Initial CI commit.

wrmedford · wrmedford · commit 62756700b232 · 2024-12-10T16:37:02.000-07:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,45 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.23'
+          cache: true
+
+      - name: Import GPG key
+        id: import_gpg
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+
+      - name: Generate release notes
+        run: |
+          echo "# Release notes" > release-notes.txt
+          git log --pretty=format:"* %s" $(git describe --tags --abbrev=0 HEAD^)..HEAD >> release-notes.txt
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v1
+        with:
+          body_path: release-notes.txt
+          token: ${{ secrets.GITHUB_TOKEN }}
+          files: |
+            terraform-provider-pomerium_*
+        env:
+          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,28 @@
+name: Security
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 0 * * 0'
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.23'
+          cache: true
+      
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: ./internal/provider/...
+      
+      - name: Run nancy for dependency scanning
+        uses: sonatype-nexus-community/nancy-github-action@main
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,51 @@
+name: Tests
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.23'
+          cache: true
+      
+      - name: Install dependencies
+        run: go mod download
+      
+      - name: Run tests
+        run: go test -v -cover ./internal/provider/...
+      
+      - name: Run acceptance tests
+        run: |
+          go test -v ./internal/provider/... -timeout 120m
+        env:
+          TF_ACC: "1"
+          POMERIUM_API_URL: ${{ secrets.POMERIUM_API_URL }}
+          POMERIUM_API_TOKEN: ${{ secrets.POMERIUM_API_TOKEN }}
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.23'
+          cache: true
+      
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: latest
diff --git a/.golangci.yml b/.golangci.yml
@@ -0,0 +1,81 @@
+run:
+  deadline: 20m
+
+linters-settings:
+  gci:
+    custom-order: true
+    sections:
+      - standard
+      - default
+      - prefix(github.com/pomerium)
+
+linters:
+  disable-all: true
+  enable:
+    - asasalint
+    - bodyclose
+    - dogsled
+    - errcheck
+    - errorlint
+    - exportloopref
+    # - gci # https://github.com/daixiang0/gci/issues/209
+    - gocheckcompilerdirectives
+    - gofumpt
+    - goimports
+    - goprintffuncname
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - misspell
+    - nakedret
+    - nolintlint
+    - revive
+    - staticcheck
+    - stylecheck
+    - tenv
+    - unconvert
+    - unused
+    - usestdlibvars
+
+issues:
+  # List of regexps of issue texts to exclude, empty list by default.
+  # But independently from this option we use default exclude patterns,
+  # it can be disabled by `exclude-use-default: false`. To list all
+  # excluded by default patterns execute `golangci-lint run --help`
+  exclude:
+    ## Defaults we want from golangci-lint
+    # errcheck: Almost all programs ignore errors on these functions and in most cases it's ok
+    - Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked
+    - empty-block
+
+    # go sec : we want to allow skipping tls auth
+    - "TLS InsecureSkipVerify set true."
+    - "SA1019"
+
+  exclude-rules:
+    # Exclude some linters from running on test files.
+    - path: _test\.go$|^tests/|^integration/|^samples/|^internal/testutil/|templates\.go$
+      linters:
+        - bodyclose
+        - errcheck
+        - gomnd
+        - gosec
+        - lll
+        - maligned
+        - staticcheck
+        - unparam
+        - unused
+        - scopelint
+        - gosec
+        - gosimple
+    - path: internal/identity/oauth/github/github.go
+      text: "Potential hardcoded credentials"
+      linters:
+        - gosec
+    - text: "G112:"
+      linters:
+        - gosec
+    - text: "G402: TLS MinVersion too low."
+      linters:
+        - gosec
