🍲 cooking...

zcubbs · Sep 17, 2023 · 835e20e · 835e20e
1 parent 865cd50
commit 835e20e
Show file tree

Hide file tree

Showing 9 changed files with 306 additions and 3 deletions.
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -0,0 +1,45 @@
+name: Lint
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: [ main ]
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - 'README.md'
+      - 'docs/**'
+      - '.github/**'
+      - 'LICENSE'
+      - 'Taskfile.yaml'
+      - '.gitignore'
+      - '.gosec.config.json'
+      - '.editorconfig'
+      - '.goreleaser.yaml'
+      - 'examples/**'
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/[email protected]
+
+      - name: Set up Go
+        uses: actions/[email protected]
+        with:
+          go-version: '1.20'
+
+      - name: Install Task
+        uses: arduino/[email protected]
+        with:
+          version: 3.x
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Linter
+        run: task tools:install:golangci-lint
+
+      - name: Lint
+        run: task lint
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,63 @@
+name: Release
+
+# This ensures that the release is only created after the Docker Build Pipeline
+# has successfully completed.
+on:
+  workflow_dispatch:
+    inputs:
+      semver:
+        type: string
+        description: 'Semver (eg: v1.2.3)'
+        required: true
+
+permissions:
+  contents: write
+
+jobs:
+
+  release:
+    runs-on: ubuntu-latest
+
+    if : github.event.inputs.semver != '' && startsWith(github.event.inputs.semver, 'v') && github.triggering_actor == 'zcubbs'
+
+    steps:
+      - name: Checkout Code
+        uses: actions/[email protected]
+
+      - name: Set up Go
+        uses: actions/[email protected]
+        with:
+          go-version: '1.21'
+
+      - name: List files
+        run: tree -Cfi
+      - name: Write new go.mod into logs
+        run: cat go.mod
+      - name: Write new go.sum into logs
+        run: cat go.sum
+
+      - name: Create tag
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git config --global user.name '${{ github.triggering_actor }}'
+          git config --global user.email "${{ github.triggering_actor}}@users.noreply.github.com"
+
+          git add .
+          git commit --allow-empty -m 'bump ${{ inputs.semver }}'
+          git tag ${{ inputs.semver }}
+          git push origin ${{ inputs.semver }}
+
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        with:
+          name: ${{ inputs.semver }}
+          tag_name: ${{ inputs.semver }}
+
+      - uses: goreleaser/goreleaser-action@v4
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release -f .goreleaser.yaml --clean --verbose
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
@@ -0,0 +1,45 @@
+name: Scan
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: [ main ]
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - 'README.md'
+      - 'docs/**'
+      - '.github/**'
+      - 'LICENSE'
+      - 'Taskfile.yaml'
+      - '.gitignore'
+      - '.gosec.config.json'
+      - '.editorconfig'
+      - '.goreleaser.yaml'
+      - 'examples/**'
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/[email protected]
+
+      - name: Set up Go
+        uses: actions/[email protected]
+        with:
+          go-version: '1.20'
+
+      - name: Install Task
+        uses: arduino/[email protected]
+        with:
+          version: 3.x
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Security Scanner
+        run: task tools:install:gosec
+
+      - name: Run Go Security Scanner
+        run: task scan
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -0,0 +1,48 @@
+name: Test
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: [ main ]
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - 'README.md'
+      - 'docs/**'
+      - '.github/**'
+      - 'LICENSE'
+      - 'Taskfile.yaml'
+      - '.gitignore'
+      - '.gosec.config.json'
+      - '.editorconfig'
+      - '.goreleaser.yaml'
+      - 'examples/**'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    services:
+      mailhog:
+        image: mailhog/mailhog
+        ports:
+          - 1025:1025
+          - 8025:8025
+
+    steps:
+      - name: Checkout Code
+        uses: actions/[email protected]
+
+      - name: Set up Go
+        uses: actions/[email protected]
+        with:
+          go-version: '1.20'
+
+      - name: Install Task
+        uses: arduino/[email protected]
+        with:
+          version: 3.x
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Test
+        run: task test
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -0,0 +1,71 @@
+---
+
+project_name: Hotpot
+before:
+  hooks:
+    - go mod tidy
+builds:
+  - env: [CGO_ENABLED=0]
+    binary: hotpot
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    id: "cli"
+    dir: .
+    main: ./cmd/cli/main.go
+    ldflags:
+      - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.Date={{.Date}}
+
+archives:
+  - id: cli-archive
+    format: tar.gz
+    files:
+      - none*
+    builds:
+      - cli
+    format_overrides:
+      - goos: windows
+        format: zip
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
+      - '^conf:'
+snapshot:
+  name_template: SNAPSHOT-{{ .Commit }}
+checksum:
+  name_template: '{{ .ProjectName }}_{{ .Version }}_checksums.txt'
+signs:
+  - cmd: gpg
+    args:
+      - --output
+      - $signature
+      - --detach-sig
+      - $artifact
+    signature: ${artifact}.sig
+    artifacts: none
+release:
+  github:
+    owner: zcubbs
+    name: hotpot
+  draft: true
+  prerelease: auto
+  discussion_category_name: General
+  header: |
+    ## ({{ .Date }})
+
+    Welcome to this new release!
+  footer: |
+    ## Thanks!
+    Those were the changes on {{ .Tag }}!
+  name_template: "{{.Tag}}"
diff --git a/.gosec.config.json b/.gosec.config.json
@@ -0,0 +1,5 @@
+{
+  "global": {
+    "exclude": "G304"
+  }
+}
diff --git a/Taskfile.yaml b/Taskfile.yaml
@@ -0,0 +1,23 @@
+version: '3'
+
+vars:
+  GOOS: "{{OS}}"
+
+tasks:
+
+  test:
+    cmds:
+      - go test ./...
+
+  build:linux:
+    cmds:
+      - go env -w GOOS=linux GOARCH=amd64
+      - go build -o bin/zrun main.go
+
+  lint:
+    cmds:
+      - golangci-lint run ./... -v --timeout 5m
+
+  scan:
+    cmds:
+      - gosec -conf .gosec.config.json "./..."
diff --git a/pkg/traefik/dns_challenge.go b/pkg/traefik/dns_challenge.go
@@ -11,6 +11,7 @@ import (
 
