diff --git a/.github/.env.base b/.github/.env.base
index 3e70e55..9db2fc4 100644
--- a/.github/.env.base
+++ b/.github/.env.base
@@ -147,7 +147,7 @@ GO_COVERAGE_PROVIDER=internal
 CODECOV_TOKEN_REQUIRED=false
 
 # Go Coverage Tool Version
-GO_COVERAGE_VERSION=v1.1.12 # https://github.com/mrz1836/go-coverage
+GO_COVERAGE_VERSION=v1.1.13 # https://github.com/mrz1836/go-coverage/releases
 GO_COVERAGE_USE_LOCAL=false # Use local version for development
 
 # Core Coverage Settings
@@ -232,12 +232,12 @@ REDIS_CACHE_FORCE_PULL=false # Force pull Redis images even when cache
 # 🪄 MAGE-X CONFIGURATION
 # ================================================================================================
 
-MAGE_X_VERSION=v1.7.12 # https://github.com/mrz1836/mage-x/releases
+MAGE_X_VERSION=v1.7.13 # https://github.com/mrz1836/mage-x/releases
 MAGE_X_USE_LOCAL=false # Use local version for development
 MAGE_X_AUTO_DISCOVER_BUILD_TAGS=true # Enable auto-discovery of build tags
 MAGE_X_AUTO_DISCOVER_BUILD_TAGS_EXCLUDE=race,custom # Comma-separated list of tags to exclude
 MAGE_X_FORMAT_EXCLUDE_PATHS=vendor,node_modules,.git,.idea # Format exclusion paths (comma-separated directories to exclude from formatting)
-MAGE_X_GITLEAKS_VERSION=8.28.0 # https://github.com/gitleaks/gitleaks/releases
+MAGE_X_GITLEAKS_VERSION=8.29.0 # https://github.com/gitleaks/gitleaks/releases
 MAGE_X_GOFUMPT_VERSION=v0.9.2 # https://github.com/mvdan/gofumpt/releases
 MAGE_X_GOLANGCI_LINT_VERSION=v2.6.1 # https://github.com/golangci/golangci-lint/releases
 MAGE_X_GORELEASER_VERSION=v2.12.7 # https://github.com/goreleaser/goreleaser/releases
@@ -291,7 +291,7 @@ NANCY_EXCLUDES=CVE-2024-38513,CVE-2023-45142
 # Github Secret(s): OSSI_USERNAME and OSSI_TOKEN
 
 # Security Tools
-GITLEAKS_VERSION=8.28.0 # https://github.com/gitleaks/gitleaks/releases
+GITLEAKS_VERSION=8.29.0 # https://github.com/gitleaks/gitleaks/releases
 GOVULNCHECK_VERSION=v1.1.4 # https://pkg.go.dev/golang.org/x/vuln
 NANCY_VERSION=v1.0.51 # https://github.com/sonatype-nexus-community/nancy/releases
 
@@ -300,7 +300,7 @@ NANCY_VERSION=v1.0.51 # https://github.com/sonatype-nexus-commu
 # ================================================================================================
 
 # Pre-Commit System
-GO_PRE_COMMIT_VERSION=v1.3.5 # https://github.com/mrz1836/go-pre-commit
+GO_PRE_COMMIT_VERSION=v1.4.1 # https://github.com/mrz1836/go-pre-commit/releases
 GO_PRE_COMMIT_USE_LOCAL=false # Use local version for development
 
 # System Settings
@@ -322,6 +322,7 @@ GO_PRE_COMMIT_ALL_FILES=true
 GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.6.1 # https://github.com/golangci/golangci-lint/releases
 GO_PRE_COMMIT_FUMPT_VERSION=v0.9.2 # https://github.com/mvdan/gofumpt/releases
 GO_PRE_COMMIT_GOIMPORTS_VERSION=latest # https://github.com/golang/tools
+GO_PRE_COMMIT_GITLEAKS_VERSION=v8.29.0 # https://github.com/gitleaks/gitleaks/releases
 
 # Build tags for golangci-lint and other tools
 GO_PRE_COMMIT_BUILD_TAGS=
@@ -335,6 +336,8 @@ GO_PRE_COMMIT_ENABLE_MOD_TIDY=true
 GO_PRE_COMMIT_ENABLE_WHITESPACE=true
 GO_PRE_COMMIT_ENABLE_EOF=true
 GO_PRE_COMMIT_ENABLE_AI_DETECTION=true
+GO_PRE_COMMIT_ENABLE_GITLEAKS=true
+GO_PRE_COMMIT_GITLEAKS_ALL_FILES=false
 
 # Auto-staging Settings
 GO_PRE_COMMIT_FMT_AUTO_STAGE=true
@@ -353,6 +356,7 @@ GO_PRE_COMMIT_MOD_TIDY_TIMEOUT=60
 GO_PRE_COMMIT_WHITESPACE_TIMEOUT=30
 GO_PRE_COMMIT_EOF_TIMEOUT=30
 GO_PRE_COMMIT_AI_DETECTION_TIMEOUT=30
+GO_PRE_COMMIT_GITLEAKS_TIMEOUT=60
 
 # Path Configuration
 GO_PRE_COMMIT_HOOKS_PATH=.git/hooks
diff --git a/.github/workflows/fortress-pre-commit.yml b/.github/workflows/fortress-pre-commit.yml
index 81be627..5cbb89f 100644
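Review bot: `GO_PRE_COMMIT_GITLEAKS_VERSION=v8.29.0` in the `@@ -322` hunk is the third independent pin of the same gitleaks release in this file, and the only one written with a `v` prefix, while `GITLEAKS_VERSION=8.29.0` and `MAGE_X_GITLEAKS_VERSION=8.29.0` in the earlier hunks are bare. Whether the consumer tolerates either form cannot be told from here; if go-pre-commit builds a download URL or release tag from the raw value, a format mismatch would only surface at hook install time. Stating the expected format and the lockstep requirement inline would make the next bump safer, e.g. `GO_PRE_COMMIT_GITLEAKS_VERSION=v8.29.0 # https://github.com/gitleaks/gitleaks/releases (keep in sync with GITLEAKS_VERSION and MAGE_X_GITLEAKS_VERSION)`.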
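Review bot: `GO_PRE_COMMIT_GITLEAKS_ALL_FILES=false` in the `@@ -335` hunk is added without the inline comment almost every other key in this file carries, and the `@@ -322` hunk header shows the global `GO_PRE_COMMIT_ALL_FILES=true`, so a reader cannot tell whether this narrows secret scanning to staged files while the other checks still run over the whole tree. A narrower scan is a genuine difference in coverage for a security control, so the intended scope belongs on the line, e.g. `GO_PRE_COMMIT_GITLEAKS_ALL_FILES=false # Scan only staged files; GO_PRE_COMMIT_ALL_FILES does not widen this check — TODO confirm against go-pre-commit docs`. If that reading is wrong, the comment should state what the flag actually governs.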
--- a/.github/workflows/fortress-pre-commit.yml
+++ b/.github/workflows/fortress-pre-commit.yml
@@ -139,7 +139,7 @@ jobs: with: path: | ~/.cache/go-pre-commit-tools - key: ${{ inputs.primary-runner }}-go-pre-commit-tools-golangci-${{ env.GO_PRE_COMMIT_GOLANGCI_LINT_VERSION }}-fumpt-${{ env.GO_PRE_COMMIT_FUMPT_VERSION }} + key: ${{ inputs.primary-runner }}-go-pre-commit-tools-golangci-${{ env.GO_PRE_COMMIT_GOLANGCI_LINT_VERSION }}-fumpt-${{ env.GO_PRE_COMMIT_FUMPT_VERSION }}-gitleaks-${{ env.GO_PRE_COMMIT_GITLEAKS_VERSION }}-goimports-${{ env.GO_PRE_COMMIT_GOIMPORTS_VERSION }} - name: 🛠️ Make cached go-pre-commit and tools usable if: env.GO_PRE_COMMIT_USE_LOCAL != 'true'
@@ -256,20 +256,22 @@ jobs: echo "" echo "🔧 Tool Versions:" echo " • Max File Size: ${{ env.GO_PRE_COMMIT_MAX_FILE_SIZE_MB }} MB" - echo " • golangci-lint: ${{ env.GO_PRE_COMMIT_GOLANGCI_LINT_VERSION }}" + echo " • gitleaks: ${{ env.GO_PRE_COMMIT_GITLEAKS_VERSION }}" echo " • gofumpt: ${{ env.GO_PRE_COMMIT_FUMPT_VERSION }}" echo " • goimports: ${{ env.GO_PRE_COMMIT_GOIMPORTS_VERSION }}" + echo " • golangci-lint: ${{ env.GO_PRE_COMMIT_GOLANGCI_LINT_VERSION }}" echo "" echo "📁 Configuration:" echo " • Exclude Patterns: ${{ env.GO_PRE_COMMIT_EXCLUDE_PATTERNS }}" echo " • Color Output: ${{ env.GO_PRE_COMMIT_COLOR_OUTPUT }}" echo "" echo "🔧 Individual Checks:" + echo " • eof: ${{ env.GO_PRE_COMMIT_ENABLE_EOF }}" echo " • fumpt: ${{ env.GO_PRE_COMMIT_ENABLE_FUMPT }}" + echo " • gitleaks: ${{ env.GO_PRE_COMMIT_ENABLE_GITLEAKS }}" echo " • lint: ${{ env.GO_PRE_COMMIT_ENABLE_LINT }}" echo " • mod-tidy: ${{ env.GO_PRE_COMMIT_ENABLE_MOD_TIDY }}" echo " • whitespace: ${{ env.GO_PRE_COMMIT_ENABLE_WHITESPACE }}" - echo " • eof: ${{ env.GO_PRE_COMMIT_ENABLE_EOF }}" echo "" echo "=================================================="
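Review bot: The rebuilt `key:` in the `@@ -139` hunk now embeds `${{ env.GO_PRE_COMMIT_GOIMPORTS_VERSION }}`, but `.env.base` in this same commit sets `GO_PRE_COMMIT_GOIMPORTS_VERSION=latest`, so that component is a constant string and the key never rotates when upstream goimports changes; whatever binary was first built under "latest" stays in `~/.cache/go-pre-commit-tools` for the life of the cache entry. Adding `-gitleaks-${{ env.GO_PRE_COMMIT_GITLEAKS_VERSION }}` does bust the cache on a gitleaks bump, which is the intended effect, but for goimports either pin a real tag in `.env.base` or note in a comment above `key:` that the goimports component is informational only. The `with:` block shows no `restore-keys`, so a stale primary key is the only key consulted. The cache step's `uses:` line sits above the hunk.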
@@ -622,20 +624,16 @@ jobs: fi # Clean and filter output (colors should be disabled but handle any remaining codes) - # Remove any remaining ANSI codes and filter redundant summary lines + # Remove any remaining ANSI codes but preserve all check results echo "$CHECKS_OUTPUT" | \ sed -E 's/\x1b\[[0-9;]*[mGKH]//g' | \ sed 's/\xc2\x9b\[[0-9;]*[mGKH]//g' | \ sed 's/�\[[0-9;]*[mGKH]//g' | \ sed 's/�//g' | \ - tr -d '\033' | \ - grep -v '^✓.*check passed$' | \ - grep -v '^✓.*completed successfully$' | \ - grep -v '^✓.*passed on.*file' | \ - grep -v '^✓ All checks passed!' + tr -d '\033' # Extract executed checks from output (if format allows) - EXECUTED_CHECKS=$(echo "$CHECKS_OUTPUT" | grep -E "Running:|Executing:|✓" | sed 's/.*Running: //;s/.*Executing: //;s/.*✓ //' | tr '\n' ',' | sed 's/,$//' || echo "fumpt,lint,mod-tidy,whitespace,eof") + EXECUTED_CHECKS=$(echo "$CHECKS_OUTPUT" | grep -E "Running:|Executing:|✓" | sed 's/.*Running: //;s/.*Executing: //;s/.*✓ //' | tr '\n' ',' | sed 's/,$//' || echo "fumpt,lint,mod-tidy,whitespace,eof,gitleaks") echo "executed=$EXECUTED_CHECKS" >> $GITHUB_OUTPUT if [ "${CHECKS_EXIT:-0}" -ne 0 ]; then
@@ -722,7 +720,7 @@ jobs: fi echo "### 🔍 Checks Executed" >> $GITHUB_STEP_SUMMARY - CHECKS="${{ steps.run-checks.outputs.executed || 'fumpt,lint,mod-tidy,whitespace,eof' }}" + CHECKS="${{ steps.run-checks.outputs.executed || 'fumpt,lint,mod-tidy,whitespace,eof,gitleaks' }}" echo "$CHECKS" | tr ',' '\n' | while read check; do if [ -n "$check" ]; then echo "- ✅ $check" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/fortress-security-scans.yml b/.github/workflows/fortress-security-scans.yml
index abb117c..a4df452 100644
--- a/.github/workflows/fortress-security-scans.yml
+++ b/.github/workflows/fortress-security-scans.yml
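Review bot: The fallback in the `EXECUTED_CHECKS=$(... || echo "fumpt,lint,mod-tidy,whitespace,eof,gitleaks")` line of the `@@ -622` hunk now reports gitleaks as executed whenever the real list cannot be recovered, and the `@@ -722` hunk repeats the same default for the step summary, so a run with `GO_PRE_COMMIT_ENABLE_GITLEAKS=false`, a failed tool install, or output in an unexpected format still prints `- ✅ gitleaks`. For a secret-scanning control, a summary that asserts the check ran when it did not is the wrong failure mode; the default list should be built from the `GO_PRE_COMMIT_ENABLE_*` flags, or the summary should print `unknown` when `steps.run-checks.outputs.executed` is empty rather than substituting a fixed list. Note also that unless this `run:` block sets `pipefail` (which would be above the hunk), the `||` only fires if the final `sed` fails, so a grep with no matches yields an empty string rather than the fallback. The enclosing `run:` block starts and ends outside the hunk.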
@@ -391,7 +391,7 @@ jobs: - name: 🔍 Run gitleaks scan if: steps.repo-check.outputs.is_same_repo == 'true' - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v8.27.2 + uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9 env: GITHUB_TOKEN: ${{ secrets.github-token }} GITLEAKS_LICENSE: ${{ secrets.gitleaks-license }}
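Review bot: Only the trailing comment on the `uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7` line changed (`# v8.27.2` to `# v2.3.9`) while the SHA is unchanged, so nothing in the diff shows which tag the pinned commit actually corresponds to; the label is the only human-readable signal on a SHA pin, so please confirm that commit resolves to the action's `v2.3.9` tag before merging. Separately, this step passes no gitleaks version, so the scanner the action runs is whatever the action selects, while the pre-commit hook is now pinned to `8.29.0` via `.env.base`; if the action honours a `GITLEAKS_VERSION` environment variable (I believe it does, but verify against the action's README) and `.env.base` is loaded into `env` here as it is in fortress-pre-commit.yml, adding `GITLEAKS_VERSION: ${{ env.GITLEAKS_VERSION }}` under `env:` would keep both scanners on the same rule set. The step's `env:` block may continue past the end of the hunk.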