Merge pull request #76 from smlx/update-ci

update ci
smlx · Jun 28, 2024 · 265bce3 · 265bce3
2 parents 66c8eee + 0fe42d1
commit 265bce3
Show file tree

Hide file tree

Showing 14 changed files with 144 additions and 132 deletions.
diff --git a/.github/commitlint.config.js b/.github/commitlint.config.js
diff --git a/.github/commitlint.config.mjs b/.github/commitlint.config.mjs
@@ -0,0 +1,29 @@
+/* Taken from: https://github.com/wagoid/commitlint-github-action/blob/7f0a61df502599e1f1f50880aaa7ec1e2c0592f2/commitlint.config.mjs */
+/* eslint-disable import/no-extraneous-dependencies */
+import { maxLineLength } from '@commitlint/ensure'
+
+const bodyMaxLineLength = 100
+
+const validateBodyMaxLengthIgnoringDeps = (parsedCommit) => {
+  const { type, scope, body } = parsedCommit
+  const isDepsCommit =
+    type === 'chore' && (scope === 'deps' || scope === 'deps-dev')
+
+  return [
+    isDepsCommit || !body || maxLineLength(body, bodyMaxLineLength),
+    `body's lines must not be longer than ${bodyMaxLineLength}`,
+  ]
+}
+
+export default {
+  extends: ['@commitlint/config-conventional'],
+  plugins: ['commitlint-plugin-function-rules'],
+  rules: {
+    'body-max-line-length': [0],
+    'function-rules/body-max-line-length': [
+      2,
+      'always',
+      validateBodyMaxLengthIgnoringDeps,
+    ],
+  },
+}
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -1,26 +1,44 @@
 version: 2
 updates:
 - package-ecosystem: github-actions
+  commit-message:
+    prefix: chore
+    include: scope
   directory: /
   schedule:
-    interval: weekly
+    interval: monthly
   groups:
     github-actions:
       patterns:
       - "*"
+      update-types:
+      - "minor"
+      - "patch"
 - package-ecosystem: docker
+  commit-message:
+    prefix: chore
+    include: scope
   directory: /
   schedule:
-    interval: daily
+    interval: monthly
   groups:
     docker:
       patterns:
       - "*"
+      update-types:
+      - "minor"
+      - "patch"
 - package-ecosystem: gomod
+  commit-message:
+    prefix: chore
+    include: scope
   directory: /
   schedule:
-    interval: daily
+    interval: monthly
   groups:
     gomod:
       patterns:
       - "*"
+      update-types:
+      - "minor"
+      - "patch"
diff --git a/.github/dependency-review-config.yaml b/.github/dependency-review-config.yaml
@@ -11,7 +11,10 @@ allow-licenses:
 - 'X11'
 - 'Zlib'
 
+allow-dependencies-licenses:
 # this action is GPL-3 but it is only used in CI
 # https://github.com/actions/dependency-review-action/issues/530#issuecomment-1638291806
-allow-dependencies-licenses: >
-  pkg:githubactions/vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787
+- pkg:githubactions/vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787
+# this package is MPL-2.0 and has a CNCF exception
+# https://github.com/cncf/foundation/blob/9b8c9173c2101c1b4aedad3caf2c0128715133f6/license-exceptions/cncf-exceptions-2022-04-12.json#L43C17-L43C47
+- pkg:golang/github.com/go-sql-driver/mysql
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -15,20 +15,20 @@ jobs:
         binary:
         - sems_mitm_exporter
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         ref: ${{ github.event.pull_request.head.sha }}
-    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: stable
-    - run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV"
-    - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+    - uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
+      id: goreleaser
       with:
         version: latest
-        args: build --clean --debug --single-target --snapshot
+        args: build --clean --verbose --single-target --snapshot
     - name: Login to GHCR
       if: github.actor != 'dependabot[bot]'
-      uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+      uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
@@ -42,11 +42,29 @@ jobs:
     - run: echo "GITHUB_REPOSITORY_NAME=$(basename ${{ github.repository }})" >> "$GITHUB_ENV"
     - name: Build and push ${{ matrix.binary }} container image
       if: github.actor != 'dependabot[bot]'
-      uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+      uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
       with:
         push: true
         tags: ${{ steps.docker_metadata.outputs.tags }}
         labels: ${{ steps.docker_metadata.outputs.labels }}
         file: Dockerfile
         build-args: BINARY=${{ matrix.binary }}
         context: dist/${{ matrix.binary }}_linux_amd64_v1
+  check-tag:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      with:
+        fetch-depth: 0
+    - id: ccv
+      uses: smlx/ccv@d3de774e9b607b079940a7a86952f44643743336 # v0.9.0
+      with:
+        write-tag: false
+    - run: |
+        echo "new-tag=$NEW_TAG"
+        echo "new-tag-version=$NEW_TAG_VERSION"
+      env:
+        NEW_TAG: ${{steps.ccv.outputs.new-tag}}
+        NEW_TAG_VERSION: ${{steps.ccv.outputs.new-tag-version}}
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
@@ -10,20 +10,20 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: stable
     - name: Calculate coverage
       run: |
         go test -v -covermode=atomic -coverprofile=cover.out.raw -coverpkg=./... ./...
-        # remove mocks from coverage calculation
-        grep -Ev 'mock_|_enumer.go' cover.out.raw > cover.out
+        # remove generated code from coverage calculation
+        grep -Ev 'internal/mock|_enumer.go' cover.out.raw > cover.out
     - name: Generage coverage badge
-      uses: vladopajic/go-test-coverage@97ecc524075d8ece0e1a406edec1c191e2dd3277 # v2.8.3
+      uses: vladopajic/go-test-coverage@1079cd4e58dda229c04ffdb6324fc3756b8542ff # v2.10.1
       with:
         profile: cover.out
-        local-prefix: github.com/smlx/goodwe-exporters
+        local-prefix: github.com/${{ github.repository }}
         git-token: ${{ secrets.GITHUB_TOKEN }}
         # orphan branch for storing badges
         git-branch: badges
diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml
@@ -15,7 +15,7 @@ jobs:
     steps:
     - name: Fetch dependabot metadata
       id: metadata
-      uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0
+      uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2.1.0
       with:
         github-token: "${{ secrets.GITHUB_TOKEN }}"
     - name: Enable auto-merge for Dependabot PRs # these still need approval before merge

diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -10,7 +10,7 @@ jobs:
       contents: read
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+    - uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
       with:
         config-file: .github/dependency-review-config.yaml
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -10,11 +10,11 @@ jobs:
       contents: read
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: stable
-    - uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
+    - uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
       with:
         args: --timeout=180s --enable gocritic
   lint-commits:
@@ -23,18 +23,18 @@ jobs:
       pull-requests: read
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         fetch-depth: 0
-    - uses: wagoid/commitlint-github-action@5ce82f5d814d4010519d15f0552aec4f17a1e1fe # v5.4.5
+    - uses: wagoid/commitlint-github-action@7f0a61df502599e1f1f50880aaa7ec1e2c0592f2 # v6.0.1
       with:
-        configFile: .github/commitlint.config.js
+        configFile: .github/commitlint.config.mjs
   lint-actions:
     permissions:
       contents: read
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: docker://rhysd/actionlint:latest@sha256:2eb91a78b5a19140be099c7b4262d298c2567f2a9f27e10ed2a4323c5bcface8
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+    - uses: docker://rhysd/actionlint:1.7.0@sha256:601d6faeefa07683a4a79f756f430a1850b34d575d734b1d1324692202bf312e # v1.7.0
       with:
         args: -color
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -11,63 +11,70 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     outputs:
-      new-tag: ${{ steps.bump-tag.outputs.new }}
-      new-tag-version: ${{ steps.bump-tag.outputs.new_tag_version }}
+      new-tag: ${{ steps.ccv.outputs.new-tag }}
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         fetch-depth: 0
-    - name: Configure git
-      run: |
-        git config --global user.name "$GITHUB_ACTOR"
-        git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
-    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
-      with:
-        go-version: stable
-    - name: Install ccv
-      run: >
-        curl -sSL https://github.com/smlx/ccv/releases/download/v0.3.2/ccv_0.3.2_linux_amd64.tar.gz
-        | sudo tar -xz -C /usr/local/bin ccv
     - name: Bump tag if necessary
-      id: bump-tag
-      run: |
-        if [ -z "$(git tag -l "$(ccv)")" ]; then
-          git tag "$(ccv)"
-          git push --tags
-          echo "new=true" >> "$GITHUB_OUTPUT"
-          echo "new_tag_version=$(git tag --points-at HEAD)" >> "$GITHUB_OUTPUT"
-        fi
+      id: ccv
+      uses: smlx/ccv@d3de774e9b607b079940a7a86952f44643743336 # v0.9.0
   release-build:
     permissions:
       # create release
       contents: write
-      # push docker images to regsitry
+      # push docker images to registry
       packages: write
       # use OIDC token for signing
       id-token: write
+      # required by attest-build-provenance
+      attestations: write
     needs: release-tag
     if: needs.release-tag.outputs.new-tag == 'true'
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         fetch-depth: 0
-    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: stable
     - name: Login to GHCR
-      uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+      uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
-    - name: Set up environment
-      run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV"
-    - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
-    - uses: anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8
-    - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+    - uses: advanced-security/sbom-generator-action@375dee8e6144d9fd0ec1f5667b4f6fb4faacefed # v0.0.1
+      id: sbom
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Move sbom to avoid dirty git
+      run: mv "$GITHUB_SBOM_PATH" ./sbom.spdx.json
+      env:
+        GITHUB_SBOM_PATH: ${{ steps.sbom.outputs.fileName }}
+    - uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
+      id: goreleaser
       with:
         version: latest
         args: release --clean
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITHUB_SBOM_PATH: ./sbom.spdx.json
+    # attest archives
+    - uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
+      with:
+        subject-path: "dist/*.tar.gz"
+    # parse artifacts to the format required for image attestation
+    - run: |
+        echo "digest=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test("sems_mitm_exporter:v"))|.extra.Digest')" >> "$GITHUB_OUTPUT"
+        echo "name=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test("sems_mitm_exporter:v"))|.name|split(":")[0]')" >> "$GITHUB_OUTPUT"
+      id: image_metadata_sems_mitm_exporter
+      env:
+        ARTIFACTS: ${{steps.goreleaser.outputs.artifacts}}
+    # attest images
+    - uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
+      with:
+        subject-digest: ${{steps.image_metadata_sems_mitm_exporter.outputs.digest}}
+        subject-name: ${{steps.image_metadata_sems_mitm_exporter.outputs.name}}
+        push-to-registry: true
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -10,10 +10,10 @@ jobs:
       contents: read
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         ref: ${{ github.event.pull_request.head.sha }}
-    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: stable
     - run: go test -v ./...