base repository: hectorm/cetusguard
base: v1.0.12
head repository: hectorm/cetusguard
compare: v1.0.13
Showing with 205 additions and 212 deletions.
  1. +20 −6 .github/dependabot.yml
  2. +117 −141 .github/workflows/main.yml
  3. +40 −40 .github/workflows/security-code.yml
  4. +19 −19 .github/workflows/security-scorecard.yml
  5. +1 −1 Dockerfile
  6. +7 −4 e2e/run.sh
  7. +1 −1 go.mod
26 changes: 20 additions & 6 deletions .github/dependabot.yml
@@ -1,13 +1,27 @@
# yaml-language-server: $schema=https://json.schemastore.org/dependabot-2.0.json
version: 2

updates:
- package-ecosystem: "gomod"
directory: "/"
schedule:
interval: "weekly"
groups:
gomod-minor-patch:
update-types: ["minor", "patch"]

- package-ecosystem: 'docker'
directory: '/'
- package-ecosystem: "docker"
directory: "/"
schedule:
interval: 'weekly'
interval: "weekly"
groups:
docker-all:
patterns: ["*"]

- package-ecosystem: 'github-actions'
directory: '/'
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: 'weekly'
interval: "monthly"
groups:
github-actions-all:
patterns: ["*"]
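Review bot: The github-actions cadence drops from weekly to monthly at the `interval: "monthly"` line with no comment recording the trade-off; because every `uses:` in the workflows is pinned to a commit SHA, this schedule is the only thing that advances those pins, so the change lengthens the window before a newly tagged action release is picked up. As far as I know Dependabot's advisory-driven security updates are not bound to the version-update schedule, but that should be confirmed for the actions ecosystem rather than assumed. A one-line comment above the entry would make the intent explicit, e.g. `# Monthly to limit PR noise; SHA pins only advance when this runs`. The new `gomod-minor-patch` group with `update-types: ["minor", "patch"]` leaves major Go module bumps as separate PRs, which reads as intended.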
258 changes: 117 additions & 141 deletions .github/workflows/main.yml
@@ -1,107 +1,107 @@
name: 'Main'
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: "Main"

on:
push:
tags: ['*']
branches: ['*']
tags: ["*"]
branches: ["*"]
pull_request:
branches: ['*']
branches: ["*"]
workflow_dispatch:

permissions: {}

jobs:

gofmt:
name: 'Gofmt'
runs-on: 'ubuntu-latest'
name: "Gofmt"
runs-on: "ubuntu-latest"
permissions:
contents: 'read'
contents: "read"
steps:
- name: 'Checkout'
uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332'
- name: 'Set up Go'
uses: 'actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7'
- name: "Checkout"
uses: "actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332"
- name: "Set up Go"
uses: "actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32"
with:
go-version-file: './go.mod'
go-version-file: "./go.mod"
check-latest: true
- name: 'Gofmt'
- name: "Gofmt"
run: |
make gofmt
staticcheck:
name: 'Staticcheck'
runs-on: 'ubuntu-latest'
name: "Staticcheck"
runs-on: "ubuntu-latest"
permissions:
contents: 'read'
contents: "read"
steps:
- name: 'Checkout'
uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332'
- name: 'Set up Go'
uses: 'actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7'
- name: "Checkout"
uses: "actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332"
- name: "Set up Go"
uses: "actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32"
with:
go-version-file: './go.mod'
go-version-file: "./go.mod"
check-latest: true
- name: 'Staticcheck'
uses: 'dominikh/staticcheck-action@fe1dd0c3658873b46f8c9bb3291096a617310ca6'
- name: "Staticcheck"
uses: "dominikh/staticcheck-action@fe1dd0c3658873b46f8c9bb3291096a617310ca6"
with:
install-go: false

test:
name: 'Test on ${{ matrix.os }}'
needs: ['gofmt', 'staticcheck']
runs-on: '${{ matrix.os }}'
name: "Test on ${{ matrix.os }}"
needs: ["gofmt", "staticcheck"]
runs-on: "${{ matrix.os }}"
permissions:
contents: 'read'
contents: "read"
strategy:
fail-fast: false
matrix:
os: ['ubuntu-latest', 'windows-latest', 'macos-latest']
os: ["ubuntu-latest", "windows-latest", "macos-latest"]
steps:
- name: 'Checkout'
uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332'
- name: 'Set up Go'
uses: 'actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7'
- name: "Checkout"
uses: "actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332"
- name: "Set up Go"
uses: "actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32"
with:
go-version-file: './go.mod'
go-version-file: "./go.mod"
check-latest: true
- name: 'Test'
- name: "Test"
run: |
make test
test-race:
name: 'Test race'
needs: ['gofmt', 'staticcheck']
runs-on: 'ubuntu-latest'
name: "Test race"
needs: ["gofmt", "staticcheck"]
runs-on: "ubuntu-latest"
permissions:
contents: 'read'
contents: "read"
steps:
- name: 'Checkout'
uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332'
- name: 'Set up Go'
uses: 'actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7'
- name: "Checkout"
uses: "actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332"
- name: "Set up Go"
uses: "actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32"
with:
go-version-file: './go.mod'
go-version-file: "./go.mod"
check-latest: true
- name: 'Test race'
- name: "Test race"
run: |
make test-race
test-e2e:
name: 'Test e2e'
needs: ['gofmt', 'staticcheck']
runs-on: 'ubuntu-20.04'
name: "Test e2e"
needs: ["gofmt", "staticcheck"]
runs-on: "ubuntu-24.04"
permissions:
contents: 'read'
contents: "read"
steps:
- name: 'Checkout'
uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332'
- name: 'Set up Go'
uses: 'actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7'
- name: "Checkout"
uses: "actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332"
- name: "Set up Go"
uses: "actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32"
with:
go-version-file: './go.mod'
go-version-file: "./go.mod"
check-latest: true
- name: 'Test e2e'
- name: "Test e2e"
run: |
make test-e2e
@@ -110,71 +110,70 @@ jobs:
Build for
${{ matrix.go.GOOS }}-${{ matrix.go.GOARCH }}
${{ matrix.go.GOARM != '' && format('v{0}', matrix.go.GOARM) || '' }}
needs: ['test', 'test-race', 'test-e2e']
runs-on: 'ubuntu-latest'
needs: ["test", "test-race", "test-e2e"]
runs-on: "ubuntu-latest"
permissions:
contents: 'read'
contents: "read"
strategy:
fail-fast: false
matrix:
go: [
{ GOOS: 'linux', GOARCH: 'amd64' },
{ GOOS: 'linux', GOARCH: 'arm64' },
{ GOOS: 'linux', GOARCH: 'arm', GOARM: '7' },
{ GOOS: 'linux', GOARCH: 'arm', GOARM: '6' },
{ GOOS: 'linux', GOARCH: 'riscv64' },
{ GOOS: 'linux', GOARCH: 'ppc64le' },
{ GOOS: 'linux', GOARCH: 's390x' },
{ GOOS: 'windows', GOARCH: 'amd64' },
{ GOOS: 'windows', GOARCH: 'arm64' },
{ GOOS: 'darwin', GOARCH: 'amd64' },
{ GOOS: 'darwin', GOARCH: 'arm64' },
]
go:
- { GOOS: "linux", GOARCH: "amd64" }
- { GOOS: "linux", GOARCH: "arm64" }
- { GOOS: "linux", GOARCH: "arm", GOARM: "7" }
- { GOOS: "linux", GOARCH: "arm", GOARM: "6" }
- { GOOS: "linux", GOARCH: "riscv64" }
- { GOOS: "linux", GOARCH: "ppc64le" }
- { GOOS: "linux", GOARCH: "s390x" }
- { GOOS: "windows", GOARCH: "amd64" }
- { GOOS: "windows", GOARCH: "arm64" }
- { GOOS: "darwin", GOARCH: "amd64" }
- { GOOS: "darwin", GOARCH: "arm64" }
steps:
- name: 'Checkout'
uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332'
- name: 'Set up Go'
uses: 'actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7'
- name: "Checkout"
uses: "actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332"
- name: "Set up Go"
uses: "actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32"
with:
go-version-file: './go.mod'
go-version-file: "./go.mod"
check-latest: true
- name: 'Build'
- name: "Build"
run: |
make build \
GOOS="${{ matrix.go.GOOS }}" \
GOARCH="${{ matrix.go.GOARCH }}" \
GOARM="${{ matrix.go.GOARM }}"
file ./dist/*-*-* && gzip -nv ./dist/*-*-*
- name: 'Upload artifacts'
uses: 'actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808'
- name: "Upload artifacts"
uses: "actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a"
with:
name: 'dist-${{ matrix.go.GOOS }}-${{ matrix.go.GOARCH }}-${{ matrix.go.GOARM }}'
path: './dist/*.gz'
name: "dist-${{ matrix.go.GOOS }}-${{ matrix.go.GOARCH }}-${{ matrix.go.GOARM }}"
path: "./dist/*.gz"
retention-days: 1

build-push-docker:
name: 'Build and push Docker images'
needs: ['build']
runs-on: 'ubuntu-latest'
name: "Build and push Docker images"
needs: ["build"]
runs-on: "ubuntu-latest"
permissions:
contents: 'read'
contents: "read"
steps:
- name: 'Checkout'
uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332'
- name: 'Set up QEMU'
uses: 'docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3'
- name: 'Set up Docker Buildx'
uses: 'docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb'
- name: 'Login to Docker Hub'
- name: "Checkout"
uses: "actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332"
- name: "Set up QEMU"
uses: "docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf"
- name: "Set up Docker Buildx"
uses: "docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db"
- name: "Login to Docker Hub"
if: "github.event_name != 'pull_request'"
uses: 'docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446'
uses: "docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567"
with:
registry: 'docker.io'
username: '${{ secrets.DOCKERHUB_USERNAME }}'
password: '${{ secrets.DOCKERHUB_TOKEN }}'
- name: 'Extract metadata'
id: 'meta'
uses: 'docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81'
registry: "docker.io"
username: "${{ secrets.DOCKERHUB_USERNAME }}"
password: "${{ secrets.DOCKERHUB_TOKEN }}"
- name: "Extract metadata"
id: "meta"
uses: "docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81"
with:
images: |
docker.io/${{ github.repository }}
@@ -183,53 +182,30 @@ jobs:
type=semver,pattern=v{{version}}
type=semver,pattern=v{{major}}.{{minor}}
type=semver,pattern=v{{major}}
- name: 'Build and push'
uses: 'docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003'
- name: "Build and push"
uses: "docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85"
with:
context: './'
platforms: 'linux/amd64,linux/arm64/v8,linux/arm/v7,linux/arm/v6,linux/riscv64,linux/ppc64le,linux/s390x'
tags: '${{ steps.meta.outputs.tags }}'
labels: '${{ steps.meta.outputs.labels }}'
context: "./"
platforms: "linux/amd64,linux/arm64/v8,linux/arm/v7,linux/arm/v6,linux/riscv64,linux/ppc64le,linux/s390x"
tags: "${{ steps.meta.outputs.tags }}"
labels: "${{ steps.meta.outputs.labels }}"
push: "${{ github.event_name != 'pull_request' }}"

release-github:
name: 'Create GitHub release'
publish-github-release:
name: "Publish GitHub release"
if: "startsWith(github.ref, 'refs/tags/v')"
needs: ['build', 'build-push-docker']
runs-on: 'ubuntu-latest'
needs: ["build", "build-push-docker"]
runs-on: "ubuntu-latest"
permissions:
contents: 'write'
contents: "write"
steps:
- name: 'Download artifacts'
uses: 'actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e'
- name: "Download artifacts"
uses: "actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16"
with:
pattern: 'dist-*'
pattern: "dist-*"
merge-multiple: true
- name: 'Create release'
env:
GITHUB_PAT: '${{ secrets.GITHUB_TOKEN }}'
run: |
RELEASE_STATUS="$(curl -fs --proto '=https' --tlsv1.3 --globoff \
--url "https://api.github.com/repos/${GITHUB_REPOSITORY:?}/releases/tags/${GITHUB_REF_NAME:?}" \
--header "Authorization: Bearer ${GITHUB_PAT:?}" \
--header 'Accept: application/vnd.github.v3+json' \
--header 'Content-Type: application/json' \
--write-out '%{http_code}' --output /dev/null ||:)"
if [ "${RELEASE_STATUS:?}" = '200' ]; then exit 0; fi
RELEASE_ID="$(curl -fsS --proto '=https' --tlsv1.3 --globoff \
--url "https://api.github.com/repos/${GITHUB_REPOSITORY:?}/releases" \
--header "Authorization: Bearer ${GITHUB_PAT:?}" \
--header 'Accept: application/vnd.github.v3+json' \
--header 'Content-Type: application/json' \
--data "$(jq -rn --arg tag "${GITHUB_REF_NAME:?}" '{"name": $tag, "tag_name": $tag, "generate_release_notes": true}')" | jq -r '.id')"
if [ -z "${RELEASE_ID-}" ] || [ "${RELEASE_ID:?}" = 'null' ]; then exit 1; fi
for asset in ./*; do
[ -f "${asset:?}" ] || continue
encodedAssetName="$(jq -rn --arg v "$(basename "${asset:?}")" '$v|@uri')"
curl -fsS --proto '=https' --tlsv1.3 --globoff \
--url "https://uploads.github.com/repos/${GITHUB_REPOSITORY:?}/releases/${RELEASE_ID:?}/assets?name=${encodedAssetName:?})" \
--header "Authorization: Bearer ${GITHUB_PAT:?}" \
--header 'Accept: application/vnd.github.v3+json' \
--header 'Content-Type: application/octet-stream' \
--data-binary "@${asset:?}" --output /dev/null
done
path: "assets"
- name: "Publish"
uses: "hectorm/ghaction-release@066200d04c3549852afa243d631ea3dc93390f68"
with:
assets-path: "./assets/"
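Review bot: The `Publish` step delegates release creation to `hectorm/ghaction-release` with only a bare SHA pin, so the behaviour the removed inline script made explicit — return early when a release for the tag already exists, otherwise create it with `generate_release_notes` and upload every file under the artifact directory — is no longer visible in the workflow, and whether a re-run of a tag build now fails, duplicates, or is a no-op depends on the action. That should be checked against the action's inputs, and a short comment above the `uses:` line naming the pinned release and the expected re-run behaviour would document it. The same style point applies file-wide: each `uses:` is pinned to a 40-character SHA without a trailing tag comment, e.g. `uses: "actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332" # <tag this SHA resolves to>`, which is the usual way to keep pins auditable while Dependabot moves them. Keeping `contents: "write"` scoped to the release job alone while every other job stays at `contents: "read"` is right and worth preserving as the action's inputs evolve.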