Reusable workflow

.github/codeql/codeql-config.yml

@@ -0,0 +1,16 @@
+# Copyright 2020 Wayback Archiver. All rights reserved.
+# Use of this source code is governed by the GNU GPL v3
+# license that can be found in the LICENSE file.
+#
+name: "CodeQL config"
+queries:
+  # Run all extra query suites, both because we want to
+  # and because it'll act as extra testing. This is why
+  # we include both even though one is a superset of the
+  # other, because we're testing the parsing logic and
+  # that the suites exist in the codeql bundle.
+  - uses: security-extended
+  - uses: security-and-quality
+paths-ignore:
+  - tests
+  - lib

.github/workflows/analysis.yml

@@ -0,0 +1,71 @@
+# Copyright 2020 Wayback Archiver. All rights reserved.
+# Use of this source code is governed by the GNU GPL v3
+# license that can be found in the LICENSE file.
+
+name: "Analysis"
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '33 23 * * 4'
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  scorecards:
+    name: Scorecards
+    uses: wabarc/.github/.github/workflows/reusable-scorecards.yml@main
+    if: |
+      github.event_name == 'pull_request' ||
+      github.ref == 'refs/heads/main'
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      actions: read
+      contents: read
+
+  codeql:
+    name: CodeQL
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+    uses: wabarc/.github/.github/workflows/reusable-codeql.yml@main
+    with:
+      language: ${{ matrix.language }}
+      config-file: './.github/codeql/codeql-config.yml'
+
+  nancy:
+    name: Sonatype Nancy
+    uses: wabarc/.github/.github/workflows/reusable-nancy.yml@main
+
+  semgrep:
+    name: Semgrep Scan
+    if: github.actor != 'dependabot[bot]'
+    uses: wabarc/.github/.github/workflows/reusable-semgrep.yml@main
+
+  fossa:
+    if: github.event_name != 'pull_request'
+    name: FOSSA
+    uses: wabarc/.github/.github/workflows/reusable-fossa.yml@main
+    secrets:
+      fossa-apikey: ${{ secrets.FOSSA_APIKEY }}
+
+  dependency-review:
+    name: Dependency Review
+    uses: wabarc/.github/.github/workflows/reusable-dependency-review.yml@main

.github/workflows/linter.yml

@@ -1,3 +1,7 @@
+# Copyright 2020 Wayback Archiver. All rights reserved.
+# Use of this source code is governed by the GNU GPL v3
+# license that can be found in the LICENSE file.
+#
 name: Linter
 
 on:
@@ -9,114 +13,34 @@ on:
       - '**'
     types: [ opened, synchronize, reopened ]
 
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code base
-        if: github.event_name == 'push'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Check out code base
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Lint Code Base
-        uses: github/super-linter@v4
-        env:
-          DEFAULT_BRANCH: 'main'
-          VALIDATE_MARKDOWN: true
-          VALIDATE_DOCKERFILE: true
-          VALIDATE_BASH: true
-          VALIDATE_BASH_EXEC: true
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions:
+  contents: read
 
-  go:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code base
-        if: github.event_name == 'push'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Check out code base
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
+jobs:
+  super-linter:
+    name: Super Linter
+    uses: wabarc/.github/.github/workflows/reusable-super-linter.yml@main
 
-      - name: Golang linter
-        uses: golangci/golangci-lint-action@v3
+  golangci:
+    name: golangci-lint
+    uses: wabarc/.github/.github/workflows/reusable-golangci.yml@main
 
   shellcheck:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code base
-        if: github.event_name == 'push'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Check out code base
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Run shellcheck with reviewdog
-        uses: reviewdog/action-shellcheck@v1
+    name: ShellCheck
+    uses: wabarc/.github/.github/workflows/reusable-shellcheck.yml@main
 
   misspell:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code base
-        if: github.event_name == 'push'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Check out code base
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Run misspell with reviewdog
-        uses: reviewdog/action-misspell@v1
+    name: Misspell
+    uses: wabarc/.github/.github/workflows/reusable-misspell.yml@main
 
   alex:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code base
-        if: github.event_name == 'push'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Check out code base
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
+    name: Alex
+    uses: wabarc/.github/.github/workflows/reusable-alex.yml@main
 
