Updated workflow files to current templig state.

Signed-off-by: Alexander Adam <alphaone23@gmail.com>

Author: AlphaOne1

.github/workflows/compliance.yml

@@ -19,31 +19,12 @@ permissions:
     contents: read
 
 jobs:
-    REUSE:
-        runs-on: ubuntu-latest
-        steps:
-          - name: Harden Runner
-            uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
-            with:
-                egress-policy: audit
-
-          - name: Checkout
-            uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-            with:
-                fetch-depth: 1
-
-          - name: REUSE Compliance Check
-            uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 #v6.0.0
-
-    CheckSignedOffCommit:
-        if: >
-            github.event_name == 'push' &&
-            !contains(github.actor, '[bot]') &&
-            !contains(github.event.pusher.name, '[bot]') &&
-            github.event.pusher.name != 'web-flow'
+    CheckSignedOff:
+        if: github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'bypass-dco')
         runs-on: ubuntu-latest
         permissions:
             contents: read
+            pull-requests: read
         steps:
           - name: Harden Runner
             uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
@@ -56,7 +37,11 @@ jobs:
                 fetch-depth: 0
 
           - name: Determine pushed commits
-            id: range
+            if: >
+                github.event_name == 'push' &&
+                !contains(github.actor, '[bot]') &&
+                !contains(github.event.pusher.name, '[bot]') &&
+                github.event.pusher.name != 'web-flow'
             env:
                 # Use GitHub-provided SHAs to build the range for this push
                 BEFORE: ${{ github.event.before }}
@@ -72,10 +57,25 @@ jobs:
                     git rev-list --no-merges "$BEFORE".."$AFTER" > shas.txt
                 fi
 
+          - name: Get PR commits
+            if: github.event_name == 'pull_request'
+            env:
+                GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            run: |
+                set -euo pipefail
+                
+                # Fetch all commits of the PR with pagination and extract SHAs
+                gh api -H "Accept: application/vnd.github+json" --paginate \
+                    repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
+                    | jq -r '.[].sha' > shas.txt
+
           - name: Check for Signed-off-by
             env:
                 GH_ACTOR: ${{ github.actor }}
-                GH_NAME: ${{ github.event.pusher.name }}
+                GH_NAME: ${{ github.event.name == 'push' && github.event.pusher.name
+                                                         || github.event.pull_request.user.login }}
+                GH_NAME_SOURCE: ${{ github.event_name == 'push' && 'github.event.pusher.name'
+                                                                || 'github.event.pull_request.user.login' }}
             run: |
                 set -euo pipefail
                 missing=""
@@ -102,27 +102,51 @@ jobs:
                         echo "Commit $sha missing Signed-off-by"
                         missing="true"
 
-                        echo "Committer name:           $committer_name"
-                        echo "Committer email:          $committer_email"
-                        echo "github.actor:             $GH_ACTOR"
-                        echo "github.event.pusher.name: $GH_NAME"
+                        printf "%-38s %s" "Committer name:"  "$committer_name"
+                        printf "%-38s %s" "Committer email:" "$committer_email"
+                        printf "%-38s %s" "github.actor:"    "$GH_ACTOR"
+                        printf "%-38s %s" "$GH_NAME_SOURCE:" "$GH_NAME"
                     fi
                 done < shas.txt
 
                 if [ "$missing" = "true" ]
                 then
-                    echo "DCO check failed on push"
+                    echo "DCO check failed for commits"
                     exit 1
                 fi
 
-                echo "All pushed commits are signed"
+                echo "All commits are signed"
+
+    FormatCheck:
+        strategy:
+            matrix:
+                go-version:
+                  - "stable"
+        runs-on: ubuntu-latest
+        steps:
+          - name: Harden Runner
+            uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+            with:
+                egress-policy: audit
+
+          - name: Install Go
+            uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+            with:
+                go-version: ${{matrix.go-version}}
+
+          - name: Checkout
+            uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+            with:
+                fetch-depth: 1
+
+          - name: FormatCheck
+            run: if [ `go fmt ./... | wc -l` -gt 0 ] ; then echo "Found unformatted code" ; exit 1 ; else exit 0 ; fi
 
-    CheckSignedOffPullRequest:
-        if: github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'bypass-dco')
+    GolangCI:
         runs-on: ubuntu-latest
         permissions:
             contents: read
-            pull-requests: read
+            security-events: write
         steps:
           - name: Harden Runner
             uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
@@ -132,61 +156,61 @@ jobs:
           - name: Checkout
             uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
             with:
-                fetch-depth: 0
+                fetch-depth: 1
 
-          - name: Get PR commits
-            env:
-                GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-            run: |
-                set -euo pipefail
-                gh --version
-                jq --version
+          - name: Run golangci-lint
+            uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+            with:
+                version: latest
+                args: --timeout=5m --output.sarif.path=golangci-lint-results.sarif --output.text.path=stdout
 
-                # Fetch all commits of the PR with pagination and extract SHAs
-                gh api -H "Accept: application/vnd.github+json" --paginate \
-                    repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
-                    | jq -r '.[].sha' > shas.txt
+          - name: Upload golangci-lint results to GitHub Security tab
+            uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+            with:
+                sarif_file: golangci-lint-results.sarif
 
-          - name: Check for Signed-off-by
-            env:
-                GH_ACTOR: ${{ github.actor }}
-                GH_NAME: ${{ github.event.pull_request.user.login}}
-            run: |
-                set -euo pipefail
-                missing=""
+    REUSE:
+        runs-on: ubuntu-latest
+        steps:
+          - name: Harden Runner
+            uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+            with:
+                egress-policy: audit
 
-                while read -r sha
-                do
-                    [ -n "$sha" ] || continue
+          - name: Checkout
+            uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+            with:
+                fetch-depth: 1
 
-                    # Skip commits from bots
-                    committer_name=`git log --format=%cn -n 1 "$sha"`
-                    committer_email=`git log --format=%ce -n 1 "$sha"`
-                    if    echo "$committer_name" | grep -Fq '[bot]' \
-                       || [ "$committer_name" = "web-flow" ]        \
-                       || echo "$committer_email" | grep -Eqi 'noreply@github\.com$|@users\.noreply\.github\.com$'
-                    then
-                        echo "Skipping commit $sha from $committer_name <$committer_email>"
-                        continue
-                    fi
+          - name: REUSE Compliance Check
+            uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 #v6.0.0
 
-                    msg=`git log --format=%B -n 1 "$sha"`
+    StaticCheck:
+        strategy:
+            matrix:
+                go-version:
+                  - "stable"
+        runs-on: ubuntu-latest
+        steps:
+          - name: Harden Runner
+            uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+            with:
+                egress-policy: audit
 
-                    if ! printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:'
-                    then
-                        echo "Commit $sha missing Signed-off-by"
-                        missing="true"
+          - name: Install Go
+            uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+            with:
+                go-version: ${{matrix.go-version}}
 
-                        echo "Committer name:                       $committer_name"
-                        echo "Committer email:                      $committer_email"
-                        echo "github.actor:                         $GH_ACTOR"
-                        echo "github.event.pull_request.user.login: $GH_NAME"
-                    fi
-                done < shas.txt
+          - name: Checkout
+            uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+            with:
+                fetch-depth: 1
 
-                if [ "$missing" = "true" ]
-                then
-                    echo "DCO check failed"; exit 1
-                fi
+          - name: StaticCheck
+            uses: dominikh/staticcheck-action@9716614d4101e79b4340dd97b10e54d68234e431 # v1.4.1
+            with:
+                version: latest
+                install-go: false
+                cache-key: ${{matrix.go-version}}
 
-                echo "All commits are signed"

