Merge branch 'master' into feature/export-events

.envrc

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: 2019–2020 Target, Copyright 2021 The Nix Community
+# SPDX-License-Identifier: Apache-2.0
+if type -P lorri &>/dev/null; then
+  eval "$(lorri direnv)"
+elif type -P nix &>/dev/null; then
+  use nix
+else
+  echo "Found no nix binary. Skipping activating nix-shell..."
+fi

.github/workflows/checks.yaml

@@ -3,6 +3,9 @@
 # Edit Makefile.maker.yaml instead.                                            #
 ################################################################################
 
+# Copyright 2024 SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
 name: Checks
 "on":
   push:
@@ -11,6 +14,7 @@ name: Checks
   pull_request:
     branches:
       - '*'
+  workflow_dispatch: {}
 permissions:
   checks: write
   contents: read
@@ -25,15 +29,17 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.23.0
+          go-version: 1.23.5
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:
           version: latest
       - name: Dependency Licenses Review
         run: make check-dependency-licenses
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
       - name: Run govulncheck
-        uses: golang/govulncheck-action@v1
+        run: govulncheck -format text ./...
       - name: Check for spelling errors
         uses: reviewdog/action-misspell@v1
         with:

.github/workflows/ci.yaml

@@ -3,6 +3,9 @@
 # Edit Makefile.maker.yaml instead.                                            #
 ################################################################################
 
+# Copyright 2024 SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
 name: CI
 "on":
   push:
@@ -15,6 +18,7 @@ name: CI
       - '*'
     paths-ignore:
       - '**.md'
+  workflow_dispatch: {}
 permissions:
   contents: read
 jobs:
@@ -28,7 +32,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.23.0
+          go-version: 1.23.5
       - name: Build all binaries
         run: make build-all
   test:
@@ -43,7 +47,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.23.0
+          go-version: 1.23.5
       - name: Run tests and generate coverage report
         run: make build/cover.out
       - name: Upload coverage report to Coveralls

.github/workflows/codeql.yaml

@@ -3,6 +3,9 @@
 # Edit Makefile.maker.yaml instead.                                            #
 ################################################################################
 
+# Copyright 2024 SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
 name: CodeQL
 "on":
   push:
@@ -13,6 +16,7 @@ name: CodeQL
       - master
   schedule:
     - cron: '00 07 * * 1'
+  workflow_dispatch: {}
 permissions:
   actions: read
   contents: read
@@ -28,7 +32,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.23.0
+          go-version: 1.23.5
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:

.golangci.yaml

@@ -3,6 +3,9 @@
 # Edit Makefile.maker.yaml instead.                                            #
 ################################################################################
 
+# Copyright 2024 SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
 run:
   timeout: 3m # 1m by default
   modules-download-mode: readonly
@@ -32,8 +35,10 @@ linters-settings:
   errcheck:
     # Report about assignment of errors to blank identifier.
     check-blank: true
-    # Report about not checking of errors in type assertions.
-    check-type-assertions: true
+    # Do not report about not checking of errors in type assertions.
+    # This is not as dangerous as skipping error values because an unchecked type assertion just immediately panics.
+    # We disable this because it makes a ton of useless noise esp. in test code.
+    check-type-assertions: false
   forbidigo:
     analyze-types: true # required for pkg:
     forbid:
@@ -45,7 +50,7 @@ linters-settings:
       - ^http\.Handle(?:Func)?$
       # Forbid usage of old and archived square/go-jose
       - pkg: ^gopkg\.in/square/go-jose\.v2$
-        msg: "gopk.in/square/go-jose is arcived and has CVEs. Replace it with gopkg.in/go-jose/go-jose.v2"
+        msg: "gopk.in/square/go-jose is archived and has CVEs. Replace it with gopkg.in/go-jose/go-jose.v2"
       - pkg: ^github.com/coreos/go-oidc$
         msg: "github.com/coreos/go-oidc depends on gopkg.in/square/go-jose which has CVEs. Replace it with github.com/coreos/go-oidc/v3"
 
