Merge branch 'main' into update-feature-gate-logging

Author: benjaminjb

.github/actions/trivy/action.yaml

@@ -0,0 +1,107 @@
+name: Trivy
+description: Scan this project using Trivy
+
+# The Trivy team maintains an action, but it has trouble caching its vulnerability data:
+# https://github.com/aquasecurity/trivy-action/issues/389
+#
+# The action below uses any recent cache matching `cache-prefix` and calculates a cache key
+# derived from the data Trivy downloads.
+
+inputs:
+  cache:
+    default: restore,success,use
+    description: >-
+      What Trivy data to cache; one or more of restore, save, success, or use.
+
+  database:
+    default: update
+    description: >-
+      How Trivy should handle its data; one of update or skip.
+
+  setup:
+    default: v0.57.1,cache
+    description: >-
+      How to install Trivy; one or more of version, none, or cache.
+
+  cache-directory:
+    default: ${{ github.workspace }}/.cache/trivy
+
+  cache-prefix:
+    default: cache-trivy
+
+  scan-target:
+    default: .
+
+  scan-type:
+    default: filesystem
+
+runs:
+  using: composite
+  steps:
+    # Parse list inputs as separated by commas and spaces.
+    # Select the maximum version-looking string from `inputs.setup`.
+    - id: parsed
+      shell: bash
+      run: |
+        # Validate inputs
+        (
+          <<< '${{ inputs.cache }}' jq -rRsS '"cache=\(split("[,\\s]+"; "") - [""])"'
+          <<< '${{ inputs.setup }}' jq -rRsS '
+            "setup=\(split("[,\\s]+"; "") - [""])",
+            "version=\(split("[,\\s]+"; "") | max_by(split("[v.]"; "") | map(tonumber?)))"
+          '
+        ) | tee --append $GITHUB_OUTPUT
+
+    # Install Trivy as requested.
+    - if: ${{ ! contains(fromJSON(steps.parsed.outputs.setup), 'none') }}
+      uses: aquasecurity/[email protected]
+      with:
+        cache: ${{ contains(fromJSON(steps.parsed.outputs.setup), 'cache') }}
+        version: ${{ steps.parsed.outputs.version }}
+
+    # Restore a recent cache beginning with the prefix.
+    - id: restore
+      if: ${{ contains(fromJSON(steps.parsed.outputs.cache), 'restore') }}
+      uses: actions/cache/restore@v4
+      with:
+        path: ${{ inputs.cache-directory }}
+        key: ${{ inputs.cache-prefix }}-
+
+    - id: trivy
+      shell: bash
+      env:
+        TRIVY_CACHE_DIR: >-
+          ${{ contains(fromJSON(steps.parsed.outputs.cache), 'use') && inputs.cache-directory || '' }}
+        TRIVY_SKIP_CHECK_UPDATE: ${{ inputs.database == 'skip' }}
+        TRIVY_SKIP_DB_UPDATE: ${{ inputs.database == 'skip' }}
+        TRIVY_SKIP_JAVA_DB_UPDATE: ${{ inputs.database == 'skip' }}
+      run: |
+        # Run Trivy
+        trivy '${{ inputs.scan-type }}' '${{ inputs.scan-target }}' || result=$?
+
+        checksum=$([[ -z "${TRIVY_CACHE_DIR}" ]] || cat "${TRIVY_CACHE_DIR}/"*/metadata.json | sha256sum)
+        echo 'cache-key=${{ inputs.cache-prefix }}-'"${checksum%% *}" >> $GITHUB_OUTPUT
+
+        exit "${result-0}"
+
+    # Save updated data to the cache when requested.
+    - if: >-
+        ${{
+          steps.restore.outcome == 'success' &&
+          steps.restore.outputs.cache-matched-key == steps.trivy.outputs.cache-key
+        }}
+      shell: bash
+      run: |
+        # Cache hit on ${{ steps.restore.outputs.cache-matched-key }}
+    - if: >-
+        ${{
+          steps.restore.outputs.cache-matched-key != steps.trivy.outputs.cache-key &&
+          (
+            (contains(fromJSON(steps.parsed.outputs.cache), 'save') && !cancelled()) ||
+            (contains(fromJSON(steps.parsed.outputs.cache), 'success') && success())
+          )
+        }}
+      uses: actions/cache/save@v4
+      with:
+        key: ${{ steps.trivy.outputs.cache-key }}
+        path: ${{ inputs.cache-directory }}

