Merge pull request #3 from bigcommerce/merge-upstream

Merge upstream commits

Author: alowde

.editorconfig

@@ -0,0 +1,19 @@
+# EditorConfig is awesome: http://EditorConfig.org
+
+root = true
+
+[*]
+indent_style = space
+indent_size = 4
+trim_trailing_whitespace = true
+insert_final_newline = true
+charset = utf-8
+
+[*.{yml, yaml}]
+indent_size = 2
+
+[*.go]
+indent_style = tab
+
+[Makefile]
+indent_style = tab

.github/dependabot.yml

@@ -6,3 +6,8 @@ updates:
       interval: "weekly"
     reviewers:
       - "Shopify/infrasec"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every week
+      interval: "weekly"

.github/pull_request_template.md

@@ -0,0 +1,36 @@
+## Pull Request Template
+
+### Description
+Please provide a brief description of the changes in this PR.
+
+### Type of Change
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] Documentation update
+- [ ] Code refactoring
+- [ ] Other (please describe):
+
+### Testing
+- [ ] I have run `make pr-tests` and all tests pass
+- [ ] I have added tests that prove my fix is effective or that my feature works
+- [ ] New and existing unit tests pass locally with my changes
+
+### Code Quality
+- [ ] My code follows the style guidelines of this project
+- [ ] I have performed a self-review of my own code
+- [ ] I have commented my code, particularly in hard-to-understand areas
+- [ ] I have made corresponding changes to the documentation
+
+### Before Submitting
+Please ensure you have completed the following before submitting your PR:
+
+```bash
+# Run comprehensive tests
+make pr-tests
+```
+
+If the above command fails, please fix the issues before submitting your PR.
+
+### Additional Notes
+Add any other context about the pull request here.

.github/workflows/docker-master.yaml

@@ -6,51 +6,67 @@ on:
 
 jobs:
   build-and-push-docker-image:
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
     name: Build Docker image and push to repositories with tag latest
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v3
-        with:
-          images: |
-            lablabs/cloudflare_exporter
-            ghcr.io/lablabs/cloudflare_exporter
-          # generate Docker tags based on the following events/attributes
-          tags: type=raw,value=latest
-
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+        uses: actions/checkout@v5
 
       - name: Login to Github Packages
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build image and push to Docker Hub and GitHub Container Registry
-        uses: docker/build-push-action@v2
+
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
         with:
-          context: .
-          file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          push: true
-
-      - name: Image digest
-        run: echo ${{ steps.docker_build.outputs.digest }}
+          go-version-file: "go.mod"
+          cache: false
+
+
+      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
+        with:
+          version: v0.18.0
+      - name: Build and push
+        id: publish-image
+        env:
+          KO_DOCKER_REPO: "ghcr.io/${{ github.repository }}"
+        run: |
+          ko build . --sbom=none --bare --platform linux/arm64,linux/amd64 -t latest \
+            --image-label org.opencontainers.image.title=cloudflare-exporter \
+            --image-label org.opencontainers.image.description="Prometheus CloudFlare Exporter" \
+            --image-label org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }} \
+            --image-label org.opencontainers.image.revision=${{ github.sha }} \
+            --image-label org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} \
+            --image-label org.opencontainers.image.licenses=Apache-2.0 \
+            --image-label org.opencontainers.image.version=latest \
+            --image-label org.opencontainers.image.created="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+
+  distribute-to-dockerhub:
+    runs-on: ubuntu-latest
+    needs:
+      - build-and-push-docker-image
+    permissions:
+      packages: read
+    steps:
+      - name: Copy image to dockerhub
+        env:
+          GHCR_REPO: "ghcr.io/${{ github.repository }}"
+          GHCR_USERNAME: ${{ github.actor }}
+          GHCR_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+          DOCKER_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          DOCKER_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+        run: |
+          docker run --rm quay.io/containers/skopeo:v1.18.0 \
+            copy --multi-arch all \
+            --src-creds "$GHCR_USERNAME:$GHCR_PASSWORD" \
+            --dest-creds "$DOCKER_USERNAME:$DOCKER_TOKEN" \
+            docker://${GHCR_REPO}:latest \
+            docker://lablabs/cloudflare_exporter:latest

.github/workflows/docker-release.yaml

@@ -7,52 +7,91 @@ on:
 
 jobs:
   build-and-push-docker-image:
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+
     name: Build Docker image and push to repositories with version tag
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v3
-        with:
-          images: |
-            lablabs/cloudflare_exporter
-            ghcr.io/lablabs/cloudflare_exporter
-          # generate Docker tags based on the following events/attributes
-          tags: type=ref,event=tag
-
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+        uses: actions/checkout@v5
 
