Initial implementation

This evolves the POC from the initial commit to an initial, somewhat usable, implementation of ghasum. This initial version supports an initialization command to start using ghasum in a project. A verification command to check stored checksums of a project against computed checksums for the actions used. And an update command to update the stored checksums of a project with newly computed checksums.
chains-project · Feb 17, 2024 · 8dc84a6 · 8dc84a6
1 parent 35dd46a
commit 8dc84a6
Show file tree

Hide file tree

Showing 87 changed files with 6,406 additions and 421 deletions.
diff --git a/.editorconfig b/.editorconfig
@@ -1,22 +1,31 @@
-# Check out EditorConfig at: https://editorconfig.org
+# Configuration file for EditorConfig (https://editorconfig.org)
 
 root=true
 
 [*]
 charset=utf-8
 insert_final_newline=true
-max_line_length=100
+max_line_length=80
 trim_trailing_whitespace=true
 
+[Containerfile*]
+indent_style=tab
+
+[LICENSE]
+indent_size=unset
+indent_style=space
+
 [*.go]
-indent_size=2
 indent_style=tab
 
 [*.md]
 indent_size=unset
 indent_style=space
 
-[LICENSE]
+[*.txtar]
 indent_size=unset
+indent_style=unset
+
+[*.yml]
+indent_size=2
 indent_style=space
-max_line_length=80
diff --git a/.gitattributes b/.gitattributes
@@ -1,3 +1,5 @@
+# Configuration file for git (https://git-scm.com/docs/gitattributes)
+
 * text=auto
 
 # don't diff machine generated files

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+# Configuration file for Dependabot (https://github.com/dependabot)
+
+version: 2
+updates:
+- package-ecosystem: github-actions
+  directory: /
+  open-pull-requests-limit: 1
+  schedule:
+    interval: daily
+    time: "03:00"
+  labels:
+  - ci/cd
+  - dependencies
+- package-ecosystem: gomod
+  directory: /
+  open-pull-requests-limit: 1
+  schedule:
+    interval: daily
+    time: "03:00"
+  labels:
+  - dependencies
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -0,0 +1,30 @@
+name: Audit
+on:
+  pull_request:
+    paths:
+    - '**/*.go'
+    - .github/workflows/audit.yml
+    - go.mod
+    - go.sum
+  push:
+    branches:
+    - main
+  schedule:
+  - cron: 0 2 * * *
+  workflow_dispatch: ~
+
+permissions: read-all
+
+jobs:
+  vulnerabilities:
+    name: Vulnerabilities
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4.1.1
+    - name: Install Go
+      uses: actions/setup-go@v5.0.0
+      with:
+        go-version-file: go.mod
+    - name: Audit
+      run: go run tasks.go audit
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -0,0 +1,96 @@
+name: Check
+on:
+  pull_request: ~
+  push:
+    branches:
+    - main
+
+permissions: read-all
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4.1.1
+    - name: Install Go
+      uses: actions/setup-go@v5.0.0
+      with:
+        go-version-file: go.mod
+    - name: Build binary
+      run: go run tasks.go build
+  dogfeed:
+    name: Dogfeed
+    runs-on: ubuntu-22.04
+    needs:
+    - test
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4.1.1
+    - name: Install Go
+      uses: actions/setup-go@v5.0.0
+      with:
+        go-version-file: go.mod
+    - name: Uninitialize ghasum
+      run: rm -f .github/workflows/gha.sum
+    - name: Run on this repository
+      run: |
+        go run ./cmd/ghasum init
+        go run ./cmd/ghasum verify
+  format:
+    name: Format
+    runs-on: ubuntu-22.04
+    needs:
+    - build
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4.1.1
+    - name: Install Go
+      uses: actions/setup-go@v5.0.0
+      with:
+        go-version-file: go.mod
+    - name: Check source code formatting
+      run: go run tasks.go format-check
+  reproducible:
+    name: Reproducible build
+    runs-on: ubuntu-22.04
+    needs:
+    - build
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4.1.1
+    - name: Install Go
+      uses: actions/setup-go@v5.0.0
+      with:
+        go-version-file: go.mod
+    - name: Check reproducibility
+      run: go run tasks.go reproducible
+  test:
+    name: Test
+    runs-on: ubuntu-22.04
+    needs:
+    - build
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4.1.1
+    - name: Install Go
+      uses: actions/setup-go@v5.0.0
+      with:
+        go-version-file: go.mod
+    - name: Run tests
+      run: go run tasks.go coverage
+  vet:
+    name: Vet
+    runs-on: ubuntu-22.04
+    needs:
+    - build
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4.1.1
+    - name: Install Go
+      uses: actions/setup-go@v5.0.0
+      with:
+        go-version-file: go.mod
+    - name: Vet source code
+      run: go run tasks.go vet
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,28 @@
+name: CodeQL
+on:
+  pull_request: ~
+  push:
+    branches:
+    - main
+
+permissions: read-all
+
+jobs:
+  go:
+    name: Go
+    runs-on: ubuntu-22.04
+    permissions:
+      security-events: write # To upload CodeQL results
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4.1.1
+    - name: Install Go
+      uses: actions/setup-go@v5.0.0
+      with:
+        go-version-file: go.mod
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3.24.3
+      with:
+        languages: go
+    - name: Perform CodeQL analysis
+      uses: github/codeql-action/analyze@v3.24.3
diff --git a/.github/workflows/gha.sum b/.github/workflows/gha.sum
@@ -0,0 +1,6 @@
+version 1
+
+actions/checkout@v4.1.1 Xl8z/l21IIpcBDsjpnq7jsBPk/RY26RwvDVL8FrajmE=
+actions/setup-go@v5.0.0 lSvPPozeojJimtMLZ7cX1J/h8r1i30yGoTYQbst/jA4=
+github/codeql-action@v3.24.3 GLS8dPEK5utIAgML5u2KUEdc7VhRnelkSnA8wJmaYHk=
+ncipollo/release-action@v1.14.0 +JAIlT/RB99JgfxlDrAcAdBnaKX4y8hyFWnHc4j7tfM=
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,34 @@
+name: Publish
+on:
+  push:
+    tags:
+    - v[0-9]+.[0-9]+.[0-9]+
+
+permissions: read-all
+
+jobs:
+  github-release:
+    name: GitHub Release
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: write # To create a GitHub Release
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4.1.1
+    - name: Install Go
+      uses: actions/setup-go@v5.0.0
+      with:
+        go-version-file: go.mod
+    - name: Get release version
+      id: version
+      shell: bash
+      run: echo "value=${GITHUB_REF#refs/tags/}" >>"${GITHUB_OUTPUT}"
+    - name: Compile
+      run: go run tasks.go build-all
+    - name: Create GitHub release
+      uses: ncipollo/release-action@v1.14.0
+      with:
+        tag: ${{ steps.version.outputs.value }}
+        name: Release ${{ steps.version.outputs.value }}
+        body: ${{ steps.version.outputs.value }}
+        artifacts: ./_compiled/*
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -0,0 +1,28 @@
+name: Semgrep
+on:
+  push:
+    branches:
+    - main
+
+permissions: read-all
+
+jobs:
+  semgrep:
+    name: Semgrep
+    runs-on: ubuntu-22.04
+    permissions:
+      security-events: write # To upload SARIF results
+    container:
+      image: returntocorp/semgrep
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4.1.1
+    - name: Perform Semgrep analysis
+      run: semgrep ci --sarif --output semgrep.sarif
+      env:
+        SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+    - name: Upload Semgrep report to GitHub
+      uses: github/codeql-action/upload-sarif@v3.24.3
+      if: ${{ failure() || success() }}
+      with:
+        sarif_file: semgrep.sarif
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,9 @@
-gha.sum
+# Ignore file for git (https://git-scm.com/docs/gitignore)
+
+/_compiled/
+/cover.html
+/cover.out
+/ghasum*
 
