diff --git a/.github/dependency-review-config.yaml b/.github/dependency-review-config.yaml
index 3705f78..df8f653 100644
--- a/.github/dependency-review-config.yaml
+++ b/.github/dependency-review-config.yaml
@@ -1,5 +1,5 @@
 # https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
-allow_licenses:
+allow-licenses:
 - 'Apache-2.0'
 - 'BSD-2-Clause'
 - 'BSD-2-Clause-FreeBSD'
@@ -10,3 +10,8 @@ allow_licenses:
 - 'Python-2.0'
 - 'X11'
 - 'Zlib'
+
+# this action is GPL-3 but it is only used in CI
+# https://github.com/actions/dependency-review-action/issues/530#issuecomment-1638291806
+allow-dependencies-licenses: >
+ pkg:githubactions/vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 0eed421..0151802 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -3,7 +3,7 @@ on:
 pull_request:
 branches:
 - main
-permissions: read-all
+permissions: {}
 jobs:
 build-snapshot:
 permissions:
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
index b6a528c..2d60b35 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -6,8 +6,7 @@ on:
 pull_request:
 branches:
 - main
-permissions:
- contents: read
+permissions: {}
 jobs:
 analyze:
 permissions:
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
index 5e9560f..0c28048 100644
--- a/.github/workflows/coverage.yaml
+++ b/.github/workflows/coverage.yaml
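Review bot: In `.github/dependency-review-config.yaml`, the new `allow-dependencies-licenses` entry is keyed to the same commit hash that `.github/workflows/coverage.yaml` pins in its `uses:` line for `vladopajic/go-test-coverage`, and the comment above it does not say the two must change together. If the exemption is matched on the full package URL including the version (the pinned form suggests so, but the matcher is not visible here), a later bump of the action pin would presumably bring the GPL-3 finding back until this line is updated as well. I would extend the comment with `# keep this hash in sync with the go-test-coverage pin in .github/workflows/coverage.yaml`. Scoping the exemption to one pinned package, rather than adding GPL-3 to `allow-licenses`, is the narrower choice and worth keeping.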
@@ -3,27 +3,27 @@ on:
 push:
 branches:
 - main
-permissions:
- contents: read
+permissions: {}
 jobs:
 coverage:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - name: Configure git
- run: |
- git config --global user.name "$GITHUB_ACTOR"
- git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
 go-version: stable
 - name: Calculate coverage
 run: |
- go test -v -covermode=count -coverprofile=coverage.out.raw -coverpkg=./... ./...
- grep -v mock_ coverage.out.raw > coverage.out
- - name: Convert coverage to lcov
- uses: jandelgado/gcov2lcov-action@c680c0f7c7442485f1749eb2a13e54a686e76eb5 # v1.0.9
- - name: Upload coverage to Coveralls
- uses: coverallsapp/github-action@3dfc5567390f6fa9267c0ee9c251e4c8c3f18949 # v2.2.3
+ go test -v -covermode=count -coverprofile=cover.out.raw -coverpkg=./... ./...
+ # remove mocks from coverage calculation
+ grep -v mock_ cover.out.raw > cover.out
+ - name: Generage coverage badge
+ uses: vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787 # v2.8.2
 with:
- github-token: ${{ secrets.github_token }}
+ profile: cover.out
+ local-prefix: github.com/smlx/go-cli-github
+ git-token: ${{ secrets.GITHUB_TOKEN }}
+ # orphan branch for storing badges
+ git-branch: badges
diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml
index b788f00..0636a36 100644
--- a/.github/workflows/dependabot-automerge.yaml
+++ b/.github/workflows/dependabot-automerge.yaml
@@ -4,8 +4,7 @@ on:
 pull_request:
 branches:
 - main
-permissions:
- contents: read
+permissions: {}
 jobs:
 dependabot-automerge:
 permissions:
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
index f8309cf..1d3d823 100644
--- a/.github/workflows/dependency-review.yaml
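Review bot: In `.github/workflows/coverage.yaml`, `contents: write` is granted at job level, so the write-capable `GITHUB_TOKEN` is in scope for every step and not only the badge step; `actions/checkout` keeps the token in the local git configuration by default, which leaves it readable by the `go test` step that runs the repository's tests and their module dependencies. Unless the badge action depends on those persisted credentials (it is handed `git-token` explicitly, so probably not, but this is worth confirming), add `with:` and `persist-credentials: false` under the checkout step, or move the badge push into a separate job so the test run keeps a read-only token. The step name `Generage coverage badge` also looks like a typo for `Generate coverage badge`.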
+++ b/.github/workflows/dependency-review.yaml
@@ -3,10 +3,11 @@ on:
 pull_request:
 branches:
 - main
-permissions:
- contents: read
+permissions: {}
 jobs:
 dependency-review:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index c96255a..c13568a 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -3,10 +3,11 @@ on:
 pull_request:
 branches:
 - main
-permissions:
- contents: read
+permissions: {}
 jobs:
 lint-go:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -17,6 +18,8 @@ jobs:
 with:
 args: --timeout=180s
 lint-commits:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -24,6 +27,8 @@ jobs:
 fetch-depth: 0
 - uses: wagoid/commitlint-github-action@0d749a1a91d4770e983a7b8f83d4a3f0e7e0874e # v5.4.4
 lint-actions:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.github/workflows/ossf-analysis.yaml b/.github/workflows/ossf-analysis.yaml
index e82a87b..5d8bb04 100644
--- a/.github/workflows/ossf-analysis.yaml
+++ b/.github/workflows/ossf-analysis.yaml
@@ -3,11 +3,12 @@ on:
 push:
 branches:
 - main
-permissions: read-all
+permissions: {}
 jobs:
 ossf-scorecard-analysis:
 runs-on: ubuntu-latest
 permissions:
+ contents: read
 # Needed if using Code scanning alerts
 security-events: write
 # Needed for GitHub OIDC token if publish_results is true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4a90f95..535158b 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,7 +3,7 @@ on:
 push:
 branches:
 - main
-permissions: read-all
+permissions: {}
 jobs:
 release-tag:
 permissions:
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 7b16ef0..9b29efb 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -3,10 +3,11 @@ on:
 pull_request:
 branches:
 - main
-permissions:
- contents: read
+permissions: {}
 jobs:
 test-go:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/README.md b/README.md
index b1383bb..bc48015 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 [![Release](https://github.com/smlx/go-cli-github/actions/workflows/release.yaml/badge.svg)](https://github.com/smlx/go-cli-github/actions/workflows/release.yaml)
 [![Go Reference](https://pkg.go.dev/badge/github.com/smlx/go-cli-github.svg)](https://pkg.go.dev/github.com/smlx/go-cli-github)
-[![Coverage](https://coveralls.io/repos/github/smlx/go-cli-github/badge.svg?branch=main)](https://coveralls.io/github/smlx/go-cli-github?branch=main)
+![coverage](https://raw.githubusercontent.com/smlx/go-cli-github/badges/.badges/main/coverage.svg)
 [![Go Report Card](https://goreportcard.com/badge/github.com/smlx/go-cli-github)](https://goreportcard.com/report/github.com/smlx/go-cli-github)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/smlx/go-cli-github/badge)](https://securityscorecards.dev/viewer/?uri=github.com/smlx/go-cli-github)
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8168/badge)](https://www.bestpractices.dev/projects/8168)
@@ -52,9 +52,21 @@ Then push some code to main:
 git push -u origin main
 ```
+1. Create the `badges` branch for storing the README coverage badge.
+
+ ```bash
+ git checkout --orphan badges
+ git rm -rf .
+ rm -f .gitignore
+ echo 'This branch exists only to contains the coverage badge in the README on `main`.' > README.md
+ git add README.md
+ git commit -m 'chore: initialize the badges branch'
+ git push origin badges
+ ```
+
 Then customize the code for your repository:
-1. Check out a new branch to set up the repo `git checkout -b setup`
+1. Check out a new branch to set up the repo `git checkout -b setup main`
 1. Update the code for your project: