Update CI

.github/dependabot.yml → .github/dependabot.yaml

@@ -3,12 +3,12 @@ updates:
 - package-ecosystem: github-actions
   directory: /
   schedule:
-    interval: daily
-- package-ecosystem: gomod
+    interval: weekly
+- package-ecosystem: docker
   directory: /
   schedule:
     interval: daily
-- package-ecosystem: docker
+- package-ecosystem: gomod
   directory: /
   schedule:
     interval: daily

.github/dependency-review-config.yaml

@@ -0,0 +1,17 @@
+# https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
+allow-licenses:
+- 'Apache-2.0'
+- 'BSD-2-Clause'
+- 'BSD-2-Clause-FreeBSD'
+- 'BSD-3-Clause'
+- 'ISC'
+- 'MIT'
+- 'PostgreSQL'
+- 'Python-2.0'
+- 'X11'
+- 'Zlib'
+
+# this action is GPL-3 but it is only used in CI
+# https://github.com/actions/dependency-review-action/issues/530#issuecomment-1638291806
+allow-dependencies-licenses: >
+  pkg:githubactions/vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787

.github/workflows/build.yaml

@@ -1,68 +1,54 @@
-name: Build
-on: pull_request
+name: build
+on:
+  pull_request:
+    branches:
+    - main
+permissions: {}
 jobs:
-  build:
+  build-snapshot:
+    permissions:
+      contents: read
+      packages: write
     runs-on: ubuntu-latest
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-    - name: Install Go
-      uses: actions/setup-go@v5
-      with:
-        go-version: stable
-    - name: Set up environment
-      run: echo "GOVERSION=$(go version)" >> $GITHUB_ENV
-    - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v5
-      with:
-        version: latest
-        args: build --snapshot --rm-dist
-    - name: Tar up binaries
-      # work around limitations in the upload/download artifact actions
-      # https://github.com/actions/download-artifact#limitations
-      run: tar -cvf dist.tar dist
-    - name: Upload binaries tar file
-      uses: actions/upload-artifact@v4
-      with:
-        name: dist.tar
-        path: dist.tar
-  buildimage:
-    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     strategy:
       matrix:
         binary:
-        - ssh-portal-api
         - ssh-portal
+        - ssh-portal-api
         - ssh-token
-    needs: build
-    runs-on: ubuntu-latest
     steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-    - name: Download binaries tar file
-      uses: actions/download-artifact@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
       with:
-        name: dist.tar
-    - name: Untar binaries
-      run: tar -xvf dist.tar
+        go-version: stable
+    - run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV"
+    - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+      with:
+        version: latest
+        args: build --clean --debug --single-target --snapshot
     - name: Login to GHCR
-      uses: docker/login-action@v3
+      if: github.actor != 'dependabot[bot]'
+      uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
-    - name: Docker metadata
-      # this id is namespaced per matrix run
+    - name: Get Docker metadata
+      if: github.actor != 'dependabot[bot]'
       id: docker_metadata
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@9dc751fe249ad99385a2583ee0d084c400eee04e # v5.4.0
       with:
-        images: ghcr.io/uselagoon/lagoon-ssh-portal/${{ matrix.binary }}
+        images: ghcr.io/${{ github.repository }}/${{ matrix.binary }}
+    - run: echo "GITHUB_REPOSITORY_NAME=$(basename ${{ github.repository }})" >> "$GITHUB_ENV"
     - name: Build and push ${{ matrix.binary }} container image
-      id: docker_build
-      uses: docker/build-push-action@v5
+      if: github.actor != 'dependabot[bot]'
+      uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
       with:
         push: true
         tags: ${{ steps.docker_metadata.outputs.tags }}
         labels: ${{ steps.docker_metadata.outputs.labels }}
-        file: deploy/${{ matrix.binary }}/Dockerfile
+        file: Dockerfile
+        build-args: BINARY=${{ matrix.binary }}
         context: dist/${{ matrix.binary }}_linux_amd64_v1

.github/workflows/codeql-analysis.yaml

@@ -0,0 +1,32 @@
+name: codeQL
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+permissions: {}
+jobs:
+  analyze:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+        - go
+    steps:
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      with:
+        go-version: stable
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11
+      with:
+        languages: ${{ matrix.language }}
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11

