feat: modernize CI pipelines, add Trivy scanning, update CodeQL

apham0001 · apham0001 · commit d837608ecdd8 · 2026-03-25T21:34:36.000+01:00
- Update all GitHub Actions to latest versions (v4/v5/v6)
- Fix CodeQL from deprecated v1 to v3
- Add Trivy filesystem vulnerability scanning
- Add QEMU + Buildx for multi-arch Docker builds (amd64 + arm64)
- Add GHCR as additional registry
- Add security-events permission for SARIF upload
- Update .goreleaser.yaml for multi-arch docker manifests
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -1,62 +1,35 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
 name: "CodeQL"
-
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ main ]
+    branches: [main]
   schedule:
     - cron: '0 17 * * 2'
-
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
-
+    permissions:
+      security-events: write
     strategy:
       fail-fast: false
       matrix:
-        # Override automatic language detection by changing the below list
-        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
-        language: [ 'go' ]
-        # Learn more...
-        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
-
+        language: ['go']
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
-
-      # Initializes the CodeQL tools for scanning.
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.25'
+      - name: Run go generate
+        run: go generate ./...
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
-          # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v1
-
-      # ℹ️ Command-line programs to run using the OS shell.
-      # 📚 https://git.io/JvXDl
-
-      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-      #    and modify them (or add more) to build your code if your project
-      #    uses a compiled language
-
-      #- run: |
-      #   make bootstrap
-      #   make release
-
+        uses: github/codeql-action/autobuild@v3
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -3,22 +3,20 @@ on:
   push:
   pull_request:
 jobs:
-  test:
+  lint:
     name: Run lint
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.23
+          go-version: '1.25'
       - name: Run go generate
-        run: go generate
+        run: go generate ./...
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v6
         with:
-          version: v1.62
+          version: latest
           args: -E asciicheck -E bodyclose -E dupl -E errorlint -E copyloopvar -E funlen
-          skip-pkg-cache: true
-          skip-build-cache: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,38 +3,53 @@ on:
   push:
     branches:
       - main
+    tags:
+      - 'v*'
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.23
+          go-version: '1.25'
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Login to Quay.io
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_PASSWORD }}
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Import signing key
         run: echo "${GPG_KEY}" | base64 -d | gpg --batch --import && echo "${GPG_KEY}" | base64 -d >/tmp/signing.gpg
         env:
           GPG_KEY: ${{ secrets.GPG_KEY }}
       - name: Install packages
         run: sudo apt-get install dpkg-sig rpm
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
+        uses: goreleaser/goreleaser-action@v6
         with:
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -8,12 +8,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.23
+          go-version: '1.25'
       - name: Run go generate
-        run: go generate
+        run: go generate ./...
       - name: Run go tests
         run: go test -cover -p 1 -v ./...
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,30 @@
+name: Trivy Security Scan
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'
+jobs:
+  trivy-fs:
+    name: Trivy Filesystem Scan
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Run Trivy vulnerability scanner (filesystem)
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-fs-results.sarif'
+          severity: 'CRITICAL,HIGH'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-fs-results.sarif'
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -10,6 +10,7 @@ builds:
       - windows
     goarch:
       - amd64
+      - arm64
     env:
       - CGO_ENABLED=0
 archives:
@@ -57,11 +58,48 @@ nfpms:
     bindir: /usr/bin
 dockers:
   - image_templates:
-      - "containerssh/agent:latest"
-      - "containerssh/agent:{{ .Tag }}"
-      - "quay.io/containerssh/agent:latest"
-      - "quay.io/containerssh/agent:{{ .Tag }}"
+      - "containerssh/agent:{{ .Tag }}-amd64"
+      - "quay.io/containerssh/agent:{{ .Tag }}-amd64"
+      - "ghcr.io/containerssh/agent:{{ .Tag }}-amd64"
     dockerfile: Dockerfile
+    use: buildx
+    build_flag_templates:
+      - "--platform=linux/amd64"
+    goarch: amd64
+  - image_templates:
+      - "containerssh/agent:{{ .Tag }}-arm64"
+      - "quay.io/containerssh/agent:{{ .Tag }}-arm64"
+      - "ghcr.io/containerssh/agent:{{ .Tag }}-arm64"
+    dockerfile: Dockerfile
+    use: buildx
+    build_flag_templates:
+      - "--platform=linux/arm64"
+    goarch: arm64
+docker_manifests:
+  - name_template: "containerssh/agent:{{ .Tag }}"
+    image_templates:
+      - "containerssh/agent:{{ .Tag }}-amd64"
+      - "containerssh/agent:{{ .Tag }}-arm64"
+  - name_template: "containerssh/agent:latest"
+    image_templates:
+      - "containerssh/agent:{{ .Tag }}-amd64"
+      - "containerssh/agent:{{ .Tag }}-arm64"
+  - name_template: "quay.io/containerssh/agent:{{ .Tag }}"
+    image_templates:
+      - "quay.io/containerssh/agent:{{ .Tag }}-amd64"
+      - "quay.io/containerssh/agent:{{ .Tag }}-arm64"
+  - name_template: "quay.io/containerssh/agent:latest"
+    image_templates:
+      - "quay.io/containerssh/agent:{{ .Tag }}-amd64"
+      - "quay.io/containerssh/agent:{{ .Tag }}-arm64"
+  - name_template: "ghcr.io/containerssh/agent:{{ .Tag }}"
+    image_templates:
+      - "ghcr.io/containerssh/agent:{{ .Tag }}-amd64"
+      - "ghcr.io/containerssh/agent:{{ .Tag }}-arm64"
+  - name_template: "ghcr.io/containerssh/agent:latest"
+    image_templates:
+      - "ghcr.io/containerssh/agent:{{ .Tag }}-amd64"
+      - "ghcr.io/containerssh/agent:{{ .Tag }}-arm64"
 source:
   enabled: true
   name_template: 'containerssh-agent-{{ .Version }}-source'
