This commit hardens the CI/CD pipeline and fixes the release process.
- Replaces the manual release process with `goreleaser` to streamline builds and enable artifact signing.
- Pins all GitHub Actions to specific commit hashes to prevent supply chain attacks.
- Enables cryptographic signing of release artifacts using `cosign` and Sigstore's keyless signing.
- Adds a Dependabot configuration to automate dependency updates.
- Removes excessive `contents: write` permissions from workflows.
- Creates an `AUDIT-CICD.md` file to document the audit findings and remediation steps.
- Fixes a build failure by adding a placeholder for a missing demo file.
- Updates the `.goreleaser.yaml` to include WASM and console assets in the release, fixing a regression from the previous release process.

This commit hardens the CI/CD pipeline by addressing several security
vulnerabilities.
- Replaces the manual release process with `goreleaser` to streamline
builds and enable artifact signing.
- Pins all GitHub Actions to specific commit hashes to prevent supply
chain attacks.
- Enables cryptographic signing of release artifacts using `cosign` and
Sigstore's keyless signing.
- Adds a Dependabot configuration to automate dependency updates.
- Removes excessive `contents: write` permissions from workflows.
- Creates an `AUDIT-CICD.md` file to document the audit findings and
remediation steps.
Co-authored-by: Snider <631881+Snider@users.noreply.github.com>

This commit updates the `.github/workflows/mkdocs.yml` file to use the latest versions of the `actions/checkout` and `actions/setup-python` actions.
Key changes:
- Upgraded `actions/checkout` from `v2` to `v4`.
- Upgraded `actions/setup-python` from `v2` to `v5`.
- Pinned the Python version to `'3.11'`.
- Added `permissions: contents: write` to the `deploy` job to ensure the workflow has the necessary permissions to publish to GitHub Pages.

This commit addresses several issues identified in a code review to improve the overall quality and robustness of the application.
Key changes include:
- Refactored `cmd.Execute()` to return an error instead of calling `os.Exit`, making the application more testable.
- Fixed critical issues in `cmd/main_test.go`, including renaming `TestMain` to avoid conflicts and removing the brittle E2E test.
- Improved the GitHub API client in `pkg/github/github.go` by:
  - Fixing a resource leak where an HTTP response body was not being closed.
  - Restoring a parameterized function to improve testability.
  - Adding support for `context.Context` and API pagination for robustness.
- Updated the `.github/workflows/go.yml` CI workflow to use the `Taskfile.yml` for building and testing, ensuring consistency.
- Added a `test` task to `Taskfile.yml`.
- Ran `go mod tidy` and fixed several unused import errors.
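The client fixes listed in the commit above (closing every response body, threading a `context.Context` through, following pagination, and returning an error from the entry point instead of calling `os.Exit`) fit together in one small program. The following is an added example written for this page, not the project's `pkg/github` code: `ListReleases` walks GitHub-style `Link` header pagination and closes each body before the next request, `Execute` returns errors for tests to assert on, and `newFakeGitHub` is a constructed in-process server with three made-up releases so the example runs offline. The repo name `example-org/example-repo` is a placeholder.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"regexp"
)

// Release is the subset of a GitHub release object this example reads.
type Release struct {
	TagName string `json:"tag_name"`
}

// nextLinkRe extracts the rel="next" URL from a GitHub-style Link header.
var nextLinkRe = regexp.MustCompile(`<([^>]+)>;\s*rel="next"`)

// ListReleases walks every page of /repos/{owner}/{repo}/releases. The
// caller's context bounds the whole walk, and each response body is closed
// before the next request is made, so no connection is leaked.
func ListReleases(ctx context.Context, client *http.Client, baseURL, owner, repo string) ([]Release, error) {
	nextURL := fmt.Sprintf("%s/repos/%s/%s/releases?per_page=2", baseURL, owner, repo)
	var all []Release
	for nextURL != "" {
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, nextURL, nil)
		if err != nil {
			return nil, err
		}
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		page, next, err := decodePage(resp)
		resp.Body.Close() // closed on every path, including decode errors
		if err != nil {
			return nil, err
		}
		all = append(all, page...)
		nextURL = next
	}
	return all, nil
}

// decodePage parses one page and returns the next-page URL, if any.
func decodePage(resp *http.Response) ([]Release, string, error) {
	if resp.StatusCode != http.StatusOK {
		return nil, "", fmt.Errorf("github: unexpected status %s", resp.Status)
	}
	var page []Release
	if err := json.NewDecoder(resp.Body).Decode(&page); err != nil {
		return nil, "", err
	}
	if m := nextLinkRe.FindStringSubmatch(resp.Header.Get("Link")); m != nil {
		return page, m[1], nil
	}
	return page, "", nil
}

// Execute is the testable entry point: it returns an error instead of calling
// os.Exit, so tests can assert on it and main alone decides the exit code.
func Execute(ctx context.Context, baseURL string) ([]Release, error) {
	rels, err := ListReleases(ctx, http.DefaultClient, baseURL, "example-org", "example-repo")
	if err != nil {
		return nil, fmt.Errorf("list releases: %w", err)
	}
	return rels, nil
}

// newFakeGitHub serves three constructed releases over two pages with a Link
// header, standing in for api.github.com so the example runs offline.
func newFakeGitHub() *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.URL.Query().Get("page") == "2" {
			fmt.Fprint(w, `[{"tag_name":"v0.1.0"}]`)
			return
		}
		w.Header().Set("Link", fmt.Sprintf(`<%s%s?per_page=2&page=2>; rel="next"`, srv.URL, r.URL.Path))
		fmt.Fprint(w, `[{"tag_name":"v0.3.0"},{"tag_name":"v0.2.0"}]`)
	}))
	return srv
}

func main() {
	srv := newFakeGitHub()
	defer srv.Close()
	rels, err := Execute(context.Background(), srv.URL)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(rels)
}
```

The body is closed explicitly right after decoding rather than with `defer` inside the loop; a deferred close in a loop only fires when the function returns, which is the shape of leak the commit describes. Because `Execute` returns the error, a test can also pass an already-cancelled context and assert that the client gave up with `context.Canceled` instead of the process exiting.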