@@ -82,6 +87,12 @@ linters-settings:
   goimports:
     # Put local imports after 3rd-party packages.
     local-prefixes: github.com/sapcc/hermes
+  gomoddirectives:
+    go-version-pattern: '1\.\d+(\.0)?$'
+    replace-allow-list:
+      # for go-pmtud
+      - github.com/mdlayher/arp
+    toolchain-forbidden: true
   gosec:
     excludes:
       # gosec wants us to set a short ReadHeaderTimeout to avoid Slowloris attacks, but doing so would expose us to Keep-Alive race conditions (see https://iximiuz.com/en/posts/reverse-proxy-http-keep-alive-and-502s/)
@@ -109,6 +120,9 @@ linters-settings:
     time-month: true
     time-weekday: true
     tls-signature-scheme: true
+  usetesting:
+    os-setenv: true
+    os-temp-dir: true
   whitespace:
     # Enforce newlines (or comments) after multi-line function signatures.
     multi-func: true
@@ -127,13 +141,15 @@ linters:
     - errcheck
     - errname
     - errorlint
+    - exptostd
     - forbidigo
     - ginkgolinter
     - gocheckcompilerdirectives
     - goconst
     - gocritic
     - gofmt
     - goimports
+    - gomoddirectives
     - gosec
     - gosimple
     - govet
@@ -156,4 +172,5 @@ linters:
     - unparam
     - unused
     - usestdlibvars
+    - usetesting
     - whitespace

.license-scan-overrides.jsonl

@@ -1,6 +1,7 @@
 {"name": "github.com/chzyer/logex", "licenceType": "MIT"}
 {"name": "github.com/hashicorp/vault/api/auth/approle", "licenceType": "MPL-2.0"}
 {"name": "github.com/jpillora/longestcommon", "licenceType": "MIT"}
+{"name": "github.com/miekg/dns", "licenceType": "BSD-3-Clause"}
 {"name": "github.com/spdx/tools-golang", "licenceTextOverrideFile": "vendor/github.com/spdx/tools-golang/LICENSE.code"}
 {"name": "github.com/xeipuuv/gojsonpointer", "licenceType": "Apache-2.0"}
 {"name": "github.com/xeipuuv/gojsonreference", "licenceType": "Apache-2.0"}

.license-scan-rules.json

@@ -2,10 +2,12 @@
   "allowlist": [
     "Apache-2.0",
     "BSD-2-Clause",
+    "BSD-2-Clause-FreeBSD",
     "BSD-3-Clause",
     "ISC",
     "MIT",
     "MPL-2.0",
-    "Unlicense"
+    "Unlicense",
+    "Zlib"
   ]
 }

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23.0-alpine3.20 AS builder
+FROM golang:1.23.5-alpine3.21 AS builder
 
 RUN apk add --no-cache --no-progress ca-certificates gcc git make musl-dev
 
@@ -8,15 +8,15 @@ RUN make -C /src install PREFIX=/pkg GOTOOLCHAIN=local
 
 ################################################################################
 
-FROM alpine:3.20
+FROM alpine:3.21
 
 RUN addgroup -g 4200 appgroup \
   && adduser -h /home/appuser -s /sbin/nologin -G appgroup -D -u 4200 appuser
 
 # upgrade all installed packages to fix potential CVEs in advance
 # also remove apk package manager to hopefully remove dependency on OpenSSL 🤞
 RUN apk upgrade --no-cache --no-progress \
-  && apk del --no-cache --no-progress apk-tools alpine-keys
+  && apk del --no-cache --no-progress apk-tools alpine-keys alpine-release libc-utils
 
 COPY --from=builder /etc/ssl/certs/ /etc/ssl/certs/
 COPY --from=builder /etc/ssl/cert.pem /etc/ssl/cert.pem

Makefile

@@ -3,6 +3,9 @@
 # Edit Makefile.maker.yaml instead.                                            #
 ################################################################################
 