 ## IDEs
 .idea/

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,50 @@
+<!-- SPDX-License-Identifier: CC0-1.0 -->
+
+# Contributing Guidelines
+
+The maintainers of `ghasum` welcome contributions and corrections. This includes
+improvements to the documentation or code base, tests, bug fixes, and
+implementations of new features. We recommend you open an issue before making
+any substantial changes so you can be sure your work won't be rejected. But for
+small changes, such as fixing a typo, you can open a Pull Request directly.
+
+If you decide to make a contribution, please use the following workflow:
+
+- Fork the repository.
+- Create a new branch from the latest `main`.
+- Make your changes on the new branch.
+- Commit to the new branch and push the commit(s).
+- Open a Pull Request against `main`.
+
+## Prerequisites
+
+To be able to contribute you need the following tooling:
+
+- [git];
+- [Go] v1.21.5 or later;
+- (Recommended) a code editor with [EditorConfig] support;
+
+Or a [OCI] compatible container engine, in which case you can run an ephemeral
+development container using the command `go run tasks.go dev-env`  (if you don't
+have [Go] installed, manually run the commands from the `TaskDevEnv` function in
+the `tasks.go` file).
+
+## Tasks
+
+This project uses a custom Go-based task runner to run common tasks. To get
+started run:
+
+```shell
+go run tasks.go
+```
+
+We recommend configuring the following command alias:
+
+```shell
+alias gask='go run tasks.go'
+```
+
+[editorconfig]: https://editorconfig.org/
+[git]: https://git-scm.com/
+[go]: https://go.dev/
+[oci]: https://opencontainers.org/
diff --git a/Containerfile.dev b/Containerfile.dev
@@ -0,0 +1,31 @@
+# MIT No Attribution
+#
+# Copyright (c) 2024 Eric Cornelissen
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+FROM docker.io/golang:1.22.0-alpine3.19
+
+RUN apk add --no-cache \
+	bash git perl-utils zip \
+	&& \
+	echo "alias gask='go run tasks.go'" >~/.bashrc
+
+WORKDIR /ghasum
+COPY go.mod go.sum ./
+RUN go mod download
+
+ENTRYPOINT ["/bin/bash"]