added gosec & govulncheck

gorilla · Jul 23, 2023 · 116e70b · 116e70b
1 parent d11e39a
commit 116e70b
Show file tree

Hide file tree

Showing 5 changed files with 80 additions and 28 deletions.
diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml
@@ -5,6 +5,9 @@ on:
   issues:
     types:
       - opened
+  pull_request:
+    types:
+      - opened
 
 jobs:
   add-to-project:

diff --git a/.github/workflows/pull-request-size-labeler.yml b/.github/workflows/pull-request-size-labeler.yml
@@ -0,0 +1,30 @@
+name: Pull request size labeler
+
+on: [pull_request]
+
+jobs:
+  labeler:
+    runs-on: ubuntu-latest
+    name: Label the PR size
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: codelytv/pr-size-labeler@v1
+        with:
+          GITHUB_TOKEN: ${{ secrets.ADD_TO_PROJECT_TOKEN }}
+          xs_label: 'size/xs'
+          xs_max_size: '10'
+          s_label: 'size/s'
+          s_max_size: '100'
+          m_label: 'size/m'
+          m_max_size: '500'
+          l_label: 'size/l'
+          l_max_size: '1000'
+          xl_label: 'size/xl'
+          fail_if_xl: 'false'
+          message_if_xl: >
+            This PR exceeds the recommended size of 1000 lines.
+            Please make sure you are NOT addressing multiple issues with one PR.
+            Note this PR might be rejected due to its size.
+          files_to_ignore: ''
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs:
   verify-and-test:
     strategy:
       matrix: 
-        go: ['1.18', '1.19','1.20']
+        go: ['1.19','1.20']
         os: [ubuntu-latest, macos-latest, windows-latest]
       fail-fast: true
     runs-on: ${{ matrix.os }}
@@ -28,13 +28,28 @@ jobs:
           go-version: ${{ matrix.go }}
           cache: false
 
-      - name: Verify
+      - name: Run GolangCI-Lint
         uses: golangci/golangci-lint-action@v3
         with: 
           version: v1.53
           args: --timeout=5m
-
+
+      - name: Run GoSec
+        if: matrix.os == 'ubuntu-latest'
+        uses: securego/gosec@master
+        with:
+          args: ./...
+
+      - name: Run GoVulnCheck
+        uses: golang/govulncheck-action@v1
+        with:
+          go-version-input: ${{ matrix.go }}
+          go-package: ./...
+
       - name: Test
-        run: go test -race --coverprofile=coverage.txt --covermode=atomic -v ./...
+        run: go test -race -cover -coverprofile=coverage -covermode=atomic -v ./...
+
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v3
+        with:
+          files: ./coverage
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+coverage.coverprofile
diff --git a/Makefile b/Makefile
@@ -1,33 +1,36 @@
-SHELL := /bin/bash
+GO_LINT=$(shell which golint 2> /dev/null || echo '')
+GO_LINT_URI=github.com/golangci/golangci-lint/cmd/golangci-lint@latest
 
-# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
-ifeq (,$(shell go env GOBIN))
-GOBIN=$(shell go env GOPATH)/bin
-else
-GOBIN=$(shell go env GOBIN)
-endif
+# Resolving binary dependencies for specific targets
+GO_SEC=$(shell which gosec 2> /dev/null || echo '')
+GO_SEC_URI=github.com/securego/gosec/v2/cmd/gosec@latest
 
-# LINT is the path to the golangci-lint binary
-LINT = $(shell which golangci-lint)
+# Resolving binary dependencies for specific targets
+GO_VULNCHECK=$(shell which govulncheck 2> /dev/null || echo '')
+GO_VULNCHECK_URI=golang.org/x/vuln/cmd/govulncheck@latest
 
 .PHONY: golangci-lint
 golangci-lint:
-ifeq (, $(LINT))
-  ifeq (, $(shell which golangci-lint))
-	@{ \
-	set -e ;\
-	go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest ;\
-	}
-  override LINT=$(GOBIN)/golangci-lint
-  else
-  override LINT=$(shell which golangci-lint)
-  endif
-endif
+	$(if $(GO_LINT), ,go install $(GO_LINT_URI))
+	@echo "##### Running golangci-lint"
+	golangci-lint run -v
+
+.PHONY: gosec
+gosec:
+	$(if $(GO_SEC), ,go install $(GO_SEC_URI))
+	@echo "##### Running gosec"
+	gosec ./...
+
+.PHONY: govulncheck
+govulncheck:
+	$(if $(GO_VULNCHECK), ,go install $(GO_VULNCHECK_URI))
+	@echo "##### Running govulncheck"
+	govulncheck ./...
 
 .PHONY: verify
-verify: golangci-lint
-	$(LINT) run
+verify: golangci-lint gosec govulncheck
 
 .PHONY: test
 test:
-	go test -race --coverprofile=coverage.coverprofile --covermode=atomic -v ./...
+	@echo "##### Running tests"
+	go test -race -cover -coverprofile=coverage.coverprofile -covermode=atomic -v ./...