ci: overhaul workflows — lint, security scanning, release hardening

vmfunc · vmfunc · commit 373b2ae3b592 · 2026-02-13T01:03:48.000+01:00
- add golangci-lint job to go.yml (parallel with build+test)
- add Go 1.23/1.24 version matrix, coverage only on 1.24
- upgrade setup-go@v4→v5, codecov@v4→v5 across all workflows
- fix check-large-files bug (find|while never exits 1), exclude .git/
- add concurrency groups to push+PR workflows (no duplicate runs)
- lowercase all workflow names to match project voice
- add gosec, errorlint, gocognit, nilnil, wastedassign, tenv linters
- remove deprecated exportloopref (Go 1.22 fixed loop var capture)
- new: codeql.yml — semantic SAST with SARIF upload
- new: govulncheck.yml — Go vuln scanner with call-graph analysis
- new: scorecard.yml — OpenSSF supply chain scorecard
- new: dependabot.yml — auto-update Go deps + Actions versions
- release: SHA256 checksums + SBOM generation for all artifacts
- add CODEOWNERS
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @vmfunc
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    labels:
+      - deps
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    labels:
+      - deps
diff --git a/.github/workflows/automatic-rebase.yml b/.github/workflows/automatic-rebase.yml
@@ -1,4 +1,4 @@
-name: Automatic Rebase
+name: automatic rebase
 on:
   issue_comment:
     types: [created]
@@ -12,7 +12,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Automatic Rebase
+      - name: automatic rebase
         uses: cirrus-actions/rebase@1.8
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/check-large-files.yml b/.github/workflows/check-large-files.yml
@@ -1,18 +1,26 @@
-name: Check Large Files
+name: check large files
 
 on:
   pull_request:
   push:
     branches: [main]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   check-large-files:
-    name: Check for large files
+    name: check for large files
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Check for large files
+      - name: check for large files
         run: |
-          find . -type f -size +5M | while read file; do
-            echo "::error file=${file}::File ${file} is larger than 5MB"
-          done
+          large_files=$(find . -path ./.git -prune -o -type f -size +5M -print)
+          if [ -n "$large_files" ]; then
+            echo "$large_files" | while read -r file; do
+              echo "::error file=${file}::File ${file} is larger than 5MB"
+            done
+            exit 1
+          fi
diff --git a/.github/workflows/code_quality.yml b/.github/workflows/code_quality.yml
@@ -1,11 +1,15 @@
-name: Qodana
+name: qodana
 on:
   workflow_dispatch:
   pull_request:
   push:
     branches:
       - main
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   qodana:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,34 @@
+name: codeql
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1" # monday 06:00 UTC
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: set up go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.24"
+      - name: initialize codeql
+        uses: github/codeql-action/init@v3
+        with:
+          languages: go
+      - name: autobuild
+        uses: github/codeql-action/autobuild@v3
+      - name: perform codeql analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:go"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -1,4 +1,4 @@
-name: "Dependency Review"
+name: dependency review
 on:
   pull_request:
   push:
@@ -7,16 +7,20 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - name: "Checkout Repository"
+      - name: checkout repository
         uses: actions/checkout@v4
-      - name: "Dependency Review"
+      - name: dependency review
         uses: actions/dependency-review-action@v4
         continue-on-error: ${{ github.event_name == 'push' }}
-      - name: "Check Dependency Review Outcome"
+      - name: check dependency review outcome
         if: github.event_name == 'push' && failure()
         run: |
           echo "::warning::Dependency review failed. Please check the dependencies for potential issues."
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -1,24 +1,47 @@
-name: Go
+name: go
+
 on:
   push:
     branches: ["main"]
   pull_request:
     branches: ["main"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  build:
+  lint:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Go
-        uses: actions/setup-go@v4
+      - name: set up go
+        uses: actions/setup-go@v5
         with:
           go-version: "1.24"
-      - name: Build
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: latest
+
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        go-version: ["1.23", "1.24"]
+    steps:
+      - uses: actions/checkout@v4
+      - name: set up go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: build
         run: make
-      - name: Run tests with coverage
+      - name: run tests with coverage
         run: go test -race -coverprofile=coverage.out -covermode=atomic ./...
-      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v4
+      - name: upload coverage to codecov
+        if: matrix.go-version == '1.24'
+        uses: codecov/codecov-action@v5
         with:
           files: ./coverage.out
           fail_ci_if_error: false
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
@@ -0,0 +1,23 @@
+name: govulncheck
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1" # monday 06:00 UTC
+
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: set up go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.24"
+      - name: install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      - name: run govulncheck
+        run: govulncheck ./...
diff --git a/.github/workflows/language.yml b/.github/workflows/language.yml
@@ -1,4 +1,4 @@
-name: Mind your language
+name: mind your language
 on:
   issues:
     types:
diff --git a/.github/workflows/markdown-lint.yml b/.github/workflows/markdown-lint.yml
@@ -1,4 +1,4 @@
-name: Markdown Lint
+name: markdown lint
 
 on:
   pull_request:
diff --git a/.github/workflows/misspell.yml b/.github/workflows/misspell.yml
@@ -1,10 +1,14 @@
-name: Misspell Check
+name: misspell check
 
 on:
   pull_request:
   push:
     branches: [main]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   misspell:
     name: runner / misspell
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,4 +1,4 @@
-name: Release
+name: release
 
 on:
   push:
@@ -19,28 +19,28 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Go
-        uses: actions/setup-go@v4
+      - name: set up go
+        uses: actions/setup-go@v5
         with:
           go-version: "1.24"
 
