936
+    - name: 'Checkout repository'
+      uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
 
     # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@896079047b4bb059ba6f150a5d87d47dde99e6e5
+    - name: 'Initialize CodeQL'
+      uses: github/codeql-action/init@899bf9c076bcf8a9b657dd1b6d6a8270f89f356a
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -68,8 +68,8 @@ jobs:
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@896079047b4bb059ba6f150a5d87d47dde99e6e5
+    - name: 'Autobuild'
+      uses: github/codeql-action/autobuild@899bf9c076bcf8a9b657dd1b6d6a8270f89f356a
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -82,5 +82,5 @@ jobs:
     #   make bootstrap
     #   make release
 
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@896079047b4bb059ba6f150a5d87d47dde99e6e5
+    - name: 'Perform CodeQL Analysis'
+      uses: github/codeql-action/analyze@899bf9c076bcf8a9b657dd1b6d6a8270f89f356a
diff --git a/.github/workflows/dependencies-review.yml b/.github/workflows/dependencies-review.yml
@@ -8,18 +8,19 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - name: Harden Runner
+      - name: 'Harden Runner'
         uses: step-security/harden-runner@0a5820a2ec510d2521c1715d24860fc8cd06400a
         with:
           disable-sudo: true
-          egress-policy: audit
+          egress-policy: block
           allowed-endpoints: >
+            api.github.com:443
             github.com:443
             proxy.golang.org:443
             storage.googleapis.com:443
 
       - name: 'Checkout Repository'
-        uses: actions/checkout@bf085276cecdb0cc76fbbe0687a5a0e786646936
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
 
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@df02ee7d42c1ab6f13c6035e757b83333458e51d
+        uses: actions/dependency-review-action@29022577bf5deaf5ce4e137a74d591b4c66c8b99
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -1,4 +1,4 @@
-name: Go
+name: 'Go compilation'
 
 on:
   push:
@@ -14,7 +14,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - name: Harden Runner
+    - name: 'Harden Runner'
       uses: step-security/harden-runner@0a5820a2ec510d2521c1715d24860fc8cd06400a
       with:
         disable-sudo: true
@@ -25,20 +25,21 @@ jobs:
           storage.googleapis.com:443
 
     - name: 'Checkout Repository'
-      uses: actions/checkout@bf085276cecdb0cc76fbbe0687a5a0e786646936
+      uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
 
-    - name: Set up Go
-      uses: actions/setup-go@30c39bfe0c7338d0d8e99486938f1066b2f92108
+    - name: 'Set up Go'
+      uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
       with:
         go-version: 1.19
 
-    - name: Build
+    - name: 'Build'
       run: go build -o vault4summon
 
-    - name: Test
+    - name: 'Test'
       run:  go test ./...
 
-    - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb
+    - name: 'Upload binaries'
+      uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb
       with:
         name: vault4summon linux amd64
         path: vault4summon
diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
@@ -1,4 +1,4 @@
-name: Run Gosec
+name: 'Run Gosec'
 on:
   push:
     branches:
@@ -7,7 +7,7 @@ on:
     branches:
       - master
   schedule:
-      - cron: '0 0 * * 0'
+      - cron: '0 0 * * *' # see https://crontab.guru/ for more examples
 
 permissions:  # added using https://github.com/step-security/secure-workflows
   contents: read
@@ -21,35 +21,37 @@ jobs:
     env:
       GO111MODULE: on
     steps:
-      - name: Harden Runner
+      - name: 'Harden Runner'
         uses: step-security/harden-runner@0a5820a2ec510d2521c1715d24860fc8cd06400a
         with:
           disable-sudo: true
-          egress-policy: audit
+          egress-policy: block
           allowed-endpoints: >
             github.com:443
             api.github.com:443
             proxy.golang.org:443
+            storage.googleapis.com:443
+            artifactcache.actions.githubusercontent.com:443
 
-      - name: Checkout Source
-        uses: actions/checkout@bf085276cecdb0cc76fbbe0687a5a0e786646936
+      - name: 'Checkout Source'
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
 
-      - name: Run Gosec Security Scanner
-        uses: securego/gosec@f79c584dbbec47a01a69adbe3e2e96f54bbe74d6
+      - name: 'Run Gosec Security Scanner'
+        uses: securego/gosec@f9a8bf0152af9f9bda93de373ddb3762f0d12f14
         with:
           # we let the report trigger content trigger a failure using the GitHub Security features.
           args: '-no-fail -fmt sarif -out gosec.sarif ./...'
 
