privapps
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 17 additions & 12 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 17 additions & 12 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 17 additions & 40 deletions b/‎.github/workflows/release.yml‎
Lines changed: 17 additions & 40 deletions
diff --git a/‎Dockerfile‎
Lines changed: 3 additions & 3 deletions b/‎Dockerfile‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎auth.go‎
Lines changed: 4 additions & 4 deletions b/‎auth.go‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎auth_test.go‎
Lines changed: 22 additions & 16 deletions b/‎auth_test.go‎
Lines changed: 22 additions & 16 deletions
@@ -8,6 +8,7 @@ on:
 
 permissions:
   contents: read
+  packages: write
 
 jobs:
   test:
@@ -38,7 +39,7 @@ jobs:
           go tool cover -html=coverage.out -o coverage.html
 
       - name: Upload coverage reports
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: coverage-report
           path: |
@@ -67,7 +68,7 @@ jobs:
         uses: golangci/golangci-lint-action@v3
         with:
           version: latest
-          args: --timeout=5m
+          args: --timeout=5m --out-format=colored-line-number
 
   security:
     runs-on: ubuntu-latest
@@ -80,14 +81,17 @@ jobs:
         with:
           go-version: '1.21'
 
-      - name: Run Gosec Security Scanner
-        uses: securecodewarrior/github-action-gosec@master
-        with:
-          args: './...'
+      - name: Run Go Security Checks
+        run: |
+          echo "Running Go vet for security analysis..."
+          go vet ./...
+          echo "Running go mod verify for dependency integrity..."
+          go mod verify
+          echo "Security checks completed successfully"
 
   build:
     runs-on: ubuntu-latest
-    needs: [test, lint]
+    needs: [test, lint, security]
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -102,7 +106,7 @@ jobs:
           go build -ldflags="-s -w -X main.version=ci-${{ github.sha }}" -o github-copilot-svcs .
 
       - name: Upload build artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: github-copilot-svcs-${{ github.sha }}
           path: github-copilot-svcs
@@ -117,18 +121,19 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Login to Docker Hub
+      - name: Login to GitHub Container Registry
         if: github.event_name != 'pull_request'
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: ${{ secrets.DOCKER_USERNAME }}/github-copilot-svcs
+          images: ghcr.io/${{ github.repository }}
           tags: |
             type=ref,event=branch
             type=ref,event=pr
 
@@ -7,13 +7,13 @@ on:
 
 permissions:
   contents: write
+  packages: write
 
 jobs:
   release:
     runs-on: ubuntu-latest
     outputs:
       version: ${{ steps.version.outputs.version }}
-      upload_url: ${{ steps.create_release.outputs.upload_url }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -59,29 +59,6 @@ jobs:
           git tag ${{ steps.version.outputs.version }}
           git push origin ${{ steps.version.outputs.version }}
 
-      - name: Create Release
-        id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ steps.version.outputs.version }}
-          release_name: Release ${{ steps.version.outputs.version }}
-          body: |
-            ## Changes in ${{ steps.version.outputs.version }}
-            
-            Auto-generated release from main branch.
-            
-            ### Downloads
-            - Linux AMD64: `github-copilot-svcs-linux-amd64.gz`
-            - Linux ARM64: `github-copilot-svcs-linux-arm64.gz`
-            - macOS AMD64: `github-copilot-svcs-darwin-amd64.gz`
-            - macOS ARM64: `github-copilot-svcs-darwin-arm64.gz`
-            - Windows AMD64: `github-copilot-svcs-windows-amd64.exe.gz`
-            - Windows ARM64: `github-copilot-svcs-windows-arm64.exe.gz`
-          draft: false
-          prerelease: false
-
   build:
     needs: release
     runs-on: ubuntu-latest
@@ -136,14 +113,22 @@ jobs:
           ls -la "$GZ_BINARY_NAME"
 
