diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..5c93f0f
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @vmfunc
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..00243d1
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+ - package-ecosystem: gomod
+ directory: /
+ schedule:
+ interval: weekly
+ open-pull-requests-limit: 5
+ labels:
+ - deps
+
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ open-pull-requests-limit: 5
+ labels:
+ - deps
diff --git a/.github/workflows/automatic-rebase.yml b/.github/workflows/automatic-rebase.yml
index 5a6e627..28efd9a 100644
--- a/.github/workflows/automatic-rebase.yml
+++ b/.github/workflows/automatic-rebase.yml
@@ -1,4 +1,4 @@
-name: Automatic Rebase
+name: automatic rebase
 on:
 issue_comment:
 types: [created]
@@ -12,7 +12,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
- - name: Automatic Rebase
+ - name: automatic rebase
 uses: cirrus-actions/rebase@1.8
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/check-large-files.yml b/.github/workflows/check-large-files.yml
index 0ae1b2c..87692db 100644
--- a/.github/workflows/check-large-files.yml
+++ b/.github/workflows/check-large-files.yml
@@ -1,18 +1,26 @@
-name: Check Large Files
+name: check large files
 on:
 pull_request:
 push:
 branches: [main]
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 jobs:
 check-large-files:
- name: Check for large files
+ name: check for large files
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - name: Check for large files
+ - name: check for large files
 run: |
- find . -type f -size +5M | while read file; do
- echo "::error file=${file}::File ${file} is larger than 5MB"
- done
+ large_files=$(find . -path ./.git -prune -o -type f -size +5M -print)
+ if [ -n "$large_files" ]; then
+ echo "$large_files" | while read -r file; do
+ echo "::error file=${file}::File ${file} is larger than 5MB"
+ done
+ exit 1
+ fi
diff --git a/.github/workflows/code_quality.yml b/.github/workflows/code_quality.yml
index a6ef45e..86ac2e3 100644
--- a/.github/workflows/code_quality.yml
+++ b/.github/workflows/code_quality.yml
@@ -1,4 +1,4 @@
-name: Qodana
+name: qodana
 on:
 workflow_dispatch:
 pull_request:
@@ -6,6 +6,10 @@ on:
 branches:
 - main
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 jobs:
 qodana:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 94fce98..db560df 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -1,4 +1,4 @@
-name: "Dependency Review"
+name: dependency review
 on:
 pull_request:
 push:
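Review bot: No `permissions:` block accompanies the new `concurrency:` block, so unless the repository default is already read-only the job keeps a broader `GITHUB_TOKEN` than its single checkout step needs; add `permissions:` / `  contents: read` at workflow level. The concurrency-only hunks in code_quality.yml, misspell.yml and reportcard.yml and the new jobs in go.yml and govulncheck.yml have the same gap. In the rewritten script, `echo "$large_files" | while IFS= read -r file; do` keeps file names with leading or trailing whitespace intact, which plain `read -r` trims before the `::error file=` annotation is emitted.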
@@ -7,16 +7,20 @@ on:
 permissions:
 contents: read
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 jobs:
 dependency-review:
 runs-on: ubuntu-latest
 steps:
- - name: "Checkout Repository"
+ - name: checkout repository
 uses: actions/checkout@v4
- - name: "Dependency Review"
+ - name: dependency review
 uses: actions/dependency-review-action@v4
 continue-on-error: ${{ github.event_name == 'push' }}
- - name: "Check Dependency Review Outcome"
+ - name: check dependency review outcome
 if: github.event_name == 'push' && failure()
 run: |
 echo "::warning::Dependency review failed. Please check the dependencies for potential issues."
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index a4d795a..0ccc097 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -1,24 +1,47 @@
-name: Go
+name: go
+
 on:
 push:
 branches: ["main"]
 pull_request:
 branches: ["main"]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 jobs:
- build:
+ lint:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - name: Set up Go
- uses: actions/setup-go@v4
+ - name: set up go
+ uses: actions/setup-go@v5
 with:
 go-version: "1.24"
- - name: Build
+ - name: golangci-lint
+ uses: golangci/golangci-lint-action@v6
+ with:
+ version: latest
+
+ build:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ go-version: ["1.23", "1.24"]
+ steps:
+ - uses: actions/checkout@v4
+ - name: set up go
+ uses: actions/setup-go@v5
+ with:
+ go-version: ${{ matrix.go-version }}
+ - name: build
 run: make
- - name: Run tests with coverage
+ - name: run tests with coverage
 run: go test -race -coverprofile=coverage.out -covermode=atomic ./...
- - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v4
+ - name: upload coverage to codecov
+ if: matrix.go-version == '1.24'
+ uses: codecov/codecov-action@v5
 with:
 files: ./coverage.out
 fail_ci_if_error: false
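Review bot: `version: latest` on the golangci-lint step makes the new lint job non-reproducible — a golangci-lint release can start failing every PR, or quietly stop reporting what it used to, with no change in this repository — so pin it (`version: <pinned golangci-lint version>`) and bump it deliberately; the `.golangci.yml` hunk in this change also enables `usetesting`, which only recent releases provide, so a pin documents that floor. Every `uses:` added here references a mutable tag (`actions/setup-go@v5`, `golangci/golangci-lint-action@v6`, `codecov/codecov-action@v5`), which the Pinned-Dependencies check of the scorecard.yml workflow added in the same change will report; pinning to a full commit SHA with the tag in a trailing comment is the usual fix, and the `github-actions` Dependabot ecosystem enabled in dependabot.yml keeps SHA pins current. The same applies to the `uses:` lines in govulncheck.yml, release.yml and scorecard.yml.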
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
new file mode 100644
index 0000000..28502c5
--- /dev/null
+++ b/.github/workflows/govulncheck.yml
@@ -0,0 +1,24 @@
+name: govulncheck
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ - cron: "0 6 * * 1" # monday 06:00 UTC
+
+jobs:
+ govulncheck:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: set up go
+ uses: actions/setup-go@v5
+ with:
+ go-version: "1.24"
+ - name: install govulncheck
+ run: go install golang.org/x/vuln/cmd/govulncheck@latest
+ - name: run govulncheck
+ run: govulncheck ./...
+ continue-on-error: true
diff --git a/.github/workflows/language.yml b/.github/workflows/language.yml
index 48ad129..0dce62d 100644
--- a/.github/workflows/language.yml
+++ b/.github/workflows/language.yml
@@ -1,4 +1,4 @@
-name: Mind your language
+name: mind your language
 on:
 issues:
 types:
diff --git a/.github/workflows/markdown-lint.yml b/.github/workflows/markdown-lint.yml
index 02f21f7..67f6362 100644
--- a/.github/workflows/markdown-lint.yml
+++ b/.github/workflows/markdown-lint.yml
@@ -1,4 +1,4 @@
-name: Markdown Lint
+name: markdown lint
 on:
 pull_request:
diff --git a/.github/workflows/misspell.yml b/.github/workflows/misspell.yml
index 4ec371d..fec499b 100644
--- a/.github/workflows/misspell.yml
+++ b/.github/workflows/misspell.yml
@@ -1,10 +1,14 @@
-name: Misspell Check
+name: misspell check
 on:
 pull_request:
 push:
 branches: [main]
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 jobs:
 misspell:
 name: runner / misspell
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 88a4106..35bfa93 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,4 +1,4 @@
-name: Release
+name: release
 on:
 push:
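Review bot: `continue-on-error: true` on the `run govulncheck` step means a reachable vulnerability in a dependency never turns the job red, so both the PR check and the Monday scheduled run stay green and nobody sees the finding unless they open the log. Drop the line so a finding fails the job; if an advisory rollout is wanted, limit it to pull requests with `continue-on-error: ${{ github.event_name == 'pull_request' }}`, the pattern dependency-review.yml already uses for push. `go install golang.org/x/vuln/cmd/govulncheck@latest` also fetches whatever scanner version is current at run time; pin a release so changes in scanner behaviour are deliberate.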
@@ -19,28 +19,28 @@ jobs:
 contents: write
 steps:
 - uses: actions/checkout@v4
- - name: Set up Go
- uses: actions/setup-go@v4
+ - name: set up go
+ uses: actions/setup-go@v5
 with:
 go-version: "1.24"
- - name: Build for Windows
+ - name: build for windows
 run: |
 GOOS=windows GOARCH=amd64 go build -o sif-windows-amd64.exe ./cmd/sif
 GOOS=windows GOARCH=386 go build -o sif-windows-386.exe ./cmd/sif
- - name: Build for macOS
+ - name: build for macOS
 run: |
 GOOS=darwin GOARCH=amd64 go build -o sif-macos-amd64 ./cmd/sif
 GOOS=darwin GOARCH=arm64 go build -o sif-macos-arm64 ./cmd/sif
- - name: Build for Linux
+ - name: build for linux
 run: |
 GOOS=linux GOARCH=amd64 go build -o sif-linux-amd64 ./cmd/sif
 GOOS=linux GOARCH=386 go build -o sif-linux-386 ./cmd/sif
 GOOS=linux GOARCH=arm64 go build -o sif-linux-arm64 ./cmd/sif
- - name: Package releases with modules
+ - name: package releases with modules
 run: |
 for binary in sif-linux-amd64 sif-linux-386 sif-linux-arm64 sif-macos-amd64 sif-macos-arm64; do
 mkdir -p "dist/${binary}"
@@ -55,7 +55,7 @@ jobs:
 cd dist && zip -r "../${binary}.zip" "${binary}" && cd ..
 done
- - name: Build Debian packages
+ - name: build debian packages
 run: |
 VERSION="0.1.0-$(git rev-parse --short HEAD)"
@@ -94,10 +94,29 @@ jobs:
 dpkg-deb --build "${pkg_dir}"
 done
- - name: Set release version
+ - name: generate checksums
+ run: |
+ sha256sum \
+ sif-windows-amd64.zip \
+ sif-windows-386.zip \
+ sif-macos-amd64.tar.gz \
+ sif-macos-arm64.tar.gz \
+ sif-linux-amd64.tar.gz \
+ sif-linux-386.tar.gz \
+ sif-linux-arm64.tar.gz \
+ sif_*.deb \
+ > checksums-sha256.txt
+
+ - name: generate SBOM
+ uses: anchore/sbom-action@v0
+ with:
+ artifact-name: sbom.spdx.json
+ output-file: sbom.spdx.json
+
+ - name: set release version
 run: echo "RELEASE_VERSION=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- - name: Create Release and Upload Assets
+ - name: create release and upload assets
 uses: softprops/action-gh-release@v2
 with:
 tag_name: automated-release-${{ env.RELEASE_VERSION }}
@@ -120,12 +139,10 @@ jobs:
 - Debian/Ubuntu (32-bit): `sif_*_i386.deb`
 - Debian/Ubuntu (64-bit ARM): `sif_*_arm64.deb`
- ## Installation
+ ## Verification
 ```bash
- tar -xzf sif-linux-amd64.tar.gz
- cd sif-linux-amd64
- ./sif -h
+ sha256sum -c checksums-sha256.txt
 ```
 For more details, check the [commit history](https://github.com/${{ github.repository }}/commits/main).
@@ -142,10 +159,12 @@ jobs:
 sif_*_amd64.deb
 sif_*_i386.deb
 sif_*_arm64.deb
+ checksums-sha256.txt
+ sbom.spdx.json
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Push to Cloudsmith
+ - name: push to cloudsmith
 env:
 CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
 run: |
diff --git a/.github/workflows/reportcard.yml b/.github/workflows/reportcard.yml
index 431a2f7..adc0acd 100644
--- a/.github/workflows/reportcard.yml
+++ b/.github/workflows/reportcard.yml
@@ -1,4 +1,4 @@
-name: Update Report Card
+name: update report card
 on:
 push:
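Review bot: `checksums-sha256.txt` is generated and uploaded by the same job and token as the assets it covers, so it catches download corruption but not a tampered release — whoever can replace an asset can regenerate the checksum file. Pair it with provenance or a signature, e.g. `actions/attest-build-provenance` over the archives and the checksum file (needs `id-token: write` and `attestations: write` on the job). The list also omits the `${binary}.zip` archives that the packaging loop ending at line 55 appears to build for the Linux and macOS targets; if those are among the uploaded assets they need an entry here too. `anchore/sbom-action@v0` with no `path:` presumably catalogs the checked-out source tree rather than the built binaries — confirm that is the intended SBOM subject, and note `v0` is a floating tag.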
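Review bot: The new Verification snippet `sha256sum -c checksums-sha256.txt` reports a failure for every listed asset the user did not download, which is nearly all of them, so the instruction as written looks broken to most readers; `sha256sum --ignore-missing -c checksums-sha256.txt` checks only the files present. The release-notes body this hunk edits starts and ends outside the hunk.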
@@ -7,10 +7,14 @@ on:
 branches: [main]
 workflow_call:
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 jobs:
 update-report-card:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - name: Update Go Report Card
+ - name: update go report card
 uses: creekorful/goreportcard-action@v1.0
diff --git a/.github/workflows/runtest.yml b/.github/workflows/runtest.yml
index 2a50355..425431b 100644
--- a/.github/workflows/runtest.yml
+++ b/.github/workflows/runtest.yml
@@ -1,4 +1,4 @@
-name: Functional Test
+name: functional test
 on:
 push:
@@ -12,13 +12,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - name: Set up Go
- uses: actions/setup-go@v4
+ - name: set up go
+ uses: actions/setup-go@v5
 with:
 go-version: "1.24"
- - name: Build Sif
+ - name: build sif
 run: make
- - name: Run Sif with features
+ - name: run sif with features
 run: |
 ./sif -u https://example.com -dnslist small -dirlist small -dork -git -whois -cms -framework
 if [ $? -eq 0 ]; then
@@ -28,7 +28,7 @@ jobs:
 exit 1
 fi
- - name: Test module system
+ - name: test module system
 run: |
 echo "Listing modules..."
 ./sif -lm
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 0000000..3056f1a
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,30 @@
+name: scorecard
+
+on:
+ push:
+ branches: [main]
+ schedule:
+ - cron: "0 6 * * 1" # monday 06:00 UTC
+
+permissions: read-all
+
+jobs:
+ analysis:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ id-token: write
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: run scorecard
+ uses: ossf/scorecard-action@v2.4.0
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+ - name: upload sarif results
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index 8342578..bbc9e1a 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -1,4 +1,4 @@
-name: Shell Check
+name: shell check
 on:
 pull_request:
diff --git a/.github/workflows/yaml-lint.yml b/.github/workflows/yaml-lint.yml
index aa0e29c..154ec45 100644
--- a/.github/workflows/yaml-lint.yml
+++ b/.github/workflows/yaml-lint.yml
@@ -1,4 +1,4 @@
-name: YAML Lint
+name: yaml lint
 on:
 pull_request:
diff --git a/.golangci.yml b/.golangci.yml
index 69e9c5a..9258ae2 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -13,7 +13,12 @@ linters:
 - prealloc # slice preallocation hints
 - bodyclose # http response body not closed
 - noctx # http requests without context
- - exportloopref # loop variable capture
+ - gosec # security issues
+ - errorlint # error wrapping and comparison
+ - gocognit # cognitive complexity
+ - nilnil # return nil, nil
+ - wastedassign # assignments to variables never read
+ - usetesting # os.Setenv in tests instead of t.Setenv, etc.
 linters-settings:
 govet:
@@ -29,6 +34,12 @@ linters-settings:
 - diagnostic
 - style
 - performance
+ gosec:
+ excludes:
+ - G104 # errcheck covers this
+ - G304 # sif reads user-supplied wordlist paths — intentional
+ gocognit:
+ min-complexity: 30
 run:
 timeout: 5m
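Review bot: Excluding `G304` in `gosec.excludes` disables file-inclusion findings for the whole module, not just where `sif` opens a user-supplied wordlist, so later code that opens a path derived from scan output or a response body gets no warning either. Keep the rule on and suppress it at the intentional call sites with `//nolint:gosec // user-supplied wordlist path` (or an `issues.exclude-rules` entry scoped to the wordlist-loading file), so the exception stays visible next to the code it covers. The `G104` comment holds only if `errcheck` is enabled in the linters list; the `linters:` hunk above does not show it, so confirm it sits earlier in that list.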