Skip to content

Commit

Permalink
Merge branch 'main' into dependabot/github_actions/actions/setup-go-5
Browse files Browse the repository at this point in the history
Signed-off-by: Jeff Mendoza <[email protected]>
  • Loading branch information
jeffmendoza authored Feb 27, 2024
2 parents e6f4d46 + 92f6ce6 commit 10e9264
Show file tree
Hide file tree
Showing 11 changed files with 1,249 additions and 371 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/postmerge.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
codeql:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: github/codeql-action/init@v2
with:
languages: go
Expand All @@ -19,7 +19,7 @@ jobs:
scorecard:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: ossf/[email protected]
with:
results_file: results.sarif
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/pr.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.20'
Expand All @@ -17,7 +17,7 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.20'
Expand All @@ -26,7 +26,7 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.20'
Expand All @@ -36,5 +36,5 @@ jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/dependency-review-action@v3
4 changes: 2 additions & 2 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,14 +14,14 @@ jobs:
release:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: actions/checkout@v4 # v3.5.2

- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: '1.20'
check-latest: true

- uses: sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9 # v3.0.5
- uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0

- uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6

Expand Down
6 changes: 4 additions & 2 deletions cmd/allstar/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,8 @@ func main() {
specificPolicyArg := flag.String("policy", "", fmt.Sprintf("Run a specific policy check. Supported policies: %s", supportedPoliciesMsg))
specificRepoArg := flag.String("repo", "", "Run on a specific \"owner/repo\". For example \"ossf/allstar\"")

numWorkersArg := flag.Int("workers", 5, "maximum number of active goroutines for Allstar scans")

flag.Parse()

if *specificPolicyArg != "" {
Expand All @@ -81,7 +83,7 @@ func main() {
}

if runOnce {
_, err := enforce.EnforceAll(ctx, ghc, *specificPolicyArg, *specificRepoArg)
_, err := enforce.EnforceAll(ctx, ghc, *specificPolicyArg, *specificRepoArg, *numWorkersArg)
if err != nil {
log.Fatal().
Err(err).
Expand All @@ -94,7 +96,7 @@ func main() {
go func() {
defer wg.Done()
log.Info().
Err(enforce.EnforceJob(ctx, ghc, (5 * time.Minute), *specificPolicyArg, *specificRepoArg)).
Err(enforce.EnforceJob(ctx, ghc, (5 * time.Minute), *specificPolicyArg, *specificRepoArg, *numWorkersArg)).
Msg("Enforce job shutting down.")
}()
sigs := make(chan os.Signal, 1)
Expand Down
11 changes: 6 additions & 5 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -4,18 +4,19 @@ go 1.16

require (
github.com/Masterminds/semver/v3 v3.2.1
github.com/bradleyfalzon/ghinstallation/v2 v2.4.0
github.com/bradleyfalzon/ghinstallation/v2 v2.7.0
github.com/evanphx/json-patch v5.6.0+incompatible
github.com/gobwas/glob v0.2.3
github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
github.com/google/go-cmp v0.5.9
github.com/google/go-github/v50 v50.2.0
github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79
github.com/matryer/is v1.4.0 // indirect
github.com/ossf/scorecard/v4 v4.10.5
github.com/rhysd/actionlint v1.6.24
github.com/ossf/scorecard/v4 v4.13.0
github.com/rhysd/actionlint v1.6.26
github.com/rs/zerolog v1.29.1
github.com/shurcooL/githubv4 v0.0.0-20210725200734-83ba7b4c9228
gocloud.dev v0.29.0
golang.org/x/sync v0.2.0
gocloud.dev v0.34.0
golang.org/x/sync v0.3.0
sigs.k8s.io/yaml v1.3.0
)
1,540 changes: 1,214 additions & 326 deletions go.sum

Large diffs are not rendered by default.

8 changes: 4 additions & 4 deletions pkg/enforce/enforce.go
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ func init() {
//
// TBD: determine if this should remain exported, or if it will only be called
// from EnforceJob.
func EnforceAll(ctx context.Context, ghc ghclients.GhClientsInterface, specificPolicyArg string, specificRepoArg string) (EnforceAllResults, error) {
func EnforceAll(ctx context.Context, ghc ghclients.GhClientsInterface, specificPolicyArg string, specificRepoArg string, numWorkersArg int) (EnforceAllResults, error) {
var repoCount int
var enforceAllResults = make(EnforceAllResults)
ac, err := ghc.Get(0)
Expand All @@ -85,7 +85,7 @@ func EnforceAll(ctx context.Context, ghc ghclients.GhClientsInterface, specificP
Msg("Enforcing policies on installations.")

g, ctx := errgroup.WithContext(ctx)
g.SetLimit(5)
g.SetLimit(numWorkersArg)
var mu sync.Mutex

for _, i := range insts {
Expand Down Expand Up @@ -302,9 +302,9 @@ func getAppInstallationReposReal(ctx context.Context, ic *github.Client) ([]*git

