diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index bfbeb12..03ae7e6 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,30 +5,45 @@ updates:
 directory: /
 schedule:
 interval: weekly
- time: "06:00"
- timezone: UTC
+ # offset from the hour to avoid other build jobs
+ time: "06:34"
+ timezone: Etc/UTC
 open-pull-requests-limit: 10
 commit-message:
 prefix: chore
 include: scope
+ groups:
+ gha:
+ patterns:
+ - "*"
 - package-ecosystem: gomod
 directory: /
 schedule:
 interval: weekly
- time: "06:00"
- timezone: UTC
+ # offset from the hour to avoid other build jobs
+ time: "06:34"
+ timezone: Etc/UTC
 allow:
 # direct and indirect updates
 - dependency-type: "all"
 commit-message:
 prefix: chore
 include: scope
+ groups:
+ gomod:
+ patterns:
+ - "*"
 - package-ecosystem: docker
 directory: /
 schedule:
 interval: weekly
- time: "06:00"
- timezone: UTC
+ # offset from the hour to avoid other build jobs
+ time: "06:34"
+ timezone: Etc/UTC
 commit-message:
 prefix: chore
 include: scope
+ groups:
+ docker:
+ patterns:
+ - "*"
diff --git a/.github/workflows/security_analysis.yml b/.github/workflows/security_analysis.yml
index f2d8a3e..cfbc391 100644
--- a/.github/workflows/security_analysis.yml
+++ b/.github/workflows/security_analysis.yml
@@ -4,15 +4,27 @@ name: Security Analysis
 on:
 push:
 branches: [master]
+ paths:
+ - "**.go"
+ - "go.mod"
+ - "go.sum"
 pull_request:
 branches: [master]
+ paths:
+ - "**.go"
+ - "go.mod"
+ - "go.sum"
 schedule:
- - cron: "0 6 * * *"
+ # 06:12 - offset from the hour to avoid other build jobs
+ - cron: "12 6 * * *"
 jobs:
 codeql:
 name: CodeQL
 runs-on: ubuntu-latest
+ permissions:
+ # allow uploading sarif results
+ security-events: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
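Review bot: The job-level `permissions:` block added under `codeql` names only `security-events: write`, and a job-level `permissions` key sets every scope it does not list to `none`, so the job drops the `contents: read` that `actions/checkout@v4` relies on and the `actions: read` that CodeQL's analyze step uses on private repositories; a public repository may still check out anonymously, but the grants should be explicit: `actions: read`, `contents: read`, `security-events: write` under `permissions:`. The new `paths:` filters also mean an edit to this workflow file itself (or to any non-Go file) never runs the scan; adding `- ".github/workflows/security_analysis.yml"` to both lists keeps scanner-config changes exercised, and if CodeQL is a required status check, pull requests that touch only filtered-out paths will wait on a check that never reports. The `codeql` job's remaining steps lie outside this hunk.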
@@ -22,18 +34,38 @@ jobs:
 with:
 languages: go
+ # analyzes + uploads sarif
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v3
 govulncheck:
 name: govulncheck
 runs-on: ubuntu-latest
+ permissions:
+ # allow uploading sarif results
+ security-events: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
 - name: Vulnerability Scan Go Code
- uses: Templum/govulncheck-action@v1.0.1
+ uses: golang/govulncheck-action@v1
 with:
- go-version: 1.22
- vulncheck-version: v1.0.1
\ No newline at end of file
+ go-version-file: go.mod
+ repo-checkout: false
+ output-format: sarif
+ output-file: govulncheck.sarif
+
+ - name: Fix govulncheck SARIF output
+ # https://github.com/docker/buildx/blob/d4eca07af8385dca95b4c38535a9bbaa3bfc0fa9/hack/dockerfiles/govulncheck.Dockerfile#L22-L25
+ # Make sure "results" field is defined in SARIF output otherwise GitHub Code Scanning
+ # will fail when uploading report with "Invalid SARIF. Missing 'results' array in run."
+ # Relates to https://github.com/golang/vuln/blob/ffdef74cc44d7eb71931d8d414c478b966812488/internal/sarif/sarif.go#L69
+ run: |
+ cat <<< $(jq '(.runs[] | select(.results == null) | .results) |= []' govulncheck.sarif) > govulncheck.sarif
+
+ - name: Upload Scan SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: govulncheck.sarif
+ category: govulncheck
diff --git a/Makefile b/Makefile
index ecd62e5..e37f21e 100644
--- a/Makefile
+++ b/Makefile
@@ -60,7 +60,7 @@ LDFLAGS=-s -w \
 -X github.com/controlplaneio/badrobot/cmd.commit=$(GIT_SHA)
 PACKAGE = none
-BATS_PARALLEL_JOBS := $(shell command -v parallel 2>/dev/null && echo '--jobs 20')
+BATS_PARALLEL_JOBS := $(shell command -v parallel 2>&1 >/dev/null && echo '--jobs 20')
 .PHONY: all
 all: help
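Review bot: In the `Fix govulncheck SARIF output` step, `cat <<< $(jq ...) > govulncheck.sarif` hides a jq failure: a command substitution's non-zero exit does not trip the `bash -e` GitHub uses for `run:` steps, so a malformed or missing SARIF file is silently replaced by a single newline, the step passes, and the problem only surfaces as an opaque error in the upload step. Writing through a temporary file makes the failure visible where it happens: `jq '(.runs[] | select(.results == null) | .results) |= []' govulncheck.sarif > govulncheck.sarif.tmp && mv govulncheck.sarif.tmp govulncheck.sarif`. The `govulncheck` job's `permissions:` block, like the `codeql` one, lists only `security-events: write`, which sets `contents` to `none` for the job, so `contents: read` should be granted explicitly for `actions/checkout@v4`. The newly introduced `golang/govulncheck-action@v1` and the other actions are referenced by mutable tags; pinning each to a full commit SHA with the version in a trailing comment removes the tag-retargeting risk while Dependabot's `github-actions` updater keeps the pin current.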
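Review bot: The new redirection order `2>&1 >/dev/null` in `BATS_PARALLEL_JOBS` sends `command -v`'s stderr into the value captured by `$(shell ...)`, so any diagnostic it prints is spliced onto the bats command line in `test-acceptance`; if the intent is only to drop the printed path, `>/dev/null 2>&1` discards both streams and is the form readers expect. A short comment such as `# pass --jobs only when GNU parallel is installed` would record why the probe exists.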
@@ -83,26 +83,30 @@ test: ## unit and local acceptance tests
 @echo "+ $@"
 make test-unit build test-acceptance
-test/bin/%:
- git submodule update --init -- $@
+.PHONY: check-and-reinit-submodules
+check-and-reinit-submodules:
+ @if git submodule status | grep "^[-+]" ; then \
+ git submodule update --init; \
+ fi
-.PHONY: bats
-bats: test/bin/bats test/bin/bats-assert test/bin/bats-support ## fetch bats dependencies
+.PHONY: uninit-submodules
+uninit-submodules:
+ git submodule deinit -f .
 .PHONY: test-acceptance
-test-acceptance: bats build ## acceptance tests
+test-acceptance: check-and-reinit-submodules build ## acceptance tests
 @echo "+ $@"
 bash -xc 'cd test && ./bin/bats/bin/bats $(BATS_PARALLEL_JOBS) .'
 .PHONY: test-unit
 test-unit: ## golang unit tests
 @echo "+ $@"
- go test -race $$(go list ./... | grep -v '/vendor/') -run "$${RUN:-.*}"
+ CGO_ENABLED=1 go test -race $$(go list ./... | grep -v '/vendor/') -run "$${RUN:-.*}"
 .PHONY: test-unit-verbose
 test-unit-verbose: ## golang unit tests (verbose)
 @echo "+ $@"
- go test -race -v $$(go list ./... | grep -v '/vendor/') -run "$${RUN:-.*}"
+ CGO_ENABLED=1 go test -race -v $$(go list ./... | grep -v '/vendor/') -run "$${RUN:-.*}"
 # ---
diff --git a/go.mod b/go.mod
index 14eb6b0..dfa2a23 100644
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,8 @@
 module github.com/controlplaneio/badrobot
-go 1.22.0
+go 1.23
-toolchain go1.22.2
+toolchain go1.23.3
 require (
 github.com/ghodss/yaml v1.0.0
@@ -30,8 +30,8 @@ require (
 gopkg.in/yaml.v2 v2.4.0 // indirect
 k8s.io/apimachinery v0.31.3 // indirect
 k8s.io/klog/v2 v2.130.1 // indirect
- k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
- sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+ k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078 // indirect
+ sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.4.3 // indirect
 sigs.k8s.io/yaml v1.4.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 69ad62a..478c22c 100644
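Review bot: The `CGO_ENABLED=1` prefix added to both `go test -race` lines has no explanation; a comment above `test-unit` such as `# -race needs cgo, so force it on even where the environment exports CGO_ENABLED=0` keeps the next cleanup from dropping it. In `check-and-reinit-submodules`, `grep "^[-+]"` matches not only uninitialised submodules (`-`) but also ones whose checked-out commit differs from the recorded one (`+`), so a developer's local checkout under `test/bin/*` is reset to the pinned commit on every `make test-acceptance`, while a conflicted submodule (`U`) is not handled at all; that is presumably intended for CI but deserves a comment. Neither new target carries the `## description` help annotation the file's other targets use (`test-acceptance: ... ## acceptance tests`), and `uninit-submodules` in particular should say that `deinit -f` discards local changes inside the submodules.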
--- a/go.sum
+++ b/go.sum
@@ -102,10 +102,10 @@ k8s.io/apimachinery v0.31.3 h1:6l0WhcYgasZ/wk9ktLq5vLaoXJJr5ts6lkaQzgeYPq4=
 k8s.io/apimachinery v0.31.3/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
-k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078 h1:jGnCPejIetjiy2gqaJ5V0NLwTpF4wbQ6cZIItJCSHno=
+k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
+sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.3 h1:sCP7Vv3xx/CWIuTPVN38lUPx0uw0lcLfzaiDa8Ja01A=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.3/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
diff --git a/test/bin/bats b/test/bin/bats
index 410dd22..b640ec3 160000
--- a/test/bin/bats
+++ b/test/bin/bats
@@ -1 +1 @@
-Subproject commit 410dd229a5ed005c68167cc90ed0712ad2a1c909
+Subproject commit b640ec3cf2c7c9cfc9e6351479261186f76eeec8
diff --git a/test/bin/bats-assert b/test/bin/bats-assert
index 397c735..e2d855b 160000
--- a/test/bin/bats-assert
+++ b/test/bin/bats-assert
@@ -1 +1 @@
-Subproject commit 397c735212bf1a06cfdd0cb7806c5a6ea79582bf
+Subproject commit e2d855bc78619ee15b0c702b5c30fb074101159f
diff --git a/test/bin/bats-support b/test/bin/bats-support
index 3c8fadc..9bf10e8 160000
--- a/test/bin/bats-support
+++ b/test/bin/bats-support
@@ -1 +1 @@
-Subproject commit 3c8fadc5097c9acfc96d836dced2bb598e48b009
+Subproject commit 9bf10e876dd6b624fe44423f0b35e064225f7556