+# Copyright 2024 SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
 MAKEFLAGS=--warn-undefined-variables
 # /bin/sh is dash on Debian which does not support all features of ash/bash
 # to fix that we use /bin/bash only on Debian to not break Alpine
@@ -14,11 +17,17 @@ endif
 
 default: build-all
 
-prepare-static-check: FORCE
+install-golangci-lint: FORCE
 	@if ! hash golangci-lint 2>/dev/null; then printf "\e[1;36m>> Installing golangci-lint (this may take a while)...\e[0m\n"; go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest; fi
+
+install-go-licence-detector: FORCE
 	@if ! hash go-licence-detector 2>/dev/null; then printf "\e[1;36m>> Installing go-licence-detector...\e[0m\n"; go install go.elastic.co/go-licence-detector@latest; fi
+
+install-addlicense: FORCE
 	@if ! hash addlicense 2>/dev/null; then  printf "\e[1;36m>> Installing addlicense...\e[0m\n";  go install github.com/google/addlicense@latest; fi
 
+prepare-static-check: FORCE install-golangci-lint install-go-licence-detector install-addlicense
+
 GO_BUILDFLAGS =
 GO_LDFLAGS =
 GO_TESTENV =
@@ -61,7 +70,7 @@ comma := ,
 check: FORCE static-check build/cover.html build-all
 	@printf "\e[1;32m>> All checks successful.\e[0m\n"
 
-run-golangci-lint: FORCE prepare-static-check
+run-golangci-lint: FORCE install-golangci-lint
 	@printf "\e[1;36m>> golangci-lint\e[0m\n"
 	@golangci-lint run
 
@@ -82,18 +91,26 @@ tidy-deps: FORCE
 	go mod tidy
 	go mod verify
 
-license-headers: FORCE prepare-static-check
+force-license-headers: FORCE install-addlicense
 	@printf "\e[1;36m>> addlicense\e[0m\n"
-	@addlicense -c "SAP SE"  -- $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
+	echo -n $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...)) | xargs -d" " -I{} bash -c 'year="$$(rg -P "Copyright (....) SAP SE" -Nor "\$$1" {})"; awk -i inplace '"'"'{if (display) {print} else {!/^\/\*/ && !/^\*/ && !/^\$$/}}; /^package /{print;display=1}'"'"' {}; addlicense -c "SAP SE" -s=only -y "$$year" -- {}'
 
-check-license-headers: FORCE prepare-static-check
+license-headers: FORCE install-addlicense
+	@printf "\e[1;36m>> addlicense\e[0m\n"
+	@addlicense -c "SAP SE" -s=only -- $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
+
+check-license-headers: FORCE install-addlicense
 	@printf "\e[1;36m>> addlicense --check\e[0m\n"
-	@addlicense --check  -- $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
+	@addlicense --check -- $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
 
-check-dependency-licenses: FORCE prepare-static-check
+check-dependency-licenses: FORCE install-go-licence-detector
 	@printf "\e[1;36m>> go-licence-detector\e[0m\n"
 	@go list -m -mod=readonly -json all | go-licence-detector -includeIndirect -rules .license-scan-rules.json -overrides .license-scan-overrides.jsonl
 
+goimports: FORCE
+	@printf "\e[1;36m>> goimports -w -local https://github.com/sapcc/hermes\e[0m\n"
+	@goimports -w -local github.com/sapcc/hermes $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
+
 clean: FORCE
 	git clean -dxf build
 