-      - name: Run alex with reviewdog
-        uses: reviewdog/action-alex@v1
+  urlcheck:
+    name: URLCheck
+    uses: wabarc/.github/.github/workflows/reusable-urlcheck.yml@main
 
   goreportcard:
-    if: ${{ github.ref == 'refs/heads/main' }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: Run Go report card
-        run: |
-          path=$(curl -sf -X POST -F "repo=github.com/$GITHUB_REPOSITORY" https://goreportcard.com/checks | jq -r '.redirect')
-          echo -e "\nSee report for https://goreportcard.com${path}"
+    name: Go Report Card
+    uses: wabarc/.github/.github/workflows/reusable-goreportcard.yml@main

.github/workflows/release.yml

@@ -129,6 +129,8 @@ jobs:
       if: startsWith(github.ref, 'refs/tags/')
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+      permissions:
+        contents: write
       with:
         body_path: gittaglogs.txt
         files: ${{ env.PRODUCT }}/*${{ env.PRODUCT }}*

.github/workflows/stale.yml

@@ -1,19 +1,19 @@
+# Copyright 2020 Wayback Archiver. All rights reserved.
+# Use of this source code is governed by the GNU GPL v3
+# license that can be found in the LICENSE file.
+#
 name: Stale
 
 on:
   schedule:
     - cron: "0 3 * * 6"
+  workflow_dispatch:
+
+permissions:
+  issues: write
+  pull-requests: write
 
 jobs:
   stale:
     name: Stale
-    runs-on: ubuntu-latest
-    steps:
-      - name: Mark stale issues and pull requests
-        uses: actions/stale@v5
-        with:
-          repo-token: ${{ github.token }}
-          stale-issue-message: "This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days"
-          stale-pr-message: 'It has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days'
-          days-before-stale: 120
-          days-before-close: 5
+    uses: wabarc/.github/.github/workflows/reusable-stale.yml@main

.github/workflows/testing.yml

@@ -32,38 +32,54 @@ jobs:
         os: [ ubuntu-latest, macos-latest, windows-latest ]
         go: [ "1.18", "1.19" ]
     steps:
-    - name: Set up Go 1.x
-      uses: actions/setup-go@v3
-      with:
-        go-version: ${{ matrix.go }}
+      - name: Harden Runner
+        uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0
+        with:
+          egress-policy: audit
+          disable-telemetry: true
 
-    - name: Set up Chrome
-      uses: browser-actions/setup-chrome@latest
-      with:
-        chrome-version: stable
+      - name: Set up Go 1.x
+        uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v3.3.1
+        with:
+          go-version: ${{ matrix.go }}
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      - name: Set up Chrome
+        uses: browser-actions/setup-chrome@37c79b7f0199cec79c8b6a414e806d88c8662bdd
+        with:
+          chrome-version: stable
 
-    - name: Cache go module
-      uses: actions/cache@v3
-      with:
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod
-          ~/Library/Caches/go-build
-          ~\AppData\Local\go-build
-          ~\go\pkg\mod
-        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-
+      - name: Check out code base
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        with:
+          fetch-depth: 0
 
-    - name: Get dependencies
-      run: |
-        go get -v -t -d ./...
+      - name: Check out code base
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
 
-    - name: Run test
-      env:
-        CGO_ENABLED: 1
-      run: |
-        go test -v -race -cover -covermode=atomic ./...
+      - name: Cache go module
+        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+            ~/Library/Caches/go-build
+            ~\AppData\Local\go-build
+            ~\go\pkg\mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Get dependencies
+        run: |
+          go get -v -t -d ./...
+
+      - name: Run test
+        env:
+          CGO_ENABLED: 1
+        run: |
+          go test -v -race -cover -covermode=atomic ./...