.github/workflows/codeql-analysis.yaml

@@ -1,24 +1,28 @@
+# https://codeql.github.com
 name: CodeQL
 
 on:
   pull_request:
   push:
     branches:
       - main
-      - master
   schedule:
     - cron: '10 18 * * 2'
 
+env:
+  # Use the Go toolchain installed by setup-go
+  # https://github.com/actions/setup-go/issues/457
+  GOTOOLCHAIN: local
+
 jobs:
   analyze:
-    runs-on: ubuntu-latest
+    if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
     permissions:
       actions: read
       contents: read
       security-events: write
 
-    if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
-
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5

.github/workflows/govulncheck.yaml

@@ -0,0 +1,48 @@
+# https://go.dev/security/vuln
+name: govulncheck
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+env:
+  # Use the Go toolchain installed by setup-go
+  # https://github.com/actions/setup-go/issues/457
+  GOTOOLCHAIN: local
+
+jobs:
+  vulnerabilities:
+    if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
+    permissions:
+      security-events: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      # Install Go and produce a SARIF report. This fails only when the tool is
+      # unable to scan.
+      - name: Prepare report
+        uses: golang/govulncheck-action@v1
+        with:
+          output-file: 'govulncheck-results.sarif'
+          output-format: 'sarif'
+          repo-checkout: false
+
+      # Submit the SARIF report to GitHub code scanning. Pull request checks
+      # succeed or fail according to branch protection rules.
+      # - https://docs.github.com/en/code-security/code-scanning
+      - name: Upload results to GitHub
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'govulncheck-results.sarif'
+        # TODO: https://go.dev/issue/70157
+        if: ${{ false }}
+
+      # Print any detected vulnerabilities to the workflow log. This step fails
+      # when the tool detects a vulnerability in code that is called.
+      # - https://go.dev/blog/govulncheck
+      - name: Log results
+        run: govulncheck --format text --show verbose ./...

.github/workflows/lint.yaml

@@ -3,6 +3,11 @@ name: Linters
 on:
   pull_request:
 
+env:
+  # Use the Go toolchain installed by setup-go
+  # https://github.com/actions/setup-go/issues/457
+  GOTOOLCHAIN: local
+
 jobs:
   golangci-lint:
     runs-on: ubuntu-latest

.github/workflows/test.yaml

@@ -5,7 +5,11 @@ on:
   push:
     branches:
       - main
-      - master
+
+env:
+  # Use the Go toolchain installed by setup-go
+  # https://github.com/actions/setup-go/issues/457
+  GOTOOLCHAIN: local
 
 jobs:
   go-test:
@@ -35,7 +39,6 @@ jobs:
       - run: ENVTEST_K8S_VERSION="${KUBERNETES#default}" make check-envtest
         env:
           KUBERNETES: "${{ matrix.kubernetes }}"
-          GOEXPERIMENT: nocoverageredesign # https://go.dev/issue/65653
           GO_TEST: go test --coverprofile 'envtest.coverage' --coverpkg ./internal/...
 
       # Upload coverage to GitHub
@@ -71,7 +74,6 @@ jobs:
       - run: make createnamespaces check-envtest-existing
         env:
           PGO_TEST_TIMEOUT_SCALE: 1.2
-          GOEXPERIMENT: nocoverageredesign # https://go.dev/issue/65653
           GO_TEST: go test --coverprofile 'envtest-existing.coverage' --coverpkg ./internal/...
 