// EnforceJob is a reconciliation job that enforces policies on all repos every
// d duration. It runs forever until the context is done.
func EnforceJob(ctx context.Context, ghc *ghclients.GHClients, d time.Duration, specificPolicyArg string, specificRepoArg string) error {
func EnforceJob(ctx context.Context, ghc *ghclients.GHClients, d time.Duration, specificPolicyArg string, specificRepoArg string, numWorkersArg int) error {
for {
_, err := EnforceAll(ctx, ghc, specificPolicyArg, specificRepoArg)
_, err := EnforceAll(ctx, ghc, specificPolicyArg, specificRepoArg, numWorkersArg)
if err != nil {
log.Error().
Err(err).
Expand Down
8 changes: 5 additions & 3 deletions pkg/enforce/enforce_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -549,7 +549,8 @@ func TestEnforceAll(t *testing.T) {
policy1Results = test.Policy1Results
policy2Results = test.Policy2Results

enforceAllResults, err := EnforceAll(context.Background(), mockGhc, "", "")
numWorkers := 1
enforceAllResults, err := EnforceAll(context.Background(), mockGhc, "", "", numWorkers)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
Expand Down Expand Up @@ -581,15 +582,16 @@ func TestSuspendedEnforce(t *testing.T) {
}
suspended = false
gaicalled = false
if _, err := EnforceAll(context.Background(), &MockGhClients{}, "", ""); err != nil {
numWorkers := 1
if _, err := EnforceAll(context.Background(), &MockGhClients{}, "", "", numWorkers); err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if !gaicalled {
t.Errorf("Expected getAppInstallationRepos() to be called, but wasn't")
}
suspended = true
gaicalled = false
if _, err := EnforceAll(context.Background(), &MockGhClients{}, "", ""); err != nil {
if _, err := EnforceAll(context.Background(), &MockGhClients{}, "", "", numWorkers); err != nil {
t.Fatalf("Unexpected error: %v", err)
}
if gaicalled {
Expand Down
2 changes: 1 addition & 1 deletion pkg/policies/scorecard/scorecard.go
Original file line number Diff line number Diff line change
Expand Up @@ -230,7 +230,7 @@ func convertLogs(logs []checker.CheckDetail) []string {
if l.Msg.Finding.Location == nil {
s = append(s, fmt.Sprintf("%v", l.Msg.Finding.Message))
} else {
s = append(s, fmt.Sprintf("%v[%v]:%v", l.Msg.Finding.Location.Value, *l.Msg.Finding.Location.LineStart, l.Msg.Finding.Message))
s = append(s, fmt.Sprintf("%v[%v]:%v", *l.Msg.Finding.Location.Snippet, *l.Msg.Finding.Location.LineStart, l.Msg.Finding.Message))
}
} else {
s = append(s, fmt.Sprintf("%v[%v]:%v", l.Msg.Path, l.Msg.Offset, l.Msg.Text))
Expand Down
2 changes: 1 addition & 1 deletion pkg/policies/workflow/workflow.go
Original file line number Diff line number Diff line change
Expand Up @@ -136,7 +136,7 @@ func (b Workflow) Check(ctx context.Context, c *github.Client, owner,
}

logs := convertLogs(l.Flush())
pass := res.Score >= checker.MaxResultScore
pass := res.Score >= checker.MaxResultScore || res.Score == checker.InconclusiveResultScore
var notify string
if !pass {
notify = fmt.Sprintf(`Project is out of compliance with Dangerous Workflow policy: %v
Expand Down
27 changes: 6 additions & 21 deletions pkg/scorecard/scorecard.go
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ type ScClient struct {
ScRepoClient clients.RepoClient
}

var scClients map[string]*ScClient
var scClients map[string]*ScClient = make(map[string]*ScClient)
var mMutex sync.RWMutex

const defaultGitRef = "HEAD"
Expand All @@ -53,26 +53,16 @@ func init() {
// exist. The github repo is initialized, which means the tarball is
// downloaded.
func Get(ctx context.Context, fullRepo string, tr http.RoundTripper) (*ScClient, error) {
mMutex.RLock()
if scClients == nil {
mMutex.RUnlock()
mMutex.Lock()
scClients = make(map[string]*ScClient)
mMutex.Unlock()
} else {
mMutex.RUnlock()
}
mMutex.RLock()
mMutex.Lock()
if scc, ok := scClients[fullRepo]; ok {
mMutex.RUnlock()
mMutex.Unlock()
return scc, nil
}
mMutex.RUnlock()
scc, err := create(ctx, fullRepo, tr)
if err != nil {
mMutex.Unlock()
return nil, err
}
mMutex.Lock()
scClients[fullRepo] = scc
mMutex.Unlock()
return scc, nil
Expand All @@ -81,18 +71,13 @@ func Get(ctx context.Context, fullRepo string, tr http.RoundTripper) (*ScClient,
// Function Close will close the scorecard clients. This cleans up the
// downloaded tarball.
func Close(fullRepo string) {
mMutex.RLock()
if scClients == nil {
mMutex.RUnlock()
return
}
mMutex.Lock()
scc, ok := scClients[fullRepo]
mMutex.RUnlock()
if !ok {
mMutex.Unlock()
return
}
scc.ScRepoClient.Close()
mMutex.Lock()
delete(scClients, fullRepo)
mMutex.Unlock()
}
Expand Down

0 comments on commit 10e9264

Please sign in to comment.