diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a44a150..cab0619 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,9 +8,18 @@ updates:
 schedule:
 interval: "daily"
 open-pull-requests-limit: 10
+ groups:
+ all:
+ update-types:
+ - "minor"
+ - "patch"
 - package-ecosystem: gomod
 directory: "/"
 schedule:
 interval: "daily"
 open-pull-requests-limit: 10
+ groups:
+ all:
+ update-types:
+ - "patch"
diff --git a/.github/workflows/ci-build-test.yaml b/.github/workflows/ci-build-test.yaml
index e58ae71..2592d16 100644
--- a/.github/workflows/ci-build-test.yaml
+++ b/.github/workflows/ci-build-test.yaml
@@ -19,7 +19,7 @@ jobs:
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
 with:
- go-version: '1.21'
+ go-version: '1.22'
 check-latest: true
 cache: true
@@ -35,7 +35,7 @@ jobs:
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
 with:
- go-version: '1.21'
+ go-version: '1.22'
 check-latest: true
 cache: true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index caa6964..99e0d97 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -26,7 +26,7 @@ jobs:
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v3.3.0
 with:
- go-version: '1.21'
+ go-version: '1.22'
 check-latest: true
 - name: Install cosign
diff --git a/.github/workflows/snapshot.yaml b/.github/workflows/snapshot.yaml
index beddf0a..7ee5d89 100644
--- a/.github/workflows/snapshot.yaml
+++ b/.github/workflows/snapshot.yaml
@@ -19,7 +19,7 @@ jobs:
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
- go-version: '1.21'
+ go-version: '1.22'
 check-latest: true
 - name: Install GoReleaser
diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml
index ab73d0e..497f449 100644
--- a/.github/workflows/verify.yaml
+++ b/.github/workflows/verify.yaml
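Review bot: The group name `all` in the `gomod` entry is misleading, because its `update-types` lists only `"patch"` while the entry above it groups `"minor"` and `"patch"`, and nothing in the file says whether the difference is deliberate. A one-line comment on each `groups:` key would settle it, for example `# batch patch bumps only; minor and major module updates keep their own PRs so each can be reviewed alone` on the gomod one. The `package-ecosystem` line of the first entry sits above the hunk, so which ecosystem gets the wider grouping cannot be confirmed from here.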
@@ -19,11 +19,11 @@ jobs:
 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v3
 with:
- go-version: '1.21'
+ go-version: '1.22'
 check-latest: true
 cache: true
 - name: golangci-lint
 uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
 with:
- version: v1.55
+ version: v1.57
 args: --timeout=5m
diff --git a/.golangci.yml b/.golangci.yml
index 5308be3..4800247 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,7 +1,9 @@
+# Copyright 2023 The OpenVEX Authors
+# SPDX-License-Identifier: Apache-2.0
+
 ---
 run:
 concurrency: 6
- deadline: 5m
 issues:
 exclude-rules:
 # counterfeiter fakes are usually named 'fake_.go'
@@ -98,22 +100,8 @@ linters-settings:
 gocritic:
 enabled-checks:
 # Diagnostic
- - appendAssign
- - argOrder
- - badCond
- - caseOrder
- - codegenComment
 - commentedOutCode
- - deprecatedComment
- - dupArg
- - dupBranchBody
- - dupCase
- - dupSubExpr
- - exitAfterDefer
- - flagDeref
- - flagName
 - nilValReturn
- - offBy1
 - sloppyReassign
 - weakCond
 - octalLiteral
@@ -127,31 +115,16 @@ linters-settings:
 - rangeValCopy
 # Style
- - assignOp
 - boolExprSimplify
- - captLocal
- - commentFormatting
 - commentedOutImport
- - defaultCaseOrder
 - docStub
- - elseif
 - emptyFallthrough
 - emptyStringTest
 - hexLiteral
 - methodExprCall
- - regexpMust
- - singleCaseSwitch
- - sloppyLen
 - stringXbytes
- - switchTrue
 - typeAssertChain
- - typeSwitchVar
- - underef
 - unlabelStmt
- - unlambda
- - unslice
- - valSwap
- - wrapperFunc
 - yodaStyleExpr
 # - ifElseChain
diff --git a/Makefile b/Makefile
index 94a57c5..79a55c5 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,6 @@
 # Copyright 2022 The OpenVEX Authors
 # SPDX-License-Identifier: Apache-2.0
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
diff --git a/go.mod b/go.mod
index eeebf61..7565243 100644
--- a/go.mod
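Review bot: The trimmed `enabled-checks` list under `gocritic` gives no reason for dropping diagnostic checks such as `offBy1`, `badCond` and `dupSubExpr`, so a reader cannot tell from the config whether static-analysis coverage shrank. They were presumably removed because gocritic runs them by default and the newer golangci-lint set in verify.yaml objects to re-listing them. That holds only as long as no `disabled-checks` entry elsewhere in the file, outside these hunks, turns them off. A comment above `# Diagnostic` would record the intent, for example `# Only checks that are off by default are listed; gocritic's default checks remain enabled.` The same applies to the `# Style` hunk that follows.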
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/openvex/vexctl
-go 1.21
+go 1.22
 require (
 github.com/google/go-containerregistry v0.19.1
diff --git a/internal/cmd/add.go b/internal/cmd/add.go
index 4fb6e98..0b01543 100644
--- a/internal/cmd/add.go
+++ b/internal/cmd/add.go
@@ -92,7 +92,7 @@ to preserve the original file, specify it using the --file flag:
 SilenceUsage: false,
 SilenceErrors: true,
 PersistentPreRunE: initLogging,
- RunE: func(cmd *cobra.Command, args []string) error {
+ RunE: func(_ *cobra.Command, args []string) error {
 // If we have arguments, add them
 for i := range args {
 switch i {
diff --git a/internal/cmd/create.go b/internal/cmd/create.go
index b48b1db..c86172f 100644
--- a/internal/cmd/create.go
+++ b/internal/cmd/create.go
@@ -82,7 +82,7 @@ Examples:
 SilenceUsage: false,
 SilenceErrors: true,
 PersistentPreRunE: initLogging,
- RunE: func(cmd *cobra.Command, args []string) error {
+ RunE: func(_ *cobra.Command, args []string) error {
 // If we have arguments, add them
 for i := range args {
 switch i {
diff --git a/internal/cmd/generate.go b/internal/cmd/generate.go
index 6c57634..8ba9cb7 100644
--- a/internal/cmd/generate.go
+++ b/internal/cmd/generate.go
@@ -151,7 +151,7 @@ using its canonicalization hash.
 SilenceUsage: false,
 SilenceErrors: true,
 PersistentPreRunE: initLogging,
- RunE: func(cmd *cobra.Command, args []string) error {
+ RunE: func(_ *cobra.Command, args []string) error {
 if len(args) > 0 {
 if opts.Product != "" && opts.Product != args[0] {
 return errors.New("product can only be specified once")
diff --git a/internal/cmd/list.go b/internal/cmd/list.go
index ef67bec..b3b5833 100644
--- a/internal/cmd/list.go
+++ b/internal/cmd/list.go
@@ -36,7 +36,7 @@ Examples:
 SilenceUsage: false,
 SilenceErrors: false,
 PersistentPreRunE: initLogging,
- RunE: func(cmd *cobra.Command, args []string) error {
+ RunE: func(_ *cobra.Command, args []string) error {
 if len(args) == 0 {
 return fmt.Errorf("selection of 'status' or 'justification' is required")
 }
diff --git a/internal/cmd/merge.go b/internal/cmd/merge.go
index e34739c..4af8f82 100644
--- a/internal/cmd/merge.go
+++ b/internal/cmd/merge.go
@@ -62,7 +62,7 @@ Examples:
 SilenceUsage: false,
 SilenceErrors: false,
 PersistentPreRunE: initLogging,
- RunE: func(cmd *cobra.Command, args []string) error {
+ RunE: func(_ *cobra.Command, args []string) error {
 vexctl := ctl.New()
 // TODO(puerco): Change this to vex merge options when we move
diff --git a/internal/cmd/options_test.go b/internal/cmd/options_test.go
index f5323f1..88dfcca 100644
--- a/internal/cmd/options_test.go
+++ b/internal/cmd/options_test.go
@@ -131,7 +131,7 @@ func TestAddOptionsValidate(t *testing.T) {
 }{
 {
 name: "no-error",
- prepare: func(ao *addOptions) {},
+ prepare: func(_ *addOptions) {},
 sut: &addOptions{
 vexStatementOptions: stubOpts,
 documentPath: filepath.Join(d, "openvex.test"),
@@ -141,7 +141,7 @@ func TestAddOptionsValidate(t *testing.T) {
 },
 {
 name: "inplace-and-outfile",
- prepare: func(ao *addOptions) {},
+ prepare: func(_ *addOptions) {},
 sut: &addOptions{
 vexStatementOptions: stubOpts,
 outFileOption: outFileOption{
diff --git a/pkg/ctl/implementation.go b/pkg/ctl/implementation.go
index df3063f..9cf6916 100644
--- a/pkg/ctl/implementation.go
+++ b/pkg/ctl/implementation.go
@@ -538,8 +538,9 @@ func (impl *defaultVexCtlImplementation) NormalizeProducts(subjects []productRef
 if pref.Hashes == nil {
 pref.Hashes = make(map[vex.Algorithm]vex.Hash)
 }
- if strings.HasPrefix(pref.Name, "pkg:oci/") ||
- strings.HasPrefix(pref.Name, "pkg:/oci/") { // Some buggy tools add this wrong slash
+ switch {
+ case strings.HasPrefix(pref.Name, "pkg:/oci/"),
+ strings.HasPrefix(pref.Name, "pkg:oci/"):
 // Deduct image purls to the reference as much as possible
 p, err := purl.FromString(pref.Name)
 if err != nil {
@@ -577,7 +578,7 @@ func (impl *defaultVexCtlImplementation) NormalizeProducts(subjects []productRef
 pref.Name = ref
 logrus.Debugf("%s is a purl for %s", pref.Name, ref)
 imageRefs = append(imageRefs, pref)
- } else if strings.HasPrefix(pref.Name, "pkg:") {
+ case strings.HasPrefix(pref.Name, "pkg:"):
 // When there are other purls, we only attest them as subjects if
 // the product reference has hashes
 if pref.Hashes != nil && len(pref.Hashes) > 0 {
@@ -585,7 +586,7 @@ func (impl *defaultVexCtlImplementation) NormalizeProducts(subjects []productRef
 } else {
 unattestableRefs = append(unattestableRefs, pref)
 }
- } else {
+ default:
 // If not,try to parse the string as an image reference. If they can
 // be parsed as image references but they cannot be looked up, attestting
 // will fail trying to fetch their digests.
diff --git a/pkg/ctl/implementation_test.go b/pkg/ctl/implementation_test.go
index 85d3ebb..9ae7b84 100644
--- a/pkg/ctl/implementation_test.go
+++ b/pkg/ctl/implementation_test.go
@@ -388,7 +388,7 @@ func TestInitTemplatesDir(t *testing.T) {
 }{
 {
 name: "normal",
- prepare: func(s string) {},
+ prepare: func(_ string) {},
 shouldErr: false,
 },
 {
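Review bot: The rewritten `case strings.HasPrefix(pref.Name, "pkg:/oci/"),` line in the first implementation.go hunk loses the old trailing comment, which was the only explanation for accepting a malformed purl prefix. Keep it on the case, e.g. `case strings.HasPrefix(pref.Name, "pkg:/oci/"), // Some buggy tools add this wrong slash`. The switch is also order-dependent: the generic `case strings.HasPrefix(pref.Name, "pkg:"):` added in the next hunk would match OCI purls too, so it must stay below the OCI cases. A one-line comment such as `// OCI purls are matched first; the generic "pkg:" case below only sees the rest` would protect that ordering from a later reshuffle. NormalizeProducts begins and ends outside these hunks.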