       # Upload coverage to GitHub

.github/workflows/trivy.yaml

@@ -1,14 +1,41 @@
+# https://aquasecurity.github.io/trivy
 name: Trivy
 
 on:
   pull_request:
   push:
     branches:
       - main
-      - master
+
+env:
+  # Use the Go toolchain installed by setup-go
+  # https://github.com/actions/setup-go/issues/457
+  GOTOOLCHAIN: local
 
 jobs:
+  cache:
+    # Run only one of these jobs at a time across the entire project.
+    concurrency: { group: trivy-cache }
+    # Do not fail this workflow when this job fails.
+    continue-on-error: true
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download Trivy
+        uses: ./.github/actions/trivy
+        env:
+          TRIVY_DEBUG: true
+          TRIVY_DOWNLOAD_DB_ONLY: true
+          TRIVY_NO_PROGRESS: true
+          TRIVY_SCANNERS: license,secret,vuln
+
   licenses:
+    # Run this job after the cache job regardless of its success or failure.
+    needs: [cache]
+    if: >-
+      ${{ !cancelled() }}
+
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -20,52 +47,56 @@ jobs:
 
       # Report success only when detected licenses are listed in [/trivy.yaml].
       - name: Scan licenses
-        uses: aquasecurity/[email protected]
+        uses: ./.github/actions/trivy
         env:
           TRIVY_DEBUG: true
+          TRIVY_EXIT_CODE: 1
+          TRIVY_SCANNERS: license
         with:
-          scan-type: filesystem
-          scanners: license
-          exit-code: 1
+          cache: restore,use
+          database: skip
 
   vulnerabilities:
-    if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
-
+    # Run this job after the cache job regardless of its success or failure.
+    needs: [cache]
+    if: >-
+      ${{ github.repository == 'CrunchyData/postgres-operator' && !cancelled() }}
     permissions:
-      # for github/codeql-action/upload-sarif to upload SARIF results
-      security-events: write 
+      security-events: write
 
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v4
 
-      # Run trivy and log detected and fixed vulnerabilities
-      # This report should match the uploaded code scan report below
-      # and is a convenience/redundant effort for those who prefer to
-      # read logs and/or if anything goes wrong with the upload.
-      - name: Log all detected vulnerabilities
-        uses: aquasecurity/[email protected]
+      # Print any detected secrets or vulnerabilities to the workflow log for
+      # human consumption. This step fails only when Trivy is unable to scan.
+      # A later step uploads results to GitHub as a pull request check.
+      - name: Log detected vulnerabilities
+        uses: ./.github/actions/trivy
+        env:
+          TRIVY_SCANNERS: secret,vuln
         with:
-          scan-type: filesystem
-          hide-progress: true
-          ignore-unfixed: true
-          scanners: secret,vuln
+          cache: restore,use
+          database: skip
 
-      # Upload actionable results to the GitHub Security tab.
-      # Pull request checks fail according to repository settings.
-      # - https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
-      # - https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning
+      # Produce a SARIF report of actionable results. This step fails only when
+      # Trivy is unable to scan.
       - name: Report actionable vulnerabilities
-        uses: aquasecurity/[email protected]
+        uses: ./.github/actions/trivy
+        env:
+          TRIVY_IGNORE_UNFIXED: true
+          TRIVY_FORMAT: 'sarif'
+          TRIVY_OUTPUT: 'trivy-results.sarif'
+          TRIVY_SCANNERS: secret,vuln
         with:
-          scan-type: filesystem
-          ignore-unfixed: true
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          scanners: secret,vuln
+          cache: use
+          database: skip
+          setup: none
 
-      - name: Upload Trivy scan results to GitHub Security tab
+      # Submit the SARIF report to GitHub code scanning. Pull requests checks
+      # succeed or fail according to branch protection rules.
+      # - https://docs.github.com/en/code-security/code-scanning
+      - name: Upload results to GitHub
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-results.sarif'

.golangci.next.yaml

@@ -10,7 +10,6 @@ linters:
   enable:
     - contextcheck
     - err113
-    - errchkjson
     - gocritic
     - godot
     - godox
@@ -27,13 +26,16 @@ linters:
     - wastedassign
 
 issues:
+  exclude-rules:
+    # We call external linters when they are installed: Flake8, ShellCheck, etc.
+    - linters: [gosec]
+      path: '_test[.]go$'
+      text: 'G204: Subprocess launched with variable'
+
   # https://github.com/golangci/golangci-lint/issues/2239
   exclude-use-default: false
 
 linters-settings:
-  errchkjson:
-    check-error-free-encoding: true
-
   thelper:
     # https://github.com/kulti/thelper/issues/27
     tb:   { begin: true, first: true }