From 42d6f4d4d36a888cf5a00ac33883a60194c7b328 Mon Sep 17 00:00:00 2001 From: Jack Kelly Date: Mon, 9 Dec 2024 11:39:07 +0000 Subject: [PATCH 1/7] chore(deps): group dependabot prs and offset Group PRs from dependabot to reduce notification and maintenance fatigue Offset the timers just to avoid peak times --- .github/dependabot.yml | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index bfbeb12..03ae7e6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,30 +5,45 @@ updates: directory: / schedule: interval: weekly - time: "06:00" - timezone: UTC + # offset from the hour to avoid other build jobs + time: "06:34" + timezone: Etc/UTC open-pull-requests-limit: 10 commit-message: prefix: chore include: scope + groups: + gha: + patterns: + - "*" - package-ecosystem: gomod directory: / schedule: interval: weekly - time: "06:00" - timezone: UTC + # offset from the hour to avoid other build jobs + time: "06:34" + timezone: Etc/UTC allow: # direct and indirect updates - dependency-type: "all" commit-message: prefix: chore include: scope + groups: + gomod: + patterns: + - "*" - package-ecosystem: docker directory: / schedule: interval: weekly - time: "06:00" - timezone: UTC + # offset from the hour to avoid other build jobs + time: "06:34" + timezone: Etc/UTC commit-message: prefix: chore include: scope + groups: + docker: + patterns: + - "*" From b36ee69ef7a4631e522ce29bb194c187b56c528c Mon Sep 17 00:00:00 2001 From: Jack Kelly Date: Mon, 9 Dec 2024 13:44:40 +0000 Subject: [PATCH 2/7] chore: init submodules properly --- Makefile | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index ecd62e5..db9140c 100644 --- a/Makefile +++ b/Makefile 
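Review bot: The three new catch-all groups (`patterns: - "*"` under `gha`, `gomod` and `docker`) roll every update into one PR, so a single breaking major bump that fails CI holds back the minor and patch bumps batched with it, which are usually the ones you want merged quickly. Dependabot can restrict a group by update type; adding `update-types: ["minor", "patch"]` to each group keeps majors in their own PRs while still batching routine bumps. As far as I recall, groups apply to version updates only, so Dependabot security updates should still arrive as separate PRs; if that is the intent, a one-line comment above `groups:` saying so would stop the next reader from wondering whether security fixes are being delayed by the batching.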
@@ -83,14 +83,18 @@ test: ## unit and local acceptance tests @echo "+ $@" make test-unit build test-acceptance -test/bin/%: - git submodule update --init -- $@ +.PHONY: check-and-reinit-submodules +check-and-reinit-submodules: + @if git submodule status | grep "^[-+]" ; then \ + git submodule update --init; \ + fi -.PHONY: bats -bats: test/bin/bats test/bin/bats-assert test/bin/bats-support ## fetch bats dependencies +.PHONY: uninit-submodules +uninit-submodules: + git submodule deinit -f . .PHONY: test-acceptance -test-acceptance: bats build ## acceptance tests +test-acceptance: check-and-reinit-submodules build ## acceptance tests @echo "+ $@" bash -xc 'cd test && ./bin/bats/bin/bats $(BATS_PARALLEL_JOBS) .' From 2ec97eee7866ec6111f99e15393513eb1c785bbb Mon Sep 17 00:00:00 2001 From: Jack Kelly Date: Mon, 9 Dec 2024 13:45:06 +0000 Subject: [PATCH 3/7] chore: ensure `go test -race` is called with `CGO_ENABLED=1` `-race` requires `CGO_ENABLED=1` --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index db9140c..279421b 100644 --- a/Makefile +++ b/Makefile @@ -101,12 +101,12 @@ test-acceptance: check-and-reinit-submodules build ## acceptance tests .PHONY: test-unit test-unit: ## golang unit tests @echo "+ $@" - go test -race $$(go list ./... | grep -v '/vendor/') -run "$${RUN:-.*}" + CGO_ENABLED=1 go test -race $$(go list ./... | grep -v '/vendor/') -run "$${RUN:-.*}" .PHONY: test-unit-verbose test-unit-verbose: ## golang unit tests (verbose) @echo "+ $@" - go test -race -v $$(go list ./... | grep -v '/vendor/') -run "$${RUN:-.*}" + CGO_ENABLED=1 go test -race -v $$(go list ./... | grep -v '/vendor/') -run "$${RUN:-.*}" # --- From 4a11bde660798335e5281c73ead195b7bf9a91f3 Mon Sep 17 00:00:00 2001 
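Review bot: The new `check-and-reinit-submodules` and `uninit-submodules` targets lack the `## description` help text that neighbouring targets carry (`test: ## unit and local acceptance tests`, `test-acceptance: ... ## acceptance tests`), so they will be missing from the generated help. `uninit-submodules` in particular deserves something like `uninit-submodules: ## deinit all submodules (-f discards uncommitted changes inside them)`, because `git submodule deinit -f .` throws away local work under test/bin/*. The `+` in `grep "^[-+]"` also means a submodule that a developer has deliberately moved to a different commit is reset to the recorded one on every `make test-acceptance`; if that is intended, a comment above the `@if` saying `# re-sync submodules that are missing or not at the recorded commit` would make it explicit.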
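Review bot: `test-unit` and `test-unit-verbose` now repeat the same `CGO_ENABLED=1 go test -race` prefix and the same `$$(go list ./... | grep -v '/vendor/') -run "$${RUN:-.*}"` tail, so the next flag or environment change has to be made twice and can drift. Factoring the shared prefix into a variable, e.g. `GO_TEST := CGO_ENABLED=1 go test -race`, and using `$(GO_TEST)` / `$(GO_TEST) -v` in the two recipes would keep them aligned. The reason for `CGO_ENABLED=1` lives only in the commit message; a one-line `# -race requires cgo` comment above `test-unit` would keep it with the code.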
From: Jack Kelly Date: Mon, 9 Dec 2024 13:46:32 +0000 Subject: [PATCH 4/7] chore: use official govulncheck-action and upload results Use official govulncheck-action Upload sarif results to show findings Add permission to upload new and existing CodeQL results Filter only on go paths for go security checks --- .github/workflows/security_analysis.yml | 32 +++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/.github/workflows/security_analysis.yml b/.github/workflows/security_analysis.yml index f2d8a3e..921d201 100644 --- a/.github/workflows/security_analysis.yml +++ b/.github/workflows/security_analysis.yml @@ -4,15 +4,27 @@ name: Security Analysis on: push: branches: [master] + paths: + - "**.go" + - "go.mod" + - "go.sum" pull_request: branches: [master] + paths: + - "**.go" + - "go.mod" + - "go.sum" schedule: - - cron: "0 6 * * *" + # 06:12 - offset from the hour to avoid other build jobs + - cron: "12 6 * * *" jobs: codeql: name: CodeQL runs-on: ubuntu-latest + permissions: + # allow uploading sarif results + security-events: write steps: - name: Checkout repository uses: actions/checkout@v4 @@ -22,18 +34,30 @@ jobs: with: languages: go + # analyzes + uploads sarif - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 govulncheck: name: govulncheck runs-on: ubuntu-latest + permissions: + # allow uploading sarif results + security-events: write steps: - name: Checkout repository uses: actions/checkout@v4 - name: Vulnerability Scan Go Code - uses: Templum/govulncheck-action@v1.0.1 + uses: golang/govulncheck-action@v1 with: - go-version: 1.22 - vulncheck-version: v1.0.1 \ No newline at end of file + go-version-file: go.mod + repo-checkout: false + output-format: sarif + output-file: govulncheck.sarif + + - name: Upload Scan SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: govulncheck.sarif + category: govulncheck From 1e5d95a58918a3f2b770ab2c029651b87e9f8c42 Mon Sep 17 00:00:00 2001 
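Review bot: The job-level `permissions:` block added under `codeql` lists only `security-events: write`, and a job-level block sets every permission it does not name to `none`, so the `GITHUB_TOKEN` seen by `actions/checkout@v4` and `github/codeql-action/analyze@v3` no longer has `contents: read` or `actions: read`. On a public repository this still works, but the CodeQL starter template grants `security-events: write`, `actions: read` and `contents: read` together, and matching it (`contents: read` and `actions: read` alongside the existing line) keeps the job from silently breaking on a fork or if the repository becomes private; the same applies to the `govulncheck` job in the second hunk. Separately, the new `paths:` filters omit the workflow file itself, so edits to `.github/workflows/security_analysis.yml` (such as this commit) will not trigger the scan on the PR; adding `- ".github/workflows/security_analysis.yml"` to both lists closes that gap.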
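Review bot: The newly introduced `golang/govulncheck-action@v1` and `github/codeql-action/upload-sarif@v3` are referenced by mutable major-version tags, so the code that runs inside this security job can change without a commit here; pinning to a full commit SHA with the version in a trailing comment (`uses: golang/govulncheck-action@<commit-sha>  # v1.x`) is the usual mitigation, and the `gha` Dependabot group from the first patch will keep such pins current. This matches the existing `actions/checkout@v4` style in the file, so it may be deliberate, but the scanner step is the one most worth pinning. Also worth confirming: if the action exits non-zero when vulnerabilities are found, the `Upload Scan SARIF file` step is skipped exactly when there is something to upload; if so, `if: always()` on the upload step keeps findings flowing to Code Scanning.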
From: Jack Kelly Date: Mon, 9 Dec 2024 13:47:36 +0000 Subject: [PATCH 5/7] chore(deps): update go dependencies --- go.mod | 8 ++++---- go.sum | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index 14eb6b0..dfa2a23 100644 --- a/go.mod +++ b/go.mod @@ -1,8 +1,8 @@ module github.com/controlplaneio/badrobot -go 1.22.0 +go 1.23 -toolchain go1.22.2 +toolchain go1.23.3 require ( github.com/ghodss/yaml v1.0.0 @@ -30,8 +30,8 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/apimachinery v0.31.3 // indirect k8s.io/klog/v2 v2.130.1 // indirect - k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect - sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078 // indirect + sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.3 // indirect sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/go.sum b/go.sum index 69ad62a..478c22c 100644 --- a/go.sum +++ b/go.sum 
@@ -102,10 +102,10 @@ k8s.io/apimachinery v0.31.3 h1:6l0WhcYgasZ/wk9ktLq5vLaoXJJr5ts6lkaQzgeYPq4= k8s.io/apimachinery v0.31.3/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= -sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078 h1:jGnCPejIetjiy2gqaJ5V0NLwTpF4wbQ6cZIItJCSHno= +k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= +sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/structured-merge-diff/v4 v4.4.3 h1:sCP7Vv3xx/CWIuTPVN38lUPx0uw0lcLfzaiDa8Ja01A= sigs.k8s.io/structured-merge-diff/v4 v4.4.3/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= From 42a35a4b76e7310910cb194b3c7ad6db802285b2 Mon Sep 17 00:00:00 2001 From: Jack Kelly Date: Mon, 9 Dec 2024 13:57:03 +0000 Subject: [PATCH 6/7] chore(deps): bump bats submodules --- Makefile | 2 +- test/bin/bats | 2 +- test/bin/bats-assert | 2 +- test/bin/bats-support | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 279421b..e37f21e 100644 --- a/Makefile +++ b/Makefile 
@@ -60,7 +60,7 @@ LDFLAGS=-s -w \ -X github.com/controlplaneio/badrobot/cmd.commit=$(GIT_SHA) PACKAGE = none -BATS_PARALLEL_JOBS := $(shell command -v parallel 2>/dev/null && echo '--jobs 20') +BATS_PARALLEL_JOBS := $(shell command -v parallel 2>&1 >/dev/null && echo '--jobs 20') .PHONY: all all: help diff --git a/test/bin/bats b/test/bin/bats index 410dd22..b640ec3 160000 --- a/test/bin/bats +++ b/test/bin/bats @@ -1 +1 @@ -Subproject commit 410dd229a5ed005c68167cc90ed0712ad2a1c909 +Subproject commit b640ec3cf2c7c9cfc9e6351479261186f76eeec8 diff --git a/test/bin/bats-assert b/test/bin/bats-assert index 397c735..e2d855b 160000 --- a/test/bin/bats-assert +++ b/test/bin/bats-assert @@ -1 +1 @@ -Subproject commit 397c735212bf1a06cfdd0cb7806c5a6ea79582bf +Subproject commit e2d855bc78619ee15b0c702b5c30fb074101159f diff --git a/test/bin/bats-support b/test/bin/bats-support index 3c8fadc..9bf10e8 160000 --- a/test/bin/bats-support +++ b/test/bin/bats-support @@ -1 +1 @@ -Subproject commit 3c8fadc5097c9acfc96d836dced2bb598e48b009 +Subproject commit 9bf10e876dd6b624fe44423f0b35e064225f7556 From b62f744b9cd7a6c9b501e1e667ef4dfed879f1a6 Mon Sep 17 00:00:00 2001 From: Jack Kelly Date: Mon, 9 Dec 2024 14:15:28 +0000 Subject: [PATCH 7/7] chore: fix govulncheck sarif output On a successful run of govulncheck it doesn't produce any runs entries --- .github/workflows/security_analysis.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/security_analysis.yml b/.github/workflows/security_analysis.yml index 921d201..cfbc391 100644 --- a/.github/workflows/security_analysis.yml +++ b/.github/workflows/security_analysis.yml 
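Review bot: `2>&1 >/dev/null` in the new `BATS_PARALLEL_JOBS` line appears to be correct but reads like the classic reversed-redirect mistake: it discards the path that `command -v parallel` prints on stdout (which the old `2>/dev/null` form presumably let into the variable ahead of `--jobs 20`) while routing any stderr text into the captured value. `BATS_PARALLEL_JOBS := $(shell command -v parallel >/dev/null 2>&1 && echo '--jobs 20')` gives the same result without stderr leaking into the bats arguments and without relying on the reader knowing redirect order. A comment such as `# only the echo output must reach the variable; the path from command -v is discarded` above the line would help either way, and note this Makefile change is unrelated to the "bump bats submodules" subject of the commit.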
@@ -56,6 +56,14 @@ jobs: output-format: sarif output-file: govulncheck.sarif + - name: Fix govulncheck SARIF output + # https://github.com/docker/buildx/blob/d4eca07af8385dca95b4c38535a9bbaa3bfc0fa9/hack/dockerfiles/govulncheck.Dockerfile#L22-L25 + # Make sure "results" field is defined in SARIF output otherwise GitHub Code Scanning + # will fail when uploading report with "Invalid SARIF. Missing 'results' array in run." + # Relates to https://github.com/golang/vuln/blob/ffdef74cc44d7eb71931d8d414c478b966812488/internal/sarif/sarif.go#L69 + run: | + cat <<< $(jq '(.runs[] | select(.results == null) | .results) |= []' govulncheck.sarif) > govulncheck.sarif + - name: Upload Scan SARIF file uses: github/codeql-action/upload-sarif@v3 with:
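Review bot: `cat <<< $(jq … govulncheck.sarif) > govulncheck.sarif` hides a jq failure: the step runs under `bash -e`, but the exit status of a command substitution inside a here-string does not fail the outer `cat`, so if jq rejects the file the redirection still truncates govulncheck.sarif to a single empty line and the upload step then fails on an empty report instead of surfacing the real error. Writing to a temporary file and moving it over the original, e.g. `jq '(.runs[] | select(.results == null) | .results) |= []' govulncheck.sarif > govulncheck.sarif.tmp && mv govulncheck.sarif.tmp govulncheck.sarif`, keeps the original on failure and stops the step. The commit message says a clean run produces no `runs` entries; if that means `runs: []` the filter is fine, but if the key is absent `.runs[]` would likely error on null, which is worth confirming against a clean-run SARIF sample.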