fix: govulncheck, semgrep & ruleguard scan/fixes (#544)

* chore: added some scan jobs Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com> * fix: version Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com> * chore: dispatch Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com> * fix: ruleguard and semgrep issues * fix: syntax * fix: skip-go-installation no longer a valid option Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
goreleaser · Sep 12, 2022 · 92d4dc2 · 92d4dc2
1 parent 437d9ef
commit 92d4dc2
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 47 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -8,11 +8,21 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
+  govulncheck:
+    uses: caarlos0/meta/.github/workflows/govulncheck.yml@main
+  semgrep:
+    uses: caarlos0/meta/.github/workflows/semgrep.yml@main
+  ruleguard:
+    uses: caarlos0/meta/.github/workflows/ruleguard.yml@main
   unit-tests:
     strategy:
       matrix:
-        go-version: [ 1.19 ]
         os: [ ubuntu-latest, macos-latest, windows-latest ]
     runs-on: ${{ matrix.os }}
     steps:
@@ -21,18 +31,11 @@ jobs:
           fetch-depth: 0
       - uses: actions/setup-go@v3
         with:
-          go-version: ${{ matrix.go-version }}
+          go-version: '~1.19'
+          cache: true
       - uses: arduino/setup-task@v1
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/cache@v3
-        with:
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
       - name: setup-tparse
         run: go install github.com/mfridman/tparse@latest
       - run: task setup
@@ -43,10 +46,9 @@ jobs:
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           file: ./coverage.txt
-  Acceptance-Tests:
+  acceptance-tests:
     strategy:
       matrix:
-        go-version: [ 1.19 ]
         pkgFormat: [ deb, rpm, apk ]
         pkgPlatform: [ amd64, arm64, 386, ppc64le, armv6, armv7, s390x ]
     runs-on: ubuntu-latest
@@ -57,18 +59,11 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v3
         with:
-          go-version: ${{ matrix.go-version }}
+          go-version: '~1.19'
+          cache: true
       - uses: arduino/setup-task@v1
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/cache@v3
-        with:
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
       - uses: docker/setup-qemu-action@v2
       - uses: docker/setup-buildx-action@v2
       - run: task setup
@@ -79,9 +74,6 @@ jobs:
         env:
           TEST_PATTERN: "/${{ matrix.pkgFormat }}/${{ matrix.pkgPlatform }}/"
   goreleaser:
-    strategy:
-      matrix:
-        go-version: [ 1.19 ]
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/')
     needs:
@@ -97,18 +89,11 @@ jobs:
           fetch-depth: 0
       - uses: actions/setup-go@v3
         with:
-          go-version: ${{ matrix.go-version }}
+          go-version: '~1.19'
+          cache: true
       - uses: arduino/setup-task@v1
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/cache@v3
-        with:
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
       - uses: sigstore/cosign-installer@v2.5.1
       - uses: anchore/sbom-action/download-syft@v0.12.0
       - uses: docker/setup-qemu-action@v2

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -18,7 +18,4 @@ jobs:
         with:
           go-version: ~1.19
       - uses: actions/checkout@v3
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
-        with:
-          skip-go-installation: true
+      - uses: golangci/golangci-lint-action@v3
diff --git a/apk/apk.go b/apk/apk.go
@@ -170,11 +170,7 @@ func writeFile(tw *tar.Writer, header *tar.Header, file io.Reader) error {
 	}
 
 	_, err = io.Copy(tw, file)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return err
 }
 
 type tarKind int

diff --git a/deb/deb.go b/deb/deb.go
@@ -490,7 +490,7 @@ func createChangelogInsideDataTar(tarw *tar.Writer, md5w io.Writer,
 		return 0, err
 	}
 
-	if _, err = out.Write([]byte(changelogContent)); err != nil {
+	if _, err = io.WriteString(out, changelogContent); err != nil {
 		return 0, err
 	}
 

diff --git a/internal/glob/glob.go b/internal/glob/glob.go
@@ -4,6 +4,7 @@ package glob
 import (
 	"errors"
 	"fmt"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"strings"
@@ -81,7 +82,7 @@ func Glob(pattern, dst string, ignoreMatchers bool) (map[string]string, error) {
 	files := make(map[string]string)
 	prefix := pattern
 	// the prefix may not be a complete path or may use glob patterns, in that case use the parent directory
-	if _, err := os.Stat(prefix); os.IsNotExist(err) || (fileglob.ContainsMatchers(pattern) && !ignoreMatchers) {
+	if _, err := os.Stat(prefix); errors.Is(err, fs.ErrNotExist) || (fileglob.ContainsMatchers(pattern) && !ignoreMatchers) {
 		prefix = filepath.Dir(longestCommonPrefix(matches))
 	}
 

diff --git a/nfpm.go b/nfpm.go
@@ -3,8 +3,10 @@
 package nfpm
 
 import (
+	"errors"
 	"fmt"
 	"io"
+	"io/fs"
 	"os"
 	"sync"
 
@@ -227,7 +229,7 @@ func (i *Info) Validate() error {
 func (i *Info) GetChangeLog() (log *chglog.PackageChangeLog, err error) {
 	// if the file does not exist chglog.Parse will just silently
 	// create an empty changelog but we should notify the user instead
-	if _, err = os.Stat(i.Changelog); os.IsNotExist(err) {
+	if _, err = os.Stat(i.Changelog); errors.Is(err, fs.ErrNotExist) {
 		return nil, err
 	}
 

diff --git a/nfpm_test.go b/nfpm_test.go
@@ -3,6 +3,7 @@ package nfpm_test
 import (
 	"fmt"
 	"io"
+	"net/mail"
 	"os"
 	"reflect"
 	"strings"
@@ -270,9 +271,16 @@ func TestOptionsFromEnvironment(t *testing.T) {
 		os.Clearenv()
 		os.Setenv("GIT_COMMITTER_NAME", packager)
 		os.Setenv("GIT_COMMITTER_EMAIL", maintainerEmail)
-		info, err := nfpm.Parse(strings.NewReader("name: foo\nmaintainer: $GIT_COMMITTER_NAME <$GIT_COMMITTER_EMAIL>"))
+		info, err := nfpm.Parse(strings.NewReader(`
+name: foo
+maintainer: '"$GIT_COMMITTER_NAME" <$GIT_COMMITTER_EMAIL>'
+`))
 		require.NoError(t, err)
-		require.Equal(t, fmt.Sprintf("%s <%s>", packager, maintainerEmail), info.Maintainer)
+		addr := mail.Address{
+			Name:    packager,
+			Address: maintainerEmail,
+		}
+		require.Equal(t, addr.String(), info.Maintainer)
 	})
 
 	t.Run("vendor", func(t *testing.T) {