smlx · smlx · Dec 20, 2023 · Dec 20, 2023 · Dec 20, 2023 · Dec 20, 2023
diff --git a/.github/dependency-review-config.yaml b/.github/dependency-review-config.yaml
@@ -1,5 +1,5 @@
 # https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
-allow_licenses:
+allow-licenses:
 - 'Apache-2.0'
 - 'BSD-2-Clause'
 - 'BSD-2-Clause-FreeBSD'
@@ -10,3 +10,8 @@ allow_licenses:
 - 'Python-2.0'
 - 'X11'
 - 'Zlib'
+
+# this action is GPL-3 but it is only used in CI
+# https://github.com/actions/dependency-review-action/issues/530#issuecomment-1638291806
+allow-dependencies-licenses: >
+  pkg:githubactions/vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -3,7 +3,7 @@ on:
   pull_request:
     branches:
     - main
-permissions: read-all
+permissions: {}
 jobs:
   build-snapshot:
     permissions:

diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
@@ -6,8 +6,7 @@ on:
   pull_request:
     branches:
     - main
-permissions:
-  contents: read
+permissions: {}
 jobs:
   analyze:
     permissions:

diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
@@ -3,27 +3,27 @@ on:
   push:
     branches:
     - main
-permissions:
-  contents: read
+permissions: {}
 jobs:
   coverage:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - name: Configure git
-      run: |
-        git config --global user.name "$GITHUB_ACTOR"
-        git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
     - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
       with:
         go-version: stable
     - name: Calculate coverage
       run: |
-        go test -v -covermode=count -coverprofile=coverage.out.raw -coverpkg=./... ./...
-        grep -v mock_ coverage.out.raw > coverage.out
-    - name: Convert coverage to lcov
-      uses: jandelgado/gcov2lcov-action@c680c0f7c7442485f1749eb2a13e54a686e76eb5 # v1.0.9
-    - name: Upload coverage to Coveralls
-      uses: coverallsapp/github-action@3dfc5567390f6fa9267c0ee9c251e4c8c3f18949 # v2.2.3
+        go test -v -covermode=count -coverprofile=cover.out.raw -coverpkg=./... ./...
+        # remove mocks from coverage calculation
+        grep -v mock_ cover.out.raw > cover.out
+    - name: Generage coverage badge
+      uses: vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787 # v2.8.2
       with:
-        github-token: ${{ secrets.github_token }}
+        profile: cover.out
+        local-prefix: github.com/smlx/go-cli-github
+        git-token: ${{ secrets.GITHUB_TOKEN }}
+        # orphan branch for storing badges
+        git-branch: badges
diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml
@@ -4,8 +4,7 @@ on:
   pull_request:
     branches:
     - main
-permissions:
-  contents: read
+permissions: {}
 jobs:
   dependabot-automerge:
     permissions:

diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -3,10 +3,11 @@ on:
   pull_request:
     branches:
     - main
-permissions:
-  contents: read
+permissions: {}
 jobs:
   dependency-review:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -3,10 +3,11 @@ on:
   pull_request:
     branches:
     - main
-permissions:
-  contents: read
+permissions: {}
 jobs:
   lint-go:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -17,13 +18,17 @@ jobs:
       with:
         args: --timeout=180s
   lint-commits:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         fetch-depth: 0
     - uses: wagoid/commitlint-github-action@0d749a1a91d4770e983a7b8f83d4a3f0e7e0874e # v5.4.4
   lint-actions:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

diff --git a/.github/workflows/ossf-analysis.yaml b/.github/workflows/ossf-analysis.yaml
@@ -3,11 +3,12 @@ on:
   push:
     branches:
     - main
-permissions: read-all
+permissions: {}
 jobs:
   ossf-scorecard-analysis:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       # Needed if using Code scanning alerts
       security-events: write
       # Needed for GitHub OIDC token if publish_results is true

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -3,7 +3,7 @@ on:
   push:
     branches:
     - main
-permissions: read-all
+permissions: {}
 jobs:
   release-tag:
     permissions:

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -3,10 +3,11 @@ on:
   pull_request:
     branches:
     - main
-permissions:
-  contents: read
+permissions: {}
 jobs:
   test-go:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 [![Release](https://github.com/smlx/go-cli-github/actions/workflows/release.yaml/badge.svg)](https://github.com/smlx/go-cli-github/actions/workflows/release.yaml)
 [![Go Reference](https://pkg.go.dev/badge/github.com/smlx/go-cli-github.svg)](https://pkg.go.dev/github.com/smlx/go-cli-github)
-[![Coverage](https://coveralls.io/repos/github/smlx/go-cli-github/badge.svg?branch=main)](https://coveralls.io/github/smlx/go-cli-github?branch=main)
+![coverage](https://raw.githubusercontent.com/smlx/go-cli-github/badges/.badges/main/coverage.svg)
 [![Go Report Card](https://goreportcard.com/badge/github.com/smlx/go-cli-github)](https://goreportcard.com/report/github.com/smlx/go-cli-github)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/smlx/go-cli-github/badge)](https://securityscorecards.dev/viewer/?uri=github.com/smlx/go-cli-github)
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8168/badge)](https://www.bestpractices.dev/projects/8168)
@@ -52,9 +52,21 @@ Then push some code to main:
     git push -u origin main
     ```
 
+1. Create the `badges` branch for storing the README coverage badge.
+
+    ```bash
+    git checkout --orphan badges
+    git rm -rf .
+    rm -f .gitignore
+    echo 'This branch exists only to contains the coverage badge in the README on `main`.' > README.md
+    git add README.md
+    git commit -m 'chore: initialize the badges branch'
+    git push origin badges
+    ```
+
 Then customize the code for your repository:
 
-1. Check out a new branch to set up the repo `git checkout -b setup`
+1. Check out a new branch to set up the repo `git checkout -b setup main`
 
 1. Update the code for your project: