upd buf

.github/workflows/build.yaml

@@ -19,8 +19,7 @@ permissions:
   pull-requests: write
 
 env:
-  VAULT_ADDR: https://vault.eng.aserto.com/
-  BUF_VERSION: "1.52.1"
+  BUF_VERSION: "1.61.0"
 
 jobs:
   build:
@@ -31,24 +30,13 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      -
-        name: Read Configuration
-        uses: hashicorp/vault-action@v3
-        id: vault
-        with:
-          url: ${{ env.VAULT_ADDR }}
-          token: ${{ secrets.VAULT_TOKEN }}
-          secrets: |
-            kv/data/github    "USERNAME"          | GH_USERNAME;
-            kv/data/github    "READ_WRITE_TOKEN"  | GH_TOKEN;
-            kv/data/buf.build "ASERTO_BUF_TOKEN"  | ASERTO_BUF_TOKEN;
       -
         name: Buf Build
         uses: bufbuild/buf-action@v1
         with:
           version:  ${{ env.BUF_VERSION }}
-          token: ${{ steps.vault.outputs.ASERTO_BUF_TOKEN}}
-          github_token: ${{ steps.vault.outputs.GH_TOKEN}}
+          token: ${{ secrets.ASERTO_BUF_TOKEN}}
+          github_token: ${{ secrets.GITHUB_TOKEN}}
           push_disable_create: true
 
   trigger-dispatches:
@@ -68,19 +56,12 @@ jobs:
 
     name: Generate on ${{ matrix.cfg.project }}
     steps:
-      -
-        name: Read Configuration
-        uses: hashicorp/vault-action@v3
-        id: vault
-        with:
-          url: ${{ env.VAULT_ADDR }}
-          token: ${{ secrets.VAULT_TOKEN }}
-          secrets: |
-            kv/data/github    "USERNAME"          | GH_USERNAME;
-            kv/data/github    "READ_WRITE_TOKEN"  | GH_TOKEN;
       -
         name: Trigger dispatch
         run: |
           curl -XPOST -u "${GH_USERNAME}:${GH_TOKEN}" \
           -H "Accept: application/vnd.github.everest-preview+json" -H "Content-Type: application/json" \
           https://api.github.com/repos/aserto-dev/${{ matrix.cfg.project }}/actions/workflows/ci.yaml/dispatches --data '{"ref": "main", "inputs": {"proto_ref": "${{ github.ref }}", "proto_sha": "${{ github.sha }}" }}'
+        env:
+          GH_USERNAME: ${{ secrets.USERNAME }}
+          GH_TOKEN: $${{ secrets.READ_WRITE_TOKEN }}

.github/workflows/gitleaks.yml

@@ -0,0 +1,19 @@
+name: gitleaks
+on:
+  pull_request:
+  push:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 4 * * *" # run once a day at 4 AM
+jobs:
+  scan:
+    name: gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

makefile

@@ -10,46 +10,49 @@ GOOS               := $(shell go env GOOS)
 GOARCH             := $(shell go env GOARCH)
 GOPRIVATE          := "github.com/aserto-dev"
 
-BIN_DIR            := ./bin
+BIN_DIR            := ${PWD}/bin
 EXT_DIR            := ${PWD}/.ext
 EXT_BIN_DIR        := ${EXT_DIR}/bin
 EXT_TMP_DIR        := ${EXT_DIR}/tmp
 
-VAULT_VER	         := 1.8.12
-SVU_VER 	         := 3.2.3
-BUF_VER            := 1.52.1
+SVU_VER            := 3.3.0
+BUF_VER            := 1.61.0
 
 PROJECT            := authorizer
-BUF_TOKEN          := $(shell ${EXT_BIN_DIR}/vault kv get -field ASERTO_BUF_TOKEN kv/buf.build)
 BUF_REPO           := "buf.build/aserto-dev/${PROJECT}"
 BUF_LATEST         := $(shell ${EXT_BIN_DIR}/buf registry module label list ${BUF_REPO} --format json | jq -r '.labels[0].name')
-BUF_DEV_IMAGE      := ${BIN_DIR}/${PROJECT}.bin
-GIT_ORG            := "https://github.com/aserto-dev"
+BUF_DEV_IMAGE      := "${PROJECT}.bin"
 PROTO_REPO         := "pb-${PROJECT}"
+GIT_ORG            := "https://github.com/aserto-dev"
 