.github/workflows/scorecard.yml

@@ -15,7 +15,8 @@ on:
     schedule:
       - cron: '36 3 * * 2'
     push:
-        branches: [ "master" ]
+        branches:
+          -  "master"
 
 # Declare default permissions as read-only.
 permissions: read-all

.github/workflows/security.yml

@@ -15,37 +15,10 @@ on:
 permissions: read-all
 
 jobs:
-    GolangCI:
-        runs-on: ubuntu-latest
-        permissions:
-            contents:        read
-            security-events: write
-        steps:
-          - name: Harden Runner
-            uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
-            with:
-                egress-policy: audit
-
-          - name: Checkout
-            uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-            with:
-                fetch-depth: 1
-
-          - name: Run golangci-lint
-            uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
-            with:
-                version: latest
-                args:    --timeout=5m --output.sarif.path=golangci-lint-results.sarif --output.text.path=stdout
-
-          - name: Upload golangci-lint results to GitHub Security tab
-            uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
-            with:
-                sarif_file: golangci-lint-results.sarif
-
     TrivyCode:
         runs-on: ubuntu-latest
         permissions:
-            contents:        read
+            contents: read
             security-events: write
         steps:
           - name: Harden Runner
@@ -59,11 +32,11 @@ jobs:
           - name: Run Trivy vulnerability scanner in fs mode
             uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0
             with:
-                scan-type:      'fs'
+                scan-type: 'fs'
                 ignore-unfixed: true
-                format:         'sarif'
-                output:         'trivy-results.sarif'
-                severity:       'CRITICAL,HIGH'
+                format: 'sarif'
+                output: 'trivy-results.sarif'
+                severity: 'CRITICAL,HIGH'
 
           - name: Upload Trivy scan results to GitHub Security tab
             uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
@@ -77,7 +50,7 @@ jobs:
                   - "stable"
         runs-on: ubuntu-latest
         permissions:
-            contents:        read
+            contents: read
             security-events: write
         steps:
           - name: Harden Runner
@@ -89,8 +62,8 @@ jobs:
             uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
             with:
                 go-version-input: ${{matrix.go-version}}
-                output-format:    sarif
-                output-file:      govulncheck-results.sarif
+                output-format: sarif
+                output-file: govulncheck-results.sarif
 
           - name: Print Sarif
             id: printSarif

.github/workflows/test.yml

@@ -15,60 +15,6 @@ on:
 permissions: read-all
 
 jobs:
-    FormatCheck:
-        strategy:
-            matrix:
-                go-version:
-                  - "stable"
-        runs-on: ubuntu-latest
-        steps:
-          - name: Harden Runner
-            uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
-            with:
-                egress-policy: audit
-
-          - name: Install Go
-            uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-            with:
-                go-version: ${{matrix.go-version}}
-
-          - name: Checkout
-            uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-            with:
-                fetch-depth: 1
-
-          - name: FormatCheck
-            run: if [ `go fmt ./... | wc -l` -gt 0 ] ; then echo "Found unformatted code" ; exit 1 ; else exit 0 ; fi
-
-    StaticCheck:
-        strategy:
-            matrix:
-                go-version:
-                  - "stable"
-        runs-on: ubuntu-latest
-        steps:
-          - name: Harden Runner
-            uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
-            with:
-                egress-policy: audit
-
-          - name: Install Go
-            uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-            with:
-                go-version: ${{matrix.go-version}}
-
-          - name: Checkout
-            uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-            with:
-                fetch-depth: 1
-
-          - name: StaticCheck
-            uses: dominikh/staticcheck-action@9716614d4101e79b4340dd97b10e54d68234e431 # v1.4.1
-            with:
-                version: latest
-                install-go: false
-                cache-key: ${{matrix.go-version}}
-
     Test:
         strategy:
             matrix:

.golangci.yaml

@@ -15,6 +15,7 @@ linters:
 
     disable:
       - exhaustruct
+      - gomodguard
       - noinlineerr
       - nonamedreturns
       - wsl