General housekeeping and go updates (#3765)

* have a dedicated workflow for golangci-lint and add e2e to it Signed-off-by: cpanato <ctadeu@gmail.com> * clean up ci Signed-off-by: cpanato <ctadeu@gmail.com> * bump go to 1.22.5 in go.mod Signed-off-by: cpanato <ctadeu@gmail.com> * update release builder to use go1.22.5 Signed-off-by: cpanato <ctadeu@gmail.com> * update softhsm2-pkcs11-prox image Signed-off-by: cpanato <ctadeu@gmail.com> * update Signed-off-by: cpanato <ctadeu@gmail.com> * fix lints Signed-off-by: cpanato <ctadeu@gmail.com> --------- Signed-off-by: cpanato <ctadeu@gmail.com>
sigstore · Jul 5, 2024 · d05a120 · d05a120
1 parent 3d622d1
commit d05a120
Show file tree

Hide file tree

Showing 24 changed files with 236 additions and 143 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -29,13 +29,15 @@ on:
       - main
       - release-*
 
-permissions: read-all
+permissions: {}
 
 jobs:
   build:
     name: build
     runs-on: ubuntu-latest
 
+    if: github.repository == 'sigstore/cosign'
+
     permissions:
       id-token: write
       contents: read

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -30,11 +30,15 @@ on:
 env:
   CODEQL_EXTRACTOR_GO_BUILD_TRACING: true
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
 
+    if: github.repository == 'sigstore/cosign'
+
     permissions:
       security-events: write
       actions: read

diff --git a/.github/workflows/cut-release.yml b/.github/workflows/cut-release.yml
@@ -1,3 +1,18 @@
+#
+# Copyright 2024 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 name: Cut Release
 
 on:

diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml
@@ -15,10 +15,15 @@
 name: 'Dependency Review'
 on: [pull_request]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   dependency-review:
     name: License and Vulnerability Scan
+
+    if: github.repository == 'sigstore/cosign'
+
+    permissions:
+      contents: read
+
     uses: sigstore/community/.github/workflows/reusable-dependency-review.yml@9b1b5aca605f92ec5b1bf3681b1e61b3dbc420cc
diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml
@@ -1,17 +1,38 @@
+#
+# Copyright 2024 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 name: Do Not Submit
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches:
+      - 'main'
+      - 'release-*'
 
-permissions: read-all
+permissions: {}
 
 jobs:
-
   donotsubmit:
     name: Do Not Submit
     runs-on: ubuntu-latest
 
+    if: github.repository == 'sigstore/cosign'
+
+    permissions:
+      contents: read
+
     steps:
       - name: Check out code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v2.4.0

diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
@@ -86,9 +86,9 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: cpanato/vault-installer@ac6d910a90d64f78ef773afe83887a35c95245c6 # v1.0.3
-        with:
-          vault-release: '1.14.1'
+
+      - name: setup vault
+        uses: cpanato/vault-installer@892767a16fcd6afa5c4cceb557a6aacb73427ebb # v1.1.0
 
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:

diff --git a/.github/workflows/e2e-with-binary.yml b/.github/workflows/e2e-with-binary.yml
@@ -28,6 +28,8 @@ on:
     branches: [ 'main' ]
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   e2e-tests-with-binary:
     # Skip if running in a fork that might not have secrets configured.
@@ -41,6 +43,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
+
     env:
       COSIGN_YES: "true"
 

