
Conversation

@nir3shprabu nir3shprabu (Contributor) commented Mar 23, 2023

Implemented gosec, trivy and goreleaser into this workflow

  • Gosec is a security tool that performs a static code analysis for Golang projects for security flaws
  • Trivy is a vulnerability scanner used to scan the vulnerabilities in the docker image
  • GoReleaser builds Go binaries and delivers them as fast and easily as possible

@lnproxy lnproxy (Owner) commented Mar 28, 2023

This looks awesome. Sorry, I'm too much of a boomer to properly review this stuff, but from what I can tell it seems extremely solid. If anyone else using lnproxy can comment, it would be helpful.

@lnproxy lnproxy force-pushed the main branch 2 times, most recently from 0b2c6a4 to 3319d97 (July 2, 2023 11:39)

@m0wer m0wer left a comment


Great additions.

On top of them, added (as a suggestion):

  • More up-to-date versions.
  • Removing the insecure commands flag.
  • Ensuring security scans are prerequisites for releases.

Needs to be tested.

Comment on lines +8 to +69
permissions:
contents: write
id-token: write
packages: write
issues: write
security-events: write

env:
GO111MODULE: on
CGO_ENABLED: 0
ACTIONS_ALLOW_UNSECURE_COMMANDS: true

jobs:
gosec:
runs-on: ubuntu-latest
steps:
- name: Checkout Source
uses: actions/checkout@v3

- name: Run Gosec Security Scanner
uses: securego/gosec@master
with:
args: ./...

trivy:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

goreleaser:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- name: Unshallow
run: git fetch --prune --unshallow

- uses: actions/setup-go@v4
with:
go-version: 1.19

- uses: goreleaser/goreleaser-action@v4
with:
distribution: goreleaser
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
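
Review bot: `uses: securego/gosec@master` and `uses: aquasecurity/trivy-action@master` (the gosec and trivy jobs) pin both scanners to a mutable branch, so whatever lands on those branches runs here with the workflow's write-scoped token; pin them to a release tag or, better, a full commit SHA, as is already done for `actions/checkout@v3` and `goreleaser/goreleaser-action@v4`. In the same block, `ACTIONS_ALLOW_UNSECURE_COMMANDS: true` re-enables the deprecated `set-env`/`add-path` workflow commands that GitHub disabled because untrusted step output could inject environment variables, and nothing in this workflow needs them; drop the line. The `goreleaser` job also has no `needs:`, so a tag push publishes a release even when gosec or trivy fail, and the workflow-level `permissions:` block (contents, id-token, packages, issues and security-events all `write`) is inherited by the scanner jobs, which only need `contents: read`; move the write scopes down to the `goreleaser` job.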


Suggested change
permissions:
contents: write
id-token: write
packages: write
issues: write
security-events: write
env:
GO111MODULE: on
CGO_ENABLED: 0
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
jobs:
gosec:
runs-on: ubuntu-latest
steps:
- name: Checkout Source
uses: actions/checkout@v3
- name: Run Gosec Security Scanner
uses: securego/gosec@master
with:
args: ./...
trivy:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
goreleaser:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Unshallow
run: git fetch --prune --unshallow
- uses: actions/setup-go@v4
with:
go-version: 1.19
- uses: goreleaser/goreleaser-action@v4
with:
distribution: goreleaser
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: write
id-token: write
packages: write
issues: write
security-events: write
env:
GO111MODULE: on
CGO_ENABLED: 0
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout Source
uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: actions/setup-go@v4
with:
go-version: '1.24'
- name: Run Tests
run: go test ./...
gosec:
runs-on: ubuntu-latest
steps:
- name: Checkout Source
uses: actions/checkout@v3
- name: Run Gosec Security Scanner
uses: securego/gosec@master
with:
args: ./...
trivy:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
docker build -t ${{ vars.DOCKER_REGISTRY || 'docker.io/my-organization' }}/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: '${{ vars.DOCKER_REGISTRY || 'docker.io/my-organization' }}/my-app:${{ github.sha }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
goreleaser:
needs: [test, gosec, trivy]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: actions/setup-go@v4
with:
go-version: '1.24'
- uses: goreleaser/goreleaser-action@v4
with:
distribution: goreleaser
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
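
Review bot: the suggested `image-ref: '${{ vars.DOCKER_REGISTRY || 'docker.io/my-organization' }}/my-app:${{ github.sha }}'` nests single quotes inside a single-quoted YAML scalar; YAML ends the scalar at the second `'`, so the workflow file no longer parses. Either double-quote the outer string, `image-ref: "${{ vars.DOCKER_REGISTRY || 'docker.io/my-organization' }}/my-app:${{ github.sha }}"`, or leave the value unquoted as the `docker build -t` line just above already does. The suggestion correctly adds `needs: [test, gosec, trivy]` and drops `ACTIONS_ALLOW_UNSECURE_COMMANDS`, but it still keeps `securego/gosec@master` and `aquasecurity/trivy-action@master` and the workflow-wide `write` permissions; pinning the two scanner actions to a tag or commit SHA and scoping the write permissions to the `goreleaser` job would complete the hardening this suggestion sets out to do.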

Comment on lines +3 to +6
on:
push:
tags:
- 'v*'
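
Review bot: with `push` on `v*` tags as the only trigger, the gosec and trivy jobs run only when a release is cut, so findings surface after the code is already merged. Adding `pull_request` and a `push` to the default branch as triggers, and guarding the `goreleaser` job with `if: startsWith(github.ref, 'refs/tags/v')`, would run the scans on every change while still releasing only from tags.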

Tags are not really being used at the moment, at least with the v* format. @lnproxy how do you want to go about this?
