From 4c126258d666fe00560bf0c4cc9d15d1125d9854 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 2 Apr 2026 15:43:01 +0000 Subject: [PATCH 1/2] Bump actions/setup-go from 6.3.0 to 6.4.0 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6.3.0 to 6.4.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/4b73464bb391d4059bd26b0524d20df3927bd417...4a3601121dd01d1626a1e23e37211e3254c1c06c) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/test.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 07dc615..b5258b9 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -29,7 +29,7 @@ jobs: fetch-depth: 1 - name: Install Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: go.mod check-latest: true @@ -52,7 +52,7 @@ jobs: - name: Install Go id: install_go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: stable check-latest: true @@ -78,7 +78,7 @@ jobs: fetch-depth: 1 - name: Install Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: go.mod check-latest: true 
@@ -116,7 +116,7 @@ jobs: # fetch-depth: 1 # # - name: Install Go -# uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 +# uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 # with: # go-version-file: go.mod # check-latest: true From ace275d21e913fd30240323763e7d67972516fca Mon Sep 17 00:00:00 2001 From: Alexander Adam Date: Sat, 4 Apr 2026 01:48:31 +0200 Subject: [PATCH 2/2] Refactor GitHub workflows to use reusable environment variables, improve release asset handling, and enhance documentation with security and compliance updates. Signed-off-by: Alexander Adam --- .github/workflows/codeql.yml | 2 +- .github/workflows/compliance.yml | 30 ++++++++++++++++++------------ .github/workflows/release.yml | 18 +++++++++++------- .github/workflows/scorecard.yml | 8 ++++---- CONTRIBUTING.md | 25 +++++++++++++++++++++++++ GOVERNANCE.md | 31 +++++++++++++++++++++++++++++++ README.md | 30 ++++++++++++++++++++++++++++++ 7 files changed, 120 insertions(+), 24 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9dbc887..0eb216a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -24,7 +24,7 @@ on: schedule: - cron: '28 4 * * 2' -# Declare default permissions as read only. +# Declare default permissions as read-only. permissions: read-all jobs: diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml index 3769011..8ddde22 100644 --- a/.github/workflows/compliance.yml +++ b/.github/workflows/compliance.yml 
@@ -57,13 +57,13 @@ jobs: - name: Determine pushed commits id: range + env: + # Use GitHub-provided SHAs to build the range for this push + BEFORE: ${{ github.event.before }} + AFTER: ${{ github.sha }} run: | set -euo pipefail - # Use GitHub-provided SHAs to build the range for this push - BEFORE="${{ github.event.before }}" - AFTER="${{ github.sha }}" - if [ "$BEFORE" = "0000000000000000000000000000000000000000" ] then # New branch or force push without previous SHA @@ -73,6 +73,9 @@ jobs: fi - name: Check for Signed-off-by + env: + GH_ACTOR: ${{ github.actor }} + GH_NAME: ${{ github.event.pusher.name }} run: | set -euo pipefail missing="" @@ -101,8 +104,8 @@ jobs: echo "Committer name: $committer_name" echo "Committer email: $committer_email" - echo "github.actor: ${{ github.actor }}" - echo "github.event.pusher.name: ${{ github.event.pusher.name }}" + echo "github.actor: $GH_ACTOR" + echo "github.event.pusher.name: $GH_NAME" fi done < shas.txt @@ -141,10 +144,13 @@ jobs: # Fetch all commits of the PR with pagination and extract SHAs gh api -H "Accept: application/vnd.github+json" --paginate \ - repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \ - | jq -r '.[].sha' > shas.txt + repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \ + | jq -r '.[].sha' > shas.txt - name: Check for Signed-off-by + env: + GH_ACTOR: ${{ github.actor }} + GH_NAME: ${{ github.event.pull_request.user.login}} run: | set -euo pipefail missing="" @@ -171,10 +177,10 @@ jobs: echo "Commit $sha missing Signed-off-by" missing="true" - echo "Committer name: $committer_name" - echo "Committer email: $committer_email" - echo "github.actor: ${{ github.actor }}" - echo "github.event.pusher.name: ${{ github.event.pusher.name }}" + echo "Committer name: $committer_name" + echo "Committer email: $committer_email" + echo "github.actor: $GH_ACTOR" + echo "github.event.pull_request.user.login: $GH_NAME" fi done < shas.txt 
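Review bot: The PR-side "Fetch all commits" step still interpolates `${{ github.repository }}` and `${{ github.event.pull_request.number }}` straight into the `gh api` command line, while every other expression in this file has just been moved into `env:`; those two values are forge-controlled (an owner/repo slug and an integer), so the injection risk is low, but for consistency pass them the same way: `GH_REPO: ${{ github.repository }}` and `PR_NUMBER: ${{ github.event.pull_request.number }}` under `env:`, then `repos/$GH_REPO/pulls/$PR_NUMBER/commits`. Minor: `GH_NAME: ${{ github.event.pull_request.user.login}}` lacks the space before `}}`; it evaluates correctly but differs from the surrounding style. The `run:` scripts that read these variables start and end outside the hunk, so I could only confirm that `$GH_ACTOR` and `$GH_NAME` are used inside double-quoted `echo` strings in the lines shown; any other use should be quoted the same way, since the login is user-chosen text. The `on:` block is not in this diff, so if the PR job is triggered by `pull_request_target` rather than `pull_request`, checking out the PR head would be a separate concern worth confirming.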
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fca72a2..df5a1be 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -33,23 +33,26 @@ jobs: - name: Generate source archive shell: bash + env: + TAG_NAME: ${{ github.event.release.tag_name }} run: | set -euo pipefail - TAG=`echo "${{ github.event.release.tag_name }}" | sed 's/\//-/g'` + TAG=`echo "$TAG_NAME" | sed 's/\//-/g'` git archive \ - --format=tar.gz \ - --prefix="geany-src-${TAG}/" \ - --output="geany-src-${TAG}.tar.gz" \ - "${{ github.event.release.tag_name }}" + --format=tar.gz \ + --prefix="geany-src-${TAG}/" \ + --output="geany-src-${TAG}.tar.gz" \ + "$TAG_NAME" - name: Upload Release (via GitHub CLI) env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + TAG_NAME: ${{ github.event.release.tag_name }} shell: bash run: | set -euo pipefail - gh release upload "${{ github.event.release.tag_name }}" geany-src-*.tar.gz --clobber + gh release upload "$TAG_NAME" geany-src-*.tar.gz --clobber ChecksumReleaseAssets: needs: Build @@ -71,13 +74,14 @@ jobs: - name: Download all release assets via GitHub CLI env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + TAG_NAME: ${{ github.event.release.tag_name }} run: | set -euo pipefail mkdir -p release-assets cd release-assets # gets all assets of the release - gh release download "${{ github.event.release.tag_name }}" --clobber + gh release download "$TAG_NAME" --clobber echo "Downloaded assets:" ls -lah diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 099dccd..eb97de5 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
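Review bot: `TAG=\`echo "$TAG_NAME" | sed 's/\//-/g'\`` keeps the legacy backtick substitution and spawns two processes for a single-character replacement; since the step declares `shell: bash`, the native expansion `TAG="${TAG_NAME//\//-}"` does the same job with no subshell and no quoting edge cases. `gh release upload "$TAG_NAME" geany-src-*.tar.gz --clobber` means a re-run of this workflow silently replaces an already-published source archive for the same tag, which deserves an explicit one-line comment above the step, e.g. `# --clobber: re-running the workflow overwrites the archive for this tag; ChecksumReleaseAssets recomputes the sums afterwards`. I can see `ChecksumReleaseAssets: needs: Build` in the hunk, but not whether the provenance-generating job is also re-run on a second execution, so that part of the comment needs confirming against the rest of the file. Both step scripts are shown in full, but the enclosing job definitions begin before the hunk.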
@@ -9,15 +9,15 @@ name: Scorecard supply-chain security on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection - branch_protection_rule: - # To guarantee Maintained check is occasionally updated. See + branch_protection_rule: {} + # To guarantee Maintained-check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - cron: '36 3 * * 2' push: branches: [ "master" ] -# Declare default permissions as read only. +# Declare default permissions as read-only. permissions: read-all jobs: @@ -25,7 +25,7 @@ jobs: name: Scorecard analysis runs-on: ubuntu-latest permissions: - # Needed to upload the results to code-scanning dashboard. + # Needed to upload the results to the code-scanning dashboard. security-events: write # Needed to publish results and get a badge (see publish_results below). id-token: write diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index e7efefa..1970226 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -133,3 +133,28 @@ flag as follows: ```shell git config --global alias.ci 'commit -s' ``` + +Trust & Compliance +------------------ + + + +### Dependency Management + +Especially when deciding to include new library dependencies, it is suggested to +first check if the desired functionality is already available in the standard +library or to be implemented with minimal effort. So far, there are no additional +runtime libraries selected. For testing purposes widely used +[testify](https://github.com/stretchr/testify) is imported. + +Dependencies are also checked by the linter and must be registered there. +Dependency updates are generally tracked by dependabot. + +Concerning the validity of obtained artifacts, *geany* relies on the +well-established Go module management. It downloads the exact version from +`go.mod` via [git](https://git-scm.org) from the original sources and validates +the check sums stored in the `go.sum` file. \ No newline at end of file diff --git a/GOVERNANCE.md b/GOVERNANCE.md index 59e2cc5..ed2077f 100644 --- a/GOVERNANCE.md +++ b/GOVERNANCE.md 
@@ -58,3 +58,34 @@ stated. The BDFL may alternatively decide to move to a Steering Committee governance model, in which case this document must be replaced with a new description of roles and responsibilities. + + +Access to Sensitive Resources +----------------------------- + +The following project members have access to sensitive resources (GitHub +Secrets, Repository Settings, Release Keys): + +* Alexander Adam (@AlphaOne1) - BDFL / Primary Maintainer + +Currently, no other contributors have administrative access to the +build infrastructure or cryptographic keys. + + +Project Continuity +------------------ + +To ensure the project's continuity, the following measures are taken: + +*GitHub Successor*: A designated successor has been appointed in the GitHub +account settings to take over repository management if the primary maintainer is +incapacitated. + + + +*Forking*: As a fallback, the MPL-2.0 license ensures that the community can +fork and continue the project at any time. \ No newline at end of file diff --git a/README.md b/README.md index 51c3d97..fe27bdf 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,18 @@

+ + Go Version + + + Latest Release + @@ -59,6 +71,12 @@ REUSE compliance + + SLSA Level 3 + @@ -117,6 +135,18 @@ To install *geany*, you can use the following command: $ go get github.com/AlphaOne1/geany ``` +Builds are secured with SLSA Level 3 provenance via slsa-framework/slsa-github-generator. +The downloaded source archive together with the provenance file `multiple.intoto.jsonl` +can be verified using the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier/) +(replace the `` with the one you actually downloaded): + +```bash +$ slsa-verifier verify-artifact geany-src-v.tar.gz \ + --provenance-path multiple.intoto.jsonl \ + --source-uri github.com/AlphaOne1/geany \ + --source-tag v +``` + Getting Started ---------------