purpleclay · purpleclay · Oct 11, 2023 · Oct 10, 2023 · Oct 11, 2023 · Oct 11, 2023
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Purple Clay
+# Copyright (c) 2022 - 2023 Purple Clay
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -17,20 +17,19 @@
 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
+version = 1
 
-name: dependency-review
-on:
-  pull_request:
+test_patterns = [
+  "**/*_test.go"
+]
 
-permissions:
-  contents: read
+[[analyzers]]
+name = "go"
+enabled = true
 
-jobs:
-  dependency-review:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+    [analyzers.meta]
+    import_root = "github.com/purpleclay/dns53"
 
-      - name: Dependency Review
-        uses: actions/dependency-review-action@v3
+[[analyzers]]
+name = "secret"
+enabled = true
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Purple Clay
+# Copyright (c) 2022 - 2023 Purple Clay
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Purple Clay
+# Copyright (c) 2022 - 2023 Purple Clay
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -29,87 +29,34 @@ on:
       - "go.mod"
       - "go.sum"
   pull_request:
+    branches:
+      - main
     paths:
+      - .github/workflows/ci.yml
       - "**/*.go"
       - "*.go"
       - "go.mod"
       - "go.sum"
+
+permissions:
+  contents: read
+
 jobs:
-  ci:
+  # By splitting testing into its own job will ensure the needs: clause for
+  # static-analysis runs without waiting on the entire matrix. Jobs that run
+  # against macos and windows are considerably slower
+  test:
+    uses: purpleclay/github/.github/workflows/go-test.yml@main
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Set Git Line Endings
-        run: |
-          git config --global core.autocrlf false
-          git config --global core.eol lf
-        if: matrix.os == 'windows-latest'
-
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup Go
-        uses: actions/setup-go@v4
-        with:
-          go-version: 1.19
-
-      - name: Cache Go
-        uses: actions/cache@v3
-        with:
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Install Task
-        uses: arduino/setup-task@v1
-        with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Test
-        run: task test
-
-      - name: Build
-        run: task build
-
-      # All static checks from this point should run on linux as it is the
-      # fastest platform
-      - name: Integration Test
-        if: matrix.os == 'ubuntu-latest'
-        run: task integration-test
-
-      # Temporary workaround until the golangci-lint GitHub action supports 1.19
-      - name: Install golangci-lint
-        if: matrix.os == 'ubuntu-latest'
-        run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
-
-      - name: Lint Code
-        if: matrix.os == 'ubuntu-latest'
-        run: task lint
-
-      - name: misspell
-        if: matrix.os == 'ubuntu-latest'
-        uses: reviewdog/action-misspell@v1
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          locale: "UK"
-          exclude: |
-            ./go.mod
-            ./go.sum
-            ./.goreleaser.yml
-            ./Taskfile.yaml
-            ./.github/workflows/**
-            ./CODE_OF_CONDUCT.md
-
-      - name: SonarCloud Scan
-        if: matrix.os == 'ubuntu-latest'
-        uses: SonarSource/sonarcloud-github-action@master
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+    with:
+      go-version: ${{ vars.GO_VERSION }}
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+
+  lint:
+    uses: purpleclay/github/.github/workflows/golangci-lint.yml@main
+    with:
+      version: ${{ vars.GOLANGCI_LINT_VERSION }}
+      go-version: ${{ vars.GO_VERSION }}
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Purple Clay
+# Copyright (c) 2022 - 2023 Purple Clay
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -18,26 +18,35 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
 
-name: dependabot-merge
-on: pull_request
+name: code-security
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "**/*.go"
+      - "*.go"
+      - "go.mod"
+      - "go.sum"
+  pull_request:
+    branches:
+      - main
+    paths:
+      - "**/*.go"
+      - "*.go"
+      - "go.mod"
+      - "go.sum"
 
 permissions:
-  contents: write
+  actions: read
+  contents: read
+  security-events: write
 
