b86e0c3e8e
This commit hardens the CI/CD pipeline by addressing several security vulnerabilities. - Replaces the manual release process with `goreleaser` to streamline builds and enable artifact signing. - Pins all GitHub Actions to specific commit hashes to prevent supply chain attacks. - Enables cryptographic signing of release artifacts using `cosign` and Sigstore's keyless signing. - Adds a Dependabot configuration to automate dependency updates. - Removes excessive `contents: write` permissions from workflows. - Creates an `AUDIT-CICD.md` file to document the audit findings and remediation steps. Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
34 lines
865 B
YAML
34 lines
865 B
YAML
# This workflow will build a golang project
|
|
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
|
|
|
|
name: Go
|
|
|
|
on:
|
|
push:
|
|
pull_request:
|
|
|
|
jobs:
|
|
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb4ccbf938fde # v5.0.0
|
|
with:
|
|
go-version-file: 'go.mod'
|
|
|
|
- name: Install Task
|
|
run: go install github.com/go-task/task/v3/cmd/task@latest
|
|
|
|
- name: Build
|
|
run: ~/go/bin/task build
|
|
|
|
- name: Test
|
|
run: ~/go/bin/task test
|
|
|
|
- name: Upload coverage reports to Codecov
|
|
uses: codecov/codecov-action@e25bde834954415c4b24cc50117b342b59196b86 # v4.0.0-beta.3
|
|
with:
|
|
token: ${{ secrets.CODECOV_TOKEN }}
|