Some updates on CI, add new jobs and dependabot config (#29)

* use git hashes instead of git tag * add dependabot * add verify and validate gorelease jobs * add copyright boilerplate * fix lints Signed-off-by: cpanato <ctadeu@gmail.com>
sigstore · May 16, 2022 · cc20420 · cc20420
1 parent 1d333a3
commit cc20420
Show file tree

Hide file tree

Showing 19 changed files with 341 additions and 49 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+- package-ecosystem: gomod
+  directory: "/"
+  schedule:
+    interval: weekly
+  open-pull-requests-limit: 10
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: weekly
+  open-pull-requests-limit: 10
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -12,15 +12,16 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
 
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2 # v3.1.0
       with:
         go-version: 1.18
+        check-latest: true
 
     - name: Build
-      run: go build -v ./...
+      run: make build
 
     - name: Unit Tests
-      run: go test -v ./...
+      run: make unit-test
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -14,7 +14,7 @@ jobs:
       id-token: write  # Enable OIDC
 
       # The rest of these are sanity-check settings, since I'm not sure if the
-      # org default is permissive or restricted. 
+      # org default is permissive or restricted.
       # See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
       # for more details.
       actions: none
@@ -34,13 +34,14 @@ jobs:
       GITSIGN_LOG: "/tmp/gitsign.log"
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
 
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2 # v3.1.0
       with:
         go-version: 1.18
-
+        check-latest: true
+
     - name: Test Sign and Verify commit
       run: |
         set -e

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,21 +14,25 @@ jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
         with:
           fetch-depth: 0 # this is important, otherwise it won't checkout the full tree (i.e. no previous tags)
-      - uses: actions/setup-go@v3
+
+      - uses: actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2 # v3.1.0
         with:
           go-version: 1.18
-      - uses: actions/cache@v3
+          check-latest: true
+
+      - uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 # v3.0.2
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
-      - uses: sigstore/cosign-installer@v2.3.0         # installs cosign
-      - uses: anchore/sbom-action/download-syft@v0.11.0 # installs syft
-      - uses: goreleaser/goreleaser-action@v2          # run goreleaser
+
+      - uses: sigstore/cosign-installer@536b37ec5d5b543420bdfd9b744c5965bd4d8730 # v2.3.0
+      - uses: anchore/sbom-action/download-syft@bb716408e75840bbb01e839347cd213767269d4a # v0.11.0
+      - uses: goreleaser/goreleaser-action@b953231f81b8dfd023c58e0854a721e35037f28b # v29.1
         with:
           version: latest
           args: release --rm-dist

diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml
@@ -0,0 +1,35 @@
+name: validate-release
+
+on:
+  push:
+    branches: ['main']
+  pull_request:
+    branches: ['main']
+  workflow_dispatch:
+
+jobs:
+  validate-release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
+
+      - uses: actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2 # v3.1.0
+        with:
+          go-version: 1.18
+          check-latest: true
+
+      - uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 # v3.0.2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - uses: sigstore/cosign-installer@536b37ec5d5b543420bdfd9b744c5965bd4d8730 # v2.3.0
+      - uses: anchore/sbom-action/download-syft@bb716408e75840bbb01e839347cd213767269d4a # v0.11.0
+      - uses: goreleaser/goreleaser-action@b953231f81b8dfd023c58e0854a721e35037f28b # v29.1
+        with:
+          version: latest
+          args: release --rm-dist --snapshot --skip-sign
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -0,0 +1,41 @@
+name: Verify
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  license-check:
+    name: license boilerplate check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
+      - uses: actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2 # v3.1.0
+        with:
+          go-version: 1.18
+          check-latest: true
+      - name: Install addlicense
+        run: go install github.com/google/addlicense@v1.0.0
+      - name: Check license headers
+        run: |
+          set -e
+          addlicense -l apache -c 'The Sigstore Authors' -v -ignore *.yml -ignore *.yaml *
+          git diff --exit-code
+
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
+      - uses: actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2 # v3.1.0
+        with:
+          go-version: 1.18
+          check-latest: true
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@537aa1903e5d359d0b27dbc19ddd22c5087f3fbc # v3.2.0
+        timeout-minutes: 5
+        with:
+          version: v1.46.0
diff --git a/.golangci.yml b/.golangci.yml
@@ -0,0 +1,36 @@
+linters:
+  enable:
+  - asciicheck
+  - deadcode
+  - depguard
+  - errcheck
+  - errorlint
+  - gofmt
+  - goimports
+  - gosec
+  - gocritic
+  - importas
+  - prealloc
+  - revive
+  - misspell
+  - stylecheck
+  - tparallel
+  - unconvert
+  - unparam
+  - whitespace
+output:
+  uniq-by-line: false
+issues:
+  exclude-rules:
+  - path: _test\.go
+    linters:
+    - errcheck
+    - gosec
+  - text: "SA1019: package golang.org/x/crypto/openpgp"
+    linters:
+    - staticcheck
+  max-issues-per-linter: 0
+  max-same-issues: 0
+run:
+  issues-exit-code: 1
+  timeout: 10m
diff --git a/Makefile b/Makefile
@@ -22,3 +22,7 @@ build:
 .PHONY: install
 install:
 	CGO_ENABLED=0 go install -trimpath -ldflags "$(LDFLAGS)" github.com/sigstore/gitsign
+
+.PHONY: unit-test
+unit-test:
+	go test -v ./...
diff --git a/command_sign.go b/command_sign.go
@@ -1,3 +1,18 @@
+//
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package main
 
