diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml new file mode 100644 index 0000000..42ffc6c --- /dev/null +++ b/.github/workflows/lint.yaml @@ -0,0 +1,45 @@ +name: Lint + +on: + workflow_dispatch: + pull_request: + branches: [ main ] + push: + branches: + - main + paths-ignore: + - 'README.md' + - 'docs/**' + - '.github/**' + - 'LICENSE' + - 'Taskfile.yaml' + - '.gitignore' + - '.gosec.config.json' + - '.editorconfig' + - '.goreleaser.yaml' + - 'examples/**' + +jobs: + lint: + runs-on: ubuntu-latest + + steps: + - name: Checkout Code + uses: actions/checkout@v3.5.3 + + - name: Set up Go + uses: actions/setup-go@v4.1.0 + with: + go-version: '1.20' + + - name: Install Task + uses: arduino/setup-task@v1.0.3 + with: + version: 3.x + repo-token: ${{ secrets.GITHUB_TOKEN }} + + - name: Install Linter + run: task tools:install:golangci-lint + + - name: Lint + run: task lint diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..1da7e5c --- /dev/null +++ b/.github/workflows/release.yaml 
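Review bot: The workflow has no top-level `permissions:` block, so the lint job's `GITHUB_TOKEN` — which is also handed to the third-party `arduino/setup-task` step through `repo-token` — carries whatever the repository default is, possibly `contents: write`, for a job that only reads code; add `permissions: { contents: read }` above `jobs:`. The "Install Linter" step runs `task tools:install:golangci-lint`, but the `Taskfile.yaml` introduced by this same commit defines only `test`, `build:linux`, `lint` and `scan`, so the step will fail with "task does not exist" unless that task lives in a file not shown here. The actions are pinned to mutable tags (`actions/checkout@v3.5.3`, `actions/setup-go@v4.1.0`, `arduino/setup-task@v1.0.3`); pin each to a full commit SHA with the version in a trailing comment so a moved tag cannot change what runs on `main`.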
@@ -0,0 +1,63 @@ +name: Release + +# This ensures that the release is only created after the Docker Build Pipeline +# has successfully completed. +on: + workflow_dispatch: + inputs: + semver: + type: string + description: 'Semver (eg: v1.2.3)' + required: true + +permissions: + contents: write + +jobs: + + release: + runs-on: ubuntu-latest + + if : github.event.inputs.semver != '' && startsWith(github.event.inputs.semver, 'v') && github.triggering_actor == 'zcubbs' + + steps: + - name: Checkout Code + uses: actions/checkout@v3.5.3 + + - name: Set up Go + uses: actions/setup-go@v4.1.0 + with: + go-version: '1.21' + + - name: List files + run: tree -Cfi + - name: Write new go.mod into logs + run: cat go.mod + - name: Write new go.sum into logs + run: cat go.sum + + - name: Create tag + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + git config --global user.name '${{ github.triggering_actor }}' + git config --global user.email "${{ github.triggering_actor}}@users.noreply.github.com" + + git add . + git commit --allow-empty -m 'bump ${{ inputs.semver }}' + git tag ${{ inputs.semver }} + git push origin ${{ inputs.semver }} + + - name: Release + uses: softprops/action-gh-release@v1 + with: + name: ${{ inputs.semver }} + tag_name: ${{ inputs.semver }} + + - uses: goreleaser/goreleaser-action@v4 + with: + distribution: goreleaser + version: latest + args: release -f .goreleaser.yaml --clean --verbose + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml new file mode 100644 index 0000000..992331b --- /dev/null +++ b/.github/workflows/scan.yaml 
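Review bot: `inputs.semver` and `github.triggering_actor` are expanded directly into the shell of the "Create tag" step (`git tag ${{ inputs.semver }}`, `git config --global user.name '${{ github.triggering_actor }}'`), and the job-level `if` only checks that the input starts with `v`, so a value such as `v1.2.3; <command>` passes the guard and executes in a job that holds a `contents: write` token. Pass both values through `env:` and quote them, and validate the tag against a strict semver pattern in the script before any git command runs, as below. Separately, the step runs `git add .` and commits, but pushes only the tag, so the release appears to point at a commit that no branch contains; if an empty tag commit is the intent, `git add .` can be dropped, and the "Write new go.mod/go.sum into logs" steps print files that nothing in this workflow modifies. The `goreleaser/goreleaser-action` step uses `version: latest`, which should be pinned like the other tools.
```yaml
      - name: Create tag
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SEMVER: ${{ inputs.semver }}
          ACTOR: ${{ github.triggering_actor }}
        run: |
          # Validate in the shell, not only in the job-level `if`: the input is
          # untrusted text and must never be spliced into a command line.
          if ! printf '%s\n' "$SEMVER" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'; then
            echo "refusing to tag: '$SEMVER' is not a vMAJOR.MINOR.PATCH version" >&2
            exit 1
          fi
          git config --global user.name "$ACTOR"
          git config --global user.email "${ACTOR}@users.noreply.github.com"
          # … unchanged: git add / git commit …
          git tag "$SEMVER"
          git push origin "$SEMVER"
```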
@@ -0,0 +1,45 @@ +name: Scan + +on: + workflow_dispatch: + pull_request: + branches: [ main ] + push: + branches: + - main + paths-ignore: + - 'README.md' + - 'docs/**' + - '.github/**' + - 'LICENSE' + - 'Taskfile.yaml' + - '.gitignore' + - '.gosec.config.json' + - '.editorconfig' + - '.goreleaser.yaml' + - 'examples/**' + +jobs: + scan: + runs-on: ubuntu-latest + + steps: + - name: Checkout Code + uses: actions/checkout@v3.5.3 + + - name: Set up Go + uses: actions/setup-go@v4.1.0 + with: + go-version: '1.20' + + - name: Install Task + uses: arduino/setup-task@v1.0.3 + with: + version: 3.x + repo-token: ${{ secrets.GITHUB_TOKEN }} + + - name: Install Security Scanner + run: task tools:install:gosec + + - name: Run Go Security Scanner + run: task scan diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml new file mode 100644 index 0000000..09372dd --- /dev/null +++ b/.github/workflows/test.yaml @@ -0,0 +1,48 @@ +name: Test + +on: + workflow_dispatch: + pull_request: + branches: [ main ] + push: + branches: + - main + paths-ignore: + - 'README.md' + - 'docs/**' + - '.github/**' + - 'LICENSE' + - 'Taskfile.yaml' + - '.gitignore' + - '.gosec.config.json' + - '.editorconfig' + - '.goreleaser.yaml' + - 'examples/**' + +jobs: + test: + runs-on: ubuntu-latest + services: + mailhog: + image: mailhog/mailhog + ports: + - 1025:1025 + - 8025:8025 + + steps: + - name: Checkout Code + uses: actions/checkout@v3.5.3 + + - name: Set up Go + uses: actions/setup-go@v4.1.0 + with: + go-version: '1.20' + + - name: Install Task + uses: arduino/setup-task@v1.0.3 + with: + version: 3.x + repo-token: ${{ secrets.GITHUB_TOKEN }} + + - name: Test + run: task test diff --git a/.goreleaser.yaml b/.goreleaser.yaml new file mode 100644 index 0000000..5e99f52 --- /dev/null +++ b/.goreleaser.yaml 
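Review bot: The `push` trigger's `paths-ignore` list excludes `.gosec.config.json` and `.github/**`, so a direct push to `main` that only widens the gosec exclusion list or edits this workflow never re-runs the scanner; for the security workflow those two entries should be removed (pull requests still scan, but direct pushes to `main` would skip it). As with the other workflows there is no `permissions:` block; add `permissions: { contents: read }` since the job only reads the repository. The "Install Security Scanner" step calls `task tools:install:gosec`, which is not defined in the `Taskfile.yaml` added in this commit, so the job will fail at that step unless the task is defined elsewhere.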
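Review bot: The `mailhog` service is declared as `image: mailhog/mailhog` with no tag or digest, so every CI run pulls whatever that repository's `latest` currently resolves to; pin it as `mailhog/mailhog:<tag>@sha256:<digest>` so the test environment is reproducible and a replaced image cannot silently change what the tests talk to. The workflow also lacks a `permissions:` block; `permissions: { contents: read }` is enough for checkout and test. The `test` task this step runs is `go test ./...` without `-race`, which is worth adding in the Taskfile since the CI runner is where it is cheapest to catch data races.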
@@ -0,0 +1,71 @@ +--- + +project_name: Hotpot +before: + hooks: + - go mod tidy +builds: + - env: [CGO_ENABLED=0] + binary: hotpot + goos: + - linux + goarch: + - amd64 + - arm64 + id: "cli" + dir: . + main: ./cmd/cli/main.go + ldflags: + - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.Date={{.Date}} + +archives: + - id: cli-archive + format: tar.gz + files: + - none* + builds: + - cli + format_overrides: + - goos: windows + format: zip + name_template: >- + {{ .ProjectName }}_ + {{- title .Os }}_ + {{- if eq .Arch "amd64" }}x86_64 + {{- else if eq .Arch "386" }}i386 + {{- else }}{{ .Arch }}{{ end }} +changelog: + sort: asc + filters: + exclude: + - '^docs:' + - '^test:' + - '^conf:' +snapshot: + name_template: SNAPSHOT-{{ .Commit }} +checksum: + name_template: '{{ .ProjectName }}_{{ .Version }}_checksums.txt' +signs: + - cmd: gpg + args: + - --output + - $signature + - --detach-sig + - $artifact + signature: ${artifact}.sig + artifacts: none +release: + github: + owner: zcubbs + name: hotpot + draft: true + prerelease: auto + discussion_category_name: General + header: | + ## ({{ .Date }}) + + Welcome to this new release! + footer: | + ## Thanks! + Those were the changes on {{ .Tag }}! + name_template: "{{.Tag}}" diff --git a/.gosec.config.json b/.gosec.config.json new file mode 100644 index 0000000..bc5265e --- /dev/null +++ b/.gosec.config.json @@ -0,0 +1,5 @@ +{ + "global": { + "exclude": "G304" + } +} diff --git a/Taskfile.yaml b/Taskfile.yaml new file mode 100644 index 0000000..67ab44e --- /dev/null +++ b/Taskfile.yaml @@ -0,0 +1,23 @@ +version: '3' + +vars: + GOOS: "{{OS}}" + +tasks: + + test: + cmds: + - go test ./... + + build:linux: + cmds: + - go env -w GOOS=linux GOARCH=amd64 + - go build -o bin/zrun main.go + + lint: + cmds: + - golangci-lint run ./... -v --timeout 5m + + scan: + cmds: + - gosec -conf .gosec.config.json "./..." diff --git a/pkg/traefik/dns_challenge.go b/pkg/traefik/dns_challenge.go index 9979ad4..371dc53 100644 
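Review bot: The `signs:` block sets `artifacts: none`, which disables signing entirely, so the `{{ .ProjectName }}_{{ .Version }}_checksums.txt` file is published unsigned and downstream users cannot verify the release; either set `artifacts: checksum` (the release workflow would then also need a `gpg --import` of a signing key, which it does not do today) or drop the block so the config does not suggest signed releases. `before.hooks: - go mod tidy` can rewrite `go.mod`/`go.sum` at release time, so the binaries may be built from a module graph that differs from the committed one; prefer `go mod verify` here and fail the release if tidy would change anything. With `goos: [linux]` the `format_overrides` entry for `windows` and the `files: - none*` line are dead configuration. `release.draft: true` also appears to overlap with the `softprops/action-gh-release` step in `release.yaml`, which already creates a release for the same tag — confirm which one is meant to own the release.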
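Review bot: Excluding `G304` globally silences every "file inclusion via variable" finding in the repository, including any future call site that opens a path derived from user input, which is the path-traversal class that matters for code writing manifests to computed paths such as `pkg/traefik/traefik.go`. Prefer an empty `exclude` here and a per-site `// #nosec G304 -- <reason>` at each reviewed call, which keeps the justification next to the code; JSON cannot carry a comment, so if the global exclusion stays, record the reason in the Taskfile `scan` target or the README.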
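Review bot: The `lint.yaml` and `scan.yaml` workflows in this commit call `task tools:install:golangci-lint` and `task tools:install:gosec`, but neither task is defined here, so both jobs will fail at their install step; add the two tasks and install pinned versions (`go install github.com/golangci/golangci-lint/cmd/golangci-lint@<version>`, `go install github.com/securego/gosec/v2/cmd/gosec@<version>`) rather than `@latest`, so the scanner that gates `main` cannot change underneath the team. `build:linux` runs `go env -w GOOS=linux GOARCH=amd64`, which writes those values into the developer's Go environment file and changes every later `go build` on that machine; use per-command variables instead: `GOOS=linux GOARCH=amd64 go build -o bin/zrun main.go`. The `vars: GOOS` entry is unused, and `test` could run `go test -race ./...`. The task builds `bin/zrun` from `main.go` while `.goreleaser.yaml` builds `hotpot` from `./cmd/cli/main.go`, which looks inconsistent — confirm which entrypoint is current.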
--- a/pkg/traefik/dns_challenge.go +++ b/pkg/traefik/dns_challenge.go @@ -11,6 +11,7 @@ import ( type DnsProvider string +/* #nosec */ const traefikProviderCredentialsSecretName = "traefik-dns-provider-credentials" const ( @@ -20,12 +21,14 @@ const ( ) const ( - ovhEndpointEnvKey = "OVH_ENDPOINT" - ovhAppKeyEnvKey = "OVH_APPLICATION_KEY" + ovhEndpointEnvKey = "OVH_ENDPOINT" + ovhAppKeyEnvKey = "OVH_APPLICATION_KEY" + /* #nosec */ ovhAppSecretEnvKey = "OVH_APPLICATION_SECRET" ovhConsumerKeyEnvKey = "OVH_CONSUMER_KEY" //azureClientIDEnvKey = "AZURE_CLIENT_ID" + ///* #nosec */ //azureClientSecretEnvKey = "AZURE_CLIENT_SECRET" ) diff --git a/pkg/traefik/traefik.go b/pkg/traefik/traefik.go index 3248c4f..6491e9f 100644 --- a/pkg/traefik/traefik.go +++ b/pkg/traefik/traefik.go @@ -45,7 +45,7 @@ func Install(values Values, kubeconfig string, debug bool) error { } // write tmp manifest - err = os.WriteFile(valuesPath, configFileContent, 0644) + err = os.WriteFile(valuesPath, configFileContent, 0600) if err != nil { return fmt.Errorf("failed to write traefik values.yaml \n %w", err) }
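Review bot: The added `/* #nosec */` carries no rule id, so it suppresses every gosec rule on the `traefikProviderCredentialsSecretName` line, not just the G101 hardcoded-credentials check it is presumably silencing for a Kubernetes Secret name. Scope it and record the reason: `// #nosec G101 -- name of the Secret object, not a credential` (recent gosec releases accept the `-- reason` suffix; older ones ignore it harmlessly). The `const (` block that follows continues outside the hunk.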
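Review bot: The `/* #nosec */` placed before `ovhAppSecretEnvKey` is likewise unscoped and should be `// #nosec G101 -- environment variable name, not a secret value`, so that any other rule later added to gosec still fires on this line. The commented-out `azureClientIDEnvKey`/`azureClientSecretEnvKey` lines, together with the new commented-out `///* #nosec */`, are dead code that will be re-enabled with a blanket suppression already attached; drop them (git history keeps them) or track the Azure provider in an issue instead.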
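Review bot: The new `0600` mode only takes effect when `os.WriteFile` creates the file; if `valuesPath` already exists, `WriteFile` truncates it and keeps its existing mode (possibly the old 0644), and it follows a symlink planted at that path. `valuesPath` is computed outside the hunk, so whether it is a fresh `os.CreateTemp` name or a fixed location is not visible here; if it is fixed, open it with `O_CREATE|O_EXCL` so a pre-existing file is an error rather than silently reused, and remove it once it has been consumed. `Install` starts and ends outside the hunk.
```go
	// write tmp manifest; O_EXCL refuses a pre-existing file (or symlink) at
	// valuesPath instead of truncating it and inheriting its old mode.
	f, err := os.OpenFile(valuesPath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
	if err != nil {
		return fmt.Errorf("failed to create traefik values.yaml \n %w", err)
	}
	if _, err = f.Write(configFileContent); err != nil {
		_ = f.Close()
		return fmt.Errorf("failed to write traefik values.yaml \n %w", err)
	}
	if err = f.Close(); err != nil {
		return fmt.Errorf("failed to write traefik values.yaml \n %w", err)
	}
	// … unchanged: rest of Install …
```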