ci: full clone

Author: jippi

.github/workflows/build.yml

@@ -20,6 +20,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - uses: gitleaks/gitleaks-action@v2
         env:

.github/workflows/gitleaks.yml

@@ -22,6 +22,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - uses: anchore/scan-action@v3
         with:

.github/workflows/grype.yml

@@ -26,6 +26,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - uses: actions/setup-go@v5
         with:

.github/workflows/lint.yml

@@ -19,8 +19,6 @@ jobs:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
     steps:
       - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
 
       - uses: arduino/setup-task@v2
         with:

.github/workflows/release.yml

@@ -0,0 +1,58 @@
+name: Security
+
+on:
+  pull_request_target:
+
+permissions:
+  contents: read
+
+jobs:
+  # ------------------------------
+
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - uses: arduino/setup-task@v2
+        with:
+          version: 3.x
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: setup
+        run: task setup
+
+      - name: install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: run govulncheck
+        run: govulncheck ./...
+
+  # ------------------------------
+
+  semgrep:
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - uses: actions/checkout@v4
+        with:
+          repository: dgryski/semgrep-go
+          path: rules
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: semgrep
+        run: semgrep scan --error --enable-nosem -f ./rules .

.github/workflows/security.yml

@@ -0,0 +1,54 @@
+name: Test
+
+on:
+  pull_request_target:
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: setup-tparse
+        run: go install github.com/mfridman/tparse@latest
+
+      - uses: arduino/setup-task@v2
+        with:
+          version: 3.x
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: setup
+        run: |
+          task setup
+          task build
+
+      - name: test
+        run: ./scripts/test.sh
+
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+      - name: Ensure scm-engine binary work
+        run: ./scm-engine
+
+      - name: Test scm-engine against test GitLab project
+        run: ./scm-engine evaluate 1
+        env:
+          SCM_ENGINE_TOKEN: "${{ secrets.GITLAB_INTEGRATION_TEST_API_TOKEN }}"
+          SCM_ENGINE_CONFIG_FILE: ".scm-engine.example.yml"
+          GITLAB_PROJECT: "jippi/scm-engine-schema-test"
+          GITLAB_BASEURL: https://gitlab.com/
+
+      - name: Show any diff that may be in the project
+        run: git diff

.github/workflows/test.yml

@@ -20,12 +20,12 @@ tasks:
 
   build:
     desc: Build the binary
+    cmds:
+      - go build -o scm-engine .
     sources:
       - ./**/*.go
     generates:
       - ./scm-engine
-    cmds:
-      - go build -o scm-engine .
 
   test:
     desc: Run tests

Taskfile.yml

@@ -27,7 +27,7 @@ func main() {
 	app := &cli.App{
 		Name:                 "scm-engine",
 		Usage:                "GitHub/GitLab automation",
-		Copyright:            "Christian Winther",
+		Copyright:            "Christian Winther?!",
 		EnableBashCompletion: true,
 		Suggest:              true,
 		Version:              fmt.Sprintf("%s (date: %s; commit: %s)", version, date, commit),