Skip to content
Code Style

[StepSecurity] Apply security best practices #1078

Sign in to view logs

[StepSecurity] Apply security best practices

[StepSecurity] Apply security best practices #1078

Workflow file for this run

.github/workflows/style.yaml at c61aced
# Copyright 2022 Chainguard, Inc.
# SPDX-License-Identifier: Apache-2.0
name: Code Style
on:
pull_request:
branches:
- 'main'
push:
branches:
- 'main'
permissions: {}
jobs:
gofmt:
name: check gofmt
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit
- name: Check out code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: './go.mod'
check-latest: true
- uses: chainguard-dev/actions/gofmt@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15
with:
args: -s
goimports:
name: check goimports
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit
- name: Check out code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: './go.mod'
check-latest: true
- uses: chainguard-dev/actions/goimports@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15
golangci-lint:
name: golangci-lint
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: './go.mod'
check-latest: true
cache: true
- name: golangci-lint
uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
with:
# Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
version: v2.1
lint:
name: Lint
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit
- name: Check out code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: './go.mod'
check-latest: true
- uses: chainguard-dev/actions/trailing-space@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15
if: ${{ always() }}
- uses: chainguard-dev/actions/eof-newline@cd899cc96227b82170571cad1c3d6378d8cba678 # v1.4.15
if: ${{ always() }}
- uses: step-security/action-tflint@15c8d1fff9c8c2f40157254897d99ef4bb0c5e5d # v1.24.2
if: ${{ always() }}
with:
github_token: ${{ secrets.github_token }}
fail_level: warning
- uses: step-security/action-misspell@185febccfc9a0598c17a34b579cc7e64a54afc6d # v1.27.1
if: ${{ always() }}
with:
github_token: ${{ secrets.github_token }}
fail_level: warning
locale: "US"
exclude: |
**/go.sum
**/third_party/**
./*.yml
- uses: step-security/woke-action-reviewdog@950b04a91ab83c38de67275fe6190a4eb977f261 # v0.1.1
if: ${{ always() }}
with:
github-token: ${{ secrets.github_token }}
reporter: github-pr-check
level: error
fail-on-error: true