diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml
index d0c67af..3d1532e 100644
--- a/.github/workflows/codacy.yml
+++ b/.github/workflows/codacy.yml
@@ -27,6 +27,7 @@ permissions:
 jobs:
 codacy-security-scan:
+ environment: codacy
 permissions:
 contents: read # for actions/checkout to fetch code
 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
@@ -36,7 +37,9 @@ jobs:
 steps:
 # Checkout the repository to the GitHub Actions runner
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
 - name: Run Codacy Analysis CLI
@@ -56,6 +59,6 @@ jobs:
 # Upload the SARIF file generated in the previous step
 - name: Upload SARIF results file
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@4fa3e5e9f2c3aa23d97360b89423bb24f8e2c578 # v3
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 50f87ff..2cdd05a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -57,7 +57,9 @@ jobs:
 # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 # Add any setup steps before running the `github/codeql-action/init` action.
 # This includes steps like installing compilers or runtimes (`actions/setup-node`
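Review bot: `environment: codacy` is added to the scan job without any comment saying why, so the next maintainer cannot tell whether it exists to scope a secret to environment-level secrets or to put the job behind protection rules, and the environment itself has to exist in the repository settings or the job will never start. Presumably it carries the Codacy token the CLI step reads further down (outside this hunk) — confirm and record it inline: `environment: codacy # environment-scoped secrets and protection rules apply to this job; must exist under Settings > Environments`. If the workflow also runs on pull_request triggers, protection rules on the environment will gate those runs too, which is worth stating in the same comment.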
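Review bot: The `# v4` comment on the pinned checkout SHA names only the floating major tag, so it cannot be checked against the release the SHA actually is and goes silently stale when the SHA is bumped; annotate with the full tag the SHA resolves to, `# vX.Y.Z` (fill from the action's release list), which is also the form Dependabot and Renovate keep in sync with the hash. The same applies to the upload-sarif pin in the next hunk, the three codeql-action pins in codeql.yml, the setup-go pin in power-ci.yaml and the checkout, setup-go, buildx, login and goreleaser pins in release.yml; setup-qemu-action in release.yml already does it right with `# v3.6.0`. The `persist-credentials: false` addition is correct here since neither the Codacy CLI nor upload-sarif needs the checkout token.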
@@ -67,7 +69,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@4fa3e5e9f2c3aa23d97360b89423bb24f8e2c578 # v3
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
@@ -95,6 +97,6 @@ jobs:
 exit 1
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@4fa3e5e9f2c3aa23d97360b89423bb24f8e2c578 # v3
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/go-ossf-slsa3-publish.yml b/.github/workflows/go-ossf-slsa3-publish.yml
index 1509e32..8cf907a 100644
--- a/.github/workflows/go-ossf-slsa3-publish.yml
+++ b/.github/workflows/go-ossf-slsa3-publish.yml
@@ -29,9 +29,9 @@ jobs:
 id-token: write # To sign.
 contents: write # To upload release assets.
 actions: read # To read workflow path.
- uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.4.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@c027e128eb4df2eff6924c51b481c4e460a77b98 # v1.4.0
 with:
- go-version: 1.24
+ go-version: 1.26
 # =============================================================================================================
 # Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects
 # =============================================================================================================
diff --git a/.github/workflows/power-ci.yaml b/.github/workflows/power-ci.yaml
index 91f232a..a31eaf9 100644
--- a/.github/workflows/power-ci.yaml
+++ b/.github/workflows/power-ci.yaml
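Review bot: `go-version: 1.26` in go-ossf-slsa3-publish.yml stays an unquoted plain scalar, which YAML reads as a float — harmless for 1.26 but a future `1.30` would reach the builder as 1.3 — and it now duplicates the `go 1.26` directive that go.mod carries in this same commit. Quote it, `go-version: "1.26"`, or, if the v1.4.0 builder accepts the input, use `go-version-file: go.mod` as power-ci.yaml and release.yml do in this commit so the toolchain has a single source of truth. Separately, the slsa-github-generator builders have documented that the reusable workflow should be referenced by its release tag because the builder validates its own ref; confirm that an older release such as v1.4.0 accepts the `@c027e128…` SHA reference before relying on it, and keep `@v1.4.0` if it does not.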
@@ -15,12 +15,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
 - name: Set up Go
- uses: actions/setup-go@v4
+ uses: actions/setup-go@41dfa10ca2ca416f9bf1cf0b1e92d381cdfe9d0c # v4
 with:
- go-version: 1.22
+ go-version-file: go.mod
 - name: Install QEMU
 run: sudo apt-get install -y qemu-user-static
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 772528c..17f97fc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,32 +13,35 @@ permissions:
 jobs:
 release:
 runs-on: ubuntu-latest
+ environment: release
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@41dfa10ca2ca416f9bf1cf0b1e92d381cdfe9d0c # v5
 with:
- go-version: '1.24'
-
+ go-version-file: go.mod
+ cache: false
+
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@aa996a7d1628d12b2b5113c9e758b29c16ceb4e7 # v3
 - name: Log in to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@e92390c5fb421da1463c202d5462070b0807fba9 # v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Run GoReleaser
- uses: goreleaser/goreleaser-action@v6
+ uses: goreleaser/goreleaser-action@9ed3f94e3ebe6a567a665a8183f81b141d833663 # v6
 with:
 version: latest
 args: release --clean
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..192ab0b
--- /dev/null
+++ b/.pre-commit-config.yaml
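Review bot: The setup-go pin in power-ci.yaml is annotated `# v4`, but release.yml in this same commit pins the identical SHA `41dfa10ca2ca416f9bf1cf0b1e92d381cdfe9d0c` as `# v5`; a commit belongs to exactly one release, so one of the two comments is wrong. Since release.yml was on `@v5` before this change and power-ci.yaml was on `@v4`, the `# v4` here is most likely the stale one and this line is in fact a major-version bump of setup-go that the commit message should mention; correct it to the tag the SHA resolves to, `# vX.Y.Z` (fill from the action's releases). The checkout line in the same hunk is also a v3→v4 major bump, which `persist-credentials: false` and the SHA pin handle well but which deserves the same mention.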
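Review bot: `cache: false` on setup-go in release.yml has no comment explaining why the module cache is disabled only here, which reads as accidental next to power-ci.yaml where the same action keeps its default in this commit. If the intent is to keep a restorable cache out of the job that signs and publishes artifacts — the usual reason, and what zizmor's cache-poisoning audit flags for release-triggered workflows — state it inline: `cache: false # no cache restore in the publishing job: a tampered cache entry could end up in the release`. The blank line between `cache: false` and the QEMU step is removed and re-added, which normally means one of the two versions carries trailing whitespace; confirm the new one is truly empty. Note that `persist-credentials: false` together with `fetch-depth: 0` is fine for GoReleaser's tag/history lookup, as long as the token it needs for publishing is supplied through its own `env` (outside this hunk).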
@@ -0,0 +1,8 @@
+repos:
+ # zizmor - Security linter for GitHub Actions
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ # pinned to last version [ea2eb407b4cbce87cf0d502f36578950494f5ac9]
+ rev: ea2eb407b4cbce87cf0d502f36578950494f5ac9
+ hooks:
+ - id: zizmor
+ # zizmor finds security issues in GitHub Actions workflows
diff --git a/LICENSE b/LICENSE
index 2d4913a..bb6ecce 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,7 @@
 GNU AFFERO GENERAL PUBLIC LICENSE
 Version 3, 19 November 2007
+
 Copyright (C) 2007 Free Software Foundation, Inc.
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
diff --git a/go.mod b/go.mod
index da1f365..9b19152 100644
--- a/go.mod
+++ b/go.mod
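Review bot: The comment `# pinned to last version [ea2eb407b4cbce87cf0d502f36578950494f5ac9]` in the new .pre-commit-config.yaml only repeats the `rev:` value directly beneath it, and "last version" is a moving target that says nothing once a newer release exists. Replace it with the release tag the commit corresponds to so reviewers and `pre-commit autoupdate` can cross-check the hash against a release: `# zizmor-pre-commit vX.Y.Z (fill from the repo's release list); hash-pinned`. The trailing `# zizmor finds security issues in GitHub Actions workflows` comment duplicates the header comment two lines above and can be dropped, and yamllint's document-start rule would want the file to open with `---`.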
@@ -1,24 +1,24 @@
 module github.com/x-stp/rxtls
-go 1.24.2
+go 1.26
 require (
- github.com/prometheus/client_golang v1.22.0
- github.com/spf13/cobra v1.9.1
- github.com/zeebo/xxh3 v1.0.2
- golang.org/x/sys v0.33.0
- golang.org/x/time v0.11.0
+ github.com/prometheus/client_golang v1.23.2
+ github.com/spf13/cobra v1.10.2
+ github.com/zeebo/xxh3 v1.1.0
+ golang.org/x/sys v0.42.0
+ golang.org/x/time v0.15.0
 )
 require (
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/cespare/xxhash/v2 v2.3.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
- github.com/klauspost/cpuid/v2 v2.0.9 // indirect
+ github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
- github.com/prometheus/client_model v0.6.1 // indirect
- github.com/prometheus/common v0.62.0 // indirect
- github.com/prometheus/procfs v0.15.1 // indirect
- github.com/spf13/pflag v1.0.6 // indirect
- google.golang.org/protobuf v1.36.5 // indirect
+ github.com/prometheus/client_model v0.6.2 // indirect
+ github.com/prometheus/common v0.66.1 // indirect
+ github.com/prometheus/procfs v0.16.1 // indirect
+ github.com/spf13/pflag v1.0.10 // indirect
+ google.golang.org/protobuf v1.36.8 // indirect
 )