Bump actions/setup-go from 6.3.0 to 6.4.0

.github/workflows/codeql.yml

@@ -24,7 +24,7 @@ on:
     schedule:
       - cron: '28 4 * * 2'
 
-# Declare default permissions as read only.
+# Declare default permissions as read-only.
 permissions: read-all
 
 jobs:

.github/workflows/compliance.yml

@@ -57,13 +57,13 @@ jobs:
 
           - name: Determine pushed commits
             id: range
+            env:
+                # Use GitHub-provided SHAs to build the range for this push
+                BEFORE: ${{ github.event.before }}
+                AFTER: ${{ github.sha }}
             run: |
                 set -euo pipefail
 
-                # Use GitHub-provided SHAs to build the range for this push
-                BEFORE="${{ github.event.before }}"
-                AFTER="${{ github.sha }}"
-
                 if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]
                 then
                     # New branch or force push without previous SHA
@@ -73,6 +73,9 @@ jobs:
                 fi
 
           - name: Check for Signed-off-by
+            env:
+                GH_ACTOR: ${{ github.actor }}
+                GH_NAME: ${{ github.event.pusher.name }}
             run: |
                 set -euo pipefail
                 missing=""
@@ -101,8 +104,8 @@ jobs:
 
                         echo "Committer name:           $committer_name"
                         echo "Committer email:          $committer_email"
-                        echo "github.actor:             ${{ github.actor }}"
-                        echo "github.event.pusher.name: ${{ github.event.pusher.name }}"
+                        echo "github.actor:             $GH_ACTOR"
+                        echo "github.event.pusher.name: $GH_NAME"
                     fi
                 done < shas.txt
 
@@ -141,10 +144,13 @@ jobs:
 
                 # Fetch all commits of the PR with pagination and extract SHAs
                 gh api -H "Accept: application/vnd.github+json" --paginate \
-                  repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
-                  | jq -r '.[].sha' > shas.txt
+                    repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
+                    | jq -r '.[].sha' > shas.txt
 
           - name: Check for Signed-off-by
+            env:
+                GH_ACTOR: ${{ github.actor }}
+                GH_NAME: ${{ github.event.pull_request.user.login}}
             run: |
                 set -euo pipefail
                 missing=""
@@ -171,10 +177,10 @@ jobs:
                         echo "Commit $sha missing Signed-off-by"
                         missing="true"
 
-                        echo "Committer name:           $committer_name"
-                        echo "Committer email:          $committer_email"
-                        echo "github.actor:             ${{ github.actor }}"
-                        echo "github.event.pusher.name: ${{ github.event.pusher.name }}"
+                        echo "Committer name:                       $committer_name"
+                        echo "Committer email:                      $committer_email"
+                        echo "github.actor:                         $GH_ACTOR"
+                        echo "github.event.pull_request.user.login: $GH_NAME"
                     fi
                 done < shas.txt
 

.github/workflows/release.yml

@@ -33,23 +33,26 @@ jobs:
 
           - name: Generate source archive
             shell: bash
+            env:
+                TAG_NAME: ${{ github.event.release.tag_name }}
             run: |
                 set -euo pipefail
 
-                TAG=`echo "${{ github.event.release.tag_name }}" | sed 's/\//-/g'`
+                TAG=`echo "$TAG_NAME" | sed 's/\//-/g'`
                 git archive \
-                  --format=tar.gz \
-                  --prefix="geany-src-${TAG}/" \
-                  --output="geany-src-${TAG}.tar.gz" \
-                  "${{ github.event.release.tag_name }}"
+                    --format=tar.gz \
+                    --prefix="geany-src-${TAG}/" \
+                    --output="geany-src-${TAG}.tar.gz" \
+                    "$TAG_NAME"
 
           - name: Upload Release (via GitHub CLI)
             env:
                 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                TAG_NAME: ${{ github.event.release.tag_name }}
             shell: bash
             run: |
                 set -euo pipefail
-                gh release upload "${{ github.event.release.tag_name }}" geany-src-*.tar.gz --clobber
+                gh release upload "$TAG_NAME" geany-src-*.tar.gz --clobber
 
     ChecksumReleaseAssets:
         needs: Build
@@ -71,13 +74,14 @@ jobs:
           - name: Download all release assets via GitHub CLI
             env:
                 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                TAG_NAME: ${{ github.event.release.tag_name }}
             run: |
                 set -euo pipefail
 
                 mkdir -p release-assets
                 cd release-assets
                 # gets all assets of the release
-                gh release download "${{ github.event.release.tag_name }}" --clobber
+                gh release download "$TAG_NAME" --clobber
                 echo "Downloaded assets:"
                 ls -lah
 

.github/workflows/scorecard.yml

@@ -9,23 +9,23 @@ name: Scorecard supply-chain security
 on:
     # For Branch-Protection check. Only the default branch is supported. See
     # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
-    branch_protection_rule:
-    # To guarantee Maintained check is occasionally updated. See
+    branch_protection_rule: {}
+    # To guarantee Maintained-check is occasionally updated. See
     # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
     schedule:
       - cron: '36 3 * * 2'
     push:
         branches: [ "master" ]
 
-# Declare default permissions as read only.
+# Declare default permissions as read-only.
 permissions: read-all
 
 jobs:
     analysis:
         name: Scorecard analysis
         runs-on: ubuntu-latest
         permissions:
-            # Needed to upload the results to code-scanning dashboard.
+            # Needed to upload the results to the code-scanning dashboard.
             security-events: write
             # Needed to publish results and get a badge (see publish_results below).
             id-token: write

