Add branch-protection workflow, preventing PRs targetting main branch (…

…#221) * Add branch-protection workflow, preventing PRs targetting main branch * Bunp go version and update ci.yaml with fixes to steps aligning pre-main * Fix linting errors. These fixes are already available on pre-main, to maintain consistant CI workflowresults pushing them to main
intelops · Nov 14, 2024 · 4e34a7c · 4e34a7c
1 parent 14cc6a9
commit 4e34a7c
Show file tree

Hide file tree

Showing 9 changed files with 57 additions and 20 deletions.
diff --git a/.github/workflows/branch-protection.yaml b/.github/workflows/branch-protection.yaml
@@ -0,0 +1,20 @@
+name: Check pull request source branch
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - edited
+    branches:
+      - "main"
+jobs:
+  check-branches:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check branches
+        run: |
+          if [ ${{ github.head_ref }} != "pre-main" ] && [ ${{ github.base_ref }} == "main" ]; then
+            echo "ERROR: Merge requests to main branch are only allowed from 'pre-main' branch."
+            exit 1
+          fi
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -17,27 +17,29 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
         with:
-          go-version: "1.22"
+          go-version: "1.23"
           cache: false
       - name: Run tests
-        run: go test ./... -coverprofile=coverage.out -coverpkg=./... -covermode=atomic
+        run: |
+          go mod tidy
+          go test ./... -coverprofile=coverage.out -coverpkg=./... -covermode=atomic
       - name: golangci-lint
         uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6
         with:
-          version: v1.59
+          version: v1.60
           args: -v --config=.ci.yml
           skip-pkg-cache: true
           skip-build-cache: true
 
       - name: Static check
         uses: dominikh/staticcheck-action@fe1dd0c3658873b46f8c9bb3291096a617310ca6 # v1.3.1
         with:
-          version: "2023.1.6"
+          version: "2024.1.1"
           install-go: false
-          cache-key: "1.22"
+          cache-key: "1.23"
       - name: Run Trivy vulnerability scanner in repo mode
         uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
         with:
@@ -46,7 +48,12 @@ jobs:
           format: sarif
           output: "trivy-results.sarif"
           severity: "CRITICAL,HIGH"
+        env:
+          # Use AWS' ECR mirror for the trivy-db image, as GitHub's Container
+          # Registry is returning a TOOMANYREQUESTS error.
+          # Ref: https://github.com/aquasecurity/trivy-action/issues/389
+          TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db:2"
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3
         with:
           sarif_file: "trivy-results.sarif"
diff --git a/cmd/artifact_pull.go b/cmd/artifact_pull.go
@@ -106,8 +106,8 @@ func runPullArtifactCmd(cmd *cobra.Command, args []string) error {
 	defer spin.Stop()
 
 	if err := oci.PullArtifact(context.Background(), pullArgs.creds, pullArgs.dest, pullArgs.path); err != nil {
-		fe := color.RedString("Error pulling artifact from remote: %v", err)
-		return fmt.Errorf(fe)
+		errorMessage := color.RedString("Error pulling artifact from remote: %v", err)
+		return fmt.Errorf("%s", errorMessage)
 	}
 	spin.Stop()
 	color.Green("Artifact from %s pulled and stored in :%s", pullArgs.dest, pullArgs.path)

diff --git a/cmd/artifact_push.go b/cmd/artifact_push.go
@@ -200,8 +200,13 @@ func runPushCmd(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	log.Infof(color.GreenString("✔ Artifact pushed successfully to: %v", pushArgs.dest))
-	log.Infof(color.GreenString("✔ Digest: %v", digest))
-	log.Infof(color.GreenString("✔ Digest URL: %v\n", digestURL))
+	// Create formatted messages # Fix govet warnings
+	artifactMessage := color.GreenString("✔ Artifact pushed successfully to: %v", pushArgs.dest)
+	digestMessage := color.GreenString("✔ Digest: %v", digest)
+	digestURLMessage := color.GreenString("✔ Digest URL: %v\n", digestURL)
+
+	log.Info(artifactMessage)
+	log.Info(digestMessage)
+	log.Info(digestURLMessage)
 	return nil
 }
diff --git a/cmd/regoval_dockerfileval.go b/cmd/regoval_dockerfileval.go
@@ -86,7 +86,6 @@ func runDockerfilevalCmd(cmd *cobra.Command, args []string) error {
 	}
 
 	if policy == "" || strings.HasPrefix(policy, "oci://") {
-
 		if err := validate.ValidateWithOCIPolicies(string(dockerfilefileContent),
 			policy,
 			cmd.Name(),
@@ -102,6 +101,8 @@ func runDockerfilevalCmd(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	log.Infof(color.GreenString("Dockerfile: %v validation completed!\n", input))
+	logMessage := color.GreenString("Dockerfile: %v validation completed!\n", input)
+
+	log.Info(logMessage)
 	return nil
 }
diff --git a/cmd/regoval_infrafile.go b/cmd/regoval_infrafile.go
@@ -94,6 +94,7 @@ func runinfrafileCmd(cmd *cobra.Command, args []string) error {
 			return fmt.Errorf("validating %v failed: %v", inputFile, err)
 		}
 	}
-	log.Infof(color.GreenString("infrafile validation for: %v completed", inputFile))
+	logMessage := color.GreenString("infrafile validation for: %v completed", inputFile)
+	log.Info(logMessage)
 	return nil
 }
diff --git a/cmd/regoval_terraform.go b/cmd/regoval_terraform.go
@@ -99,6 +99,7 @@ func runTerraformCmd(cmd *cobra.Command, args []string) error {
 			log.Errorf("Validation %v failed", err)
 		}
 	}
-	log.Infof(color.GreenString("Terraform resource validation for: %v completed", inputFile))
+	logMessage := color.GreenString("Terraform resource validation for: %v completed", inputFile)
+	log.Info(logMessage)
 	return nil
 }
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/intelops/genval
 
-go 1.22.5
+go 1.23
 
 require (
 	cuelang.org/go v0.10.0

diff --git a/pkg/validate/printresults.go b/pkg/validate/printresults.go
@@ -42,7 +42,8 @@ func PrintResults(result rego.ResultSet, metas []*regoMetadata) error {
 						} else {
 							saveStatus = "failed"
 							status = color.New(color.FgRed).Sprint("failed")
-							log.Infof(color.New(color.FgRed).Sprintf("policy evaluation for '%s' failed", key))
+							logMessage := color.New(color.FgRed).Sprintf("policy evaluation for '%s' failed", key)
+							log.Info(logMessage)
 						}
 					} else {
 						// Handle other types of values (non-slice)
@@ -52,7 +53,8 @@ func PrintResults(result rego.ResultSet, metas []*regoMetadata) error {
 						} else {
 							saveStatus = "failed"
 							status = color.New(color.FgRed).Sprint("failed")
-							log.Infof(color.New(color.FgRed).Sprintf("policy evaluation for '%s' failed", key))
+							statusMessage := (color.New(color.FgRed).Sprintf("policy evaluation for '%s' failed", key))
+							log.Info(statusMessage)
 						}
 					}
 					t.AppendRow([]interface{}{key, status, meta.Description, meta.Severity, meta.Benchmark, meta.Category})