diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index b02b363..85707f7 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md @@ -4,7 +4,7 @@ You'll find below general guidelines, which mostly correspond to standard practi >**TL;DR** > -> If you're already an experience go developer on github, then you should just feel at home with us +> If you're already an experienced go developer on github, then you should just feel at home with us > and you may well skip the rest of this document. > > You'll essentially find the usual guideline for a go library project on github. diff --git a/.github/workflows/TODO.md b/.github/workflows/TODO.md deleted file mode 100644 index d389570..0000000 --- a/.github/workflows/TODO.md +++ /dev/null @@ -1,13 +0,0 @@ -* contributors: - * [x] draft PR - * token exchange for auto merge -* release - * [x] relint bash ( redirect {}) - * [x] tag message ignored in release note -* [x] run action linting locally -* [x] pin go install -> gh-actions -* codeql: - * [x] paths_ignore (with an s) -* test: - * [x] bash relint - * [ ] fuzz test diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index 4916494..81c88a6 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml 
@@ -1,74 +1,15 @@ name: Dependabot auto-merge -on: pull_request permissions: contents: read +on: + pull_request: + jobs: dependabot: permissions: contents: write pull-requests: write - runs-on: ubuntu-latest - if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} - steps: - - - name: Dependabot metadata - id: metadata - uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0 - - - name: Auto-approve all dependabot PRs - env: - PR_URL: ${{github.event.pull_request.html_url}} - GH_TOKEN: ${{secrets.GITHUB_TOKEN}} - run: gh pr review --approve "$PR_URL" - - - name: Auto-merge dependabot PRs for development dependencies - if: ${{ contains(steps.metadata.outputs.dependency-group, 'development-dependencies') }} - env: - PR_URL: ${{github.event.pull_request.html_url}} - GH_TOKEN: ${{secrets.GITHUB_TOKEN}} - run: gh pr merge --auto --rebase "$PR_URL" - - - name: Auto-merge dependabot PRs for go-openapi patches - if: >- - ${{ - contains(steps.metadata.outputs.dependency-group, 'go-openapi-dependencies') && - ( - steps.metadata.outputs.update-type == 'version-update:semver-minor' || - steps.metadata.outputs.update-type == 'version-update:semver-patch' - ) - }} - env: - PR_URL: ${{github.event.pull_request.html_url}} - GH_TOKEN: ${{secrets.GITHUB_TOKEN}} - run: gh pr merge --auto --rebase "$PR_URL" - - - name: Auto-merge dependabot PRs for golang.org updates - if: ${{ contains(steps.metadata.outputs.dependency-group, 'golang-org-dependencies') }} - env: - PR_URL: ${{github.event.pull_request.html_url}} - GH_TOKEN: ${{secrets.GITHUB_TOKEN}} - run: gh pr merge --auto --rebase "$PR_URL" - - # Auto merge is current disabled: we need automatic PRs to swap identity (e.g. using a Github App), - # so the pull_request event is properly captured and the PR can validate. 
- #actions-bot: - # permissions: - # contents: write - # pull-requests: write - # runs-on: ubuntu-latest - # if: ${{ github.event.pull_request.user.login == 'github-actions[bot]' }} - # steps: - # - - # name: Auto-approve all github-actions bot PRs - # env: - # PR_URL: ${{github.event.pull_request.html_url}} - # GH_TOKEN: ${{secrets.GITHUB_TOKEN}} - # run: gh pr review --approve "$PR_URL" - # - - # name: Auto-merge github-actions bot PRs - # env: - # PR_URL: ${{github.event.pull_request.html_url}} - # GH_TOKEN: ${{secrets.GITHUB_TOKEN}} - # run: gh pr merge --auto --rebase "$PR_URL" + uses: go-openapi/ci-workflows/.github/workflows/auto-merge.yml@d0b50195d14745b9a9a8a41cf3bb7ecd874af37a # v0.1.1 + secrets: inherit diff --git a/.github/workflows/bump-release.yml b/.github/workflows/bump-release.yml new file mode 100644 index 0000000..9d8ba9c --- /dev/null +++ b/.github/workflows/bump-release.yml 
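Review bot: The `if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}` guard has been dropped from the `dependabot` job, so the callee is now started with `contents: write` and `pull-requests: write` on every pull_request, not only Dependabot's; unless `ci-workflows/auto-merge.yml` re-checks the actor itself (not visible here), human PRs reach the approve/merge path. A job-level `if:` is allowed on a reusable-workflow call, so restoring that one line on the caller keeps the guard independent of whatever the callee does. Separately, `secrets: inherit` forwards every repository secret to the callee, and the same line appears in codeql.yml, contributors.yml, go-test.yml, release.yml, scanner.yml and tag-release.yml in this diff; `GITHUB_TOKEN` reaches a called workflow without it, so the line is only needed where the callee consumes a named secret, which is clearer passed explicitly as `secrets:` / `<SECRET_NAME>: ${{ secrets.<SECRET_NAME> }}`.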
@@ -0,0 +1,46 @@ +name: Bump Release + +permissions: + contents: read + +on: + workflow_dispatch: + inputs: + bump-patch: + description: Bump a patch version release + type: boolean + required: false + default: true + bump-minor: + description: Bump a minor version release + type: boolean + required: false + default: false + bump-major: + description: Bump a major version release + type: boolean + required: false + default: false + tag-message-title: + description: Tag message title to prepend to the release notes + required: false + type: string + tag-message-body: + description: | + Tag message body to prepend to the release notes. + (use "|" to replace end of line). + required: false + type: string + +jobs: + bump-release: + permissions: + contents: write + uses: go-openapi/ci-workflows/.github/workflows/bump-release.yml@d0b50195d14745b9a9a8a41cf3bb7ecd874af37a # v0.1.1 + with: + bump-patch: ${{ inputs.bump-patch }} + bump-minor: ${{ inputs.bump-minor }} + bump-major: ${{ inputs.bump-major }} + tag-message-title: ${{ inputs.tag-message-title }} + tag-message-body: ${{ inputs.tag-message-body }} + secrets: inherit diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6062f3c..5e4edac 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
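Review bot: The three `bump-*` boolean inputs are independent, so a dispatch that leaves `bump-patch` at its default `true` and also ticks `bump-minor` forwards both flags to `ci-workflows/bump-release.yml`; which one wins is presumably resolved in the callee and is not visible from this side. A single `type: choice` input with `options: [patch, minor, major]`, mapped on the caller as `bump-patch: ${{ inputs.bump == 'patch' }}` (and likewise for minor and major), would make the selection exclusive in the dispatch UI; failing that, the input descriptions should state the precedence. The free-text `tag-message-title`/`tag-message-body` values are forwarded verbatim; `workflow_dispatch` needs write access so this is a maintainer-only surface, but the `|`-to-newline substitution promised in the description is something the callee has to do, which is worth noting in the description as well.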
@@ -1,41 +1,22 @@ name: "CodeQL" -permissions: - contents: read - on: push: branches: [ "master" ] pull_request: branches: [ "master" ] - paths-ignore: + paths-ignore: # remove this clause if CodeQL is a required check - '**/*.md' schedule: - cron: '39 19 * * 5' +permissions: + contents: read + jobs: - analyze: - name: Analyze. - runs-on: ubuntu-latest - timeout-minutes: 360 + codeql: permissions: contents: read security-events: write - # actions: read # <- is needed only for private repositories - strategy: - fail-fast: false - matrix: - language: ['go','actions'] - steps: - - - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - - # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 - with: - languages: ${{ matrix.language }} - - - name: Analyze ${{ matrix.language }} - uses: github/codeql-action/analyze@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 + uses: go-openapi/ci-workflows/.github/workflows/codeql.yml@d0b50195d14745b9a9a8a41cf3bb7ecd874af37a # v0.1.1 + secrets: inherit diff --git a/.github/workflows/contributors.yml b/.github/workflows/contributors.yml index cf29de0..422719d 100644 --- a/.github/workflows/contributors.yml +++ b/.github/workflows/contributors.yml 
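Review bot: The explicit `language: ['go','actions']` matrix is gone and the caller passes no language input to `ci-workflows/codeql.yml`, so whether the `actions` language — the one that scans the very workflow files this commit introduces — is still analysed cannot be confirmed here. If the callee exposes a languages input, pass it explicitly; otherwise record the expectation next to the `uses:` line with a comment such as `# languages (go, actions) are configured inside ci-workflows/codeql.yml`. The new `paths-ignore: # remove this clause if CodeQL is a required check` comment is useful, but since the clause sits under `pull_request` only and not under `push`, saying so in the same comment would spare the next reader a re-read.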
@@ -1,49 +1,18 @@ name: Contributors -permissions: - contents: read - on: schedule: - cron: '18 4 * * 6' workflow_dispatch: +permissions: + contents: read + jobs: - update-contributors: - name: all-time contributors + contributors: permissions: pull-requests: write contents: write - runs-on: ubuntu-latest - steps: - - - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - - name: Identify all-time contributors to this repository - uses: github/contributors@e345de71bbd056a34a70709afd4f4bf0a270cc1a # v1.7.7 - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - REPOSITORY: ${{ github.repository }} - LINK_TO_PROFILE: 'True' - - - name: Rename contributor file - run: | - rm -rf contributors.json - mv contributors.md CONTRIBUTORS.md - - - name: Create a PR - id: create-pull-request - uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9 - with: - commit-message: "doc: updated contributors file" - branch: doc/contributors-bot - delete-branch: true - title: "doc: updated contributors file" - token: ${{ secrets.GITHUB_TOKEN }} - labels: "bot" - draft: true - assignees: fredbi - reviewers: fredbi - sign-commits: true + uses: go-openapi/ci-workflows/.github/workflows/contributors.yml@d0b50195d14745b9a9a8a41cf3bb7ecd874af37a # v0.1.1 + secrets: inherit diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml index 7d41174..cd67b1b 100644 --- a/.github/workflows/go-test.yml +++ b/.github/workflows/go-test.yml @@ -1,4 +1,8 @@ -name: go-test +name: go test + +permissions: + pull-requests: read + contents: read on: push: 
@@ -7,342 +11,7 @@ on: pull_request: -permissions: - pull-requests: read - contents: read - jobs: - lint: - name: Lint - runs-on: ubuntu-latest - steps: - - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version: stable - check-latest: true - cache: true - - - name: golangci-lint - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 - with: - version: latest - only-new-issues: true - skip-cache: true - test: - name: Unit tests - runs-on: ${{ matrix.os }} - needs: [lint] - - strategy: - matrix: - os: [ ubuntu-latest, macos-latest, windows-latest ] - go: ['oldstable', 'stable' ] - - steps: - - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version: '${{ matrix.go }}' - check-latest: true - cache: true - - - name: Install gotestsum - uses: go-openapi/gh-actions/install/gotestsum@ca5928fe952ce03d9e6a61a8284a508a9cc8d4f1 - - - name: Run unit tests - shell: bash - run: > - gotestsum - --jsonfile 'unit.report.${{ matrix.os }}-${{ matrix.go }}.json' - -- - -race - -p 2 - -count 1 - -timeout=20m - -coverprofile='unit.coverage.${{ matrix.os }}-${{ matrix.go }}.out' - -covermode=atomic - -coverpkg="$(go list)"/... - ./... - - - name: Upload coverage artifacts - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 - with: - # *.coverage.* pattern is automatically detected by codecov - path: '**/*.coverage.*.out' - name: 'unit.coverage.${{ matrix.os }}-${{ matrix.go }}' - retention-days: 1 - - - name: Upload test report artifacts - # upload report even if test fail. BTW, this is when they are valuable. 
- if: ${{ !cancelled() }} - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 - with: - path: '**/unit.report.*.json' - name: 'unit.report.${{ matrix.os }}-${{ matrix.go }}' - retention-days: 1 - - test-complete: - # description: | - # Be explicit about all tests being passed. This allows for setting up only a few status checks on PRs. - name: tests completed - needs: [test,fuzz-test] - runs-on: ubuntu-latest - steps: - - - name: Tests completed - run: | - echo "::notice title=Success:All tests passed" - - collect-coverage: - # description: | - # Gather, merge then uploads test coverage files from all test jobs (this includes integration tests, - # like codegen-test). This reduces the number of failures due to codecov hitting github API rate limit. - name: collect test coverage - needs: [test-complete] - if: ${{ !cancelled() && needs.test-complete.result == 'success' }} - runs-on: ubuntu-latest - steps: - - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - with: - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - - - name: Download coverage artifacts - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 - with: - run-id: "${{ github.run_id }}" - pattern: "*.coverage.*" - # artifacts resolve as folders - path: coverage/ - - - name: Upload coverage to codecov - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 - with: - name: Aggregated coverage - # All *.coverage.*.out files uploaded should be detected by the codecov action. - # NOTE: we lose the flags on individual test reports (e.g. by os, by go version, unit vs integration tests) - fail_ci_if_error: false - verbose: false - - collect-reports: - # description: | - # Gather, merge then uploads test report files from unit test jobs. 
- # - # At this moment test reports are published on both codecov - # (see ) and the github actions UI - # (see ). - name: collect test reports - needs: [test] - if: ${{ !cancelled() }} - runs-on: ubuntu-latest - steps: - - - name: Download test report artifacts - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 - with: - run-id: "${{ github.run_id }}" - pattern: "*.report.*" - # artifacts resolve as folders - path: reports/ - - - name: Install go-junit-report - uses: go-openapi/gh-actions/install/go-junit-report@ca5928fe952ce03d9e6a61a8284a508a9cc8d4f1 - - - name: Convert test reports to a merged JUnit XML - # NOTE: codecov test reports only support JUnit format at this moment. See https://docs.codecov.com/docs/test-analytics. - # Ideally, codecov improve a bit their platform, so we may only need a single pass to CTRF format. - # - # As a contemplated alternative, we could use gotestsum above to produce the JUnit XML directly. - # At this moment, we keep a json format to dispatch test reports to codecov as well as to CTRF reports. - # - # TODO(fredbi): investigate - use mikepenz/action-junit-report@v5, that packages most of the following scripts - # in a single action. Alternative: for that action. 
- run: | - find reports/ -name \*.json -print0 | xargs -0 cat | go-junit-report -parser gojson -out=reports/junit_report.xml - - - name: Upload test results to Codecov - # This allows for using the test results UI on codecov - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 - with: - files: '**/junit_report.xml' - report_type: 'test_results' - fail_ci_if_error: false - handle_no_reports_found: true - verbose: true - - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version: stable - check-latest: true - cache: true - - - name: Install go-ctrf-json-reporter - uses: go-openapi/gh-actions/install/go-ctrf-json-reporter@ca5928fe952ce03d9e6a61a8284a508a9cc8d4f1 - - - name: Convert test reports to CTRF JSON - # description: | - # This step publishes CTRF test reports on github UI (actions) - run: | - appName="${{ github.repository }}" - buildNumber="${{ github.run_id }}" - appVersion="${{ github.event.pull_request.head.sha }}" - if [[ -z "${appVersion}" ]] ; then - # for push events - appVersion="${{ github.sha }}" - fi - - # reconstruct platform information from the file name - while read -r report ; do - reformated=$(echo "${report##*/}"|sed -E 's/(go)([[:digit:]]+)\.([[:digit:]]+)/\1\2\3/') # e.g. go1.24 becomes go124 - mapfile -d'.' -t -s 2 -n 2 split < <(echo "$reformated") # skip the first 2 parts, stop on 2 more parts - envstring="${split[0]}" - osPlatform="${envstring%-*}" - osRelease="${envstring##*-}" - - # this is a best effort only: tests may be cancelled upstream and produce incorrect reports - go-ctrf-json-reporter \ - -quiet \ - -appName "${appName}" \ - -appVersion "${appVersion}" \ - -buildNumber "${buildNumber}" \ - -osPlatform "${osPlatform}" \ - -osRelease "${osRelease}" \ - -output "./reports/ctrf_report_${osPlatform}_${osRelease}.json" < "${report}" || true - done < <(find reports -name \*.json) - - # NOTE: at this moment, we don't upload CTRF reports as artifacts. 
- # Some of the CTRF reports are therefore not available (flaky tests, history, ...). - # - # See https://github.com/ctrf-io/github-test-reporter?tab=readme-ov-file#report-showcase - # for more reporting possibilities. At the moment, we keep it simple, as most advanced features - # require a github token (thus adding the complexity of a separate workflow starting on pull_request_target). - # - # For the moment, we are contented with these simple reports. This is an opportunity to compare the insight they - # provide as compared to what is uploaded to codecov. - # - # Codecov analytics are pretty poor at this moment. On the other hand, they manage the bot that pushes back - # PR comments. - # - # They also handle the storage of past test reports, so as to assess flaky tests. - - - name: Publish Test Summary Results - uses: ctrf-io/github-test-reporter@024bc4b64d997ca9da86833c6b9548c55c620e40 # v1.0.26 - with: - report-path: 'reports/ctrf_report_*.json' - use-suite-name: true - summary-report: true # post a report to the github actions summary - github-report: true - failed-folded-report: true - - fuzz-test: - name: fuzz test - runs-on: ubuntu-latest - env: - CORPUS_MAX_SIZE_MB: 250 - FUZZ_TIME: 1m30s - FUZZ_MINIMIZE_TIME: 5m - steps: - - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version: stable - check-latest: true - cache: true - - - name: Locate go fuzz cache - run: | - GOCACHE=$(go env GOCACHE) - echo "CORPUS_DIR=${GOCACHE}/fuzz" >> "${GITHUB_ENV}" - - - name: Retrieve fuzz corpus from cache - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 - with: - key: ${{ runner.os }}-go-fuzz - path: - ${{ env.CORPUS_DIR }} - - - name: Manage fuzz corpus cache size - run: | - mkdir -p "${CORPUS_DIR}" - # This script checks that the size of the corpus cache doesn't exceed ${CORPUS_MAX_SIZE_MB}, - # and if it does, it removes all 
oldest files beyond that size. - - function size() { - local location=$1 - local unit=$2 - - du -s"${unit}" "${location}"|cut -f1 - } - - function purge() { - local location=$1 - local max_size_b=$2 - declare -i current_size_b=0 file_size_b=0 purged_files=0 - - while read -r filename ; do - file_size_b="$(size "$(unknown)" "b")" - ((current_size_b+=file_size_b)) - - if [[ ${current_size_b} -le ${max_size_b} ]] ; then - continue - fi - if [[ ${file_size_b} -eq 0 ]] ; then - continue - fi - - rm -f "$(unknown)" - ((purged_files+=1)) - done < <(find "${location}" -type f -print0 | xargs -0 ls -t) - - echo ${purged_files} - } - - CURRENT_SIZE_MB="$(size "${CORPUS_DIR}" "m")" - if [[ "${CURRENT_SIZE_MB}" -lt "${MAX_SIZE_MB}" ]] ; then - echo "::notice:cache size remains under the accepted size of ${MAX_SIZE_MB} MB: ${CURRENT_SIZE_MB} MB" - - exit 0 - fi - - declare -i max_size_b=$(("${CORPUS_MAX_SIZE_MB}" * 1024 * 1024)) - purged_files=$(purge "${purged_dir}" "${max_size_b}"); - echo "::notice:cache size is ${CURRENT_SIZE_MB} MB: purging oldest files to keep it under ${CORPUS_MAX_SIZE_MB} MB" - if [[ ${purged_files} -gt 0 ]] ; then - echo "::notice:removed ${purged_files} files to keep the cache size below ${CORPUS_MAX_SIZE_MB} MB" - fi - FINAL_SIZE_MB="$(size "${CORPUS_DIR}" "m")" - echo "::notice:purged cache size: ${FINAL_SIZE_MB} MB" - - - name: Run go fuzz tests - # TODO(fredbi): ./... is not supported: we should run as a matrix test multiple fuzz tests - run: > - go test - -fuzz=Fuzz - -run=Fuzz - -fuzztime='${{ env.FUZZ_TIME }}' - -fuzzminimizetime='${{ env.FUZZ_MINIMIZE_TIME }}' - ./... - - - name: Upload failed corpus - if: ${{ failure() }} - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 - # TODO(fredbi): ideally, after uploading, we should fire a pull request to add - # this corpus to testdata. 
- with: - path: ${{ env.CORPUS_DIR }} - name: '${{ runner.os }}-fuzz-corpus-failure' - retention-days: 60 - - - name: Report fuzz corpus cache size - run: | - FINAL_SIZE=$(du -m "${CORPUS_DIR}"|cut -f1) - echo "::notice title=fuzz corpus size:${FINAL_SIZE}MB" + uses: go-openapi/ci-workflows/.github/workflows/go-test.yml@d0b50195d14745b9a9a8a41cf3bb7ecd874af37a # v0.1.1 + secrets: inherit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index eff2e2f..cf4ed2d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
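Review bot: Branch-protection rules that require the removed job names (`Lint`, `Unit tests (...)`, `tests completed`, `fuzz test`) will no longer be satisfied, because the check names are now produced by the jobs inside `ci-workflows/go-test.yml`, which are not visible here; the `go-test` → `go test` rename in the previous hunk does not affect the README badge (it resolves by file path) but does change the check-suite label. A short comment above the `uses:` line, e.g. `# required status checks must reference the job names defined in ci-workflows/go-test.yml`, would record that. Whether the fuzz-test job with its corpus cache and the codecov coverage/report uploads carry over to the callee also cannot be confirmed from this side and is worth stating in the commit description.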
@@ -1,64 +1,18 @@ name: Release -permissions: - contents: read - -# description: | -# Build a github release on pushed tag. -# -# The only available asset is a release note. - on: push: tags: - v[0-9]+* +permissions: + contents: read + jobs: - gh-release: - name: Create release - runs-on: ubuntu-latest + release: permissions: contents: write - steps: - - - name: Checkout code - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - with: - fetch-depth: 0 - - - name: Extract tag message - id: get-message - # tag message is not retrieved unless with fetch the ref explictly - run: | - git fetch --depth=1 origin +refs/tags/*:refs/tags/* - MESSAGE=$(git tag -l '${{ github.ref_name }}' --format='%(contents:subject) - - %(contents:body) - ') - export MESSAGE - { - echo "message<> "${GITHUB_OUTPUT}" - - echo "Message in git tag ${{ github.ref_name }}" - echo "$MESSAGE" - - - name: Generate release notes - id: notes - env: - GITHUB_TOKEN: ${{ github.token }} - GITHUB_REPO: ${{ github.repository }} - uses: orhun/git-cliff-action@d77b37db2e3f7398432d34b72a12aa3e2ba87e51 # v4.6.0 - with: - config: '.cliff.toml' - args: >- - --current - --with-tag-message '${{ steps.get-message.outputs.message }}' - - - name: Create github release - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 - with: - body: ${{ steps.notes.outputs.content }} - generate_release_notes: false + uses: go-openapi/ci-workflows/.github/workflows/release.yml@d0b50195d14745b9a9a8a41cf3bb7ecd874af37a # v0.1.1 + with: + tag: ${{ github.ref_name }} + secrets: inherit diff --git a/.github/workflows/scanner.yml b/.github/workflows/scanner.yml index 5002035..53a0471 100644 --- a/.github/workflows/scanner.yml +++ b/.github/workflows/scanner.yml 
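Review bot: Both this file and the new `.github/workflows/tag-release.yml` later in this diff trigger on `push: tags: - v[0-9]+*` and call the same `ci-workflows/release.yml@d0b50195d14745b9a9a8a41cf3bb7ecd874af37a # v0.1.1` with `tag: ${{ github.ref_name }}`, so a single tag push starts two jobs that each try to create the same GitHub release — the second either fails or produces a duplicate. Only one of the two should survive; given that the new file carries the descriptive job name (`gh-release` / `Create release`), this one looks like it was meant to be deleted rather than rewritten. If both are intentional, a top-of-file comment in each explaining the split is needed.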
@@ -1,17 +1,5 @@ name: Vulnerability scans -permissions: read-all - -# description: | -# A fast vulnerability scan on the repo that effectively supplements ossf scorecard and codesql -# and may run every day. -# -# * trivy reports are often more easily actionable than codeql reports. -# * govumnscan supplements this analysis with a more go-specific approach -# -# NOTE: at this moment, we don't want to adopt snyk, which requires a token, provides an extra dashboard etc. -# Most likely, snyk would be redundant with trivy. - on: branch_protection_rule: push: 
@@ -19,51 +7,13 @@ on: schedule: - cron: '18 4 * * 3' -jobs: - analysis: - name: Vulnerability scan - runs-on: ubuntu-latest - permissions: - contents: read - security-events: write - steps: - - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - with: - persist-credentials: false - - - name: Vulnerability scan by trivy - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1 - with: - scan-type: repo - format: sarif - hide-progress: false - output: trivy-code-report.sarif - scanners: vuln,secret - exit-code: 0 - - - name: Upload trivy findings to code scanning dashboard - uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 - with: - category: trivy - sarif_file: trivy-code-report.sarif +permissions: + contents: read - govulnscan: - name: go vulnerability scan - runs-on: ubuntu-latest +jobs: + scanners: permissions: contents: read security-events: write - steps: - - - id: govulncheck - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4 - with: - output-format: sarif - output-file: govulnscan-report.sarif - - - name: Upload govulnscan findings to code scanning dashboard - uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6 - with: - category: govulnscan - sarif_file: govulnscan-report.sarif + uses: go-openapi/ci-workflows/.github/workflows/scanner.yml@d0b50195d14745b9a9a8a41cf3bb7ecd874af37a # V0.1.1 + secrets: inherit diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml new file mode 100644 index 0000000..537bd42 --- /dev/null +++ b/.github/workflows/tag-release.yml 
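Review bot: The pin comment on the new `uses:` line reads `# V0.1.1` while every other caller in this diff writes `# v0.1.1`; tools such as Dependabot read that trailing version comment to keep the SHA pin updated, so keep it lowercase (`# v0.1.1`) and consistent with the rest. The move from top-level `permissions: read-all` to `contents: read` is the right direction; the job-level `security-events: write` remains the only write grant handed to the callee, which is what the SARIF uploads need.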
@@ -0,0 +1,19 @@ +name: Release on tag + +permissions: + contents: read + +on: + push: + tags: + - v[0-9]+* + +jobs: + gh-release: + name: Create release + permissions: + contents: write + uses: go-openapi/ci-workflows/.github/workflows/release.yml@d0b50195d14745b9a9a8a41cf3bb7ecd874af37a # v0.1.1 + with: + tag: ${{ github.ref_name }} + secrets: inherit diff --git a/README.md b/README.md index 1f98ab0..b61b63f 100644 --- a/README.md +++ b/README.md @@ -8,8 +8,7 @@ [![Release][release-badge]][release-url] [![Go Report Card][gocard-badge]][gocard-url] [![CodeFactor Grade][codefactor-badge]][codefactor-url] [![License][license-badge]][license-url] - -[![GoDoc][godoc-badge]][godoc-url] [![go version][goversion-badge]][goversion-url] ![Top language][top-badge] ![Commits since latest release][commits-badge] +[![GoDoc][godoc-badge]][godoc-url] [![Slack Channel][slack-logo]![slack-badge]][slack-url] [![go version][goversion-badge]][goversion-url] ![Top language][top-badge] ![Commits since latest release][commits-badge] --- @@ -104,6 +103,15 @@ using the special trailing character "-" is not implemented. * [Maintainers documentation](docs/MAINTAINERS.md) * [Code style](docs/STYLE.md) +## Cutting a new release + +Maintainers can cut a new release by either: + +* running [this workflow](https://github.com/go-openapi/jsonpointer/actions/workflows/bump-release.yml) +* or pushing a semver tag + * signed tags are preferred + * The tag message is prepended to release notes + [test-badge]: https://github.com/go-openapi/jsonpointer/actions/workflows/go-test.yml/badge.svg [test-url]: https://github.com/go-openapi/jsonpointer/actions/workflows/go-test.yml 
@@ -128,8 +136,9 @@ using the special trailing character "-" is not implemented. [doc-url]: https://goswagger.io/go-openapi [godoc-badge]: https://pkg.go.dev/badge/github.com/go-openapi/jsonpointer [godoc-url]: http://pkg.go.dev/github.com/go-openapi/jsonpointer -[slack-badge]: https://slackin.goswagger.io/badge.svg -[slack-url]: https://slackin.goswagger.io +[slack-logo]: https://a.slack-edge.com/e6a93c1/img/icons/favicon-32.png +[slack-badge]: https://img.shields.io/badge/slack-blue?link=https%3A%2F%2Fgoswagger.slack.com%2Farchives%2FC04R30YM +[slack-url]: https://goswagger.slack.com/archives/C04R30YMU [license-badge]: http://img.shields.io/badge/license-Apache%20v2-orange.svg [license-url]: https://github.com/go-openapi/jsonpointer/?tab=Apache-2.0-1-ov-file#readme