.github/workflows/coverage.yaml

@@ -1,32 +1,29 @@
-name: Coverage
+name: coverage
 on:
   push:
     branches:
     - main
-
+permissions: {}
 jobs:
   coverage:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-    - name: Configure git
-      run: |
-        git config --global user.name "$GITHUB_ACTOR"
-        git config --global user.email "[email protected]"
-    - name: Set up go
-      uses: actions/setup-go@v5
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
       with:
         go-version: stable
-    - name: Install Dependencies
-      run: sudo apt-get update && sudo apt-get -u install libpcsclite-dev
     - name: Calculate coverage
       run: |
-        go test -v -covermode=count -coverprofile=coverage.out.raw -coverpkg=./... ./...
-        grep -v mock_ coverage.out.raw > coverage.out
-    - name: Convert coverage to lcov
-      uses: jandelgado/gcov2lcov-action@v1
-    - name: Coveralls
-      uses: coverallsapp/github-action@v2
+        go test -v -covermode=atomic -coverprofile=cover.out.raw -coverpkg=./... ./...
+        # remove mocks from coverage calculation
+        grep -v mock_ cover.out.raw > cover.out
+    - name: Generage coverage badge
+      uses: vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787 # v2.8.2
       with:
-        github-token: ${{ secrets.github_token }}
+        profile: cover.out
+        local-prefix: github.com/uselagoon/lagoon-ssh-portal
+        git-token: ${{ secrets.GITHUB_TOKEN }}
+        # orphan branch for storing badges
+        git-branch: badges

.github/workflows/dependabot-automerge.yaml

@@ -1,17 +1,26 @@
 # https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request
-name: Dependabot auto-merge
-on: pull_request
-
-permissions:
-  contents: write
-  pull-requests: write
-
+name: dependabot auto-merge
+on:
+  pull_request:
+    branches:
+    - main
+permissions: {}
 jobs:
-  dependabot:
+  dependabot-automerge:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: github.actor == 'dependabot[bot]'
     steps:
-    - name: Enable auto-merge for Dependabot PRs
+    - name: Fetch dependabot metadata
+      id: metadata
+      uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0
+      with:
+        github-token: "${{ secrets.GITHUB_TOKEN }}"
+    - name: Auto-merge Dependabot PRs
+      # don't auto-merge action updates to appease OpenSSF scorecard
+      if: ${{ ! contains(steps.metadata.outputs.package-ecosystem, 'github-actions') }}
       run: gh pr merge --auto --merge "$PR_URL"
       env:
         PR_URL: ${{github.event.pull_request.html_url}}

.github/workflows/dependency-review.yaml

@@ -1,15 +1,16 @@
-name: 'Dependency Review'
+name: dependency review
 on:
-- pull_request
-permissions:
-  contents: read
+  pull_request:
+    branches:
+    - main
+permissions: {}
 jobs:
   dependency-review:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
-    - name: 'Checkout Repository'
-      uses: actions/checkout@v4
-    - name: Dependency Review
-      uses: actions/dependency-review-action@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/dependency-review-action@01bc87099ba56df1e897b6874784491ea6309bc4 # v3.1.4
       with:
-        config-file: '.github/dependency-review-config.yml'
+        config-file: .github/dependency-review-config.yaml

.github/workflows/lint.yaml

@@ -1,26 +1,37 @@
-name: Lint
-on: pull_request
+name: lint
+on:
+  pull_request:
+    branches:
+    - main
+permissions: {}
 jobs:
-  golangci-lint:
-    name: lint
+  lint-go:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-    - name: Install Go
-      uses: actions/setup-go@v5
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
       with:
         go-version: stable
-    - name: golangci-lint
-      uses: golangci/golangci-lint-action@v3
+    - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
       with:
         args: --timeout=180s
-  commitlint:
+  lint-commits:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout
-      uses: actions/checkout@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         fetch-depth: 0
-    - name: Lint commit messages
-      uses: wagoid/commitlint-github-action@v5
+    - uses: wagoid/commitlint-github-action@0d749a1a91d4770e983a7b8f83d4a3f0e7e0874e # v5.4.4
+  lint-actions:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: docker://rhysd/actionlint:latest@sha256:2eb91a78b5a19140be099c7b4262d298c2567f2a9f27e10ed2a4323c5bcface8
+      with:
+        args: -color

.github/workflows/ossf-analysis.yaml

@@ -0,0 +1,31 @@
+name: OSSF scorecard
+on:
+  push:
+    branches:
+    - main
+permissions: {}
+jobs:
+  ossf-scorecard-analysis:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      # Needed if using Code scanning alerts
+      security-events: write
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
+    steps:
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - name: Run analysis
+      uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+      with:
+        results_file: results.sarif
+        results_format: sarif
+        # Publish the results for public repositories to enable scorecard badges. For more details, see
+        # https://github.com/ossf/scorecard-action#publishing-results.
+        # For private repositories, `publish_results` will automatically be set to `false`, regardless
+        # of the value entered here.
+        publish_results: true
+    - name: Upload SARIF results to code scanning
+      uses: github/codeql-action/upload-sarif@b374143c1149a9115d881581d29b8390bbcbb59c # v3.22.11
+      with:
+        sarif_file: results.sarif