chore: checksum validation, dep upgrades, consistent lint rules (#85)

.github/renovate.json

@@ -1,6 +1,7 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "local>go-vela/renovate-config"
+    "local>go-vela/renovate-config",
+    "customManagers:dockerfileVersions"
   ]
 }

.golangci.yml

@@ -8,7 +8,10 @@
 # outputs it results from the linters it executes.
 output:
   # colored-line-number|line-number|json|tab|checkstyle|code-climate, default is "colored-line-number"
-  format: colored-line-number
+  formats:
+    - format: json
+      path: stderr
+    - format: colored-line-number
 
   # print lines of code with issue, default is true
   print-issued-lines: true
@@ -32,6 +35,18 @@ linters-settings:
     lines: 160
     statements: 70
 
+  # https://github.com/daixiang0/gci
+  # ensure import order is consistent
+  # gci write --custom-order -s standard -s default -s blank -s dot -s "prefix(github.com/go-vela)" .
+  gci:
+    custom-order: true
+    sections:
+      - standard
+      - default
+      - blank
+      - dot
+      - prefix(github.com/go-vela)
+
   # https://github.com/denis-tingaikin/go-header
   goheader:
     template: |-
@@ -43,9 +58,9 @@ linters-settings:
 
   # https://github.com/golangci/golangci-lint/blob/master/pkg/golinters/nolintlint
   nolintlint:
-    allow-unused: false           # allow nolint directives that don't address a linting issue
-    require-explanation: true     # require an explanation for nolint directives
-    require-specific: true        # require nolint directives to be specific about which linter is being skipped
+    allow-unused: false # allow nolint directives that don't address a linting issue
+    require-explanation: true # require an explanation for nolint directives
+    require-specific: true # require nolint directives to be specific about which linter is being skipped
 
 # This section provides the configuration for which linters
 # golangci will execute. Several of them were disabled by
@@ -56,46 +71,43 @@ linters:
 
