Merge pull request #29 from fluxcd/ci-scan

ci: Setup dependabot and govulncheck

Author: stefanprodan

.github/dependabot.yaml

@@ -0,0 +1,12 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    labels: ["dependencies"]
+    groups:
+      actions:
+        patterns:
+          - "*"
+    schedule:
+      interval: "monthly"

.github/workflows/scan.yml

@@ -0,0 +1,24 @@
+name: scan
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 6 * * 1'
+
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Setup Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: 1.26.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
+      - name: Scan
+        run: make scan

.github/workflows/test.yml

@@ -4,7 +4,7 @@ on:
   workflow_dispatch:
   push:
     branches:
-      - '*'
+      - main
   pull_request:
 
 jobs:

Makefile

@@ -15,28 +15,34 @@ SHELL = /usr/bin/env bash -o pipefail
 .SHELLFLAGS = -ec
 
 .PHONY: all
-all: tidy vet fmt lint test
+all: tidy vet fmt lint test ## Run the full verification pipeline (tidy, vet, fmt, lint, test).
+
+##@ Development
 
 .PHONY: fmt
-fmt:
+fmt: ## Format Go source files in-place with gofmt.
 	go fmt ./...
 
 .PHONY: lint
-lint: golangci-lint ## Run golangci linters and ESLint.
+lint: golangci-lint ## Run golangci-lint against the whole module.
 	$(GOLANGCI_LINT) run
 
 .PHONY: tidy
-tidy:
+tidy: ## Sync go.mod and go.sum with the module's imports.
 	go mod tidy
 
 .PHONY: test
-test:
+test: ## Run unit tests under ./pkg/... with the race detector and coverage enabled.
 	go test -race -cover ./pkg/...
 
 .PHONY: vet
-vet:
+vet: ## Run go vet to catch suspicious constructs.
 	go vet ./...
 
+.PHONY: scan
+scan: govulncheck ## Scan the module for known vulnerabilities.
+	@$(GOVULNCHECK) ./...
+
 ##@ Dependencies
 
 ## Location to install dependencies to
@@ -48,17 +54,17 @@ $(LOCALBIN):
 GOLANGCI_LINT = $(LOCALBIN)/golangci-lint-$(GOLANGCI_LINT_VERSION)
 GOVULNCHECK ?= $(LOCALBIN)/govulncheck
 
+# Pinned version of golangci-lint; bump here to upgrade the linter across CI and local runs.
 GOLANGCI_LINT_VERSION ?= v2.11.4
 .PHONY: golangci-lint
 golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary.
 $(GOLANGCI_LINT): $(LOCALBIN)
 	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/v2/cmd/golangci-lint,$(GOLANGCI_LINT_VERSION))
 
 .PHONY: govulncheck
-govulncheck: $(GOVULNCHECK) ## Run govulncheck.
+govulncheck: $(GOVULNCHECK) ## Install govulncheck locally if necessary.
 $(GOVULNCHECK): $(LOCALBIN)
 	$(call go-install-tool,$(GOVULNCHECK),golang.org/x/vuln/cmd/govulncheck,latest)
-	@$(GOVULNCHECK) ./...
 
 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary (ideally with version)

README.md

@@ -3,6 +3,7 @@
 [![release](https://img.shields.io/github/v/tag/fluxcd/cli-utils?label=release)](https://github.com/fluxcd/cli-utils/tags)
 [![license](https://img.shields.io/github/license/fluxcd/cli-utils.svg)](https://github.com/fluxcd/cli-utils/blob/main/LICENSE)
 [![test](https://github.com/fluxcd/cli-utils/workflows/test/badge.svg)](https://github.com/fluxcd/cli-utils/actions)
+[![scan](https://github.com/fluxcd/cli-utils/workflows/scan/badge.svg)](https://github.com/fluxcd/cli-utils/actions)
 
 This repository is a hard fork of [kubernetes-sigs/cli-utils](https://github.com/kubernetes-sigs/cli-utils) reducing it to the `kstatus` package
 and adding extensions for Flux's use cases.