feat: add server mode (#12)

* feat: add server mode

* fix: remove unneeded struct field from server payload

* feat: add support for gitlab webhook secrets

* feat: expose full webhook payload in expr as 'webhook_event'

* build: go mod tidy

* feat: add tui package and reorganize log output

* feat: configure what ip/port server should listen to

* build: include version in build artefacts

* ci: omit -h flag in build test

* ci: full clone

Author: jippi

.github/workflows/build.yml

@@ -2,8 +2,11 @@ name: "CodeQL"
 
 on:
   push:
+    tags:
+      - v*
     branches:
       - main
+  pull_request:
 
 jobs:
   # ------------------------------

.github/workflows/codeql.yml

@@ -2,10 +2,10 @@ name: Gitleaks
 
 on:
   push:
-    branches:
-      - "main"
     tags:
-      - "v*"
+      - v*
+    branches:
+      - main
   pull_request:
 
 permissions:
@@ -20,6 +20,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - uses: gitleaks/gitleaks-action@v2
         env:

.github/workflows/gitleaks.yml

@@ -2,10 +2,10 @@ name: Grype
 
 on:
   push:
-    branches:
-      - "main"
     tags:
-      - "v*"
+      - v*
+    branches:
+      - main
   pull_request:
 
 jobs:
@@ -22,6 +22,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - uses: anchore/scan-action@v3
         with:

.github/workflows/grype.yml

@@ -26,6 +26,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - uses: actions/setup-go@v5
         with:

.github/workflows/lint.yml

@@ -19,8 +19,6 @@ jobs:
       DOCKER_CLI_EXPERIMENTAL: "enabled"
     steps:
       - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
 
       - uses: arduino/setup-task@v2
         with:

.github/workflows/release.yml

@@ -0,0 +1,63 @@
+name: Security
+
+on:
+  push:
+    tags:
+      - v*
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  # ------------------------------
+
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - uses: arduino/setup-task@v2
+        with:
+          version: 3.x
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: setup
+        run: task setup
+
+      - name: install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: run govulncheck
+        run: govulncheck ./...
+
+  # ------------------------------
+
+  semgrep:
+    runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - uses: actions/checkout@v4
+        with:
+          repository: dgryski/semgrep-go
+          path: rules
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: semgrep
+        run: semgrep scan --error --enable-nosem -f ./rules .

.github/workflows/security.yml

@@ -0,0 +1,59 @@
+name: Test
+
+on:
+  push:
+    tags:
+      - v*
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: setup-tparse
+        run: go install github.com/mfridman/tparse@latest
+
+      - uses: arduino/setup-task@v2
+        with:
+          version: 3.x
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: setup
+        run: |
+          task setup
+          task build
+
+      - name: test
+        run: ./scripts/test.sh
+
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+      - name: Ensure scm-engine binary work
+        run: ./scm-engine -h
+
+      - name: Test scm-engine against test GitLab project
+        run: ./scm-engine evaluate 1
+        env:
+          SCM_ENGINE_TOKEN: "${{ secrets.GITLAB_INTEGRATION_TEST_API_TOKEN }}"
+          SCM_ENGINE_CONFIG_FILE: ".scm-engine.example.yml"
+          GITLAB_PROJECT: "jippi/scm-engine-schema-test"
+          GITLAB_BASEURL: https://gitlab.com/
+
+      - name: Show any diff that may be in the project
+        run: git diff

.github/workflows/test.yml

@@ -179,6 +179,8 @@ linters-settings:
       - i
       - id
       - ok
+      - r
+      - w
 
   tagalign:
     # Align and sort can be used together or separately.

.golangci.yaml

@@ -41,7 +41,7 @@ builds:
     flags:
       - -trimpath
     ldflags:
-      - -s -w -X {{.ModulePath}}/cmd.version={{.Version}} -X {{.ModulePath}}/cmd.commit={{.Commit}} -X {{.ModulePath}}/cmd.date={{ .CommitDate }} -X {{.ModulePath}}/cmd.treeState={{ .IsGitDirty }}
+      - -s -w -X {{.ModulePath}.version={{.Version}} -X {{.ModulePath}}.commit={{.Commit}} -X {{.ModulePath}}.date={{ .CommitDate }} -X {{.ModulePath}}.treeState={{ .IsGitDirty }}
 
 universal_binaries:
   - replace: false

.goreleaser.yaml

@@ -20,12 +20,12 @@ tasks:
 
   build:
     desc: Build the binary
+    cmds:
+      - go build -o scm-engine .
     sources:
       - ./**/*.go
     generates:
       - ./scm-engine
-    cmds:
-      - go build -o scm-engine .
 
   test:
     desc: Run tests

Taskfile.yml

@@ -32,22 +32,22 @@ func Evaluate(cCtx *cli.Context) error {
 		}
 
 		for _, mr := range res {
-			if err := ProcessMR(ctx, client, cfg, mr.ID); err != nil {
+			if err := ProcessMR(ctx, client, cfg, mr.ID, nil); err != nil {
 				return err
 			}
 		}
 
 	// If the flag is set, use that for evaluation
 	case cCtx.String(FlagMergeRequestID) != "":
-		return ProcessMR(ctx, client, cfg, cCtx.String(FlagMergeRequestID))
+		return ProcessMR(ctx, client, cfg, cCtx.String(FlagMergeRequestID), nil)
 
 	// If no flag is set, we require arguments
 	case cCtx.Args().Len() == 0:
 		return fmt.Errorf("Missing required argument: %s", FlagMergeRequestID)
 
 	default:
 		for _, mr := range cCtx.Args().Slice() {
-			if err := ProcessMR(ctx, client, cfg, mr); err != nil {
+			if err := ProcessMR(ctx, client, cfg, mr, nil); err != nil {
 				return err
 			}
 		}