   # enable a specific set of linters to run
   enable:
-    - bidichk             # checks for dangerous unicode character sequences
-    - bodyclose           # checks whether HTTP response body is closed successfully
-    - contextcheck        # check the function whether use a non-inherited context
-    - deadcode            # finds unused code
-    - dupl                # code clone detection
-    - errcheck            # checks for unchecked errors
-    - errorlint           # find misuses of errors
-    - exportloopref       # check for exported loop vars
-    - funlen              # detects long functions
-    - goconst             # finds repeated strings that could be replaced by a constant
-    - gocyclo             # computes and checks the cyclomatic complexity of functions
-    - godot               # checks if comments end in a period
-    - gofmt               # checks whether code was gofmt-ed
-    - goheader            # checks is file header matches to pattern
-    - goimports           # fixes imports and formats code in same style as gofmt
-    - gomoddirectives     # manage the use of 'replace', 'retract', and 'excludes' directives in go.mod
-    - goprintffuncname    # checks that printf-like functions are named with f at the end
-    - gosec               # inspects code for security problems
-    - gosimple            # linter that specializes in simplifying a code
-    - govet               # reports suspicious constructs, ex. Printf calls whose arguments don't align with the format string
-    - ineffassign         # detects when assignments to existing variables aren't used
-    - makezero            # finds slice declarations with non-zero initial length
-    - misspell            # finds commonly misspelled English words in comments
-    - nakedret            # finds naked returns in functions greater than a specified function length
-    - nilerr              # finds the code that returns nil even if it checks that the error is not nil
-    - noctx               # noctx finds sending http request without context.Context
-    - nolintlint          # reports ill-formed or insufficient nolint directives
-    - revive              # linter for go
-    - staticcheck         # applies static analysis checks, go vet on steroids
-    - structcheck         # finds unused struct fields
-    - stylecheck          # replacement for golint
-    - tenv                # analyzer that detects using os.Setenv instead of t.Setenv since Go1.17
-    - typecheck           # parses and type-checks go code, like the front-end of a go compiler
-    - unconvert           # remove unnecessary type conversions
-    - unparam             # reports unused function parameters
-    - unused              # checks for unused constants, variables, functions and types
-    - varcheck            # finds unused global variables and constants
-    - whitespace          # detects leading and trailing whitespace
-    - wsl                 # forces code to use empty lines
-
+    - bidichk # checks for dangerous unicode character sequences
+    - bodyclose # checks whether HTTP response body is closed successfully
+    - contextcheck # check the function whether use a non-inherited context
+    - dupl # code clone detection
+    - errcheck # checks for unchecked errors
+    - errorlint # find misuses of errors
+    - exportloopref # check for exported loop vars
+    - funlen # detects long functions
+    - gci # consistent import ordering
+    - goconst # finds repeated strings that could be replaced by a constant
+    - gocyclo # computes and checks the cyclomatic complexity of functions
+    - godot # checks if comments end in a period
+    - gofmt # checks whether code was gofmt-ed
+    - goheader # checks is file header matches to pattern
+    - gomoddirectives # manage the use of 'replace', 'retract', and 'excludes' directives in go.mod
+    - goprintffuncname # checks that printf-like functions are named with f at the end
+    - gosec # inspects code for security problems
+    - gosimple # linter that specializes in simplifying a code
+    - govet # reports suspicious constructs, ex. Printf calls whose arguments don't align with the format string
+    - ineffassign # detects when assignments to existing variables aren't used
+    - makezero # finds slice declarations with non-zero initial length
+    - misspell # finds commonly misspelled English words in comments
+    - nakedret # finds naked returns in functions greater than a specified function length
+    - nilerr # finds the code that returns nil even if it checks that the error is not nil
+    - noctx # noctx finds sending http request without context.Context
+    - nolintlint # reports ill-formed or insufficient nolint directives
+    - revive # linter for go
+    - staticcheck # applies static analysis checks, go vet on steroids
+    - stylecheck # replacement for golint
+    - tenv # analyzer that detects using os.Setenv instead of t.Setenv since Go1.17
+    - typecheck # parses and type-checks go code, like the front-end of a go compiler
+    - unconvert # remove unnecessary type conversions
+    - unparam # reports unused function parameters
+    - unused # checks for unused constants, variables, functions and types
+    - whitespace # detects leading and trailing whitespace
+    - wsl # forces code to use empty lines
+
   # static list of linters we know golangci can run but we've
   # chosen to leave disabled for now
   # - asciicheck          - non-critical
@@ -108,21 +120,21 @@ linters:
   # - exhaustivestruct    - style preference
   # - forbidigo           - unused
   # - forcetypeassert     - unused
-  # - gci                 - use goimports
   # - gochecknoinits      - unused
   # - gochecknoglobals    - global variables allowed
-  # - gocognit            - unused complexity metric 
+  # - gocognit            - unused complexity metric
   # - gocritic            - style preference
   # - godox               - to be used in the future
   # - goerr113            - to be used in the future
+  # - goimports           - use gci
   # - golint              - archived, replaced with revive
   # - gofumpt             - use gofmt
   # - gomnd               - get too many false-positives
   # - gomodguard          - unused
   # - ifshort             - use both styles
   # - ireturn             - allow interfaces to be returned
   # - importas            - want flexibility with naming
-  # - lll                 - not too concerned about line length 
+  # - lll                 - not too concerned about line length
   # - interfacer          - archived
   # - nestif              - non-critical
   # - nilnil              - style preference
@@ -131,7 +143,7 @@ linters:
   # - paralleltest        - false-positives
   # - prealloc            - don't use
   # - predeclared         - unused
-  # - promlinter          - style preference 
+  # - promlinter          - style preference
   # - rowserrcheck        - unused
   # - scopelint           - deprecated - replaced with exportloopref
   # - sqlclosecheck       - unused
@@ -154,3 +166,5 @@ issues:
         - funlen
         - goconst
         - gocyclo
+        - wsl
+

Dockerfile

@@ -3,21 +3,27 @@
 # set a global Docker argument for the default CLI version
 #
 # https://github.com/moby/moby/issues/37345
+# renovate: datasource=github-tags depName=gohugoio/hugo extractVersion=^v(?<version>.*)$
 ARG HUGO_VERSION=0.115.4
 
 ##########################################################################
 ##    docker build --no-cache --target binary -t vela-hugo:binary .     ##
 ##########################################################################
 
-FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 as binary
+FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 AS binary
 
 ARG HUGO_VERSION
 
-ADD https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_${HUGO_VERSION}_Linux-64bit.tar.gz  /tmp/hugo.tar.gz
- 
-RUN tar -xzf /tmp/hugo.tar.gz -C /bin
+ENV HUGO_RELEASE_URL="https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}"
+ENV HUGO_FILENAME="hugo_${HUGO_VERSION}_linux-amd64.tar.gz"
+ENV HUGO_CHECKSUM_FILENAME="hugo_${HUGO_VERSION}_checksums.txt"
 
-RUN chmod 0700 /bin/hugo
+RUN wget -q "${HUGO_RELEASE_URL}/${HUGO_FILENAME}" -O "${HUGO_FILENAME}" && \
+  wget -q "${HUGO_RELEASE_URL}/${HUGO_CHECKSUM_FILENAME}" -O "${HUGO_CHECKSUM_FILENAME}" && \
+  grep "${HUGO_FILENAME}" "${HUGO_CHECKSUM_FILENAME}" | sha256sum -c && \
+  tar -xf "${HUGO_FILENAME}" && \
+  mv hugo /bin/hugo && \
+  chmod 0700 /bin/hugo
 