diff --git a/.github/workflows/github-oidc.yaml b/.github/workflows/github-oidc.yaml
@@ -28,19 +28,25 @@ on:
     - cron: '0 1 * * *' # 1AM UTC
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   build:
+    runs-on: ubuntu-latest
+    if: github.repository == 'sigstore/cosign'
+
     permissions:
       id-token: write
       packages: write
       contents: read
+
     env:
       GIT_HASH: ${{ github.sha }}
       GIT_VERSION: unstable
       GITHUB_RUN_ID: ${{ github.run_id }}
       GITHUB_RUN_ATTEMPT: ${{ github.run_attempt }}
       KO_PREFIX: ghcr.io/${{ github.repository }}
-    runs-on: ubuntu-latest
+
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -0,0 +1,62 @@
+# Copyright 2024 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: golangci-lint
+
+on:
+  push:
+    branches:
+      - 'main'
+  pull_request:
+
+permissions: {}
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        with:
+          go-version: '1.22'
+          check-latest: true
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
+        with:
+          version: v1.59
+          args: --timeout=5m
+
+  golangci-test-e2e:
+    name: lint-test-e2e
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        with:
+          go-version: '1.22'
+          check-latest: true
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
+        with:
+          version: v1.59
+          args: --timeout=5m --build-tags e2e ./test
diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml
@@ -23,7 +23,7 @@ defaults:
   run:
     shell: bash
 
-permissions: read-all
+permissions: {}
 
 jobs:
   cip-test:
@@ -38,6 +38,9 @@ jobs:
         - remote
         - air-gap
 
+    permissions:
+      contents: read
+
     env:
       KO_DOCKER_REPO: "registry.local:5000/policy-controller"
       SCAFFOLDING_RELEASE_VERSION: "v0.7.2"

diff --git a/.github/workflows/milestone.yaml b/.github/workflows/milestone.yaml
diff --git a/.github/workflows/scorecard-action.yml b/.github/workflows/scorecard-action.yml
@@ -1,3 +1,18 @@
+#
+# Copyright 2024 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 name: Scorecards supply-chain security
 on:
   # Only the default branch is supported.
@@ -8,19 +23,21 @@ on:
   push:
     branches: [ main ]
 
-# Declare default permissions as read only.
-permissions: read-all
+permissions: {}
 
 jobs:
   analysis:
     name: Scorecards analysis
     runs-on: ubuntu-latest
+    if: github.repository == 'sigstore/cosign'
+
     permissions:
       # Needed to upload the results to code-scanning dashboard.
       security-events: write
       actions: read
       contents: read
       id-token: write
+
     steps:
       - name: "Checkout code"
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -31,7 +31,7 @@ on:
 permissions: read-all
 
 env:
-  GO_VERSION: '1.21'
+  GO_VERSION: '1.22'
 
 jobs:
   unit-tests:
@@ -215,19 +215,3 @@ jobs:
         run: |
           set -e
           addlicense -check -l apache -c 'The Sigstore Authors' -ignore "third_party/**" -v *
-
-  golangci:
-    name: lint
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
-        with:
-          go-version: '1.22'
-          check-latest: true
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
-        with:
-          # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
-          version: v1.59
-          args: --timeout=5m
diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml
@@ -31,9 +31,9 @@ jobs:
     steps:
       - name: Check Signature
         run: |
-          cosign verify ghcr.io/gythialy/golang-cross:v1.22.4-0@sha256:7769c9e4c92f1b598410566270a0aac39f6d0f68491e5bf0862df4ff0f11f06b \
+          cosign verify ghcr.io/gythialy/golang-cross:v1.22.5-0@sha256:5cf8fca7fe80392c8d1597fe89d291d49120507390f25507746f73d4b7f8a8f2 \
           --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-          --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.22.4-0"
+          --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.22.5-0"
         env:
           TUF_ROOT: /tmp
 
@@ -43,7 +43,7 @@ jobs:
       - check-signature
 
     container:
-      image: ghcr.io/gythialy/golang-cross:v1.22.4-0@sha256:7769c9e4c92f1b598410566270a0aac39f6d0f68491e5bf0862df4ff0f11f06b
+      image: ghcr.io/gythialy/golang-cross:v1.22.5-0@sha256:5cf8fca7fe80392c8d1597fe89d291d49120507390f25507746f73d4b7f8a8f2
 
     permissions: {}