From 9195199375c0151aa64f1ad491f17bd5ef1ad327 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Tue, 5 Dec 2023 17:20:16 +0800 Subject: [PATCH 1/4] feat: add secret scanning instructions --- README.md | 52 +++++++++++++++++++++++++++------------------------- 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 8733afc..b45c6ea 100644 --- a/README.md +++ b/README.md 
@@ -15,33 +15,35 @@ It adds basic PR building, dependabot integration, testing, coverage etc. ``` 2. Update the `release` workflow branch from `main` to `foo` to disable it, commit all the files, and push to `main` on a new repo. 2. Update for your project, send a PR and merge it once green: - * rename `deploy/go-cli-github` to `deploy/$YOUR_COMMAND` - * update `deploy/$YOUR_COMMAND/Dockerfile` - * rename `cmd/go-cli-github` to `cmd/$YOUR_COMMAND` - * update `.goreleaser.yml` to build `cmd/$YOUR_COMMAND` - * update the links at the top of the README - * update the `build`, `release`, and `tag-to-release` workflows, replacing `go-cli-github` with `$YOUR_COMMAND`. - * update module in `go.mod` and in `cmd/$YOUR_COMMAND/*.go`, `internal/server/serve_test.go` + * rename `deploy/go-cli-github` to `deploy/$YOUR_COMMAND` + * update `deploy/$YOUR_COMMAND/Dockerfile` + * rename `cmd/go-cli-github` to `cmd/$YOUR_COMMAND` + * update `.goreleaser.yml` to build `cmd/$YOUR_COMMAND` + * update the links at the top of the README + * update the `build`, `release`, and `tag-to-release` workflows, replacing `go-cli-github` with `$YOUR_COMMAND` + * update module in `go.mod` and in `cmd/$YOUR_COMMAND/*.go`, `internal/server/serve_test.go` 3. Go to repository Settings > General: - * Disable wiki and projects - * Allow only merge commits for Pull Requests - * Allow auto-merge - * Automatically delete head branches + * Disable wiki and projects + * Allow only merge commits for Pull Requests + * Allow auto-merge + * Automatically delete head branches 4. Go to repository Settings > Branches and add branch protection to `main`, and enable: - * Require a PR before merging - * Dismiss stale pull request approvals - * Require status checks to pass before merging - * Require branches to be up-to-date before merging. 
- * Required status checks: - * CodeQL - * build - * buildimage - * commitlint - * go-test - * lint - * Include administrators + * Require a PR before merging + * Dismiss stale pull request approvals + * Require status checks to pass before merging + * Require branches to be up-to-date before merging. + * Required status checks: + * CodeQL + * build + * buildimage + * commitlint + * go-test + * lint + * Include administrators 5. Go to repository Settings > Code security and analysis, and enable: - * Dependabot alerts - * Dependabot security updates + * Dependabot alerts + * Dependabot security updates + * Secret scanning + * Push protection 6. When ready to release, rename the target branch in the release workflow from `foo` to `main`, and send a PR. 7. That's it. From ba143a9f3bb81cb5516fec9b06bf57895fc01511 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Wed, 6 Dec 2023 10:48:16 +0800 Subject: [PATCH 2/4] feat: add workflow permissions instructions to README --- README.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index b45c6ea..57a6a50 100644 --- a/README.md +++ b/README.md @@ -13,8 +13,8 @@ It adds basic PR building, dependabot integration, testing, coverage etc. ```bash git clone git@github.com:smlx/go-cli-github.git $PROJECT_DIR && rm -rf ./$PROJECT_DIR/.git ``` -2. Update the `release` workflow branch from `main` to `foo` to disable it, commit all the files, and push to `main` on a new repo. -2. Update for your project, send a PR and merge it once green: +1. Update the `release` workflow branch from `main` to `foo` to disable it, commit all the files, and push to `main` on a new repo. +1. Update for your project, send a PR and merge it once green: * rename `deploy/go-cli-github` to `deploy/$YOUR_COMMAND` * update `deploy/$YOUR_COMMAND/Dockerfile` * rename `cmd/go-cli-github` to `cmd/$YOUR_COMMAND` 
@@ -22,12 +22,12 @@ It adds basic PR building, dependabot integration, testing, coverage etc. * update the links at the top of the README * update the `build`, `release`, and `tag-to-release` workflows, replacing `go-cli-github` with `$YOUR_COMMAND` * update module in `go.mod` and in `cmd/$YOUR_COMMAND/*.go`, `internal/server/serve_test.go` -3. Go to repository Settings > General: +1. Go to repository Settings > General: * Disable wiki and projects * Allow only merge commits for Pull Requests * Allow auto-merge * Automatically delete head branches -4. Go to repository Settings > Branches and add branch protection to `main`, and enable: +1. Go to repository Settings > Branches and add branch protection to `main`, and enable: * Require a PR before merging * Dismiss stale pull request approvals * Require status checks to pass before merging @@ -40,10 +40,12 @@ It adds basic PR building, dependabot integration, testing, coverage etc. * go-test * lint * Include administrators -5. Go to repository Settings > Code security and analysis, and enable: +1. Go to repository Settings > Code security and analysis, and enable: * Dependabot alerts * Dependabot security updates * Secret scanning * Push protection -6. When ready to release, rename the target branch in the release workflow from `foo` to `main`, and send a PR. -7. That's it. +1. Go to repository Settings > Actions > General: + * Set Workflow permissions to "Read repository contents and package permissions" +1. When ready to release, rename the target branch in the release workflow from `foo` to `main`, and send a PR. +1. That's it. From bdde38f48a3a880a056a2a042992e10c436c0603 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Wed, 6 Dec 2023 10:48:39 +0800 Subject: [PATCH 3/4] feat: add OSSF scorecard --- .github/workflows/ossf-scorecard.yaml | 35 +++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 .github/workflows/ossf-scorecard.yaml 
diff --git a/.github/workflows/ossf-scorecard.yaml b/.github/workflows/ossf-scorecard.yaml new file mode 100644 index 0000000..7cdf2bb --- /dev/null +++ b/.github/workflows/ossf-scorecard.yaml @@ -0,0 +1,35 @@ +name: Scorecard analysis workflow +on: + push: + branches: + - main + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed if using Code scanning alerts + security-events: write + # Needed for GitHub OIDC token if publish_results is true + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@v4 + + - name: "Run analysis" + uses: ossf/scorecard-action@v2 + with: + results_file: results.sarif + results_format: sarif + # Publish the results for public repositories to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, regardless + # of the value entered here. + publish_results: true + + - name: "Upload SARIF results to code scanning" + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif From b5beabc9ed6e5da261f22cd5f2f92694560fb59a Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Wed, 6 Dec 2023 10:52:42 +0800 Subject: [PATCH 4/4] feat: bump go.mod to 1.21 --- go.mod | 2 +- go.sum | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 03247dc..c90281c 100644 --- a/go.mod +++ b/go.mod @@ -1,5 +1,5 @@ module github.com/smlx/go-cli-github -go 1.19 +go 1.21 require github.com/alecthomas/kong v0.8.1 diff --git a/go.sum b/go.sum index 14b62cf..021aabe 100644 --- a/go.sum +++ b/go.sum 
@@ -1,5 +1,8 @@ github.com/alecthomas/assert/v2 v2.1.0 h1:tbredtNcQnoSd3QBhQWI7QZ3XHOVkw1Moklp2ojoH/0= +github.com/alecthomas/assert/v2 v2.1.0/go.mod h1:b/+1DI2Q6NckYi+3mXyH3wFb8qG37K/DuK80n7WefXA= github.com/alecthomas/kong v0.8.1 h1:acZdn3m4lLRobeh3Zi2S2EpnXTd1mOL6U7xVml+vfkY= github.com/alecthomas/kong v0.8.1/go.mod h1:n1iCIO2xS46oE8ZfYCNDqdR0b0wZNrXAIAqro/2132U= github.com/alecthomas/repr v0.1.0 h1:ENn2e1+J3k09gyj2shc0dHr/yjaWSHRlrJ4DPMevDqE= +github.com/alecthomas/repr v0.1.0/go.mod h1:2kn6fqh/zIyPLmm3ugklbEi5hg5wS435eygvNfaDQL8= github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM= +github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
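Review bot: in PATCH 1/4 the `@@ -15,33 +15,35 @@` hunk of README.md is almost entirely a whitespace re-indent of existing bullets (two-space to four-space), which buries the two substantive additions, `* Secret scanning` and `* Push protection`, under some 25 removed-and-re-added lines; splitting the re-indent into its own `style:` commit would make the secret-scanning change reviewable on its own and keep `git blame` useful for the list. Two smaller points in the same hunk: the numbered list still carries two items labelled `2.` (the `release` workflow step and the "Update for your project" step), and `* Require branches to be up-to-date before merging.` keeps a trailing period while its sibling bullets have none.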
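Review bot: in PATCH 2/4 the new step `Go to repository Settings > Actions > General` gives the setting but not the reason, and one sentence saying that this makes the default `GITHUB_TOKEN` read-only, so any workflow needing write access must request it explicitly in a `permissions:` block (exactly what the scorecard workflow in 3/4 does with `security-events: write` and `id-token: write`), would tell readers why a later workflow might fail with a 403 and what to do about it. Also check the quoted label against the current GitHub UI, which renders the option as "Read repository contents and packages permissions" (plural), so the instruction matches what the reader sees. Renumbering every item to `1.` in this hunk also resolves the duplicate `2.` left behind by 1/4, which is worth a word in the commit message.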
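Review bot: in PATCH 3/4 the `@@ -0,0 +1,35 @@` hunk for `.github/workflows/ossf-scorecard.yaml` references all three actions by mutable tag (`actions/checkout@v4`, `ossf/scorecard-action@v2`, `github/codeql-action/upload-sarif@v2`), and Scorecard's own Pinned-Dependencies check will mark this very workflow down for it; pin each `uses:` to a full commit SHA with the tag in a trailing comment, and let dependabot keep the SHAs current if its `github-actions` ecosystem is configured. Two further points in the same hunk: the checkout step should set `with: persist-credentials: false` so the `GITHUB_TOKEN` is not written into `.git/config` for later steps, and the workflow only fires on `push` to `main`, so adding `branch_protection_rule:` and a weekly `schedule:` `cron` trigger would let the Branch-Protection check pick up settings changes and keep results from going stale between pushes. The job-level `permissions:` correctly grants only `security-events: write` and `id-token: write`; the scorecard-action template notes that private repositories additionally need `contents: read` and `actions: read`, which may be worth a comment since the README is written for people cloning this template.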
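Review bot: in PATCH 4/4 the `go.mod` hunk moves `go 1.19` to `go 1.21`, and from Go 1.21 the `go` directive is a minimum toolchain requirement rather than a language-version hint, so any CI job, the `deploy/$YOUR_COMMAND/Dockerfile` base image and the goreleaser build that still install an older Go will stop building; confirm those pin 1.21 or newer, since none of them appears in this series. The `go.sum` hunk adds `/go.mod` hash lines for `alecthomas/assert/v2`, `alecthomas/repr` and `hexops/gotextdiff`, consistent with re-running `go mod tidy` after the bump; saying so in the commit message ("bump go.mod to 1.21 and tidy go.sum") would save the next reviewer wondering why go.sum changed in a one-line version bump.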