       - name: Upload Release Asset
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: softprops/action-gh-release@v2
         with:
-          upload_url: ${{ needs.release.outputs.upload_url }}
-          asset_path: ./github-copilot-svcs-${{ matrix.goos }}-${{ matrix.goarch }}${{ matrix.suffix }}.gz
-          asset_name: github-copilot-svcs-${{ matrix.goos }}-${{ matrix.goarch }}${{ matrix.suffix }}.gz
-          asset_content_type: application/gzip
+          tag_name: ${{ needs.release.outputs.version }}
+          files: ./github-copilot-svcs-${{ matrix.goos }}-${{ matrix.goarch }}${{ matrix.suffix }}.gz
+          body: |
+            ## Changes in ${{ needs.release.outputs.version }}
+            
+            Auto-generated release from main branch.
+            
+            ### Downloads
+            - Linux AMD64: `github-copilot-svcs-linux-amd64.gz`
+            - Linux ARM64: `github-copilot-svcs-linux-arm64.gz`
+            - macOS AMD64: `github-copilot-svcs-darwin-amd64.gz`
+            - macOS ARM64: `github-copilot-svcs-darwin-arm64.gz`
+            - Windows AMD64: `github-copilot-svcs-windows-amd64.exe.gz`
+            - Windows ARM64: `github-copilot-svcs-windows-arm64.exe.gz`
 
   docker:
     needs: release
@@ -155,12 +140,6 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -172,9 +151,7 @@ jobs:
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: |
-            ${{ secrets.DOCKER_USERNAME }}/github-copilot-svcs
-            ghcr.io/${{ github.repository }}
+          images: ghcr.io/${{ github.repository }}
           tags: |
             type=semver,pattern={{version}},value=${{ needs.release.outputs.version }}
             type=semver,pattern={{major}}.{{minor}},value=${{ needs.release.outputs.version }}
 
@@ -5,10 +5,10 @@ WORKDIR /app
 # Install git and ca-certificates for building
 RUN apk add --no-cache git ca-certificates
 
-# Copy go mod files
-COPY go.mod go.sum ./
+# Copy go mod file
+COPY go.mod ./
 
-# Download dependencies
+# Download dependencies (this will create go.sum if it doesn't exist)
 RUN go mod download
 
 # Copy source code
 
@@ -59,7 +59,7 @@ func authenticate(cfg *Config) error {
 	}
 
 	// Step 1: Get device code
-	body := fmt.Sprintf(`{"client_id":"%s","scope":"%s"}`, copilotClientID, copilotScope)
+	body := fmt.Sprintf(`{"client_id":%q,"scope":%q}`, copilotClientID, copilotScope)
 	req, err := http.NewRequest("POST", copilotDeviceCodeURL, strings.NewReader(body))
 	if err != nil {
 		return err
@@ -110,7 +110,7 @@ func pollForGitHubToken(cfg *Config, deviceCode string, interval int) (string, e
 	for i := 0; i < 120; i++ { // Poll for 2 minutes max
 		time.Sleep(time.Duration(interval) * time.Second)
 
-		body := fmt.Sprintf(`{"client_id":"%s","device_code":"%s","grant_type":"urn:ietf:params:oauth:grant-type:device_code"}`,
+		body := fmt.Sprintf(`{"client_id":%q,"device_code":%q,"grant_type":"urn:ietf:params:oauth:grant-type:device_code"}`,
 			copilotClientID, deviceCode)
 		req, err := http.NewRequest("POST", copilotTokenURL, strings.NewReader(body))
 		if err != nil {
@@ -147,7 +147,7 @@ func pollForGitHubToken(cfg *Config, deviceCode string, interval int) (string, e
 	return "", fmt.Errorf("authentication timed out")
 }
 
-func getCopilotToken(cfg *Config, githubToken string) (string, int64, int64, error) {
+func getCopilotToken(cfg *Config, githubToken string) (token string, expiresAt, refreshIn int64, err error) {
 	req, err := http.NewRequest("GET", copilotAPIKeyURL, http.NoBody)
 	if err != nil {
 		return "", 0, 0, err
@@ -161,7 +161,7 @@ func getCopilotToken(cfg *Config, githubToken string) (string, int64, int64, err
 	}
 	defer resp.Body.Close()
 
-	if resp.StatusCode != 200 {
+	if resp.StatusCode != http.StatusOK {
 		return "", 0, 0, fmt.Errorf("failed to get Copilot token: %d", resp.StatusCode)
 	}
 
