Merge branch 'main' into #24-switch-to-mautrix

.envrc

@@ -0,0 +1 @@
+layout_poetry

.github/workflows/documentation.yml

@@ -31,6 +31,9 @@ jobs:
         with:
           go-version: 1.16
 
+      - name: Install Poetry
+        run: curl -sSL https://install.python-poetry.org | python3 -
+
       - name: Install dependencies
         run: make setup
 

.github/workflows/main.yml

@@ -1,4 +1,5 @@
 name: Main
+
 on:
   push:
     branches:
@@ -7,18 +8,27 @@ on:
       - '**'
       - '!v[0-9]+.[0-9]+.[0-9]+'
   pull_request:
+
 jobs:
   test_build:
     name: Test and build
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
+
       - name: Export GOBIN
         uses: actions/setup-go@v2
         with:
           go-version: 1.16
+
+      - name: Install Poetry
+        run: curl -sSL https://install.python-poetry.org | python3 -
+
       - name: Install dependencies
         run: make setup
+
       - name: Run tests
-        run: make test
+        run: |
+          source $(poetry env info --path)/bin/activate
+          make test

.github/workflows/publish.yml

@@ -25,11 +25,16 @@ jobs:
         with:
           go-version: 1.16
 
+      - name: Install Poetry
+        run: curl -sSL https://install.python-poetry.org | python3 -
+
       - name: Install dependencies
         run: make setup
 
       - name: Run tests
-        run: make test
+        run: |
+          source $(poetry env info --path)/bin/activate
+          make test
 
       - name: Log in to the Container registry
         uses: docker/login-action@v1
@@ -53,3 +58,12 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -1,6 +1,7 @@
 out/
 *.db
 config.yml
+docs/
 
 ### Go
 # Binaries for programs and plugins
@@ -19,8 +20,154 @@ config.yml
 # Dependency directories (remove the comment below to include it)
 # vendor/
 
+### Python
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+### VisualStudioCode
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
 *.code-workspace
 
-# Build documentation
+# Local History for Visual Studio Code
+.history/
 
-docs/

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "tests/semgrep-rules"]
+	path = tests/semgrep-rules
+	url = https://github.com/returntocorp/semgrep-rules

.goreleaser.yml

@@ -0,0 +1,19 @@
+builds:
+  - id: pushbits
+    main: ./cmd/pushbits
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - 386
+      - arm
+      - arm64
+
+checksum:
+  algorithm: sha256
+
+archives:
+  - id: pushbits
+    builds:
+      - pushbits
+    format: tar.gz

Makefile

@@ -1,23 +1,45 @@
+# References:
+# [1] Needed so the Go files of semgrep-rules do not interfere with static analysis
+
+DOCS_DIR := ./docs
+OUT_DIR := ./out
+TESTS_DIR := ./tests
+
+SEMGREP_MODFILE := $(TESTS_DIR)/semgrep-rules/go.mod
+
 .PHONY: build
 build:
-	mkdir -p ./out
-	go build -ldflags="-w -s" -o ./out/pushbits ./cmd/pushbits
+	mkdir -p $(OUT_DIR)
+	go build -ldflags="-w -s" -o $(OUT_DIR)/pushbits ./cmd/pushbits
+
+.PHONY: clean
+clean:
+	rm -rf $(DOCS_DIR)
+	rm -rf $(OUT_DIR)
+	rm -rf $(SEMGREP_MODFILE)
 
 .PHONY: test
 test:
-	stdout=$$(gofmt -l . 2>&1); if [ "$$stdout" ]; then exit 1; fi
+	touch $(SEMGREP_MODFILE) # See [1].
+	go fmt ./...
 	go vet ./...
-	gocyclo -over 10 $(shell find . -iname '*.go' -type f)
+	gocyclo -over 10 $(shell find . -type f \( -iname '*.go' ! -path "./tests/semgrep-rules/*" \))
 	staticcheck ./...
 	go test -v -cover ./...
+	gosec -exclude-dir=tests ./...
+	semgrep --lang=go --config=tests/semgrep-rules/go --metrics=off
+	rm -rf $(SEMGREP_MODFILE) # See [1].
 	@printf '\n%s\n' "> Test successful"
 
 .PHONY: setup
 setup:
+	git submodule update --init --recursive
 	go install github.com/fzipp/gocyclo/cmd/gocyclo@latest
+	go install github.com/securego/gosec/v2/cmd/gosec@latest
 	go install github.com/swaggo/swag/cmd/swag@latest
 	go install honnef.co/go/tools/cmd/staticcheck@latest
+	poetry install
 
