From a6dfc7812993fac46a299a81fc001da6019ab93d Mon Sep 17 00:00:00 2001 From: g-bgg Date: Mon, 19 Jan 2026 10:40:39 +0100 Subject: [PATCH 1/2] bump deps, sign images, few fixes --- .github/workflows/build.yaml | 6 ++--- .github/workflows/docker.yaml | 51 ++++++++++++++++++++++++++--------- Dockerfile | 4 +-- go.mod | 8 +++--- go.sum | 12 ++++----- 5 files changed, 53 insertions(+), 28 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 6ab7e21..00abca2 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -22,7 +22,7 @@ jobs: - name: Run golangci-lint uses: reviewdog/action-golangci-lint@v2 with: - go_version: "1.24.3" + go_version: "1.25.4" - name: Run hadolint uses: reviewdog/action-hadolint@v1 @@ -59,9 +59,7 @@ jobs: with: image-ref: 'controlplane/netassertv2-packet-sniffer:${{ github.sha }}' format: 'table' + ignore-unfixed: true exit-code: '1' vuln-type: 'os,library' - output: 'trivy-results.txt' severity: 'CRITICAL,HIGH,MEDIUM' - - - run: cat trivy-results.txt diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 0825af1..b97d72b 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -5,35 +5,62 @@ on: tags: - "v[0-9]+.[0-9]+.[0-9]+" +env: + GH_REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + jobs: docker: runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + attestations: write + steps: - name: Checkout code - uses: actions/checkout@v2 - - - name: Print Tag - run: | - echo "Tag name from GITHUB_REF_NAME: $GITHUB_REF_NAME" - echo "Tag name from github.ref_name: ${{ github.ref_name }}" + uses: actions/checkout@v5 - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 + + - name: Install cosign + uses: sigstore/cosign-installer@v3 + + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ${{ env.GH_REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Docker Hub - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v4 + id: buildpush + uses: docker/build-push-action@v6 with: platforms: linux/amd64,linux/arm64 + sbom: true + provenance: mode=max push: true tags: | - controlplane/netassertv2-packet-sniffer:${{ github.ref_name }} - controlplane/netassertv2-packet-sniffer:latest + docker.io/controlplane/netassertv2-packet-sniffer:${{ github.ref_name }} + docker.io/controlplane/netassertv2-packet-sniffer:latest + ${{ env.GH_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }} + ${{ env.GH_REGISTRY }}/${{ env.IMAGE_NAME }}:latest + + - name: Sign artifact + run: | + cosign sign --yes \ + "${{ env.GH_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.buildpush.outputs.digest }}" + cosign sign --yes \ + "docker.io/controlplane/netassertv2-packet-sniffer@${{ steps.buildpush.outputs.digest }}" diff --git a/Dockerfile b/Dockerfile index 476a141..214f95a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24-alpine AS builder +FROM golang:1.25-alpine AS builder COPY . /build WORKDIR /build RUN apk add --no-cache build-base libpcap-dev && \ @@ -8,7 +8,7 @@ RUN apk add --no-cache build-base libpcap-dev && \ # we need to enable CGO as we need to compile with libpcap bindings GO111MODULE=on CGO_ENABLED=1 GOOS=linux go build -v -o /packet-capture . -FROM alpine:3.21 +FROM alpine:3.23 COPY --from=builder /packet-capture /usr/bin/packet-capture diff --git a/go.mod b/go.mod index c5adb47..70638c9 100644 --- a/go.mod +++ b/go.mod @@ -1,12 +1,12 @@ module github.com/controlplaneio/netassertv2-packet-sniffer -go 1.24.3 +go 1.25.4 require ( - github.com/ardanlabs/conf/v3 v3.7.2 + github.com/ardanlabs/conf/v3 v3.10.0 github.com/google/gopacket v1.1.19 github.com/stretchr/testify v1.9.0 - go.uber.org/zap v1.27.0 + go.uber.org/zap v1.27.1 ) require ( @@ -17,7 +17,7 @@ require ( github.com/rogpeppe/go-internal v1.8.1 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/net v0.38.0 // indirect - golang.org/x/sys v0.33.0 // indirect + golang.org/x/sys v0.40.0 // indirect gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index 6b0e55c..9001c87 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,5 @@ -github.com/ardanlabs/conf/v3 v3.7.2 h1:s2VBuDJM6OQfR0erDuopiZ+dHUQVqGxZeLrTsls03dw= -github.com/ardanlabs/conf/v3 v3.7.2/go.mod h1:XlL9P0quWP4m1weOVFmlezabinbZLI05niDof/+Ochk= +github.com/ardanlabs/conf/v3 v3.10.0 h1:qIrJ/WBmH/hFQ/IX4xH9LX9LzwK44T9aEOy78M+4S+0= +github.com/ardanlabs/conf/v3 v3.10.0/go.mod h1:XlL9P0quWP4m1weOVFmlezabinbZLI05niDof/+Ochk= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -27,8 +27,8 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= -go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc= +go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= @@ -40,8 +40,8 @@ golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= -golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ= +golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From f55a299b13368f6e84f7325e7e10d68db5ff68c7 Mon Sep 17 00:00:00 2001 From: g-bgg Date: Tue, 27 Jan 2026 10:41:51 +0100 Subject: [PATCH 2/2] use signed hashes for github actions --- .github/workflows/build.yaml | 10 +++++----- .github/workflows/docker.yaml | 14 +++++++------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 00abca2..90fbef8 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -17,15 +17,15 @@ jobs: run: sudo apt install -y libpcap-dev - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Run golangci-lint - uses: reviewdog/action-golangci-lint@v2 + uses: reviewdog/action-golangci-lint@f9bba13753278f6a73b27a56a3ffb1bfda90ed71 # v2 with: go_version: "1.25.4" - name: Run hadolint - uses: reviewdog/action-hadolint@v1 + uses: reviewdog/action-hadolint@921946a7ebaaf08ac72607bad67209f4e52b5407 # v1 build: runs-on: ubuntu-latest needs: lint @@ -34,10 +34,10 @@ jobs: run: sudo apt install -y libpcap-dev - name: Checkout source code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Setup Go - uses: actions/setup-go@v3 + uses: actions/setup-go@be3c94b385c4f180051c996d336f57a34c397495 # v3 with: go-version: '1.24.3' diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index b97d72b..f3bdeba 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -20,33 +20,33 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Install cosign - uses: sigstore/cosign-installer@v3 + uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3 - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: registry: ${{ env.GH_REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build and push id: buildpush - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: platforms: linux/amd64,linux/arm64 sbom: true