
Commit e58910c

Harden go tools supplychain (#420)
1 parent d83e2d0 commit e58910c

3 files changed

Lines changed: 660 additions & 51 deletions


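--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -10,38 +10,29 @@ tasks:
 ci:
 desc: Workflow to run in CI
 cmds:
-- task: install-gofumpt
-- task: install-golangci-lint
 - task: lint
 - task: test
 
 lint:
 desc: Formatting and linting
 dir: "{{.SRC_DIR}}"
 cmds:
-- test -z "$(gofumpt -d -e . | tee /dev/stderr)"
+- test -z "$(go tool gofumpt -d -e . | tee /dev/stderr)"
 - go vet ./...
-- golangci-lint run
+- go tool golangci-lint run
 
 fix:
 desc: Fix formatting, linting, go.mod, and update submodule
 dir: "{{.SRC_DIR}}"
 cmds:
 - task: update-opslevel-go
-- gofumpt -w .
+- go tool gofumpt -w .
 - go mod tidy
-- golangci-lint run --fix
+- go tool golangci-lint run --fix
 
 setup:
 desc: Setup linter, formatter, etc. for local testing and CI
 cmds:
-- cmd: echo "Installing development tools..."
-silent: true
-- task: install-changie
-- task: install-gofumpt
-- task: install-golangci-lint
-- cmd: echo "Development tools installed!"
-silent: true
 - task: workspace
 
 test:
@@ -79,41 +70,3 @@ tasks:
 - go work use . submodules/opslevel-go
 - cmd: echo "opslevel-go workspace ready!"
 silent: true
-
-# internal (not directly called) tasks
-
-go-install-tool:
-desc: go install '{{.GO_TOOL}}' and set GOBIN if not set
-internal: true
-silent: true
-vars:
-IS_TOOL_INSTALLED:
-sh: which {{.GO_TOOL}} > /dev/null || echo "1"
-cmds:
-- test -z "{{.IS_TOOL_INSTALLED}}" || echo "Installing {{.GO_TOOL}}..."
-- test -z "{{.IS_TOOL_INSTALLED}}" || go install {{.GO_TOOL_PATH}}
-- test -n $(go env GOBIN) || go env -w GOBIN=$(go env GOPATH)/bin
-- echo " '{{.GO_TOOL}}' is installed."
-requires:
-vars: [GO_TOOL, GO_TOOL_PATH]
-
-install-changie:
-desc: go install "changie"
-internal: true
-cmds:
-- task: go-install-tool
-vars: { GO_TOOL: "changie", GO_TOOL_PATH: "github.com/miniscruff/changie@latest" }
-
-install-gofumpt:
-desc: go install "gofumpt"
-internal: true
-cmds:
-- task: go-install-tool
-vars: { GO_TOOL: "gofumpt", GO_TOOL_PATH: "mvdan.cc/gofumpt@latest" }
-
-install-golangci-lint:
-desc: go install "golangci-lint"
-internal: true
-cmds:
-- task: go-install-tool
-vars: { GO_TOOL: "golangci-lint", GO_TOOL_PATH: "github.com/golangci/golangci-lint/cmd/golangci-lint@latest" }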
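Review bot: The `setup` task keeps the description `Setup linter, formatter, etc. for local testing and CI`, but after this change its only command is `- task: workspace`, so the desc no longer describes what runs. I would reword it to `desc: Prepare the Go workspace (linters and formatters run via "go tool")`. changie is also no longer installed onto PATH and no task in the visible hunks invokes it, so a comment above `setup` noting that it is now run as `go tool changie` from the directory holding go.mod would save contributors a failed command. Since `go tool` builds the pinned tools from source on first use, the pins only hold if CI leaves module verification at its defaults (no `-mod=mod`, no checksum-database bypass); that configuration is outside this hunk, so worth confirming.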

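--- a/src/go.mod
+++ b/src/go.mod
@@ -26,19 +26,75 @@ require (
 )
 
 require (
+4d63.com/gocheckcompilerdirectives v1.3.0 // indirect
+4d63.com/gochecknoglobals v0.2.2 // indirect
 dario.cat/mergo v1.0.2 // indirect
+github.com/4meepo/tagalign v1.4.2 // indirect
+github.com/Abirdcfly/dupword v0.1.3 // indirect
+github.com/Antonboom/errname v1.0.0 // indirect
+github.com/Antonboom/nilnil v1.0.1 // indirect
+github.com/Antonboom/testifylint v1.5.2 // indirect
+github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c // indirect
+github.com/Crocmagnon/fatcontext v0.7.1 // indirect
+github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect
+github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1 // indirect
+github.com/Masterminds/goutils v1.1.1 // indirect
+github.com/Masterminds/semver/v3 v3.3.1 // indirect
+github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 github.com/Microsoft/go-winio v0.6.2 // indirect
+github.com/OpenPeeDeeP/depguard/v2 v2.2.1 // indirect
 github.com/ProtonMail/go-crypto v1.3.0 // indirect
 github.com/agnivade/levenshtein v1.2.1 // indirect
+github.com/alecthomas/go-check-sumtype v0.3.1 // indirect
+github.com/alexkohler/nakedret/v2 v2.0.5 // indirect
+github.com/alexkohler/prealloc v1.0.0 // indirect
+github.com/alingse/asasalint v0.0.11 // indirect
+github.com/alingse/nilnesserr v0.1.2 // indirect
+github.com/ashanbrown/forbidigo v1.6.0 // indirect
+github.com/ashanbrown/makezero v1.2.0 // indirect
+github.com/atotto/clipboard v0.1.4 // indirect
+github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+github.com/bahlo/generic-list-go v0.2.0 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
+github.com/bkielbasa/cyclop v1.2.3 // indirect
+github.com/blizzy78/varnamelen v0.8.0 // indirect
+github.com/bombsimon/wsl/v4 v4.5.0 // indirect
+github.com/breml/bidichk v0.3.2 // indirect
+github.com/breml/errchkjson v0.4.0 // indirect
+github.com/buger/jsonparser v1.1.1 // indirect
+github.com/butuzov/ireturn v0.3.1 // indirect
+github.com/butuzov/mirror v1.3.0 // indirect
+github.com/catenacyber/perfsprint v0.8.2 // indirect
+github.com/ccojocar/zxcvbn-go v1.0.2 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
+github.com/charithe/durationcheck v0.0.10 // indirect
+github.com/charmbracelet/bubbles v0.16.1 // indirect
+github.com/charmbracelet/bubbletea v0.24.2 // indirect
+github.com/charmbracelet/lipgloss v0.9.1 // indirect
+github.com/chavacava/garif v0.1.0 // indirect
 github.com/chzyer/readline v1.5.1 // indirect
+github.com/ckaznocha/intrange v0.3.0 // indirect
 github.com/cloudflare/circl v1.6.1 // indirect
 github.com/coder/websocket v1.8.13 // indirect
+github.com/containerd/console v1.0.4-0.20230313162750-1ae8d489ac81 // indirect
+github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
+github.com/cqroot/multichoose v0.1.1 // indirect
+github.com/cqroot/prompt v0.9.3 // indirect
+github.com/curioswitch/go-reassign v0.3.0 // indirect
 github.com/cyphar/filepath-securejoin v0.4.1 // indirect
+github.com/daixiang0/gci v0.13.5 // indirect
+github.com/davecgh/go-spew v1.1.1 // indirect
+github.com/denis-tingaikin/go-header v0.5.0 // indirect
 github.com/emirpasic/gods v1.18.1 // indirect
+github.com/ettle/strcase v0.2.0 // indirect
+github.com/fatih/color v1.18.0 // indirect
+github.com/fatih/structtag v1.2.0 // indirect
+github.com/firefart/nonamedreturns v1.0.5 // indirect
 github.com/fsnotify/fsnotify v1.9.0 // indirect
+github.com/fzipp/gocyclo v0.6.0 // indirect
 github.com/gabriel-vasile/mimetype v1.4.9 // indirect
+github.com/ghostiam/protogetter v0.3.9 // indirect
+github.com/go-critic/go-critic v0.12.0 // indirect
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 github.com/go-git/go-billy/v5 v5.6.2 // indirect
 github.com/go-ini/ini v1.67.0 // indirect
@@ -47,56 +103,188 @@ require (
 github.com/go-playground/locales v0.14.1 // indirect
 github.com/go-playground/universal-translator v0.18.1 // indirect
 github.com/go-playground/validator/v10 v10.27.0 // indirect
+github.com/go-toolsmith/astcast v1.1.0 // indirect
+github.com/go-toolsmith/astcopy v1.1.0 // indirect
+github.com/go-toolsmith/astequal v1.2.0 // indirect
+github.com/go-toolsmith/astfmt v1.1.0 // indirect
+github.com/go-toolsmith/astp v1.1.0 // indirect
+github.com/go-toolsmith/strparse v1.1.0 // indirect
+github.com/go-toolsmith/typep v1.1.0 // indirect
 github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+github.com/go-xmlfmt/xmlfmt v1.1.3 // indirect
 github.com/gobwas/glob v0.2.3 // indirect
+github.com/gofrs/flock v0.12.1 // indirect
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
+github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32 // indirect
+github.com/golangci/go-printf-func-name v0.1.0 // indirect
+github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d // indirect
+github.com/golangci/golangci-lint v1.64.8 // indirect
+github.com/golangci/misspell v0.6.0 // indirect
+github.com/golangci/plugin-module-register v0.1.1 // indirect
+github.com/golangci/revgrep v0.8.0 // indirect
+github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed // indirect
+github.com/google/go-cmp v0.7.0 // indirect
 github.com/google/uuid v1.6.0 // indirect
+github.com/gordonklaus/ineffassign v0.1.0 // indirect
 github.com/gosimple/unidecode v1.0.1 // indirect
+github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
+github.com/gostaticanalysis/comment v1.5.0 // indirect
+github.com/gostaticanalysis/forcetypeassert v0.2.0 // indirect
+github.com/gostaticanalysis/nilerr v0.1.1 // indirect
+github.com/hashicorp/go-immutable-radix/v2 v2.1.0 // indirect
+github.com/hashicorp/go-version v1.7.0 // indirect
+github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 github.com/hasura/go-graphql-client v0.14.4 // indirect
+github.com/hexops/gotextdiff v1.0.3 // indirect
+github.com/huandu/xstrings v1.5.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
+github.com/invopop/jsonschema v0.13.0 // indirect
 github.com/itchyny/timefmt-go v0.1.6 // indirect
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+github.com/jgautheron/goconst v1.7.1 // indirect
+github.com/jingyugao/rowserrcheck v1.1.1 // indirect
+github.com/jjti/go-spancheck v0.6.4 // indirect
+github.com/julz/importas v0.2.0 // indirect
+github.com/karamaru-alpha/copyloopvar v1.2.1 // indirect
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 github.com/kevinburke/ssh_config v1.4.0 // indirect
+github.com/kisielk/errcheck v1.9.0 // indirect
+github.com/kkHAIKE/contextcheck v1.1.6 // indirect
+github.com/kulti/thelper v0.6.3 // indirect
+github.com/kunwardeep/paralleltest v1.0.10 // indirect
+github.com/lasiar/canonicalheader v1.1.2 // indirect
+github.com/ldez/exptostd v0.4.2 // indirect
+github.com/ldez/gomoddirectives v0.6.1 // indirect
+github.com/ldez/grignotin v0.9.0 // indirect
+github.com/ldez/tagliatelle v0.7.1 // indirect
+github.com/ldez/usetesting v0.4.2 // indirect
 github.com/leodido/go-urn v1.4.0 // indirect
+github.com/leonklingele/grouper v1.1.2 // indirect
+github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+github.com/macabu/inamedparam v0.1.3 // indirect
+github.com/mailru/easyjson v0.7.7 // indirect
+github.com/maratori/testableexamples v1.0.0 // indirect
+github.com/maratori/testpackage v1.1.1 // indirect
+github.com/matoous/godox v1.1.0 // indirect
 github.com/mattn/go-colorable v0.1.14 // indirect
 github.com/mattn/go-isatty v0.0.20 // indirect
+github.com/mattn/go-localereader v0.0.1 // indirect
+github.com/mattn/go-runewidth v0.0.16 // indirect
+github.com/mgechev/revive v1.7.0 // indirect
+github.com/miniscruff/changie v1.22.0 // indirect
+github.com/mitchellh/copystructure v1.2.0 // indirect
+github.com/mitchellh/go-homedir v1.1.0 // indirect
+github.com/mitchellh/reflectwalk v1.0.2 // indirect
+github.com/moricho/tparallel v0.3.2 // indirect
+github.com/muesli/ansi v0.0.0-20211018074035-2e021307bc4b // indirect
+github.com/muesli/cancelreader v0.2.2 // indirect
+github.com/muesli/reflow v0.3.0 // indirect
+github.com/muesli/termenv v0.15.2 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+github.com/nakabonne/nestif v0.3.1 // indirect
+github.com/nishanths/exhaustive v0.12.0 // indirect
+github.com/nishanths/predeclared v0.2.2 // indirect
+github.com/nunnatsa/ginkgolinter v0.19.1 // indirect
+github.com/olekukonko/tablewriter v0.0.5 // indirect
 github.com/opslevel/moredefaults v0.0.0-20240529152742-17d1318a3c12 // indirect
 github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 github.com/pjbgf/sha1cd v0.4.0 // indirect
 github.com/pkg/errors v0.9.1 // indirect
+github.com/pmezard/go-difflib v1.0.0 // indirect
+github.com/polyfloyd/go-errorlint v1.7.1 // indirect
 github.com/prometheus/client_golang v1.23.0 // indirect
 github.com/prometheus/client_model v0.6.2 // indirect
 github.com/prometheus/common v0.65.0 // indirect
 github.com/prometheus/procfs v0.17.0 // indirect
+github.com/quasilyte/go-ruleguard v0.4.3-0.20240823090925-0fe6f58b47b1 // indirect
+github.com/quasilyte/go-ruleguard/dsl v0.3.22 // indirect
+github.com/quasilyte/gogrep v0.5.0 // indirect
+github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect
+github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect
+github.com/raeperd/recvcheck v0.2.0 // indirect
 github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect
+github.com/rivo/uniseg v0.4.7 // indirect
+github.com/rogpeppe/go-internal v1.14.1 // indirect
+github.com/russross/blackfriday/v2 v2.1.0 // indirect
+github.com/ryancurrah/gomodguard v1.3.5 // indirect
+github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
 github.com/sagikazarmark/locafero v0.10.0 // indirect
+github.com/sanposhiho/wastedassign/v2 v2.1.0 // indirect
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 // indirect
+github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
+github.com/sashamelentyev/usestdlibvars v1.28.0 // indirect
+github.com/securego/gosec/v2 v2.22.2 // indirect
 github.com/sergi/go-diff v1.4.0 // indirect
+github.com/shopspring/decimal v1.4.0 // indirect
 github.com/sirupsen/logrus v1.9.3 // indirect
+github.com/sivchari/containedctx v1.0.3 // indirect
+github.com/sivchari/tenv v1.12.1 // indirect
 github.com/skeema/knownhosts v1.3.1 // indirect
+github.com/sonatard/noctx v0.1.0 // indirect
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
+github.com/sourcegraph/go-diff v0.7.0 // indirect
 github.com/spf13/afero v1.14.0 // indirect
 github.com/spf13/cast v1.9.2 // indirect
+github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
+github.com/stbenjam/no-sprintf-host-port v0.2.0 // indirect
+github.com/stretchr/objx v0.5.2 // indirect
+github.com/stretchr/testify v1.10.0 // indirect
 github.com/subosito/gotenv v1.6.0 // indirect
 github.com/tchap/go-patricia/v2 v2.3.3 // indirect
+github.com/tdakkota/asciicheck v0.4.1 // indirect
+github.com/tetafro/godot v1.5.0 // indirect
+github.com/timakin/bodyclose v0.0.0-20241017074812-ed6a65f985e3 // indirect
+github.com/timonwong/loggercheck v0.10.1 // indirect
+github.com/tomarrell/wrapcheck/v2 v2.10.0 // indirect
+github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
+github.com/ultraware/funlen v0.2.0 // indirect
+github.com/ultraware/whitespace v0.2.0 // indirect
+github.com/uudashr/gocognit v1.2.0 // indirect
+github.com/uudashr/iface v1.3.1 // indirect
 github.com/vektah/gqlparser/v2 v2.5.30 // indirect
+github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
 github.com/xanzy/ssh-agent v0.3.3 // indirect
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+github.com/xen0n/gosmopolitan v1.2.2 // indirect
+github.com/yagipy/maintidx v1.0.0 // indirect
 github.com/yashtewari/glob-intersection v0.2.0 // indirect
+github.com/yeya24/promlinter v0.3.0 // indirect
+github.com/ykadowak/zerologlint v0.1.5 // indirect
+gitlab.com/bosi/decorder v0.4.2 // indirect
+go-simpler.org/musttag v0.13.0 // indirect
+go-simpler.org/sloglint v0.9.0 // indirect
 go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 go.opentelemetry.io/otel v1.37.0 // indirect
 go.opentelemetry.io/otel/metric v1.37.0 // indirect
 go.opentelemetry.io/otel/sdk v1.37.0 // indirect
 go.opentelemetry.io/otel/trace v1.37.0 // indirect
+go.uber.org/atomic v1.9.0 // indirect
+go.uber.org/automaxprocs v1.6.0 // indirect
+go.uber.org/multierr v1.9.0 // indirect
+go.uber.org/zap v1.24.0 // indirect
 go.yaml.in/yaml/v2 v2.4.2 // indirect
 golang.org/x/crypto v0.41.0 // indirect
+golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac // indirect
+golang.org/x/mod v0.27.0 // indirect
 golang.org/x/net v0.43.0 // indirect
+golang.org/x/sync v0.16.0 // indirect
 golang.org/x/sys v0.35.0 // indirect
+golang.org/x/term v0.34.0 // indirect
 golang.org/x/text v0.28.0 // indirect
+golang.org/x/tools v0.36.0 // indirect
 google.golang.org/protobuf v1.36.8 // indirect
 gopkg.in/warnings.v0 v0.1.2 // indirect
+honnef.co/go/tools v0.6.1 // indirect
+mvdan.cc/gofumpt v0.8.0 // indirect
+mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f // indirect
 sigs.k8s.io/yaml v1.6.0 // indirect
 )
 
 replace github.com/opslevel/opslevel-go/v2025 => ./submodules/opslevel-go
+
+tool (
+github.com/golangci/golangci-lint/cmd/golangci-lint
+github.com/miniscruff/changie
+mvdan.cc/gofumpt
+)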
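Review bot: Declaring the `tool (...)` block in src/go.mod places every linter and changelog-tool requirement in the same module graph as the shipped code, so minimal version selection now resolves product and tool dependencies together. No existing requirement changes version in these two hunks, but a later tool upgrade could raise a library the product links (for example the `golang.org/x/*` modules that both sides need), and dependency scanners will report findings for packages that never reach the binary. The pinning can be kept while isolating the graph by moving the directive into a dedicated module file and running the tools against it, e.g. `go tool -modfile=<tools-dir>/go.mod golangci-lint run` (the path is a placeholder). The `tool` directive also needs a Go 1.24 or newer toolchain; the `go` line of this file is outside the hunks, so that should be confirmed.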
