diff --git a/.github/actions/setup-goreleaser/action.yml b/.github/actions/setup-goreleaser/action.yml
index 5d3a572..4c6ea9d 100644
--- a/.github/actions/setup-goreleaser/action.yml
+++ b/.github/actions/setup-goreleaser/action.yml
@@ -105,7 +105,7 @@ runs:
 # --------------------------------------------------------------------
 - name: ✅ Install GoReleaser (cache miss)
 if: steps.check-existing.outputs.exists != 'true' && steps.goreleaser-cache.outputs.cache-hit != 'true'
- uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7.1.0
+ uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
 with:
 distribution: goreleaser
 version: ${{ inputs.goreleaser-version }}
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 0e84b92..adf33b6 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -2,9 +2,7 @@
 # Dependabot Configuration
 #
 # Purpose:
-# • Keep Go modules, GitHub Actions and DevContainer images/features
-# base images up‑to‑date with zero‑day security patches and semantic‑version
-# upgrades.
+# • Keep GitHub Actions updated with the latest security patches and features.
 # • Reduce attack surface by limiting outdated dependencies.
 # • Minimise PR noise via smart grouping and sane pull‑request limits.
 #
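Review bot: The rewritten purpose line now says this file only keeps GitHub Actions up to date, yet the configuration still carries three `updates` entries with their own schedules (the hunks at old lines 33, 62 and 85) and the next hunk introduces a group named `gomod-all`, so the header no longer describes what the file does; the `package-ecosystem` values themselves are outside these hunks, so confirm which sources are still enabled. Either keep the scope list accurate, e.g. `# • Keep Go modules, GitHub Actions and DevContainer images/features up‑to‑date with security patches and semantic‑version upgrades.`, or remove the entries that are no longer meant to be managed. A scope comment is what the next maintainer will trust when deciding whether a dependency source is covered by automated patching.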
@@ -13,13 +11,13 @@
 # https://docs.github.com/en/code-security/dependabot/configuration-options-for-dependency-updates
 #
 # Security Hardened Defaults:
-# • Weekly cadence (Monday 09:00 America/New_York) – align with CVE dump cycle.
+# • Weekly cadence (Tuesday 11:00 America/New_York) – align with typical maintenance windows.
 # • Direct dependencies only – prevents unsolicited transitive churn.
-# • PRs labeled, assigned, and target the protected "master" branch.
+# • PRs labeled, assigned, and target the protected master branch.
 # • PR titles prefixed with chore(scope): – conventional commits.
 # • Force‑push and delete‑branch disabled via branch‑protection rules.
 # • PR limit = 10 to avoid queue flooding.
-# • All dependency PRs require passing CI + CODEOWNERS review.
+# • All dependency PRs require passing CI checks before merging.
 # ────────────────────────────────────────────────────────────────
 version: 2
@@ -33,19 +31,15 @@ updates:
 target-branch: "master"
 schedule:
 interval: "weekly"
- day: "monday"
- time: "09:00"
+ day: "tuesday"
+ time: "11:00"
 timezone: "America/New_York"
 allow:
 - dependency-type: "direct"
 groups:
- security-deps:
- patterns:
- - "*crypto*"
- - "*security*"
- - "*auth*"
- - "*jwt*"
- - "*oauth*"
+ gomod-all:
+ applies-to: version-updates
+ patterns: ["*"]
 update-types: ["minor", "patch"]
 open-pull-requests-limit: 10
 assignees: ["mrz1836"]
@@ -62,8 +56,8 @@ updates:
 target-branch: "master"
 schedule:
 interval: "weekly"
- day: "monday"
- time: "09:15"
+ day: "tuesday"
+ time: "11:15"
 timezone: "America/New_York"
 allow:
 - dependency-type: "direct"
@@ -85,8 +79,8 @@ updates:
 target-branch: "master"
 schedule:
 interval: "weekly"
- day: "monday"
- time: "09:30"
+ day: "tuesday"
+ time: "11:30"
 timezone: "America/New_York"
 allow:
 - dependency-type: "direct"
diff --git a/.github/env/10-coverage.env b/.github/env/10-coverage.env
index 93d4daf..cc18773 100644
--- a/.github/env/10-coverage.env
+++ b/.github/env/10-coverage.env
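Review bot: Replacing the `security-deps` group with `gomod-all` (`patterns: ["*"]`, minor/patch) means a bump to a crypto, auth, JWT or OAuth module now lands in the same bulk PR as every other minor/patch update, so the one signal that previously forced a focused review of security-sensitive dependencies is gone. Dependabot places a dependency in the first listed group it matches, so keeping a dedicated group ahead of the catch-all preserves that isolation, e.g. restore `security-deps:` with the original `*crypto*`/`*security*`/`*auth*`/`*jwt*`/`*oauth*` patterns and list `gomod-all` after it, so the sensitive PR stays small and reviewable. The hunk at old line 13 also rewrites the policy line to say dependency PRs need only passing CI; if CODEOWNERS review is still enforced by branch protection the comment should keep saying so, and if it is not, CI-only merging of bulk dependency PRs widens exactly the exposure the grouping change above already increases.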
@@ -32,7 +32,7 @@ GO_COVERAGE_PROVIDER=internal
 CODECOV_TOKEN_REQUIRED=false
 # Go Coverage Tool Version
-GO_COVERAGE_VERSION=v1.3.8
+GO_COVERAGE_VERSION=v1.3.9
 GO_COVERAGE_USE_LOCAL=false
 # ================================================================================================
diff --git a/.github/env/10-mage-x.env b/.github/env/10-mage-x.env
index 59eb03c..f302e65 100644
--- a/.github/env/10-mage-x.env
+++ b/.github/env/10-mage-x.env
@@ -36,7 +36,7 @@
 # ================================================================================================
 # MAGE-X version
-MAGE_X_VERSION=v1.20.15
+MAGE_X_VERSION=v1.20.16
 # For mage-x development, set to 'true' to use local version instead of downloading from releases
 MAGE_X_USE_LOCAL=false
@@ -62,7 +62,7 @@ MAGE_X_FORMAT_EXCLUDE_PATHS=vendor,node_modules,.git,.idea
 MAGE_X_GITLEAKS_VERSION=8.30.1
 MAGE_X_GOFUMPT_VERSION=v0.9.2
 MAGE_X_GOLANGCI_LINT_VERSION=v2.11.4
-MAGE_X_GORELEASER_VERSION=v2.15.3
+MAGE_X_GORELEASER_VERSION=v2.15.4
 MAGE_X_GOVULNCHECK_VERSION=v1.1.4
 MAGE_X_GO_SECONDARY_VERSION=1.24.x
 MAGE_X_GO_VERSION=1.24.x
@@ -72,7 +72,7 @@ MAGE_X_STATICCHECK_VERSION=2026.1
 MAGE_X_SWAG_VERSION=v1.16.6
 MAGE_X_YAMLFMT_VERSION=v0.21.0
 MAGE_X_BENCHSTAT_VERSION=v0.0.0-20260409210113-8e83ce0f7b1c
-MAGE_X_MAGE_VERSION=v1.17.1
+MAGE_X_MAGE_VERSION=v1.17.2
 # ================================================================================================
 # 📝 RUNTIME VARIABLES (set by setup-goreleaser action)
diff --git a/.github/env/10-pre-commit.env b/.github/env/10-pre-commit.env
index 450fb72..642ea6e 100644
--- a/.github/env/10-pre-commit.env
+++ b/.github/env/10-pre-commit.env
@@ -26,7 +26,7 @@
 # 🪝 PRE-COMMIT TOOL VERSION
 # ================================================================================================
-GO_PRE_COMMIT_VERSION=v1.8.1
+GO_PRE_COMMIT_VERSION=v1.8.2
 GO_PRE_COMMIT_USE_LOCAL=false
 # ================================================================================================
diff --git a/.github/workflows/fortress-security-scans.yml b/.github/workflows/fortress-security-scans.yml
index c65885c..98369a5 100644
--- a/.github/workflows/fortress-security-scans.yml
+++ b/.github/workflows/fortress-security-scans.yml
@@ -160,6 +160,20 @@ jobs:
 if [[ $NANCY_EXIT_CODE -eq 0 ]]; then
 echo "nancy-status=success" >> $GITHUB_OUTPUT
 echo "✅ Nancy scan completed - no vulnerabilities found"
+ elif grep -qi "rate limited by OSS Index" nancy-output.log; then
+ # OSS Index rate-limited the scan; treat as inconclusive, NOT as a CI failure.
+ # Add OSSI_USERNAME and OSSI_TOKEN secrets to authenticate and lift the limit.
+ echo "nancy-status=rate-limited" >> $GITHUB_OUTPUT
+ echo "⚠️ Nancy scan inconclusive - OSS Index rate-limited the request (not failing CI)."
+ echo " Configure OSSI_USERNAME and OSSI_TOKEN secrets to authenticate and lift the limit."
+ echo " Register at https://ossindex.sonatype.org/user/register"
+ elif grep -qi "402 Payment Required" nancy-output.log; then
+ # OSS Index returned 402 (free-tier quota exhausted / paid plan required);
+ # treat as inconclusive, NOT as a CI failure.
+ echo "nancy-status=payment-required" >> $GITHUB_OUTPUT
+ echo "⚠️ Nancy scan inconclusive - OSS Index returned 402 Payment Required (not failing CI)."
+ echo " Configure OSSI_USERNAME and OSSI_TOKEN secrets to authenticate against your OSS Index account."
+ echo " Register at https://ossindex.sonatype.org/user/register"
 else
 echo "nancy-status=failure" >> $GITHUB_OUTPUT
 echo "❌ Nancy scan completed - vulnerabilities detected (exit code: $NANCY_EXIT_CODE)"
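Review bot: The two new `elif grep -qi … nancy-output.log` branches make the dependency scan fail open: when OSS Index rate-limits or answers 402, no vulnerability check was actually performed, yet `nancy-status` becomes `rate-limited`/`payment-required`, the later "Fail job" step (whose `if:` tests only `== 'failure'`) stays green, and a vulnerable module can merge with nothing more than a warning annotation. That is a defensible trade-off for pull-request noise, but it should not hold on the protected branch or for release builds; one option is to widen that final step's condition, e.g. `if: always() && (steps.run-nancy.outputs.nancy-status == 'failure' || (steps.run-nancy.outputs.nancy-status != 'success' && github.ref == 'refs/heads/master'))`, another is a workflow-level toggle that switches inconclusive scans back to failing. The string match is also the only thing separating these states from a real failure, so if Nancy's wording changes the run silently drops into the `else` branch; that is fail-closed and acceptable, but worth stating next to the `else`, e.g. `# Any other non-zero exit falls through to 'failure' (fail closed by design).`. The `run:` block containing this chain, including the Nancy invocation that sets `NANCY_EXIT_CODE`, starts outside the hunk.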
@@ -168,11 +182,27 @@ jobs:
 # --------------------------------------------------------------------
 # Create GitHub Annotations for failures
 # --------------------------------------------------------------------
- - name: 📋 Create GitHub Annotations
+ - name: 📋 Create GitHub Annotations (vulnerabilities)
 if: always() && steps.run-nancy.outputs.nancy-status == 'failure'
 run: |
 echo "::error title=Nancy Security Scan Failed::Vulnerabilities detected in Go dependencies - see job summary for details"
+ # --------------------------------------------------------------------
+ # Create GitHub Annotations for rate-limited scans (warning, not error)
+ # --------------------------------------------------------------------
+ - name: 📋 Create GitHub Annotations (rate-limited)
+ if: always() && steps.run-nancy.outputs.nancy-status == 'rate-limited'
+ run: |
+ echo "::warning title=Nancy Rate Limited::OSS Index rate-limited the scan; results inconclusive. Add OSSI_USERNAME and OSSI_TOKEN secrets to authenticate and lift the limit."
+ # --------------------------------------------------------------------
+ # Create GitHub Annotations for 402 Payment Required (warning, not error)
+ # --------------------------------------------------------------------
+ - name: 📋 Create GitHub Annotations (payment-required)
+ if: always() && steps.run-nancy.outputs.nancy-status == 'payment-required'
+ run: |
+ echo "::warning title=Nancy Payment Required::OSS Index returned 402 Payment Required; results inconclusive. Add OSSI_USERNAME and OSSI_TOKEN secrets to authenticate against your OSS Index account."
 # --------------------------------------------------------------------
 # Summary of Nancy results
 # --------------------------------------------------------------------
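Review bot: Both added annotation steps copy the existing `if: always() && …` guard, which also fires when the job has been cancelled; since the intent is only "run even if an earlier step failed", the new steps would express that more precisely with `if: ${{ !cancelled() && steps.run-nancy.outputs.nancy-status == 'rate-limited' }}` (and the same for `payment-required`). The two steps are otherwise identical apart from the status string and message, which is fine for readability, but keep the status literals in sync with the values written by the run-nancy step since a typo here silently produces no annotation at all.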
@@ -192,6 +222,10 @@ jobs:
 if [[ "$NANCY_STATUS" == "success" ]]; then
 echo "| **Result** | ✅ No vulnerabilities found |" >> $GITHUB_STEP_SUMMARY
+ elif [[ "$NANCY_STATUS" == "rate-limited" ]]; then
+ echo "| **Result** | ⚠️ Rate limited by OSS Index — scan inconclusive (CI not failed) |" >> $GITHUB_STEP_SUMMARY
+ elif [[ "$NANCY_STATUS" == "payment-required" ]]; then
+ echo "| **Result** | ⚠️ OSS Index returned 402 Payment Required — scan inconclusive (CI not failed) |" >> $GITHUB_STEP_SUMMARY
 else
 echo "| **Result** | ❌ Vulnerabilities detected |" >> $GITHUB_STEP_SUMMARY
 fi
@@ -201,8 +235,58 @@ jobs:
 echo "The following vulnerabilities were excluded from the scan:" >> $GITHUB_STEP_SUMMARY
 echo "${{ env.NANCY_EXCLUDES }}" >> $GITHUB_STEP_SUMMARY
- # Show failure details if applicable
- if [[ "$NANCY_STATUS" != "success" ]] && [[ -f nancy-output.log ]]; then
+ # Rate-limited: explain clearly that CI was NOT failed and how to remediate
+ if [[ "$NANCY_STATUS" == "rate-limited" ]]; then
+ echo "" >> $GITHUB_STEP_SUMMARY
+ echo "### ⚠️ OSS Index Rate Limit" >> $GITHUB_STEP_SUMMARY
+ echo "" >> $GITHUB_STEP_SUMMARY
+ echo "Sonatype's OSS Index rate-limited this request before Nancy could complete the scan." >> $GITHUB_STEP_SUMMARY
+ echo "**This is not a vulnerability detection** and CI has **not** been failed for this run." >> $GITHUB_STEP_SUMMARY
+ echo "" >> $GITHUB_STEP_SUMMARY
+ echo "**To remediate (recommended):**" >> $GITHUB_STEP_SUMMARY
+ echo "" >> $GITHUB_STEP_SUMMARY
+ echo "1. Register a free account at ." >> $GITHUB_STEP_SUMMARY
+ echo "2. Retrieve your username (email) and API token from ." >> $GITHUB_STEP_SUMMARY
+ echo "3. Add them as repository secrets named \`OSSI_USERNAME\` and \`OSSI_TOKEN\`." >> $GITHUB_STEP_SUMMARY
+ echo "" >> $GITHUB_STEP_SUMMARY
+ echo "Authenticated requests have a substantially higher rate limit and avoid this state." >> $GITHUB_STEP_SUMMARY
+ if [[ -f nancy-output.log ]]; then
+ echo "" >> $GITHUB_STEP_SUMMARY
+ echo "
" >> $GITHUB_STEP_SUMMARY + echo "Click to expand Nancy output" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + head -50 nancy-output.log >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + echo "
" >> $GITHUB_STEP_SUMMARY + fi + # Payment-required (402): explain clearly that CI was NOT failed and how to remediate + elif [[ "$NANCY_STATUS" == "payment-required" ]]; then + echo "" >> $GITHUB_STEP_SUMMARY + echo "### ⚠️ OSS Index Payment Required (402)" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Sonatype's OSS Index returned **402 Payment Required**, indicating the free-tier quota for unauthenticated requests has been exhausted." >> $GITHUB_STEP_SUMMARY + echo "**This is not a vulnerability detection** and CI has **not** been failed for this run." >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "**To remediate (recommended):**" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "1. Register a free account at ." >> $GITHUB_STEP_SUMMARY + echo "2. Retrieve your username (email) and API token from ." >> $GITHUB_STEP_SUMMARY + echo "3. Add them as repository secrets named \`OSSI_USERNAME\` and \`OSSI_TOKEN\`." >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Authenticated requests have a higher quota and avoid this state." >> $GITHUB_STEP_SUMMARY + if [[ -f nancy-output.log ]]; then + echo "" >> $GITHUB_STEP_SUMMARY + echo "
" >> $GITHUB_STEP_SUMMARY + echo "Click to expand Nancy output" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + head -50 nancy-output.log >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + echo "
" >> $GITHUB_STEP_SUMMARY + fi + # Real vulnerability failure: keep existing details section + elif [[ "$NANCY_STATUS" == "failure" ]] && [[ -f nancy-output.log ]]; then echo "" >> $GITHUB_STEP_SUMMARY echo "### 🚨 Vulnerability Details" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY @@ -252,6 +336,12 @@ jobs: # -------------------------------------------------------------------- # Fail job if vulnerabilities found + # + # Only fires when nancy-status == 'failure' (real vulnerabilities). + # The 'rate-limited' status is intentionally excluded: an OSS Index rate + # limit produces an inconclusive scan, not a vulnerability finding, and + # must not red-X CI. See the run-nancy step above for the rate-limit + # detection logic. # -------------------------------------------------------------------- - name: 🚨 Fail job if vulnerabilities found if: always() && steps.run-nancy.outputs.nancy-status == 'failure' diff --git a/.github/workflows/fortress.yml b/.github/workflows/fortress.yml index d0e7589..c2535d0 100644 --- a/.github/workflows/fortress.yml +++ b/.github/workflows/fortress.yml @@ -1,7 +1,7 @@ # ------------------------------------------------------------------------------------ # 🏰 GoFortress - Enterprise-grade CI/CD fortress for Go applications # -# Version: 1.7.2 | Released: 2026-03-09 +# Version: 1.7.3 | Released: 2026-04-28 # # Built Strong. Tested Harder. #