 
@@ -22,20 +22,24 @@ func TestAuthenticate(t *testing.T) {
 				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 					if r.URL.Path == "/login/device/code" {
 						w.Header().Set("Content-Type", "application/json")
-						json.NewEncoder(w).Encode(map[string]interface{}{
+						if err := json.NewEncoder(w).Encode(map[string]interface{}{
 							"device_code":      "test_device_code",
 							"user_code":        "TEST123",
 							"verification_uri": "https://github.com/login/device",
 							"expires_in":       900,
 							"interval":         5,
-						})
+						}); err != nil {
+							http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+						}
 					} else if r.URL.Path == "/login/oauth/access_token" {
 						w.Header().Set("Content-Type", "application/json")
-						json.NewEncoder(w).Encode(map[string]interface{}{
+						if err := json.NewEncoder(w).Encode(map[string]interface{}{
 							"access_token": "gho_test_token",
 							"scope":        "copilot",
 							"token_type":   "bearer",
-						})
+						}); err != nil {
+							http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+						}
 					}
 				}))
 			},
@@ -45,7 +49,7 @@ func TestAuthenticate(t *testing.T) {
 		{
 			name: "device code request fails",
 			setupServer: func() *httptest.Server {
-				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 					w.WriteHeader(http.StatusInternalServerError)
 				}))
 			},
@@ -105,10 +109,12 @@ func TestGetCopilotToken(t *testing.T) {
 				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 					if r.URL.Path == "/copilot_internal/v2/token" {
 						w.Header().Set("Content-Type", "application/json")
-						json.NewEncoder(w).Encode(map[string]interface{}{
+						if err := json.NewEncoder(w).Encode(map[string]interface{}{
 							"token":      "ghu_test_copilot_token",
 							"expires_at": time.Now().Add(time.Hour).Unix(),
-						})
+						}); err != nil {
+							http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+						}
 					}
 				}))
 			},
@@ -118,7 +124,7 @@ func TestGetCopilotToken(t *testing.T) {
 			name:        "invalid github token",
 			githubToken: "invalid_token",
 			setupServer: func() *httptest.Server {
-				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 					w.WriteHeader(http.StatusUnauthorized)
 				}))
 			},
@@ -170,9 +176,9 @@ func TestRefreshToken(t *testing.T) {
 			name:         "successful token refresh",
 			currentToken: "ghu_old_token",
 			setupServer: func() *httptest.Server {
-				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 					w.Header().Set("Content-Type", "application/json")
-					json.NewEncoder(w).Encode(map[string]interface{}{
+					_ = json.NewEncoder(w).Encode(map[string]interface{}{
 						"token":      "ghu_new_token",
 						"expires_at": time.Now().Add(time.Hour).Unix(),
 					})
@@ -185,7 +191,7 @@ func TestRefreshToken(t *testing.T) {
 			name:         "refresh fails",
 			currentToken: "ghu_invalid_token",
 			setupServer: func() *httptest.Server {
-				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 					w.WriteHeader(http.StatusUnauthorized)
 				}))
 			},
@@ -237,17 +243,17 @@ func TestPollForGitHubToken(t *testing.T) {
 			deviceCode: "test_device_code",
 			setupServer: func() *httptest.Server {
 				callCount := 0
-				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 					callCount++
 					w.Header().Set("Content-Type", "application/json")
 					if callCount == 1 {
 						// First call returns pending
-						json.NewEncoder(w).Encode(map[string]interface{}{
+						_ = json.NewEncoder(w).Encode(map[string]interface{}{
 							"error": "authorization_pending",
 						})
 					} else {
 						// Second call returns success
-						json.NewEncoder(w).Encode(map[string]interface{}{
+						_ = json.NewEncoder(w).Encode(map[string]interface{}{
 							"access_token": "gho_test_token",
 							"scope":        "copilot",
 							"token_type":   "bearer",
@@ -261,9 +267,9 @@ func TestPollForGitHubToken(t *testing.T) {
 			name:       "polling timeout",
 			deviceCode: "test_device_code",
 			setupServer: func() *httptest.Server {
-				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 					w.Header().Set("Content-Type", "application/json")
-					json.NewEncoder(w).Encode(map[string]interface{}{
+					_ = json.NewEncoder(w).Encode(map[string]interface{}{
 						"error": "authorization_pending",
 					})
 				}))