       - name: Login to Github Packages
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build image and push to Docker Hub and GitHub Container Registry
-        uses: docker/build-push-action@v2
+
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
+        with:
+          go-version-file: "go.mod"
+          cache: false
+
+
+      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
         with:
-          context: .
-          file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          push: true
-
-      - name: Image digest
-        run: echo ${{ steps.docker_build.outputs.digest }}
-  
+          version: v0.18.0
+      - name: Build and push
+        id: publish-image
+        env:
+          IMAGE_VERSION: ${{ github.ref_name }}
+          KO_DOCKER_REPO: "ghcr.io/${{ github.repository }}"
+        run: |
+          ko build . --sbom=none --image-refs ./image-digest --bare --platform linux/arm64,linux/amd64 -t ${IMAGE_VERSION} \
+            --image-label org.opencontainers.image.title=cloudflare-exporter \
+            --image-label org.opencontainers.image.description="Prometheus CloudFlare Exporter" \
+            --image-label org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }} \
+            --image-label org.opencontainers.image.revision=${{ github.sha }} \
+            --image-label org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} \
+            --image-label org.opencontainers.image.licenses=Apache-2.0 \
+            --image-label org.opencontainers.image.version=${IMAGE_VERSION} \
+            --image-label org.opencontainers.image.created="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+
+          # Extract image digest from ko output
+          # The file contains multiple lines (one per platform + manifest list at the end)
+          # We need only the last line (manifest list) for attestation
+          cat ./image-digest
+          IMAGE_REF=$(head -n 1 ./image-digest)
+          IMAGE_DIGEST=$(echo "$IMAGE_REF" | cut -d'@' -f2)
+
+          echo "Image reference: $IMAGE_REF"
+          echo "Image digest: $IMAGE_DIGEST"
+
+          echo "digest=$IMAGE_DIGEST" >> "$GITHUB_OUTPUT"
+          echo "image-ref=$IMAGE_REF" >> "$GITHUB_OUTPUT"
+
+      - name: Attest
+        uses: actions/attest-build-provenance@v3
+        id: attest
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.publish-image.outputs.digest }}
+          push-to-registry: true
+
+  distribute-to-dockerhub:
+    runs-on: ubuntu-latest
+    needs:
+      - build-and-push-docker-image
+    permissions:
+      packages: read
+    steps:
+      - name: Copy image to dockerhub
+        env:
+          IMAGE_VERSION: ${{ github.ref_name }}
+          GHCR_REPO: "ghcr.io/${{ github.repository }}"
+          GHCR_USERNAME: ${{ github.actor }}
+          GHCR_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+          DOCKER_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          DOCKER_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+        run: |
+          docker run --rm quay.io/containers/skopeo:v1.18.0 \
+            copy --multi-arch all \
+            --src-creds "$GHCR_USERNAME:$GHCR_PASSWORD" \
+            --dest-creds "$DOCKER_USERNAME:$DOCKER_TOKEN" \
+            docker://${GHCR_REPO}:${IMAGE_VERSION} \
+            docker://lablabs/cloudflare_exporter:${IMAGE_VERSION}

.github/workflows/go-build.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v5
       - name: Generate build files
         uses: thatisuday/go-cross-build@v1
         with:
@@ -23,4 +23,4 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          args: "./dist/*"
+          args: "./dist/*"

.github/workflows/golangci-lint.yml

@@ -10,8 +10,11 @@ jobs:
     name: GO lang CI linter
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v6
+        with:
+          go-version: "1.25"
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2 # https://github.com/marketplace/actions/run-golangci-lint
+        uses: golangci/golangci-lint-action@v8 # https://github.com/marketplace/actions/run-golangci-lint
         with:
-          version: v1.43
+          version: latest

.github/workflows/lint-test.yaml

@@ -7,21 +7,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@v4
         with:
           version: v3.4.0
 
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v6
         with:
-          python-version: 3.7
+          python-version: 3.8
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.0.1
+        uses: helm/chart-testing-action@v2.7.0
 
       - name: Run chart-testing (list-changed)
         id: list-changed
@@ -35,7 +35,7 @@ jobs:
         run: ct lint --target-branch master
 
       - name: Create kind cluster
-        uses: helm/kind-action@v1.2.0
+        uses: helm/kind-action@v1.12.0
         if: steps.list-changed.outputs.changed == 'true'
 
       - name: Run chart-testing (install)