.github/workflows/test.yml

@@ -29,7 +29,7 @@ jobs:
                 fetch-depth: 1
 
           - name: Install Go
-            uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+            uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
             with:
                 go-version-file: go.mod
                 check-latest: true
@@ -52,7 +52,7 @@ jobs:
 
           - name: Install Go
             id: install_go
-            uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+            uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
             with:
                 go-version: stable
                 check-latest: true
@@ -78,7 +78,7 @@ jobs:
                 fetch-depth: 1
 
           - name: Install Go
-            uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+            uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
             with:
                 go-version-file: go.mod
                 check-latest: true
@@ -116,7 +116,7 @@ jobs:
 #                fetch-depth: 1
 #
 #          - name: Install Go
-#            uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+#            uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 #            with:
 #                go-version-file: go.mod
 #                check-latest: true

CONTRIBUTING.md

@@ -133,3 +133,28 @@ flag as follows:
 ```shell
 git config --global alias.ci 'commit -s'
 ```
+
+Trust & Compliance
+------------------
+
+<!-- not yet
+*geany* is built with security in mind. For a detailed justification of its
+security design and threat model, please refer to the
+[Security Assurance Case](SECURITY_ASSURANCE.md).
+-->
+
+### Dependency Management
+
+Especially when deciding to include new library dependencies, it is suggested to
+first check if the desired functionality is already available in the standard
+library or to be implemented with minimal effort. So far, there are no additional
+runtime libraries selected. For testing purposes widely used
+[testify](https://github.com/stretchr/testify) is imported.
+
+Dependencies are also checked by the linter and must be registered there.
+Dependency updates are generally tracked by dependabot.
+
+Concerning the validity of obtained artifacts, *geany* relies on the
+well-established Go module management. It downloads the exact version from
+`go.mod` via [git](https://git-scm.org) from the original sources and validates
+the check sums stored in the `go.sum` file.

GOVERNANCE.md

@@ -58,3 +58,34 @@ stated.
 The BDFL may alternatively decide to move to a Steering Committee governance
 model, in which case this document must be replaced with a new description of
 roles and responsibilities.
+
+
+Access to Sensitive Resources
+-----------------------------
+
+The following project members have access to sensitive resources (GitHub
+Secrets, Repository Settings, Release Keys):
+
+* Alexander Adam (@AlphaOne1) - BDFL / Primary Maintainer
+
+Currently, no other contributors have administrative access to the
+build infrastructure or cryptographic keys.
+
+
+Project Continuity
+------------------
+
+To ensure the project's continuity, the following measures are taken:
+
+*GitHub Successor*: A designated successor has been appointed in the GitHub
+account settings to take over repository management if the primary maintainer is
+incapacitated.
+
+<!-- Currently this is not implemented, uncomment, if is indeed enacted:
+*Access Recovery*: Recovery keys for the repository and build infrastructure are
+stored in a secure digital vault with emergency access enabled for a trusted
+party.
+-->
+
+*Forking*: As a fallback, the MPL-2.0 license ensures that the community can
+fork and continue the project at any time.

README.md

@@ -5,6 +5,18 @@
 <!-- markdownlint-disable MD013 MD033 MD041 -->
 <p align="center">
     <!--<img src="geany_logo.svg" width="25%" alt="Logo"><br>-->
+    <a href="https://github.com/AlphaOne1/geany/blob/HEAD/go.mod"
+       rel="external noopener noreferrer"
+       target="_blank">
+        <img src="https://img.shields.io/github/go-mod/go-version/AlphaOne1/geany"
+             alt="Go Version">
+    </a>
+    <a href="https://github.com/AlphaOne1/geany/releases"
+       rel="external noopener noreferrer"
+       target="_blank">
+        <img src="https://img.shields.io/github/v/release/AlphaOne1/geany"
+             alt="Latest Release">
+    </a>
     <a href="https://github.com/AlphaOne1/geany/actions/workflows/test.yml"
        rel="external noopener noreferrer"
        target="_blank">
@@ -59,6 +71,12 @@
         <img src="https://api.reuse.software/badge/github.com/AlphaOne1/geany"
             alt="REUSE compliance">
     </a>
+    <a href="https://slsa.dev"
+       rel="external noopener noreferrer"
+       target="_blank">
+        <img src="https://slsa.dev/images/gh-badge-level3.svg"
+             alt="SLSA Level 3">
+    </a>
     <a href="https://app.fossa.com/projects/git%2Bgithub.com%2FAlphaOne1%2Fgeany?ref=badge_shield&issueType=license"
        rel="external noopener noreferrer"
        target="_blank">
@@ -117,6 +135,18 @@ To install *geany*, you can use the following command:
 $ go get github.com/AlphaOne1/geany
 ```
 
+Builds are secured with SLSA Level 3 provenance via slsa-framework/slsa-github-generator.
+The downloaded source archive together with the provenance file `multiple.intoto.jsonl`
+can be verified using the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier/)
+(replace the `<VERSION>` with the one you actually downloaded):
+
+```bash
+$ slsa-verifier verify-artifact geany-src-v<VERSION>.tar.gz \
+    --provenance-path multiple.intoto.jsonl                 \
+    --source-uri github.com/AlphaOne1/geany                 \
+    --source-tag v<VERSION>
+```
+
 
 Getting Started
 ---------------