@@ -115,29 +132,34 @@ help: FORCE
 	@printf "  make \e[36m<target>\e[0m\n"
 	@printf "\n"
 	@printf "\e[1mGeneral\e[0m\n"
-	@printf "  \e[36mvars\e[0m                       Display values of relevant Makefile variables.\n"
-	@printf "  \e[36mhelp\e[0m                       Display this help.\n"
+	@printf "  \e[36mvars\e[0m                         Display values of relevant Makefile variables.\n"
+	@printf "  \e[36mhelp\e[0m                         Display this help.\n"
 	@printf "\n"
 	@printf "\e[1mPrepare\e[0m\n"
-	@printf "  \e[36mprepare-static-check\e[0m       Install any tools required by static-check. This is used in CI before dropping privileges, you should probably install all the tools using your package manager\n"
+	@printf "  \e[36minstall-golangci-lint\e[0m        Install golangci-lint required by run-golangci-lint/static-check\n"
+	@printf "  \e[36minstall-go-licence-detector\e[0m  Install-go-licence-detector required by check-dependency-licenses/static-check\n"
+	@printf "  \e[36minstall-addlicense\e[0m           Install addlicense required by check-license-headers/license-headers/static-check\n"
+	@printf "  \e[36mprepare-static-check\e[0m         Install any tools required by static-check. This is used in CI before dropping privileges, you should probably install all the tools using your package manager\n"
 	@printf "\n"
 	@printf "\e[1mBuild\e[0m\n"
-	@printf "  \e[36mbuild-all\e[0m                  Build all binaries.\n"
-	@printf "  \e[36mbuild/hermes\e[0m               Build hermes.\n"
-	@printf "  \e[36minstall\e[0m                    Install all binaries. This option understands the conventional 'DESTDIR' and 'PREFIX' environment variables for choosing install locations.\n"
+	@printf "  \e[36mbuild-all\e[0m                    Build all binaries.\n"
+	@printf "  \e[36mbuild/hermes\e[0m                 Build hermes.\n"
+	@printf "  \e[36minstall\e[0m                      Install all binaries. This option understands the conventional 'DESTDIR' and 'PREFIX' environment variables for choosing install locations.\n"
 	@printf "\n"
 	@printf "\e[1mTest\e[0m\n"
-	@printf "  \e[36mcheck\e[0m                      Run the test suite (unit tests and golangci-lint).\n"
-	@printf "  \e[36mrun-golangci-lint\e[0m          Install and run golangci-lint. Installing is used in CI, but you should probably install golangci-lint using your package manager.\n"
-	@printf "  \e[36mbuild/cover.out\e[0m            Run tests and generate coverage report.\n"
-	@printf "  \e[36mbuild/cover.html\e[0m           Generate an HTML file with source code annotations from the coverage report.\n"
-	@printf "  \e[36mstatic-check\e[0m               Run static code checks\n"
+	@printf "  \e[36mcheck\e[0m                        Run the test suite (unit tests and golangci-lint).\n"
+	@printf "  \e[36mrun-golangci-lint\e[0m            Install and run golangci-lint. Installing is used in CI, but you should probably install golangci-lint using your package manager.\n"
+	@printf "  \e[36mbuild/cover.out\e[0m              Run tests and generate coverage report.\n"
+	@printf "  \e[36mbuild/cover.html\e[0m             Generate an HTML file with source code annotations from the coverage report.\n"
+	@printf "  \e[36mstatic-check\e[0m                 Run static code checks\n"
 	@printf "\n"
 	@printf "\e[1mDevelopment\e[0m\n"
-	@printf "  \e[36mtidy-deps\e[0m                  Run go mod tidy and go mod verify.\n"
-	@printf "  \e[36mlicense-headers\e[0m            Add license headers to all non-vendored .go files.\n"
-	@printf "  \e[36mcheck-license-headers\e[0m      Check license headers in all non-vendored .go files.\n"
-	@printf "  \e[36mcheck-dependency-licenses\e[0m  Check all dependency licenses using go-licence-detector.\n"
-	@printf "  \e[36mclean\e[0m                      Run git clean.\n"
+	@printf "  \e[36mtidy-deps\e[0m                    Run go mod tidy and go mod verify.\n"
+	@printf "  \e[36mforce-license-headers\e[0m        Remove and re-add all license headers to all non-vendored source code files.\n"
+	@printf "  \e[36mlicense-headers\e[0m              Add license headers to all non-vendored source code files.\n"
+	@printf "  \e[36mcheck-license-headers\e[0m        Check license headers in all non-vendored .go files.\n"
+	@printf "  \e[36mcheck-dependency-licenses\e[0m    Check all dependency licenses using go-licence-detector.\n"
+	@printf "  \e[36mgoimports\e[0m                    Run goimports on all non-vendored .go files\n"
+	@printf "  \e[36mclean\e[0m                        Run git clean.\n"
 
 .PHONY: FORCE

REUSE.toml

@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
+version = 1
+
+[[annotations]]
+path = [
+  ".github/CODEOWNERS",
+  ".github/renovate.json",
+  ".gitignore",
+  ".license-scan-overrides.jsonl",
+  ".license-scan-rules.json",
+  "go.mod",
+  "go.sum",
+  "Makefile.maker.yaml",
+]
+SPDX-FileCopyrightText = "SAP SE"
+SPDX-License-Identifier = "Apache-2.0"