-      - name: Build for Windows
+      - name: build for windows
         run: |
           GOOS=windows GOARCH=amd64 go build -o sif-windows-amd64.exe ./cmd/sif
           GOOS=windows GOARCH=386 go build -o sif-windows-386.exe ./cmd/sif
 
-      - name: Build for macOS
+      - name: build for macOS
         run: |
           GOOS=darwin GOARCH=amd64 go build -o sif-macos-amd64 ./cmd/sif
           GOOS=darwin GOARCH=arm64 go build -o sif-macos-arm64 ./cmd/sif
 
-      - name: Build for Linux
+      - name: build for linux
         run: |
           GOOS=linux GOARCH=amd64 go build -o sif-linux-amd64 ./cmd/sif
           GOOS=linux GOARCH=386 go build -o sif-linux-386 ./cmd/sif
           GOOS=linux GOARCH=arm64 go build -o sif-linux-arm64 ./cmd/sif
 
-      - name: Package releases with modules
+      - name: package releases with modules
         run: |
           for binary in sif-linux-amd64 sif-linux-386 sif-linux-arm64 sif-macos-amd64 sif-macos-arm64; do
             mkdir -p "dist/${binary}"
@@ -55,7 +55,7 @@ jobs:
             cd dist && zip -r "../${binary}.zip" "${binary}" && cd ..
           done
 
-      - name: Build Debian packages
+      - name: build debian packages
         run: |
           VERSION="0.1.0-$(git rev-parse --short HEAD)"
 
@@ -94,10 +94,29 @@ jobs:
             dpkg-deb --build "${pkg_dir}"
           done
 
-      - name: Set release version
+      - name: generate checksums
+        run: |
+          sha256sum \
+            sif-windows-amd64.zip \
+            sif-windows-386.zip \
+            sif-macos-amd64.tar.gz \
+            sif-macos-arm64.tar.gz \
+            sif-linux-amd64.tar.gz \
+            sif-linux-386.tar.gz \
+            sif-linux-arm64.tar.gz \
+            sif_*.deb \
+            > checksums-sha256.txt
+
+      - name: generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          artifact-name: sbom.spdx.json
+          output-file: sbom.spdx.json
+
+      - name: set release version
         run: echo "RELEASE_VERSION=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
 
-      - name: Create Release and Upload Assets
+      - name: create release and upload assets
         uses: softprops/action-gh-release@v2
         with:
           tag_name: automated-release-${{ env.RELEASE_VERSION }}
@@ -120,12 +139,10 @@ jobs:
             - Debian/Ubuntu (32-bit): `sif_*_i386.deb`
             - Debian/Ubuntu (64-bit ARM): `sif_*_arm64.deb`
 
-            ## Installation
+            ## Verification
 
             ```bash
-            tar -xzf sif-linux-amd64.tar.gz
-            cd sif-linux-amd64
-            ./sif -h
+            sha256sum -c checksums-sha256.txt
             ```
 
             For more details, check the [commit history](https://github.com/${{ github.repository }}/commits/main).
@@ -142,10 +159,12 @@ jobs:
             sif_*_amd64.deb
             sif_*_i386.deb
             sif_*_arm64.deb
+            checksums-sha256.txt
+            sbom.spdx.json
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Push to Cloudsmith
+      - name: push to cloudsmith
         env:
           CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
         run: |
diff --git a/.github/workflows/reportcard.yml b/.github/workflows/reportcard.yml
@@ -1,4 +1,4 @@
-name: Update Report Card
+name: update report card
 
 on:
   push:
@@ -7,10 +7,14 @@ on:
     branches: [main]
   workflow_call:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   update-report-card:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Update Go Report Card
+      - name: update go report card
         uses: creekorful/goreportcard-action@v1.0
diff --git a/.github/workflows/runtest.yml b/.github/workflows/runtest.yml
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
diff --git a/.github/workflows/yaml-lint.yml b/.github/workflows/yaml-lint.yml
diff --git a/.golangci.yml b/.golangci.yml

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-name: Mind your language`
	`1`	`+name: mind your language`
`2`	`2`	`on:`
`3`	`3`	`issues:`
`4`	`4`	`types:`