 import (
@@ -7,6 +22,7 @@ import (
 	"os"
 
 	"github.com/pkg/errors"
+
 	"github.com/sigstore/gitsign/internal/fulcio"
 	"github.com/sigstore/gitsign/internal/git"
 	"github.com/sigstore/gitsign/internal/signature"
@@ -20,7 +36,7 @@ func commandSign() error {
 	}
 
 	// Git is looking for "\n[GNUPG:] SIG_CREATED ", meaning we need to print a
-	// line before SIG_CREATED. BEGIN_SIGNING seems appropraite. GPG emits this,
+	// line before SIG_CREATED. BEGIN_SIGNING seems appropriate. GPG emits this,
 	// though GPGSM does not.
 	sBeginSigning.emit()
 

diff --git a/command_verify.go b/command_verify.go
@@ -1,3 +1,18 @@
+//
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package main
 
 import (
@@ -9,6 +24,7 @@ import (
 	"os"
 
 	"github.com/pkg/errors"
+
 	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots"
 	"github.com/sigstore/gitsign/internal"
 	"github.com/sigstore/gitsign/internal/git"
@@ -95,7 +111,7 @@ func verifyDetached() error {
 		f = stdin
 	} else {
 		if f, err = os.Open(fileArgs[1]); err != nil {
-			errors.Wrapf(err, "failed to open message file (%s)", fileArgs[1])
+			return errors.Wrapf(err, "failed to open message file (%s)", fileArgs[1])
 		}
 		defer f.Close()
 	}

diff --git a/internal/fulcio/fulcio.go b/internal/fulcio/fulcio.go
@@ -1,10 +1,11 @@
-// Copyright 2022 Billy Lynch
+//
+// Copyright 2022 The Sigstore Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-//      http://www.apache.org/licenses/LICENSE-2.0
+//     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ -96,7 +97,6 @@ func (i *Identity) CertificateChain() ([]*x509.Certificate, error) {
 	}
 
 	return append([]*x509.Certificate{cert}, chain...), nil
-
 }
 
 // Signer gets a crypto.Signer that uses the identity's private key.
@@ -105,6 +105,7 @@ func (i *Identity) Signer() (crypto.Signer, error) {
 	if !ok {
 		return nil, fmt.Errorf("could not use signer %T as crypto.Signer", i.sv.SignerVerifier)
 	}
+
 	return s, nil
 }
 
@@ -116,7 +117,7 @@ func (i *Identity) Delete() error {
 
 // Close any manually managed memory held by the Identity.
 func (i *Identity) Close() {
-	return
+	// noop
 }
 
 func (i *Identity) PublicKey() (crypto.PublicKey, error) {