diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index c0e4e2b..a29eac2 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -89,9 +89,7 @@ jobs:
 # Ref: https://github.com/SonarSource/sonarqube-scan-action
 - name: SonarQube Scan
- uses: SonarSource/sonarqube-scan-action@v5
- with:
- projectBaseDir: ./
+ uses: SonarSource/sonarqube-scan-action@v6
 env:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 GITHUB_USER: ${{ github.actor }}
diff --git a/CHANGELOG/CHANGELOG-1.x.md b/CHANGELOG/CHANGELOG-1.x.md
index db98b8a..be30f33 100644
--- a/CHANGELOG/CHANGELOG-1.x.md
+++ b/CHANGELOG/CHANGELOG-1.x.md
@@ -19,6 +19,19 @@ Date format: `YYYY-MM-DD`
 ---
+## [1.37.0] - 2025-09-30
+
+### Added
+### Changed
+- **debt:** Upgraded dependencies to their latest stable versions.
+
+### Deprecated
+### Removed
+### Fixed
+### Security
+
+---
+
 ## [1.36.0] - 2025-09-15
 ### Added
@@ -607,7 +620,8 @@ Date format: `YYYY-MM-DD`
 ### Fixed
 ### Security
-[Unreleased]: https://github.com/sixafter/nanoid-cli/compare/v1.36.0...HEAD
+[Unreleased]: https://github.com/sixafter/nanoid-cli/compare/v1.37.0...HEAD
+[1.37.0]: https://github.com/sixafter/nanoid-cli/compare/v1.36.0...v1.37.0
 [1.36.0]: https://github.com/sixafter/nanoid-cli/compare/v1.35.0...v1.36.0
 [1.35.0]: https://github.com/sixafter/nanoid-cli/compare/v1.34.0...v1.35.0
 [1.34.0]: https://github.com/sixafter/nanoid-cli/compare/v1.33.0...v1.34.0
diff --git a/go.mod b/go.mod
index 9511d6f..f22939f 100644
--- a/go.mod
+++ b/go.mod
@@ -9,8 +9,8 @@ go 1.25
 require (
 github.com/dustin/go-humanize v1.0.1
- github.com/sixafter/nanoid v1.51.0
- github.com/sixafter/semver v1.7.0
+ github.com/sixafter/nanoid v1.52.0
+ github.com/sixafter/semver v1.9.0
 github.com/spf13/cobra v1.10.1
 github.com/stretchr/testify v1.11.1
 )
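Review bot: The action is still referenced by a mutable major tag, `uses: SonarSource/sonarqube-scan-action@v6`, so this step executes whatever commit that tag points to at run time while holding `SONAR_TOKEN`; pin it to a full commit SHA and keep the tag as a comment, `uses: SonarSource/sonarqube-scan-action@<full-commit-sha-of-the-v6-release> # v6`, so an upgrade is an explicit, reviewable change and a retagged release cannot alter the step silently. Dropping `with: projectBaseDir: ./` presumably relies on the v6 default resolving to the workspace root; worth confirming against the v6 action inputs, because a different default would scan a different directory rather than fail. The enclosing job starts outside the hunk.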
@@ -19,8 +19,8 @@ require (
 github.com/davecgh/go-spew v1.1.1 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
- github.com/sixafter/aes-ctr-drbg v1.9.0 // indirect
- github.com/sixafter/prng-chacha v1.5.0 // indirect
+ github.com/sixafter/aes-ctr-drbg v1.10.0 // indirect
+ github.com/sixafter/prng-chacha v1.6.0 // indirect
 github.com/spf13/pflag v1.0.10 // indirect
 golang.org/x/crypto v0.42.0 // indirect
 golang.org/x/sys v0.36.0 // indirect
diff --git a/go.sum b/go.sum
index 2a8154e..70c6eac 100644
--- a/go.sum
+++ b/go.sum
@@ -10,14 +10,14 @@ github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLf github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/sixafter/aes-ctr-drbg v1.9.0 h1:JxB1OASJOo7cE+He/bpQipYthw/jDsAQbR7xQAxrA9Y= -github.com/sixafter/aes-ctr-drbg v1.9.0/go.mod h1:k0MnzFOGf7ks7ixN/N72wQAT/7u+lIknQWa7H9Iqew4= -github.com/sixafter/nanoid v1.51.0 h1:HfStIU2kzx7nB+NzBBE6IWlKcA9chV8iwWefbfH2BZk= -github.com/sixafter/nanoid v1.51.0/go.mod h1:OkfsdaSwJp3XeoCyHjxBQx26HgSMNSLbfJN1U6is4tM= -github.com/sixafter/prng-chacha v1.5.0 h1:YGfqDvo27FgBOJK7fQB6I5BVXg3+6BwTGt90E1picPc= -github.com/sixafter/prng-chacha v1.5.0/go.mod h1:/qgtGyz1ueWauLV6JgIi6a2BNc/9IkLWXL98U2GEM7o= -github.com/sixafter/semver v1.7.0 h1:kz3RPsy92e/WRD6kYi9/r1zdmC768ne9S9586KRD5pg= -github.com/sixafter/semver v1.7.0/go.mod h1:kIkw1gO0r6JtGoOam9xesWKqOFUH8kfTViLVbiC4WmA= +github.com/sixafter/aes-ctr-drbg v1.10.0 h1:ZF3HBF9zVKOJHGcuvkjqp1QHYN5kuyYivmhFgO+yCnU= +github.com/sixafter/aes-ctr-drbg v1.10.0/go.mod h1:k0MnzFOGf7ks7ixN/N72wQAT/7u+lIknQWa7H9Iqew4= +github.com/sixafter/nanoid v1.52.0 h1:8eViRdll2B/4g8tOdVuywTeV6ir++GYK5xUCzD3mmMs= +github.com/sixafter/nanoid v1.52.0/go.mod h1:wV91+XpQYVG/ycSZv3PXLyQ9eupYSH0wp9Jhhl6d3jc= +github.com/sixafter/prng-chacha v1.6.0 h1:e0ADGI8dZoV9DRdGCBhtdD3E+iKBoqS4ydtXFu90FrQ= +github.com/sixafter/prng-chacha v1.6.0/go.mod h1:/qgtGyz1ueWauLV6JgIi6a2BNc/9IkLWXL98U2GEM7o= +github.com/sixafter/semver v1.9.0 h1:dM8RIBEEpZ0YKzcXA3+rnmmiRES37RYoaeQwtKAe/BQ= +github.com/sixafter/semver v1.9.0/go.mod h1:kIkw1gO0r6JtGoOam9xesWKqOFUH8kfTViLVbiC4WmA= github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s= github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0= github.com/spf13/pflag 
v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
diff --git a/vendor/github.com/sixafter/semver/.goreleaser.yaml b/vendor/github.com/sixafter/semver/.goreleaser.yaml
index ce21d0d..83a652a 100644
--- a/vendor/github.com/sixafter/semver/.goreleaser.yaml
+++ b/vendor/github.com/sixafter/semver/.goreleaser.yaml
@@ -36,6 +36,24 @@ changelog:
 # Default: 'git'.
 use: github
+ # Format to use for commit formatting.
+ #
+ # Templates: allowed.
+ #
+ # Default:
+ # if 'git': '{{ .SHA }} {{ .Message }}'
+ # otherwise: '{{ .SHA }}: {{ .Message }} ({{ with .AuthorUsername }}@{{ . }}{{ else }}{{ .AuthorName }} <{{ .AuthorEmail }}>{{ end }})'.
+ #
+ # Extra template fields:
+ # - `SHA`: the commit SHA1
+ # - `Message`: the first line of the commit message, otherwise known as commit subject
+ # - `AuthorName`: the author full name (considers mailmap if 'git')
+ # - `AuthorEmail`: the author email (considers mailmap if 'git')
+ # - `AuthorUsername`: github/gitlab/gitea username - not available if 'git'
+ #
+ # Usage with 'git': Since: v2.8.
+ format: "{{.SHA}}: {{.Message}} (@{{.AuthorUsername}})"
+
 # Max commit hash length to use in the changelog.
 #
 # 0: use whatever the changelog implementation gives you
@@ -83,10 +101,122 @@ changelog:
 - title: Others
 order: 999
+# Ref: https://goreleaser.com/customization/checksums/
+checksum:
+ name_template: 'checksums.txt'
+
+# Ref: https://goreleaser.com/customization/sign/
+signs:
+ - id: source
+ cmd: cosign
+ stdin: '{{ .Env.COSIGN_PASSWORD }}'
+ output: true
+ artifacts: source
+ args:
+ - sign-blob
+ - --yes
+ - --key
+ - env://COSIGN_PRIVATE_KEY
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
+
+ - id: checksums
+ cmd: cosign
+ stdin: '{{ .Env.COSIGN_PASSWORD }}'
+ output: true
+ artifacts: checksum
+ args:
+ - sign-blob
+ - --yes
+ - --key
+ - env://COSIGN_PRIVATE_KEY
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
+
+# Ref: https://goreleaser.com/customization/source/
+source:
+ # Whether this pipe is enabled or not.
+ enabled: true
+
+ # Name template of the final archive.
+ #
+ # Default: '{{ .ProjectName }}-{{ .Version }}'.
+ # Templates: allowed.
+ name_template: "{{ .ProjectName }}-{{ .Version }}"
+
+ # Format of the archive.
+ #
+ # Valid formats are: tar, tgz, tar.gz, and zip.
+ #
+ # Default: 'tar.gz'.
+ format: tar.gz
+
+ # Prefix.
+ # String to prepend to each filename in the archive.
+ #
+ # Templates: allowed.
+ prefix_template: "{{ .ProjectName }}-{{ .Version }}/"
+
+ # You can add additional files if needed, or omit for default behavior.
+ # files:
+ # - LICENSE
+ # - README.md
+ # files:
+ # - LICENSE
+ # - README.md
+ # - CHANGELOG/CHANGELOG*
+ # - go.mod
+ # - go.sum
+ # - "*.go"
+ # - "x/**/*"
+ # - "vendor/**/*"
+
+# Ref: https://goreleaser.com/customization/sbom/
 sboms:
- - artifacts: archive
+ - # ID of the sbom config, must be unique.
+ #
+ # Default: 'default'.
+ id: default
+
+ # Which artifacts to catalog.
+ #
+ # Valid options are:
+ # - any: let the SBOM tool decide which artifacts available in
+ # the cwd should be cataloged
+ # - source: source archive
+ # - package: Linux packages (deb, rpm, apk, etc)
+ # - installer: Windows MSI installers (Pro only)
+ # - diskimage: macOS DMG disk images (Pro only)
+ # - archive: archives from archive pipe
+ # - binary: binaries output from the build stage
+ #
+ # Default: 'archive'.
+ artifacts: source
+ # IDs of the artifacts to catalog.
+ #
+ # If `artifacts` is "source" or "any" then this fields has no effect.
+ # ids:
+ # - src
+
+# Ref: https://goreleaser.com/customization/release/
 release:
+ # Repo in which the release will be created.
+ # Default: extracted from the origin remote URL or empty if its private hosted.
+ github:
+ owner: sixafter
+ name: semver
+
+ # You can change the name of the release.
+ #
+ # Default: '{{.Tag}}' ('{{.PrefixedTag}}' on Pro).
+ # Templates: allowed.
 name_template: 'v{{ .Version }}'
+
+ # Footer for the release body.
+ #
+ # Templates: allowed.
 footer: |
 **Full Changelog**: [CHANGELOG](https://github.com/sixafter/semver/tree/main/CHANGELOG.md)
diff --git a/vendor/github.com/sixafter/semver/CHANGELOG.md b/vendor/github.com/sixafter/semver/CHANGELOG.md
index 180bb12..33b4172 100644
--- a/vendor/github.com/sixafter/semver/CHANGELOG.md
+++ b/vendor/github.com/sixafter/semver/CHANGELOG.md
@@ -17,6 +17,31 @@ Date format: `YYYY-MM-DD`
 ### Fixed
 ### Security
+---
+## [1.9.0] - 2025-09-27
+
+### Added
+### Changed
+- **debt:** Upgraded CI dependencies to their latest stable versions.
+
+### Deprecated
+### Removed
+### Fixed
+### Security
+
+---
+## [1.8.0] - 2025-09-15
+
+### Added
+### Changed
+- **debt:** Added digitally signed Software Bill of Materials (SBOM) to the release artifacts for enhanced supply chain security and transparency.
+- **debt:** Upgraded dependencies to their latest stable versions.
+
+### Deprecated
+### Removed
+### Fixed
+### Security
+
 ---
 ## [1.7.0] - 2025-09-01
@@ -119,7 +144,9 @@ Date format: `YYYY-MM-DD`
 ### Fixed
 ### Security
-[Unreleased]: https://github.com/sixafter/semver/compare/v1.7.0...HEAD
+[Unreleased]: https://github.com/sixafter/semver/compare/v1.9.0...HEAD
+[1.9.0]: https://github.com/sixafter/semver/compare/v1.8.0...v1.9.0
+[1.8.0]: https://github.com/sixafter/semver/compare/v1.7.0...v1.8.0
 [1.7.0]: https://github.com/sixafter/semver/compare/v1.6.0...v1.7.0
 [1.6.0]: https://github.com/sixafter/semver/compare/v1.5.0...v1.6.0
 [1.5.0]: https://github.com/sixafter/semver/compare/v1.4.0...v1.5.0
diff --git a/vendor/github.com/sixafter/semver/Makefile b/vendor/github.com/sixafter/semver/Makefile
index 1ee2fed..b091471 100644
--- a/vendor/github.com/sixafter/semver/Makefile
+++ b/vendor/github.com/sixafter/semver/Makefile
@@ -79,6 +79,11 @@ update: ## Update Go dependencies
 vuln: ## Check for vulnerabilities
 govulncheck ./...
+.PHONY: release-verify
+release-verify: ## Verify the release
+ rm -fr dist
+ goreleaser --config .goreleaser.yaml release --snapshot
+
 .PHONY: help
 help: ## Display this help screen
 @grep -h -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
diff --git a/vendor/github.com/sixafter/semver/README.md b/vendor/github.com/sixafter/semver/README.md
index 538963e..df83c55 100644
--- a/vendor/github.com/sixafter/semver/README.md
+++ b/vendor/github.com/sixafter/semver/README.md
@@ -1,4 +1,4 @@
-# semver
+# semver: Semantic Versioning for Go
 A Semantic Versioning 2.0.0 compliant parser and utility library written in Go.
@@ -7,6 +7,7 @@ A Semantic Versioning 2.0.0 compliant parser and utility library written in Go.
 [![Go](https://img.shields.io/github/go-mod/go-version/sixafter/semver)](https://img.shields.io/github/go-mod/go-version/sixafter/semver)
 [![Go Reference](https://pkg.go.dev/badge/github.com/sixafter/semver.svg)](https://pkg.go.dev/github.com/sixafter/semver)
+---
 ## Status
 ### Build & Test
@@ -14,7 +15,7 @@ A Semantic Versioning 2.0.0 compliant parser and utility library written in Go.
 [![CI](https://github.com/sixafter/semver/workflows/ci/badge.svg)](https://github.com/sixafter/semver/actions)
 [![GitHub issues](https://img.shields.io/github/issues/sixafter/semver)](https://github.com/sixafter/semver/issues)
-### 🚦Quality
+### Quality
 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=six-after_semver&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=six-after_semver)
 ![CodeQL](https://github.com/sixafter/semver/actions/workflows/codeql-analysis.yaml/badge.svg)
@@ -23,6 +24,45 @@ A Semantic Versioning 2.0.0 compliant parser and utility library written in Go.
 [![Release](https://github.com/sixafter/semver/workflows/release/badge.svg)](https://github.com/sixafter/semver/actions)
+---
+
+## Verify with Cosign
+
+[Cosign](https://github.com/sigstore/cosign) is used to sign releases for integrity verification.
+
+To verify the integrity of the release, you can use Cosign to check the signature and checksums. Follow these steps:
+
+```sh
+# Fetch the latest release tag from GitHub API (e.g., "v1.8.0")
+TAG=$(curl -s https://api.github.com/repos/sixafter/semver/releases/latest | jq -r .tag_name)
+
+# Remove leading "v" for filenames (e.g., "v1.8.0" -> "1.8.0")
+VERSION=${TAG#v}
+
+# Verify the release tarball
+cosign verify-blob \
+ --key https://raw.githubusercontent.com/sixafter/semver/main/cosign.pub \
+ --signature semver-${VERSION}.tar.gz.sig \
+ semver-${VERSION}.tar.gz
+
+# Download checksums.txt and its signature from the latest release assets
+curl -LO https://github.com/sixafter/semver/releases/download/${TAG}/checksums.txt
+curl -LO https://github.com/sixafter/semver/releases/download/${TAG}/checksums.txt.sig
+
+# Verify checksums.txt with cosign
+cosign verify-blob \
+ --key https://raw.githubusercontent.com/sixafter/semver/main/cosign.pub \
+ --signature checksums.txt.sig \
+ checksums.txt
+```
+
+If valid, Cosign will output:
+
+```shell
+Verified OK
+```
+---
+
 ## Features
 The `semver` library offers a comprehensive and efficient solution for working with Semantic Versioning 2.0.0. Key features include:
diff --git a/vendor/github.com/sixafter/semver/cosign.pub b/vendor/github.com/sixafter/semver/cosign.pub
new file mode 100644
index 0000000..4a3463f
--- /dev/null
+++ b/vendor/github.com/sixafter/semver/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVxBhUX52nbJsvcDBr8ZT2Ue/Z+Zz
+GzMx4rV+mb7q4pB50/t95ewnY3u4/Ohz5Hs7bGSuHhnhvU3l6Yms2l/6eQ==
+-----END PUBLIC KEY-----
diff --git a/vendor/modules.txt b/vendor/modules.txt index 80f3994..f23e59d 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -10,16 +10,16 @@ github.com/inconshreveable/mousetrap # github.com/pmezard/go-difflib v1.0.0 ## explicit github.com/pmezard/go-difflib/difflib -# github.com/sixafter/aes-ctr-drbg v1.9.0 +# github.com/sixafter/aes-ctr-drbg v1.10.0 ## explicit; go 1.25 github.com/sixafter/aes-ctr-drbg -# github.com/sixafter/nanoid v1.51.0 +# github.com/sixafter/nanoid v1.52.0 ## explicit; go 1.25 github.com/sixafter/nanoid -# github.com/sixafter/prng-chacha v1.5.0 +# github.com/sixafter/prng-chacha v1.6.0 ## explicit; go 1.25 github.com/sixafter/prng-chacha -# github.com/sixafter/semver v1.7.0 +# github.com/sixafter/semver v1.9.0 ## explicit; go 1.25 github.com/sixafter/semver # github.com/spf13/cobra v1.10.1