 type DnsProvider string
 
+/* #nosec */
 const traefikProviderCredentialsSecretName = "traefik-dns-provider-credentials"
 
 const (
@@ -20,12 +21,14 @@ const (
 )
 
 const (
-	ovhEndpointEnvKey    = "OVH_ENDPOINT"
-	ovhAppKeyEnvKey      = "OVH_APPLICATION_KEY"
+	ovhEndpointEnvKey = "OVH_ENDPOINT"
+	ovhAppKeyEnvKey   = "OVH_APPLICATION_KEY"
+	/* #nosec */
 	ovhAppSecretEnvKey   = "OVH_APPLICATION_SECRET"
 	ovhConsumerKeyEnvKey = "OVH_CONSUMER_KEY"
 
 	//azureClientIDEnvKey     = "AZURE_CLIENT_ID"
+	///* #nosec */
 	//azureClientSecretEnvKey = "AZURE_CLIENT_SECRET"
 )
 

diff --git a/pkg/traefik/traefik.go b/pkg/traefik/traefik.go
@@ -45,7 +45,7 @@ func Install(values Values, kubeconfig string, debug bool) error {
 	}
 
 	// write tmp manifest
-	err = os.WriteFile(valuesPath, configFileContent, 0644)
+	err = os.WriteFile(valuesPath, configFileContent, 0600)
 	if err != nil {
 		return fmt.Errorf("failed to write traefik values.yaml \n %w", err)
 	}