Merge pull request #61 from smlx/ossf-game

Ossf game
smlx · Dec 12, 2023 · e386f0c · e386f0c
2 parents d66e9f5 + 3688be9
commit e386f0c
Show file tree

Hide file tree

Showing 7 changed files with 104 additions and 55 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -5,11 +5,15 @@ on:
     - main
 permissions: read-all
 jobs:
-  build-binaries:
+  build-snapshot:
     permissions:
       contents: read
-      actions: write
+      packages: write
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        binary:
+        - go-cli-github
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
@@ -21,50 +25,22 @@ jobs:
     - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
       with:
         version: latest
-        args: build --snapshot --clean
-    - name: Upload binary artifacts
-      # work around limitations in the upload/download artifact actions
-      # https://github.com/actions/download-artifact#limitations
-      run: tar -cvf dist.tar dist
-    - name: Upload binaries tar file
-      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-      with:
-        name: dist.tar
-        path: dist.tar
-  build-images:
-    permissions:
-      contents: read
-      actions: read
-      packages: write
-      id-token: write
-    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
-    strategy:
-      matrix:
-        binary:
-        - go-cli-github
-    needs: build-binaries
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - name: Download binary artifacts
-      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
-      with:
-        name: dist.tar
-    - name: Untar binaries
-      run: tar -xvf dist.tar
+        args: build --clean --debug --single-target --snapshot
     - name: Login to GHCR
+      if: github.actor != 'dependabot[bot]'
       uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
     - name: Get Docker metadata
+      if: github.actor != 'dependabot[bot]'
       id: docker_metadata
       uses: docker/metadata-action@31cebacef4805868f9ce9a0cb03ee36c32df2ac4 # v5.3.0
       with:
         images: ghcr.io/${{ github.repository }}/${{ matrix.binary }}
     - name: Build and push ${{ matrix.binary }} container image
-      id: docker_build
+      if: github.actor != 'dependabot[bot]'
       uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
       with:
         push: true

diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
@@ -7,11 +7,13 @@ on:
     branches:
     - main
 permissions:
-  actions: read
   contents: read
-  security-events: write
 jobs:
   analyze:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false

diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml
@@ -5,10 +5,12 @@ on:
     branches:
     - main
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 jobs:
   dependabot-automerge:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     if: github.actor == 'dependabot[bot]'
     steps:

diff --git a/Makefile b/Makefile
@@ -14,4 +14,5 @@ generate: mod-tidy
 
 .PHONY: build
 build:
-	GOVERSION=$$(go version) goreleaser build  --clean --debug --snapshot
+	GOVERSION=$$(go version) \
+						goreleaser build --clean --debug --single-target --snapshot
diff --git a/README.md b/README.md
@@ -76,20 +76,6 @@ Configure the repository:
 
     * Set Workflow permissions to "Read repository contents and package permissions"
 
-1. Go to repository Settings > Branches and add branch protection to `main`, and enable:
-
-    * Require a PR before merging
-        * Dismiss stale pull request approvals
-    * Require status checks to pass before merging
-        * Require branches to be up-to-date before merging.
-        * Required status checks:
-            * CodeQL
-            * lint-actions
-            * lint-commits
-            * lint-go
-            * test-go
-            * dependency-review
-            * build-binaries
-    * Include administrators
+1. Go to repository Settings > Rules > Rulesets, and import the `protect-default-branch.json` ruleset.
 
 1. That's it.
diff --git a/deploy/go-cli-github/Dockerfile b/deploy/go-cli-github/Dockerfile
@@ -1,3 +1,3 @@
-FROM alpine:3.19
+FROM alpine:3.19@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48
 ENTRYPOINT ["/go-cli-github"]
 COPY go-cli-github /
diff --git a/protect-default-branch.json b/protect-default-branch.json
@@ -0,0 +1,82 @@
+{
+  "id": 239413,
+  "name": "protect-default-branch",
+  "target": "branch",
+  "source_type": "Repository",
+  "source": "smlx/go-cli-github",
+  "enforcement": "active",
+  "conditions": {
+    "ref_name": {
+      "exclude": [],
+      "include": [
+        "~DEFAULT_BRANCH"
+      ]
+    }
+  },
+  "rules": [
+    {
+      "type": "deletion"
+    },
+    {
+      "type": "non_fast_forward"
+    },
+    {
+      "type": "update"
+    },
+    {
+      "type": "creation"
+    },
+    {
+      "type": "required_linear_history"
+    },
+    {
+      "type": "pull_request",
+      "parameters": {
+        "required_approving_review_count": 1,
+        "dismiss_stale_reviews_on_push": false,
+        "require_code_owner_review": false,
+        "require_last_push_approval": false,
+        "required_review_thread_resolution": false
+      }
+    },
+    {
+      "type": "required_status_checks",
+      "parameters": {
+        "strict_required_status_checks_policy": true,
+        "required_status_checks": [
+          {
+            "context": "CodeQL",
+            "integration_id": 57789
+          },
+          {
+            "context": "lint-actions",
+            "integration_id": 15368
+          },
+          {
+            "context": "lint-commits",
+            "integration_id": 15368
+          },
+          {
+            "context": "lint-go",
+            "integration_id": 15368
+          },
+          {
+            "context": "test-go",
+            "integration_id": 15368
+          },
+          {
+            "context": "dependency-review",
+            "integration_id": 15368
+          }
+        ]
+      }
+    }
+  ],
+  "bypass_actors": [
+    {
+      "actor_id": 5,
+      "actor_type": "RepositoryRole",
+      "bypass_mode": "pull_request"
+    }
+  ]
+}