 jobs:
-  dependabot:
-    runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
-    steps:
-      - name: Fetch Metadata
-        id: metadata
-        uses: dependabot/[email protected]
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-
-      # Will only merge if all checks pass and approvals are present
-      - name: Auto-merge PR
-        run: gh pr merge --auto --squash "$PR_URL"
-        env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GH_TOKEN: ${{ secrets.GH_AUTOMERGE }}
+  security-checks:
+    if: ${{ github.actor != 'dependabot[bot]' }}
+    uses: purpleclay/github/.github/workflows/code-security.yml@main
+    with:
+      go-version: ${{ vars.GO_VERSION }}
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Purple Clay
+# Copyright (c) 2022 - 2023 Purple Clay
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -33,6 +33,10 @@ on:
       - "docs/**"
       - "mkdocs.yml"
   workflow_dispatch:
+
+permissions:
+  contents: write
+
 jobs:
   build-docs:
     runs-on: ubuntu-latest
@@ -49,12 +53,12 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GH_GHCR }}
 
-      - run: docker pull ghcr.io/purpleclay/mkdocs-material-insiders
+      - run: docker pull ghcr.io/purpleclay/mkdocs-material-insiders:${{ vars.MKDOCS_MATERIAL_INSIDERS_VERSION }}
 
       - name: Build
+        run: docker run --rm -i -v ${PWD}:/docs ghcr.io/purpleclay/mkdocs-material-insiders:${{ vars.MKDOCS_MATERIAL_INSIDERS_VERSION }} build
         env:
-          GH_TOKEN: ${{ secrets.GH_MKDOCS }}
-        run: docker run --rm -i -e GH_TOKEN=${GH_TOKEN} -v ${PWD}:/docs ghcr.io/purpleclay/mkdocs-material-insiders build
+          CI: true
 
       - name: HTML Test
         uses: wjdp/htmltest-action@master
@@ -63,7 +67,7 @@ jobs:
           config: htmltest.yml
 
       - name: Patch mkdocs.yml Site URL
-        if: startsWith(github.ref, 'refs/tags/v') || ${{ github.event_name == 'workflow_dispatch' }}
+        if: ${{ startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'workflow_dispatch') }}
         uses: jacobtomlinson/gha-find-replace@v3
         with:
           find: 'site_url: ""'
@@ -72,7 +76,7 @@ jobs:
           include: mkdocs.yml
 
       - name: Patch mkdocs.yml Edit URI
-        if: startsWith(github.ref, 'refs/tags/v') || ${{ github.event_name == 'workflow_dispatch' }}
+        if: ${{ startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'workflow_dispatch') }}
         uses: jacobtomlinson/gha-find-replace@v3
         with:
           find: 'edit_uri: ""'
@@ -81,7 +85,7 @@ jobs:
           include: mkdocs.yml
 
       - name: Deploy documentation
-        if: startsWith(github.ref, 'refs/tags/v') || ${{ github.event_name == 'workflow_dispatch' }}
+        if: ${{ startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'workflow_dispatch') }}
+        run: docker run --rm -i -v ${PWD}:/docs ghcr.io/purpleclay/mkdocs-material-insiders:${{ vars.MKDOCS_MATERIAL_INSIDERS_VERSION }} gh-deploy --force
         env:
-          GH_TOKEN: ${{ secrets.GH_MKDOCS }}
-        run: docker run --rm -i -e GH_TOKEN=${GH_TOKEN} -v ${PWD}:/docs ghcr.io/purpleclay/mkdocs-material-insiders gh-deploy --force
+          CI: true
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Purple Clay
+# Copyright (c) 2023 Purple Clay
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -18,23 +18,27 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
 
-name: uplift
+name: nsv
 on:
   workflow_dispatch:
 
 jobs:
-  uplift:
+  nsv:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GH_UPLIFT }}
+          token: ${{ secrets.GH_NSV }}
 
-      - name: Release
-        uses: gembaadvantage/uplift-action@v2.0.1
+      - name: Tag
+        uses: purpleclay/nsv-action@v1
         with:
-          args: release --skip-changelog
+          token: ${{ secrets.GH_NSV }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_UPLIFT }}
+          GPG_PRIVATE_KEY: "${{ secrets.GPG_PRIVATE_KEY }}"
+          GPG_PASSPHRASE: "${{ secrets.GPG_PASSPHRASE }}"
+          GPG_TRUST_LEVEL: "${{ secrets.GPG_TRUST_LEVEL }}"