 RELEASE_TAG        := $$(${EXT_BIN_DIR}/svu current)
 
 .DEFAULT_GOAL      := buf-build
 
 .PHONY: deps
-deps: info install-vault install-buf install-svu
-	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
-
-.PHONY: vault-login
-vault-login:
+deps: info install-buf install-svu
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
-	@vault login -method=github token=$$(gh auth token)
 
 .PHONY: buf-login
 buf-login:
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
 	@echo ${BUF_TOKEN} | ${EXT_BIN_DIR}/buf registry login --token-stdin
 
+.PHONY: buf-dep-update
+buf-dep-update:
+	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
+	@${EXT_BIN_DIR}/buf dep update
+
 .PHONY: buf-format
 buf-format:
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
 	@${EXT_BIN_DIR}/buf format -w proto
 
+.PHONY: buf-build
+buf-build: ${BIN_DIR}
+	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
+	@${EXT_BIN_DIR}/buf build --output ${BIN_DIR}/${BUF_DEV_IMAGE}
+
 .PHONY: buf-lint
 buf-lint:
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
@@ -60,21 +63,11 @@ buf-breaking:
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
 	@${EXT_BIN_DIR}/buf breaking --against "${GIT_ORG}/${PROTO_REPO}.git#branch=main"
 
-.PHONY: buf-build
-buf-build: ${BIN_DIR}
-	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
-	@${EXT_BIN_DIR}/buf build --output ${BUF_DEV_IMAGE}
-
 .PHONY: buf-push
 buf-push:
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
 	@${EXT_BIN_DIR}/buf push --label ${RELEASE_TAG}
 
-.PHONY: buf-dep-update
-buf-dep-update:
-	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
-	@${EXT_BIN_DIR}/buf dep update
-
 .PHONY: info
 info:
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
@@ -91,23 +84,14 @@ info:
 	@echo "BUF_DEV_IMAGE: ${BUF_DEV_IMAGE}"
 	@echo "PROTO_REPO:    ${PROTO_REPO}"
 
-.PHONY: install-vault
-install-vault: ${EXT_BIN_DIR} ${EXT_TMP_DIR}
-	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
-	@curl -s -o ${EXT_TMP_DIR}/vault.zip https://releases.hashicorp.com/vault/${VAULT_VER}/vault_${VAULT_VER}_${GOOS}_${GOARCH}.zip
-	@unzip -o ${EXT_TMP_DIR}/vault.zip vault -d ${EXT_BIN_DIR}/  &> /dev/null
-	@chmod +x ${EXT_BIN_DIR}/vault
-	@${EXT_BIN_DIR}/vault --version 
-
 .PHONY: install-buf
 install-buf: ${EXT_BIN_DIR}
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
-	@gh release download v${BUF_VER} --repo https://github.com/bufbuild/buf --pattern "buf-$$(uname -s)-$$(uname -m)" --output "${EXT_BIN_DIR}/buf" --clobber
-	@chmod +x ${EXT_BIN_DIR}/buf
+	@GOBIN=${EXT_BIN_DIR} go install github.com/bufbuild/buf/cmd/buf@v${BUF_VER}
 	@${EXT_BIN_DIR}/buf --version
 
 .PHONY: install-svu
-install-svu: ${EXT_BIN_DIR} ${EXT_TMP_DIR}
+install-svu: ${EXT_BIN_DIR}
 	@echo -e "$(ATTN_COLOR)==> $@ $(NO_COLOR)"
 	@GOBIN=${EXT_BIN_DIR} go install github.com/caarlos0/svu/v3@v${SVU_VER}
 	@${EXT_BIN_DIR}/svu --version