Refactoring formats and security enhancements #46

Merged
merged 4 commits into from
Dec 9, 2024
8 changes: 4 additions & 4 deletions .github/pull_request_template.md
@@ -1,12 +1,12 @@
## Issue: <!-- link the issue or issues this PR resolves here -->
<!-- If your PR depends on changes from another pr link them here and describe why they are needed in your solution section. -->

## Problem
<!-- Describe the root cause of the issue you are resolving. This may include what behavior is observed and why it is not desirable. If this is a new feature describe why we need this feature and how it will be used. -->

## Solution
<!-- Describe what you changed to fix the issue. Relate your changes back to the original issue / feature and explain how this addresses the issue. -->

## Testing
<!-- Note: Confirm if the repro steps in the GitHub issue are valid, if not, please update the issue with accurate repro steps. -->

Expand All @@ -19,6 +19,6 @@

## QA Testing Considerations
<!-- Highlight areas or (additional) cases that QA should test w.r.t a fresh install as well as the upgrade scenarios -->

### Regressions Considerations
<!-- Dedicated section to specifically call out any areas that with higher chance of regressions caused by this change, include estimation of probability of regressions -->
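Review bot: the HTML comment on the last line of this hunk reads "any areas that with higher chance of regressions"; suggest "any areas with a higher chance of regressions". The heading would also read more naturally as "Regression Considerations", matching the style of "QA Testing Considerations" above it.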
2 changes: 1 addition & 1 deletion .github/release.yaml
Expand Up @@ -16,6 +16,6 @@ changelog:
- title: 👒 Dependencies
labels:
- dependencies
- title: 📚 Other Changes
- title: 📚 Other Changes
labels:
- "*"
9 changes: 8 additions & 1 deletion .github/workflows/_test-acceptance.tmpl.yaml
Expand Up @@ -20,13 +20,20 @@ on:
type: string
default: "latest"

permissions:
contents: read

jobs:
test:
name: 'Test plugin on Vault v${{ inputs.vault-version }} + Nexus Repository v${{ inputs.nxr-version }}'
runs-on: ubuntu-latest
permissions:
contents: write
contents: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
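Review bot: egress-policy: audit only records the runner's outbound connections; it blocks nothing, so this step adds observability rather than containment until the policy is switched to block with an allowed-endpoints list built from the audit logs. The same step and policy are added to every workflow in this PR, so one decision on when to move to block applies to all of them. Separately, this job keeps contents: write while the new workflow-level default is contents: read; if the acceptance test only reads the checkout, the job-level write grant can be dropped.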
6 changes: 6 additions & 0 deletions .github/workflows/dependency-review.yaml
Expand Up @@ -8,7 +8,13 @@ jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: 'Checkout Repository'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: 'Dependency Review'
uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
11 changes: 11 additions & 0 deletions .github/workflows/greet.yaml
Expand Up @@ -7,10 +7,21 @@ on:
issues:


permissions:
contents: read

jobs:
greeting:
permissions:
issues: write # for actions/first-interaction to comment on first issue
pull-requests: write # for actions/first-interaction to comment on first PR
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: Greetings for PR and issues
uses: actions/first-interaction@34f15e814fe48ac9312ccf29db4e74fa767cbab7 # v1.3.0
with:
10 changes: 8 additions & 2 deletions .github/workflows/labeler.yaml
@@ -1,15 +1,21 @@
name: Labeler
on: [ pull_request_target ]

permissions:
contents: read

jobs:
label:

runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write

steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
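Review bot: pull_request_target runs with the base repository's token, so narrowing the job to contents: read and pull-requests: write is the right call; keep this job free of any checkout of the PR head so untrusted code never runs alongside that token (the visible steps do not check out anything, which is good). Minor: the empty line directly after label: can be dropped.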
22 changes: 22 additions & 0 deletions .github/workflows/lint.yaml
@@ -1,10 +1,20 @@
name: Lint

on:
push:
branches: "*"
pull_request:


permissions:
contents: read

jobs:
pre_job:
# continue-on-error: true
permissions:
actions: write # for fkirc/skip-duplicate-actions to skip or stop workflow runs
contents: read # for fkirc/skip-duplicate-actions to read and compare commits
runs-on: ubuntu-latest
outputs:
should_skip: ${{ steps.skip_check.outputs.should_skip }}
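Review bot: actions: write on pre_job is broader than anything else in this workflow, but it is what fkirc/skip-duplicate-actions needs to cancel other runs, and the inline comments document that; keep the comments. Unrelated to the change but visible in the context: branches: "*" on push does not match branch names containing a slash (for example feature/x), because the single wildcard does not cross "/"; use "**" if those branches should trigger lint.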
Expand All @@ -17,13 +27,25 @@ jobs:
cancel_others: 'true'
do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]'
paths: '["go.mod", "go.sum", "src/**/*"]'

golangci:
name: GolangCI Lint
needs: pre_job
permissions:
contents: read # for actions/checkout to fetch code
pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
runs-on: ubuntu-latest
if: needs.pre_job.outputs.should_skip != 'true'
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

- name: golangci-lint
uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
with:
31 changes: 24 additions & 7 deletions .github/workflows/release.yaml
Expand Up @@ -48,9 +48,10 @@ jobs:
run: |
set -euo pipefail

checksum_file="$(echo $ARTIFACTS | jq -r '.[] | select (.type=="Checksum") | .path')"
echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
echo "project-name=$(echo $GITHUB_REPOSITORY | cut -d'/' -f2)" >> "$GITHUB_OUTPUT"
hashes="$(echo "${ARTIFACTS}" | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)"

echo "hashes=${hashes}" >> "${GITHUB_OUTPUT}"
echo "project-name=$(echo "${GITHUB_REPOSITORY}" | cut -d'/' -f2)" >> "${GITHUB_OUTPUT}"

attestation:
needs: [ goreleaser ]
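Review bot: select(.digest) silently drops any artifact that has neither extra.Digest nor extra.Checksum, and if nothing survives the filter the empty hashes output is only caught much later, when the verify job runs gh attestation verify on an empty filename. Fail fast here instead, e.g. `[ -n "${hashes}" ] || { echo "no artifact digests found"; exit 1; }` before writing to GITHUB_OUTPUT. Also, the "digest name" line format consumed by the verify step's cut -f2 is now produced by this jq pipeline (join(" ") relies on the digest and name keys keeping that order); a one-line comment stating that contract would help the next editor.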
Expand All @@ -61,6 +62,11 @@ jobs:
contents: write # To download assets from draft release.
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
Expand Down Expand Up @@ -107,6 +113,11 @@ jobs:
permissions:
contents: write # To download assets from draft release.
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
Expand All @@ -128,14 +139,15 @@ jobs:
- name: Verify assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
HASHES: ${{ needs.goreleaser.outputs.hashes }}
PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
VERSION: ${{ github.ref_name }}
run: |
set -euo pipefail
checksums="$(echo ${CHECKSUMS} | base64 -d)"

checksums="$(base64 -d <<< "${HASHES}")"
while read -r line; do
fn="$(echo ${line} | cut -d ' ' -f2)"
fn="$(echo "${line}" | cut -d ' ' -f2)"

echo "Verifying ${fn} with GH CLI"
gh attestation verify "${fn}" --repo "${GITHUB_REPOSITORY}"
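Review bot: each line is already read with read -r and then re-split through echo and cut -d ' ' -f2; letting read do the splitting, `while read -r digest fn; do`, removes the pipeline and also leaves the digest available for a local checksum comparison of the downloaded file alongside the attestation check. Renaming CHECKSUMS to HASHES so it matches the producing job's output name is a good clarity fix.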
Expand All @@ -145,7 +157,7 @@ jobs:
--source-uri "github.com/${GITHUB_REPOSITORY}" \
--source-tag "${VERSION}" \
"${fn}"
done <<<"$checksums"
done <<<"${checksums}"

acceptance-test:
needs: [ goreleaser, attestation, provenance ]
Expand All @@ -167,6 +179,11 @@ jobs:
contents: write # To edit release.
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
10 changes: 10 additions & 0 deletions .github/workflows/scan.yaml
Expand Up @@ -6,6 +6,9 @@ on:
schedule:
- cron: '0 0 * * *' # daily

permissions:
contents: read

jobs:
security:
if: github.repository == 'manhtukhang/vault-plugin-secrets-nexus-repository'
Expand All @@ -14,17 +17,24 @@ jobs:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

- name: Run Snyk to check for code vulnerabilities
uses: snyk/actions/golang@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
continue-on-error: true # To make sure that SARIF upload gets called
with:
args: --sarif-file-output=snyk.sarif

- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
with:
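Review bot: snyk/actions/golang is pinned to a commit SHA but annotated "# master" rather than a release tag; the SHA pin is what matters for integrity, but a tag comment lets update tooling reason about which version the pin corresponds to. Also, with continue-on-error: true on the Snyk step, a run where Snyk exits before writing snyk.sarif (an expired SNYK_TOKEN, for instance) surfaces only as an upload-sarif error about a missing file; guarding the upload with `if: hashFiles('snyk.sarif') != ''` or checking the Snyk step's outcome would give a clearer failure.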
5 changes: 5 additions & 0 deletions .github/workflows/scorecard.yaml
Expand Up @@ -22,6 +22,11 @@ jobs:
id-token: write

steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
13 changes: 12 additions & 1 deletion .github/workflows/test-acceptance.yaml
Expand Up @@ -6,9 +6,15 @@ on:
pull_request:


permissions:
contents: read

jobs:
pre_job:
# continue-on-error: true
permissions:
actions: write # for fkirc/skip-duplicate-actions to skip or stop workflow runs
contents: read # for fkirc/skip-duplicate-actions to read and compare commits
runs-on: ubuntu-latest
outputs:
should_skip: ${{ steps.skip_check.outputs.should_skip }}
Expand All @@ -21,13 +27,18 @@ jobs:
cancel_others: 'true'
do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]'
paths: '["go.mod", "go.sum", "Makefile", "src/**/*", "test/**/*"]'

build:
name: Build plugin executable binary
needs: pre_job
runs-on: ubuntu-latest
if: needs.pre_job.outputs.should_skip != 'true'
steps:

- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
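Review bot: the empty line between steps: and the first step item (also present in test.yaml in this PR) is inconsistent with the other workflows edited here, where the Harden Runner step directly follows steps:. Worth normalizing in the same pass so actionlint and the new trailing-whitespace hooks see a uniform layout.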
9 changes: 8 additions & 1 deletion .github/workflows/test.yaml
Expand Up @@ -20,13 +20,20 @@ jobs:
cancel_others: 'true'
do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]'
paths: '["go.mod", "go.sum", "Makefile", "src/**/*"]'

test:
name: Test
needs: pre_job
runs-on: ubuntu-latest
steps:

- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

- name: Setup Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
23 changes: 23 additions & 0 deletions .pre-commit-config.yaml
@@ -0,0 +1,23 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.21.2
hooks:
- id: gitleaks
- repo: https://github.com/golangci/golangci-lint
rev: v1.62.2
hooks:
- id: golangci-lint
- repo: https://github.com/jumanjihouse/pre-commit-hooks
rev: 3.0.0
hooks:
- id: shellcheck
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0
hooks:
- id: check-yaml
- id: end-of-file-fixer
- id: trailing-whitespace
- repo: https://github.com/rhysd/actionlint
rev: v1.7.4
hooks:
- id: actionlint
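Review bot: these hooks only run on machines where a contributor has installed pre-commit; nothing in the CI changes in this PR invokes them (lint.yaml runs golangci-lint only), so gitleaks, shellcheck and actionlint are skipped for anyone who pushes without the hooks installed. Consider a CI step that runs `pre-commit run --all-files`, or at least a note in the contributing docs. Also, the jumanjihouse shellcheck hook calls the shellcheck binary already present on the system rather than installing it, which is worth stating in that same note.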