 ########################################################
 ##    docker build --no-cache -t vela-hugo:local .    ##

cmd/vela-hugo/hugo.go

@@ -17,6 +17,7 @@ const (
 	_hugo     = "/bin/hugo"
 	_hugoTmp  = "/bin/download"
 	_download = "https://github.com/gohugoio/hugo/releases/download/v%s/%s_%s_%s-%s.tar.gz"
+	_checksum = "https://github.com/gohugoio/hugo/releases/download/v%s/%s_%s_checksums.txt"
 )
 
 func install(extendedBinary bool, customVer, defaultVer string) error {
@@ -27,35 +28,9 @@ func install(extendedBinary bool, customVer, defaultVer string) error {
 
 	// setup vars for building the _download url
 	//   based off of https://github.com/gohugoio/hugo/releases for the naming convention
-	var (
-		binary   = "hugo"
-		osName   string
-		archType string
-	)
-
-	switch runtime.GOOS {
-	case "darwin":
-		osName = "macOS"
-	case "linux":
-		osName = "Linux"
-	case "windows":
-		osName = "Windows"
-	default:
-		osName = "unsupported"
-	}
-
-	switch runtime.GOARCH {
-	case "amd64":
-		archType = "64bit"
-	case "arm64":
-		archType = "arm64"
-	case "arm":
-		archType = "arm"
-	case "386":
-		archType = "32bit"
-	default:
-		archType = "unsupported"
-	}
+	binary := "hugo"
+	osName := runtime.GOOS
+	archType := runtime.GOARCH
 
 	// change the binary file name
 	// if the extended version for Sass/SCSS support
@@ -105,7 +80,7 @@ func install(extendedBinary bool, customVer, defaultVer string) error {
 	// a "fat" universal binary
 	//
 	// see notes here: https://github.com/gohugoio/hugo/releases/tag/v0.102.0
-	if osName == "macOS" && ver.Minor() > uint64(101) {
+	if osName == "darwin" && ver.Minor() > uint64(101) {
 		archType = "universal"
 	}
 
@@ -119,10 +94,12 @@ func install(extendedBinary bool, customVer, defaultVer string) error {
 
 	// create the download URL to install hugo - https://github.com/gohugoio/hugo/releases
 	url := fmt.Sprintf(_download, verWithoutV, binary, verWithoutV, osName, archType)
+	checksumURL := fmt.Sprintf(_checksum, verWithoutV, binary, verWithoutV)
+	fullURL := fmt.Sprintf("%s?checksum=file:%s", url, checksumURL)
 
-	logrus.Infof("downloading hugo version from: %s", url)
+	logrus.Infof("downloading hugo version from: %s", fullURL)
 	// send the HTTP request to install hugo
-	err = getter.Get(_hugoTmp, url, []getter.ClientOption{}...)
+	err = getter.Get(_hugoTmp, fullURL, []getter.ClientOption{}...)
 	if err != nil {
 		return err
 	}

cmd/vela-hugo/main.go

@@ -6,15 +6,14 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
-
 	"time"
 
-	"github.com/go-vela/vela-hugo/version"
-
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
 
 	_ "github.com/joho/godotenv/autoload"
+
+	"github.com/go-vela/vela-hugo/version"
 )
 
 func main() {

go.mod

@@ -29,7 +29,7 @@ require (
 	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
-	github.com/hashicorp/go-version v1.6.0 // indirect
+	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/klauspost/compress v1.15.11 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect

go.sum

@@ -340,8 +340,9 @@ github.com/hashicorp/go-getter v1.7.6 h1:5jHuM+aH373XNtXl9TNTUH5Qd69Trve11tHIrB+
 github.com/hashicorp/go-getter v1.7.6/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744=
 github.com/hashicorp/go-safetemp v1.0.0 h1:2HR189eFNrjHQyENnQMMpCiBAsRxzbTMIgBhEyExpmo=
 github.com/hashicorp/go-safetemp v1.0.0/go.mod h1:oaerMy3BhqiTbVye6QuFhFtIceqFoDHxNAB65b+Rj1I=
-github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
 github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
+github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=

version/version.go

@@ -6,11 +6,10 @@ import (
 	"fmt"
 	"runtime"
 
-	"github.com/go-vela/types/version"
-
 	"github.com/Masterminds/semver/v3"
-
 	"github.com/sirupsen/logrus"
+
+	"github.com/go-vela/types/version"
 )
 
 var (