diff --git a/.github/workflows/check-generated.yml b/.github/workflows/check-generated.yml index b303341..40980dd 100644 --- a/.github/workflows/check-generated.yml +++ b/.github/workflows/check-generated.yml @@ -13,27 +13,7 @@ on: workflow_dispatch: {} jobs: - check-go-generate: - runs-on: ubuntu-latest - timeout-minutes: 10 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install Go - uses: actions/setup-go@v4 - with: - go-version-file: go.mod - check-latest: true - - - name: Ensure 'go generate' is clean - run: | - # shellcheck disable=SC2046 - go generate $(go list ./...) - echo - echo - - if ! git diff --name-only --exit-code; then - echo "The files above need updating. Please run 'go generate'." - exit 1 - fi + check-generated: + permissions: + contents: read + uses: capnspacehook/go-workflows/.github/workflows/check-generated.yml@master diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 715c71d..a6b4a24 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,4 +1,4 @@ -name: CodeQL +name: Run CodeQL on: push: 
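Review bot: The new `uses:` line pins the reusable workflow to the mutable `master` ref of `capnspacehook/go-workflows`, so each run executes whatever that branch holds at the moment and a push there changes this repository's CI without a reviewable diff here. Pin to a full commit SHA with the version in a trailing comment, e.g. `uses: capnspacehook/go-workflows/.github/workflows/check-generated.yml@<40-char-sha> # v1.0.0`, and let Dependabot propose bumps. The job id also changes from `check-go-generate` to `check-generated`; if branch protection lists required checks by name, that rule needs the new name or merges will stall. The caller's `permissions: contents: read` is the right floor, since a called workflow cannot escalate beyond what the caller grants.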
@@ -13,43 +13,9 @@ on: workflow_dispatch: {} jobs: - analyze: - runs-on: ubuntu-latest - timeout-minutes: 15 + codeql: permissions: - actions: read + actions: write contents: read security-events: write - - strategy: - fail-fast: false - matrix: - language: - - go - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: "/language:${{matrix.language}}" + uses: capnspacehook/go-workflows/.github/workflows/codeql.yml@master diff --git a/.github/workflows/lint-actions.yml b/.github/workflows/lint-actions.yml index 02f78c0..bef7520 100644 --- a/.github/workflows/lint-actions.yml +++ b/.github/workflows/lint-actions.yml @@ -9,20 +9,6 @@ on: jobs: lint-workflows: - runs-on: ubuntu-latest - timeout-minutes: 10 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install Go - uses: actions/setup-go@v4 - with: - go-version-file: go.mod - check-latest: true - - - name: Lint workflow files - run: | - echo "::add-matcher::.github/actionlint-matcher.json" - go install github.com/rhysd/actionlint/cmd/actionlint@latest - actionlint + permissions: + contents: read + uses: capnspacehook/go-workflows/.github/workflows/lint-actions.yml@master 
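Review bot: `actions: read` becomes `actions: write` in the caller's permissions, a widening the hunk does not explain, and the inline CodeQL steps it replaces only needed `actions: read` plus `security-events: write` to upload results. If the reusable workflow genuinely needs `actions: write` (presumably for cache or run management — not visible here), document it on the line, e.g. `actions: write # required by go-workflows codeql.yml for <reason>`; otherwise drop it back to `read`. A job that can write security events and is driven by a `@master` ref should also be pinned to a commit SHA, since a change to that branch could upload SARIF that hides findings.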
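Review bot: The removed step registered `.github/actionlint-matcher.json` from this repository, but the replacement `uses:` call passes no inputs, so whether that matcher and this repo's workflow files are still linted depends on what the reusable workflow checks out, which cannot be seen from here. If the matcher file is no longer read it should be deleted so it does not drift; if it is, a comment on the call such as `# go-workflows lint-actions.yml runs actionlint against the caller's checkout` would record the dependency. As with the other files, prefer a commit SHA over `@master` for the `uses:` ref.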
diff --git a/.github/workflows/lint-docker.yml b/.github/workflows/lint-docker.yml index 6ed8493..eaa71e3 100644 --- a/.github/workflows/lint-docker.yml +++ b/.github/workflows/lint-docker.yml @@ -9,13 +9,6 @@ on: jobs: lint-dockerfile: - runs-on: ubuntu-latest - timeout-minutes: 10 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Lint Dockerfile - uses: hadolint/hadolint-action@v3.1.0 - with: - dockerfile: Dockerfile + permissions: + contents: read + uses: capnspacehook/go-workflows/.github/workflows/lint-docker.yml@master diff --git a/.github/workflows/lint-go.yml b/.github/workflows/lint-go.yml index 9653af7..f1bfc1f 100644 --- a/.github/workflows/lint-go.yml +++ b/.github/workflows/lint-go.yml 
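Review bot: The explicit `dockerfile: Dockerfile` input and the exact `hadolint-action@v3.1.0` pin disappear with the inline job, and the new `uses:` call has no `with:` block, so both the file linted and the hadolint version now come from the remote workflow's defaults, which this diff cannot show. If the reusable workflow exposes a `dockerfile` input, passing `with:` / `dockerfile: Dockerfile` keeps the target reviewable in this repo. Pinning `@master` to a commit SHA would also fix which hadolint version runs against this image.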
@@ -11,62 +11,7 @@ on: workflow_dispatch: {} jobs: - check-mod-tidy: - runs-on: ubuntu-latest - timeout-minutes: 10 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install Go - id: install-go - uses: actions/setup-go@v4 - with: - go-version-file: go.mod - check-latest: true - - - name: Ensure go.mod was tidied - run: | - go mod tidy -compat ${{ steps.install-go.outputs.go-version }} - STATUS=$(git status --porcelain go.mod go.sum) - if [ -n "$STATUS" ]; then - echo "Running go mod tidy modified go.mod and/or go.sum" - exit 1 - fi - exit 0 - - staticcheck: - runs-on: ubuntu-latest - timeout-minutes: 10 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install Go - id: install-go - uses: actions/setup-go@v4 - with: - go-version-file: go.mod - check-latest: true - - - name: Lint with staticcheck - uses: dominikh/staticcheck-action@v1.3.0 - with: - install-go: false - - golangci-lint: - runs-on: ubuntu-latest - timeout-minutes: 15 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install Go - id: install-go - uses: actions/setup-go@v4 - with: - go-version-file: go.mod - check-latest: true - - - name: Lint with golangci-lint - uses: golangci/golangci-lint-action@v3.7.0 + lint-go: + permissions: + contents: read + uses: capnspacehook/go-workflows/.github/workflows/lint-go.yml@master diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 323b54c..c59b1b6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
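Review bot: Three separately pinned jobs (`staticcheck-action@v1.3.0`, `golangci-lint-action@v3.7.0`, plus the `go mod tidy` check) collapse into one `lint-go` job pointed at the floating `master` of another repository, so the linter versions applied to this code are now chosen outside this repo and can differ between two runs of the same commit. Pin the reusable workflow to a commit SHA so linter upgrades arrive as reviewable version bumps. The old `go mod tidy -compat ${{ steps.install-go.outputs.go-version }}` guard is gone from this file; whether the reusable workflow still fails on an untidy `go.mod`/`go.sum` is not visible here and is worth confirming, since an untidy module file is how stray dependencies slip in.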
@@ -8,126 +8,9 @@ on: - "v*.*.*" jobs: - release-binary: - runs-on: ubuntu-latest - if: github.ref_type == 'tag' - timeout-minutes: 15 + release: permissions: id-token: write contents: write - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Checkout tags - run: git fetch --force --tags - - - name: Install Go - uses: actions/setup-go@v4 - with: - go-version-file: go.mod - check-latest: true - - - name: Install cosign - uses: sigstore/cosign-installer@main - - - name: Build and release with goreleaser - uses: goreleaser/goreleaser-action@v5 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - distribution: goreleaser - version: latest - args: release - - release-image: - runs-on: ubuntu-latest - timeout-minutes: 15 - permissions: - id-token: write packages: write - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install cosign - uses: sigstore/cosign-installer@v3 - - - name: Install Docker buildx - uses: docker/setup-buildx-action@v3 - - - name: Build list of Docker tags to use - id: tag-types - run: | - if [[ ${{ contains(github.ref, 'tag') }} == true ]]; then - TAGS=" - type=semver,pattern={{major}},priority=920 - type=semver,pattern={{major}}.{{minor}},priority=910 - type=semver,pattern={{version}},priority=900 - type=ref,event=branch - type=sha,format=long" - else - TAGS=" - type=ref,event=branch - type=sha,format=long" - fi - - # https://trstringer.com/github-actions-multiline-strings - { - echo "TAGS<> "$GITHUB_ENV" - - - name: Set Docker labels and tags - id: metadata - uses: docker/metadata-action@v5 - with: - images: ghcr.io/${{ github.repository }} - flavor: | - latest=true - tags: ${{ env.TAGS }} - - - name: Login to container registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Get latest git tag - id: get-tag - uses: olegtarasov/get-tag@v2.1 - - - name: Set build arguments - id: 
build-args - run: | - VERSION=${{ steps.get-tag.outputs.tag }} - if [[ -z ${VERSION} ]]; then - VERSION=devel - fi - echo "version=${VERSION}" >> "${GITHUB_OUTPUT}" - - - name: Build and push Docker image - id: build-push - uses: docker/build-push-action@v5 - with: - context: . - push: true - build-args: | - VERSION=${{ steps.build-args.outputs.version }} - tags: ${{ steps.metadata.outputs.tags }} - labels: ${{ steps.metadata.outputs.labels }} - - - name: Sign container image - env: - COSIGN_EXPERIMENTAL: "true" - run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.build-push.outputs.digest }} - - - name: Scan container image for vulnerabilities - uses: chainguard-images/actions/vul-scans@main - with: - image: ghcr.io/${{ github.repository }}@${{ steps.build-push.outputs.digest }} - RUN_SNYK: false + uses: capnspacehook/go-workflows/.github/workflows/release.yml@master diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index cd56aca..1a1419d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,6 +10,9 @@ on: workflow_dispatch: {} +permissions: + contents: read + jobs: race-test: # required for nftables to work correctly @@ -20,10 +23,12 @@ jobs: uses: actions/checkout@v4 - name: Install Go - uses: actions/setup-go@v4 + uses: WillAbides/setup-go-faster@v1.11.0 with: go-version-file: go.mod - check-latest: true + + - name: Cache Go files + uses: capnspacehook/cache-go@v1 # the test is compiled and run as root so that whalewall can # interface with nftables, which is a privileged operation @@ -39,10 +44,12 @@ jobs: uses: actions/checkout@v4 - name: Install Go - uses: actions/setup-go@v4 + uses: WillAbides/setup-go-faster@v1.11.0 with: go-version-file: go.mod - check-latest: true + + - name: Cache Go files + uses: capnspacehook/cache-go@v1 # run the integration tests but use a binary to create rules # to test with landlock and seccomp filters active 
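Review bot: The `release` job hands `id-token: write`, `contents: write` and `packages: write` to a workflow referenced as `@master`, so anyone who can push to `capnspacehook/go-workflows` can mint OIDC tokens in this repository's identity, keyless-sign images with cosign, and publish releases and `ghcr.io` packages for it — the inline job it replaces kept all of that under this repo's own review. This is the one ref that must be a full commit SHA, e.g. `uses: capnspacehook/go-workflows/.github/workflows/release.yml@<40-char-sha> # v1.0.0`. It is good that the call does not use `secrets: inherit`; keep it that way. The old `release-binary` job was guarded by `if: github.ref_type == 'tag'`; whether the reusable workflow preserves that guard is not visible here, so confirm a non-tag trigger cannot publish.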
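Review bot: `actions/setup-go@v4` is swapped for the third-party `WillAbides/setup-go-faster@v1.11.0` plus a new `capnspacehook/cache-go@v1` step, both pinned to movable tags, in a job whose comment says its test binary runs as root; a repointed tag would run arbitrary code on that runner with no diff in this repo. Pin both by commit SHA, e.g. `uses: WillAbides/setup-go-faster@<40-char-sha> # v1.11.0` and `uses: capnspacehook/cache-go@<40-char-sha> # v1`. `check-latest: true` is also dropped, so the toolchain is now whatever the new action resolves from `go.mod` — presumably the exact version listed rather than the newest patch release — so confirm that is intended, since security patches in Go point releases would no longer be picked up automatically. The same substitution appears in the later hunks of this file and should be pinned the same way.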
@@ -71,10 +78,12 @@ jobs: tags: whalewall:test - name: Install Go - uses: actions/setup-go@v4 + uses: WillAbides/setup-go-faster@v1.11.0 with: go-version-file: go.mod - check-latest: true + + - name: Cache Go files + uses: capnspacehook/cache-go@v1 # run the integration tests but use a container to create rules # to test with landlock and seccomp filters active diff --git a/.github/workflows/vuln.yml b/.github/workflows/vuln.yml index 6fb74da..e96715d 100644 --- a/.github/workflows/vuln.yml +++ b/.github/workflows/vuln.yml @@ -13,20 +13,7 @@ on: workflow_dispatch: {} jobs: - govulncheck: - runs-on: ubuntu-latest - timeout-minutes: 10 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Install Go - uses: actions/setup-go@v4 - with: - go-version-file: go.mod - check-latest: true - - - name: Scan for known vulnerable dependencies - run: | - go install golang.org/x/vuln/cmd/govulncheck@latest - govulncheck ./... + vuln-check: + permissions: + contents: read + uses: capnspacehook/go-workflows/.github/workflows/vuln.yml@master
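Review bot: The `vuln-check` job now trusts a workflow at a mutable `master` ref to decide whether this repo ships known-vulnerable dependencies, so a change to that branch (or a compromise of that repository) can silently turn the check green; pin it to a commit SHA, `uses: capnspacehook/go-workflows/.github/workflows/vuln.yml@<40-char-sha> # v1.0.0`. The removed step itself ran `go install golang.org/x/vuln/cmd/govulncheck@latest`, an unpinned install, so the move is a chance to pin govulncheck as well if the reusable workflow does not already. The result is advisory only unless branch protection requires the `vuln-check` job by its new name.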