Merge pull request #2 from step-security/release

onboarding codeowners-validator action

Author: Raj-StepSecurity

.dockerignore

@@ -0,0 +1,7 @@
+.git
+.github
+docs
+hack
+tests
+bin
+coverage.txt

.github/workflows/actions_release.yml

@@ -0,0 +1,22 @@
+name: Release GitHub Actions
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag for the release"
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+
+    uses: step-security/reusable-workflows/.github/workflows/actions_release.yaml@v1
+    with:
+      tag: "${{ github.event.inputs.tag }}"

.github/workflows/auto_cherry_pick.yml

@@ -0,0 +1,36 @@
+name: Auto Cherry-Pick from Upstream
+
+on:
+  workflow_run:
+    workflows: ["Release GitHub Actions"]
+    types:
+      - completed
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: "Base branch to create the PR against"
+        required: true
+        default: "main"
+      mode:
+        description: "Run mode: cherry-pick or verify"
+        required: false
+        default: "cherry-pick"
+
+  pull_request:
+    types: [opened, synchronize, labeled]
+
+permissions:
+  contents: write
+  pull-requests: write
+  packages: read
+  issues: write
+
+jobs:
+  cherry-pick:
+    if: github.event_name == 'workflow_dispatch' || contains(fromJson(toJson(github.event.pull_request.labels)).*.name, 'review-required')
+    uses: step-security/reusable-workflows/.github/workflows/auto_cherry_pick.yaml@v1
+    with:
+      original-owner: "mszostok"
+      repo-name: "codeowners-validator"
+      base_branch: ${{ inputs.base_branch }}
+      mode: ${{ github.event_name == 'pull_request' && 'verify' || inputs.mode }}

.github/workflows/docker.yml

@@ -0,0 +1,55 @@
+name: Publish docker image
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_tag:
+        description: 'Tag to release'
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+    build:
+        runs-on: ubuntu-latest
+        if: startsWith(github.event.inputs.release_tag, 'v')
+        steps:
+        - name: Harden the runner (Audit all outbound calls)
+          uses: step-security/harden-runner@0v2
+          with:
+            egress-policy: audit
+
+        - name: Checkout
+          uses: actions/checkout@v6
+        - name: Validate tag format
+          run: |
+            TAG=${{ github.event.inputs.release_tag }}
+            if ! echo "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
+              echo "❌ Invalid tag format: $TAG"
+              exit 1
+            fi
+            echo "✅ Valid semver tag: $TAG"
+        - name: Log in to GitHub Container Registry
+          uses: step-security/docker-login-action@v4
+          with:
+            registry: ghcr.io
+            username: ${{ github.actor }}
+            password: ${{ secrets.GITHUB_TOKEN }}
+
+        - name: Set up QEMU for ARM builds
+          uses: step-security/setup-qemu-action@v4
+
+        - name: Set up Docker Buildx
+          uses: step-security/setup-buildx-action@v4
+
+        - name: Build and push Docker image
+          uses: step-security/docker-build-push-action@v7
+          with:
+            context: .
+            push: true
+            platforms: linux/amd64,linux/arm64
+            tags: |
+              ghcr.io/${{ github.repository }}:${{ github.event.inputs.release_tag }}

.github/workflows/pull-requests.yml

@@ -0,0 +1,47 @@
+name: Pull request
+
+on:
+  pull_request:
+    branches: [ main ]
+
+env:
+  GO111MODULE: on
+  INSTALL_DEPS: true
+
+defaults:
+  run:
+    shell: bash
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.event.pull_request.number || 'branch' }} # scope to for the current workflow
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }} # cancel only PR related jobs
+
+jobs:
+  unit-test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ${{ github.actor == 'dependabot[bot]' && fromJSON('["ubuntu-latest"]') || fromJSON('["ubuntu-latest", "macos-latest"]') }}
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v6
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+      - name: "Build and unit-test"
+        run: make test-unit
+      - name: "Hammer unit-test"
+        run: make test-hammer
+  code-quality-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+      - name: "Code Quality Analysis"
+        run: make test-lint

.gitignore

@@ -0,0 +1,7 @@
+scripts/
+.idea
+codeowners-validator
+dist/
+tmp/
+bin/
+coverage.txt

.golangci.yml

@@ -0,0 +1,41 @@
+issues:
+  exclude:
+    # Check this issue for more info: https://github.com/kyoh86/scopelint/issues/4
+    - Using the variable on range scope `tc` in function literal
+
+run:
+  tests: true
+linters:
+  disable-all: true
+  enable:
+    - gocritic
+    - errcheck
+    - gosimple
+    - govet
+    - ineffassign
+    - staticcheck
+    - typecheck
+    - unused
+    - revive
+    - gofmt
+    - misspell
+    - gochecknoinits
+    - unparam
+    - exportloopref
+    - gosec
+    - goimports
+    - whitespace
+    - bodyclose
+    - gocyclo
+
+  fast: false
+
+
+linters-settings:
+  gocritic:
+    enabled-tags:
+      - diagnostic
+      - style
+      - performance
+      - experimental
+      - opinionated

Dockerfile

@@ -0,0 +1,23 @@
+FROM golang:1.21-alpine AS builder
+
+# hadolint ignore=DL3018
+RUN apk --no-cache add ca-certificates git
+
+WORKDIR /app
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+RUN CGO_ENABLED=0 GOOS=linux go build -o /codeowners-validator .
+
+FROM scratch
+
+LABEL org.opencontainers.image.source=https://github.com/step-security/codeowners-validator
+
+COPY --from=builder /codeowners-validator /codeowners-validator
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /usr/bin/git /usr/bin/git
+COPY --from=builder /usr/bin/xargs /usr/bin/xargs
+COPY --from=builder /lib /lib
+COPY --from=builder /usr/lib /usr/lib
+
+ENTRYPOINT ["/codeowners-validator"]