 .PHONY: swag
 swag:
-	swag init --parseDependency=true -d . -g cmd/pushbits/main.go
+	swag init --parseDependency=true --exclude $(TESTS_DIR) -g cmd/pushbits/main.go

README.md

@@ -9,9 +9,7 @@
 
 <div align="center">
 	<h1>PushBits</h1>
-	<h4 align="center">
-		Receive your important notifications immediately, over <a href="https://matrix.org/">Matrix</a>.
-	</h4>
+	<p align="center"><b>Receive your important notifications immediately, over <a href="https://matrix.org/">Matrix</a>.</b></p>
 	<p>PushBits enables you to send push notifications via a simple web API, and delivers them to your users.</p>
 </div>
 
@@ -31,21 +29,7 @@ It enables you to send notifications via a simple web API, and delivers them to
 This is similar to what [Pushover](https://pushover.net/) and [Gotify](https://gotify.net/) offer, but it does not require an additional app.
 
 The vision is to have compatibility with Gotify on the sending side, while on the receiving side an established service is used.
-This has the advantages that
-- sending plugins written for Gotify (like those for [Watchtower](https://containrrr.dev/watchtower/) and [Jellyfin](https://jellyfin.org/)) as well as
-- receiving clients written for Matrix
-can be reused.
-
-### Why Matrix instead of X?
-
-This project totally would've used Signal if it would offer a proper API.
-Sadly, neither [Signal](https://signal.org/) nor [WhatsApp](https://www.whatsapp.com/) come with an API (at the time of writing) through which PushBits could interact.
-
-In [Telegram](https://telegram.org/) there is an API to run bots, but these are limited in that they cannot create chats by themselves.
-If you insist on going with Telegram, have a look at [webhook2telegram](https://github.com/muety/webhook2telegram).
-
-The idea of a federated, synchronized but yet end-to-end encrypted protocol is awesome, but its clients simply aren't really there yet.
-Still, if you haven't tried it yet, we'd encourage you to check it out.
+This has the advantages that we need to maintain neither plugins (like those for [Watchtower](https://containrrr.dev/watchtower/) and [Jellyfin](https://jellyfin.org/)) nor clients.
 
 ## 🤘&nbsp;Features
 
@@ -57,18 +41,38 @@ Still, if you haven't tried it yet, we'd encourage you to check it out.
 - [ ] Two-factor authentication, [issue](https://github.com/pushbits/server/issues/19)
 - [ ] Bi-directional key verification, [issue](https://github.com/pushbits/server/issues/20)
 
-## 👮&nbsp;Acknowledgments
+## 👮&nbsp;License and Acknowledgments
 
-The idea for this software and most parts of the initial source are heavily inspired by [Gotify](https://gotify.net/).
-Many thanks to [jmattheis](https://jmattheis.de/) for his well-structured code.
+Please refer to [the LICENSE file](LICENSE) to learn more about the license of this code.
+It applies only where not specified differently.
 
-## 💻&nbsp;Development
+The idea for this software was inspired by [Gotify](https://gotify.net/).
 
-The source code is located on [GitHub](https://github.com/pushbits/server).
-You can retrieve it by checking out the repository as follows.
+## 💻&nbsp;Development and Contributions
 
+The source code is located [on GitHub](https://github.com/pushbits/server).
+You can retrieve it by checking out the repository as follows:
 ```bash
 git clone https://github.com/pushbits/server.git
 ```
 
-[![Stargazers over time](https://starchart.cc/pushbits/server.svg)](https://starchart.cc/pushbits/server)
+:wrench: **Want to contribute?**
+Before moving forward, please refer to [our contribution guidelines](CONTRIBUTING.md).
+
+:mailbox: **Found a security vulnerability?**
+Check [this document](SECURITY.md) for information on how you can bring it to our attention.
+
+:star: **Like fancy graphs?** See [our stargazers over time](https://starchart.cc/pushbits/server).
+
+## ❓&nbsp;Frequently Asked Questions (FAQ)
+
+### Why Matrix instead of X?
+
+This project totally would've used Signal if it would offer a proper API.
+Sadly, neither [Signal](https://signal.org/) nor [WhatsApp](https://www.whatsapp.com/) come with an API (at the time of writing) through which PushBits could interact.
+
+In [Telegram](https://telegram.org/) there is an API to run bots, but these are limited in that they cannot create chats by themselves.
+If you insist on going with Telegram, have a look at [webhook2telegram](https://github.com/muety/webhook2telegram).
+
+The idea of a federated, synchronized but yet end-to-end encrypted protocol is awesome, but its clients simply aren't really there yet.
+Still, if you haven't tried it yet, we'd encourage you to check it out.