introduce dockerfile to keep the go to use in ci up-to-date and ci cleanup (#300)

cpanato · puerco · web-flow · commit e42f7b714a42 · 2025-09-12T14:46:41.000-06:00
* introduce dockerfile to keep the go to use in ci up-to-date

Signed-off-by: Carlos Panato &lt;ctadeu@gmail.com&gt;

* set go from the dockerfile and apply best practices

Signed-off-by: Carlos Panato &lt;ctadeu@gmail.com&gt;

* apply best practices

Signed-off-by: Carlos Panato &lt;ctadeu@gmail.com&gt;

* Run commands with context

Signed-off-by: Adolfo García Veytia (Puerco) &lt;puerco@carabiner.dev&gt;

---------

Signed-off-by: Carlos Panato &lt;ctadeu@gmail.com&gt;
Signed-off-by: Adolfo García Veytia (Puerco) &lt;puerco@carabiner.dev&gt;
Co-authored-by: Adolfo García Veytia (Puerco) &lt;puerco@carabiner.dev&gt;
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -23,3 +23,13 @@ updates:
         update-types:
           - "minor"
           - "patch"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      all:
+        update-types:
+          - "minor"
+          - "patch"
diff --git a/.github/workflows/compute_slsa_source.yml b/.github/workflows/compute_slsa_source.yml
@@ -3,12 +3,16 @@ name: "Computes the SLSA source information"
 on:
   workflow_call:
 
+permissions: {}
+
 jobs:
   compute_slsa_source:
+    runs-on: ubuntu-latest
+
     permissions:
       contents: write # needed for storing attestations in the repo
       id-token: write
-    runs-on: ubuntu-latest
+
     steps:
     - name: prov
       uses: slsa-framework/slsa-source-poc/actions/slsa_with_provenance@main
diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml
@@ -5,23 +5,33 @@ name: Go Tests (sourcetool)
 
 on:
   pull_request:
+    branches:
+      - main
+
+permissions: {}
 
 jobs:
   test:
+    runs-on: ubuntu-latest
+
     permissions:
       contents: read
-    runs-on: ubuntu-latest
+
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
+      - name: Extract version of Go to use
+        run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV
+
       - name: Set up Go
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version-file: go.mod
+          go-version: ${{ env.GOVERSION }}
           check-latest: true
+          cache: false
 
       - name: Setup Buf
         uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0
@@ -31,7 +41,7 @@ jobs:
 
       - name: Run Go tests
         run: |
-          go test ./...
+          go test -v ./...
 
       - name: Check generated fakes
         run: |
diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml
@@ -9,21 +9,28 @@ on:
     branches:
       - main
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   golangci:
     name: lint
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
+      - name: Extract version of Go to use
+        run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV
+
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version-file: go.mod
+          go-version: ${{ env.GOVERSION }}
+          check-latest: true
           cache: false
 
       - run: |
@@ -32,5 +39,4 @@ jobs:
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
-          version: v2.1
-
+          version: v2.4
diff --git a/.github/workflows/local_attest.yml b/.github/workflows/local_attest.yml
@@ -4,8 +4,12 @@
 name: SLSA Source
 on:
   push:
-    branches: [ "main" ]
-    tags: ['**']
+    branches:
+      - main
+    tags:
+      - '**'
+
+permissions: {}
 
 jobs:
   # Whenever new source is pushed recompute the slsa source information.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -7,9 +7,9 @@ on:
   push:
     tags:
       - 'v*'
-permissions:
-  contents: read
-  
+
+permissions: {}
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -18,9 +18,9 @@ jobs:
       id-token: write # To sign attestations
       attestations: write # To push build provenance to attestations store
       contents: write # To create the release
-      
+
     steps:
-      
+
       - name: Setup bnd
         uses: carabiner-dev/actions/install/bnd@HEAD
 
@@ -30,9 +30,13 @@ jobs:
           persist-credentials: false
           fetch-depth: 1
 
+      - name: Extract version of Go to use
+        run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV
+
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version-file: go.mod
+          go-version: ${{ env.GOVERSION }}
+          check-latest: true
           cache: false
 
       - name: Install tejolote
@@ -43,7 +47,7 @@ jobs:
       - name: Set tag output
         id: tag
         run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
-  
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         id: goreleaser
@@ -67,5 +71,4 @@ jobs:
             bnd pack attestations/ > sourcetool.intoto.jsonl
             gh release upload ${{ steps.tag.outputs.tag_name }} sourcetool.intoto.jsonl
             # Remove this once GitHub like the tejolote build predicate
-            # bnd push github ${{github.repository}} attestations/sourcetool-${{ steps.tag.outputs.tag_name }}.provenance.json 
-
+            # bnd push github ${{github.repository}} attestations/sourcetool-${{ steps.tag.outputs.tag_name }}.provenance.json
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,3 @@
+# This is used to we scrap the go version and use in CI to get the latest go version
+# and we use dependabot to keep the go version up to date
+FROM golang:1.25.0
diff --git a/pkg/auth/implementation.go b/pkg/auth/implementation.go
@@ -112,7 +112,7 @@ func (di *defaultImplementation) openBrowser(authURL string) error {
 		cmd = "xdg-open"
 	}
 
-	return exec.Command(cmd, append(args, authURL)...).Start() //nolint:gosec // yes variable input
+	return exec.CommandContext(context.Background(), cmd, append(args, authURL)...).Start() //nolint:gosec // yes variable input
 }
 
 // requestDeviceCode requests a device code from GitHub

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# This is used to we scrap the go version and use in CI to get the latest go version`
	`2`	`+# and we use dependabot to keep the go version up to date`
	`3`	`+FROM golang:1.25.0`
Original file line number	Diff line number	Diff line change
`@@ -112,7 +112,7 @@ func (di *defaultImplementation) openBrowser(authURL string) error {`
`112`	`112`	`cmd = "xdg-open"`
`113`	`113`	`}`
`114`	`114`
`115`		`- return exec.Command(cmd, append(args, authURL)...).Start() //nolint:gosec // yes variable input`
	`115`	`+ return exec.CommandContext(context.Background(), cmd, append(args, authURL)...).Start() //nolint:gosec // yes variable input`
`116`	`116`	`}`
`117`	`117`
`118`	`118`	`// requestDeviceCode requests a device code from GitHub`