Merge pull request #13 from akoserwal/add-github-workflows

fix go lint issues and add github workflow

.github/dependabot.yml

@@ -0,0 +1,19 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: 'gomod' # to check go dependencies
+    directory: '/'
+    schedule:
+      interval: 'daily' # runs MO to FR
+  - package-ecosystem: "docker" # to check versions used in Dockerfile
+    directory: "/"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "github-actions" # to check versions of github actions we use
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/pull_request_template.md

@@ -0,0 +1,31 @@
+### PR Template:
+
+## Describe your changes
+
+- ...
+
+## Ticket reference (if applicable)
+Fixes #
+
+## Checklist
+
+* [ ] Are the agreed upon acceptance criteria fulfilled?
+
+* [ ] Was the 4-eye-principle applied? (async PR review, pairing, ensembling)
+
+* [ ] Do your changes have passing automated tests and sufficient observability?
+
+* [ ] Are the work steps you introduced repeatable by others, either through automation or documentation?
+  * [ ] If automation is possible but not done due to other constraints, a ticket to the tech debt sprint is added
+  * [ ] An SOP (Standard Operating Procedure) was created
+
+* [ ] The Changes were automatically built, tested, and  - if needed, behind a feature flag - deployed to our production environment. (**Please check this when the new deployment is done and you could verify it.**)
+
+* [ ] Are the agreed upon coding/architectural practices applied?
+
+* [ ] Are security needs fullfilled? (e.g. no internal URL)
+
+* [ ] Is the corresponding Ticket in the right state? (should be on "review" now, put to done when this change made it to production)
+
+* [ ] For changes to the public API / code dependencies: Was the whole team (or a sufficient amount of ppl) able to review?
+

.github/workflows/build-test.yml

@@ -0,0 +1,29 @@
+name: CI Build and Test
+
+on:
+  workflow_call:
+  pull_request:
+    branches: ['main']
+
+concurrency:
+  # Cancel in-progress runs on PR update
+  group: ci-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build-and-test:
+    name: Build & run tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.22.x'
+          cache: true
+      - name: Install dependencies
+        run: go get ./...
+      - name: Build
+        run: go build -tags release -v ./...
+      - name: Test
+        run: go test -v ./...

.github/workflows/codeql.yml

@@ -0,0 +1,86 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL analysis"
+
+on:
+  push:
+    branches: [ "main"]
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
+    # do not run on md- or txt-only file changes
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
+    # do not run on md- or txt-only file changes
+  schedule:
+    - cron: '0 0 * * *'
+  # ^ also scan every 24h at 12am because even if the code didn't change, the database may have changed.
+
+jobs:
+  analyze:
+    name: Analyze code via CodeQL
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
+        # Use only 'java' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+
+      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #     echo "Run, Build Application using script"
+      #     ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/golangci-lint.yml

@@ -0,0 +1,22 @@
+name: golangci-lint
+on:
+  push:
+    branches: [ 'main' ]
+  pull_request:
+    branches: [ 'main' ]
+permissions:
+  contents: read
+jobs:
+  golangci-lint:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.22.x'
+      - uses: actions/checkout@v4
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
+          version: latest

.github/workflows/pull-request.yml

@@ -0,0 +1,17 @@
+name: buf-pull-request
+on: pull_request
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: bufbuild/buf-setup-action@v1
+      - uses: bufbuild/buf-lint-action@v1
+        with:
+          input: "api"
+      - uses: bufbuild/buf-breaking-action@v1
+        with:
+          input: "api"
+          against: "https://github.com/${GITHUB_REPOSITORY}.git#branch=main"
+
+

.github/workflows/push.yml

@@ -0,0 +1,23 @@
+name: buf-push
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: bufbuild/buf-setup-action@v1
+      - uses: bufbuild/buf-lint-action@v1
+        with:
+          input: "api"
+      - uses: bufbuild/buf-breaking-action@v1
+        with:
+          input: "api"
+          against: "https://github.com/${GITHUB_REPOSITORY}.git#branch=main,ref=HEAD~1"
+      - uses: bufbuild/buf-push-action@v1
+        with:
+          input: "api"
+          buf_token: ${{ secrets.BUF_TOKEN }}

.github/workflows/security-scanning.yml

@@ -0,0 +1,49 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# The default values used in the docker build commands are the root
+# directory '.' and the dockerfile name of 'Dockerfile'. If there is 
+# a need to change these do so in your local workflow template (this file) and
+# change them there. HINT: Look at the bottom of this file.
+
+# This workflow checks out code, builds an image, performs a container image
+# vulnerability scan with Anchore's Grype tool, and generates an
+# SBOM via Anchore's Syft tool
+
+# For more information on Anchore's container image scanning tool Grype, see
+# https://github.com/anchore/grype
+
+# For more information about the Anchore SBOM tool, Syft, see
+# https://github.com/anchore/syft
+
+name: ConsoleDot Platform Security Scan
+
+on:
+  push:
+    branches: [ "main", "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main", "master" ]
+
+jobs:
+  PlatSec-Security-Workflow:
+    uses: RedHatInsights/platform-security-gh-workflow/.github/workflows/platsec-security-scan-reusable-workflow.yml@master
+    ## The optional parameters below are used if you are using something other than the
+    ## the defaults of root '.' for the path and 'Dockerfile' for the Dockerfile name.
+    ## Additionally, if you have a Dockerfile you use as your BASE_IMG or you need to
+    ## use '--build-arg', those can be define below as well.
+
+    # with:
+    #   dockerbuild_path: './buildtest'
+    #   dockerfile_path: './test'
+    #   dockerfile_name: 'Dockerfile.main'
+    #   base_image_build: true
+    #   base_dockerbuild_path: './testbuild.base'
+    #   base_dockerfile_path: './test'
+    #   base_dockerfile_name: 'Dockerfile.base'
+    #   build_arg: '--build-arg BASE_IMAGE="localbuild/baseimage:latest"'
+    #   only_fixed: true
+    #   fail_on_vulns: true
+    #   severity_fail_cutoff: high