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@896079047b4bb059ba6f150a5d87d47dde99e6e5
+      - name: 'Upload SARIF file'
+        uses: github/codeql-action/upload-sarif@899bf9c076bcf8a9b657dd1b6d6a8270f89f356a
         with:
           # Path to SARIF file relative to the root of the repository
           sarif_file: gosec.sarif
 
-      - name: "Upload artifact"
+      - name: 'Upload artifact'
         uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
         with:
           name: Gosec SARIF file
           path: gosec.sarif
-          retention-days: 5
+          retention-days: 7
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,22 +14,22 @@ jobs:
       contents: write  # for goreleaser/goreleaser-action to create a GitHub release
     runs-on: ubuntu-latest
     steps:
-      - name: Harden Runner
+      - name: 'Harden Runner'
         uses: step-security/harden-runner@0a5820a2ec510d2521c1715d24860fc8cd06400a
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
           allowed-endpoints: >
             github.com:443
 
-      - name: Checkout
-        uses: actions/checkout@bf085276cecdb0cc76fbbe0687a5a0e786646936
+      - name: 'Checkout'
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
 
-      - name: Set up Go
-        uses: actions/setup-go@30c39bfe0c7338d0d8e99486938f1066b2f92108
+      - name: 'Set up Go'
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
         with:
           go-version: 1.19.x
 
-      - name: Run GoReleaser
+      - name: 'Run GoReleaser'
         uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757
         with:
           distribution: goreleaser

diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
@@ -1,10 +1,10 @@
-name: Scorecards supply-chain security
+name: 'Scorecards supply-chain security'
 on:
   # Only the default branch is supported.
   branch_protection_rule:
   schedule:
     # Weekly on Saturdays.
-    - cron: '30 1 * * 6'
+    - cron: '30 1 * * 6' # see https://crontab.guru/ for more examples
   push:
     branches: [ main, master ]
 
@@ -13,7 +13,7 @@ permissions: read-all
 
 jobs:
   analysis:
-    name: Scorecards analysis
+    name: 'Scorecards analysis'
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload the results to code-scanning dashboard.
@@ -24,7 +24,7 @@ jobs:
       contents: read
 
     steps:
-      - name: Harden Runner
+      - name: 'Harden Runner'
         uses: step-security/harden-runner@0a5820a2ec510d2521c1715d24860fc8cd06400a
         with:
           disable-sudo: true
@@ -42,7 +42,7 @@ jobs:
             
 
       - name: "Checkout code"
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
         with:
           persist-credentials: false
 
@@ -74,6 +74,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@896079047b4bb059ba6f150a5d87d47dde99e6e5
+        uses: github/codeql-action/upload-sarif@899bf9c076bcf8a9b657dd1b6d6a8270f89f356a
         with:
           sarif_file: scorecards.sarif
diff --git a/.run/go build vault4summon.go.run.xml b/.run/go build vault4summon.go.run.xml
@@ -0,0 +1,11 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="go build vault4summon.go" type="GoApplicationRunConfiguration" factoryName="Go Application" nameIsGenerated="true">
+    <module name="vault4summon" />
+    <working_directory value="$PROJECT_DIR$" />
+    <parameters value="secret/hello#foo" />
+    <kind value="FILE" />
+    <directory value="$PROJECT_DIR$" />
+    <filePath value="$PROJECT_DIR$/vault4summon.go" />
+    <method v="2" />
+  </configuration>
+</component>
diff --git a/flake.lock b/flake.lock