cmd/root.go

@@ -74,15 +74,22 @@ func init() {
 
 	configHelp := fmt.Sprintf("config file (default is $PWD/.%s.yaml)", Name)
 	rootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", configHelp)
-	viper.BindPFlag("config", rootCmd.PersistentFlags().Lookup("config"))
-
+	err := viper.BindPFlag("config", rootCmd.PersistentFlags().Lookup("config"))
+	if err != nil {
+		panic(err)
+	}
 	migrateCmd := migrate.NewCommand(options.Storage, log.With(rootLog, "group", "storage"))
 	rootCmd.AddCommand(migrateCmd)
-	viper.BindPFlags(migrateCmd.Flags())
-
+	err = viper.BindPFlags(migrateCmd.Flags())
+	if err != nil {
+		panic(err)
+	}
 	serveCmd := serve.NewCommand(options.Server, options.Storage, options.Authn, options.Authz, options.Eventing, log.With(rootLog, "group", "server"))
 	rootCmd.AddCommand(serveCmd)
-	viper.BindPFlags(serveCmd.Flags())
+	err = viper.BindPFlags(serveCmd.Flags())
+	if err != nil {
+		panic(err)
+	}
 }
 
 // initConfig reads in config file and ENV variables if set.
@@ -125,5 +132,8 @@ func initConfig() {
 	}
 
 	// put the values into the options struct.
-	viper.Unmarshal(&options)
+	err := viper.Unmarshal(&options)
+	if err != nil {
+		panic(err)
+	}
 }

internal/authn/api/authenticator.go

@@ -10,8 +10,8 @@ type Decision string
 
 const (
 	Allow  Decision = "ALLOW"
-	Deny            = "DENY"
-	Ignore          = "IGNORE"
+	Deny   Decision = "DENY"
+	Ignore Decision = "IGNORE"
 )
 
 type Authenticator interface {

internal/authn/clientcert/client-cert.go

@@ -22,9 +22,9 @@ func New() *ClientCertAuthenticator {
 func (a *ClientCertAuthenticator) Authenticate(ctx context.Context, t transport.Transporter) (*api.Identity, api.Decision) {
 	var cert *x509.Certificate
 
-	switch t.(type) {
+	switch t := t.(type) {
 	case *khttp.Transport:
-		tr, _ := t.(*khttp.Transport)
+		tr := t
 		r := tr.Request()
 
 		if r.TLS == nil {

internal/authn/oidc/oidc.go

@@ -54,7 +54,10 @@ func (o *OAuth2Authenticator) Authenticate(ctx context.Context, t transport.Tran
 	// TODO: make JWT claim fields configurable
 	// extract the claims we care about
 	u := &Claims{}
-	tok.Claims(u)
+	err = tok.Claims(u)
+	if err != nil {
+		return nil, api.Deny
+	}
 	if u.Id == "" {
 		return nil, api.Deny
 	}

internal/authz/kessel/kessel.go

@@ -33,9 +33,9 @@ func (a *KesselAuthz) Check(ctx context.Context, r *kessel.CheckRequest) (*kesse
 }
 
 func (a *KesselAuthz) CreateTuples(ctx context.Context, r *kessel.CreateTuplesRequest) (*kessel.CreateTuplesResponse, error) {
-	return a.CreateTuples(ctx, r)
+	return a.TupleService.CreateTuples(ctx, r)
 }
 
 func (a *KesselAuthz) DeleteTuples(ctx context.Context, r *kessel.DeleteTuplesRequest) (*kessel.DeleteTuplesResponse, error) {
-	return a.DeleteTuples(ctx, r)
+	return a.TupleService.DeleteTuples(ctx, r)
 }

internal/data/hosts/hosts.go

@@ -51,7 +51,10 @@ func (r *hostsRepo) Save(ctx context.Context, model *biz.Host) (*biz.Host, error
 			ResourceType: biz.ResourceType,
 			Object:       model,
 		}
-		producer.Produce(ctx, evt)
+		err = producer.Produce(ctx, evt)
+		if err != nil {
+			return nil, err
+		}
 	}
 	return model, nil
 }

internal/data/notificationsintegrations/notificationsintegrations.go

@@ -51,7 +51,10 @@ func (r *notificationsIntegrationsRepo) Save(ctx context.Context, model *biz.Not
 			ResourceType: biz.ResourceType,
 			Object:       model,
 		}
-		producer.Produce(ctx, evt)
+		err = producer.Produce(ctx, evt)
+		if err != nil {
+			return nil, err
+		}
 	}
 	return model, nil
 }