feat: update tools and dependencies

.devcontainer/devcontainer.json

@@ -1,10 +1,10 @@
 {
 	"name": "Go",
-	"image": "golang:1.19.5",
+	"image": "golang:1.21.1",
 	"containerUser": "root",
 	"features": {
 		"ghcr.io/devcontainers/features/common-utils:1": {},
-		"ghcr.io/devcontainers/features/go:1": {"version": "none", "golangciLintVersion": "1.50.1"}
+		"ghcr.io/devcontainers/features/go:1": {"version": "none", "golangciLintVersion": "1.54.2"}
 	},
 	"runArgs": [
 		"--cap-add=SYS_PTRACE",
@@ -32,6 +32,12 @@
 				"davidanson.vscode-markdownlint",
 				"timonwong.shellcheck"
 			]
+		},
+		"codespaces": {
+			"openFiles": [
+				"README.md",
+				"CONTRIBUTING.md"
+			]
 		}
 	}
 }

.github/CODEOWNERS

@@ -1,2 +1,4 @@
 # All files
 * @mia-platform/sig-cli
+# Actions must also be checked by security
+.github/actions @mia-platform/sig-cli @mia-platform/sig-security

.github/dependabot.yml

@@ -1,12 +1,18 @@
 version: 2
 
 updates:
-# keep up to date the github-actions
+# keep up to date the github actions
 - package-ecosystem: github-actions
   directory: /
   schedule:
     interval: monthly
 
+# keep up to date the base docker image
+- package-ecosystem: docker
+  directory: /
+  schedule:
+    interval: daily
+
 # enable go dependencies security updates
 - directory: /
   open-pull-requests-limit: 0

.github/workflows/ci.yaml

@@ -14,17 +14,20 @@ on:
     - examples/**
 
 env:
-  GO_VERSION: 1.19.5
+  GO_VERSION: 1.21.1
+  GORELEASER_VERSION: v1.21.2
   GO_CACHE: true
 jobs:
   lint:
     name: Lint Code
     runs-on: ubuntu-latest
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      with:
+        show-progress: false
     - name: Setup Golang
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: ${{ env.GO_VERSION }}
         cache: false
@@ -33,7 +36,7 @@ jobs:
       run: |
         echo "GOLANGCILINT_SHA=$(cat ./tools/GOLANGCI_LINT_VERSION | sha256sum - | awk '{ print $1 }')" >> $GITHUB_ENV
     - name: Setup golangci-lint Cache
-      uses: actions/cache@v3
+      uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
       with:
         path: |
           ./tools/bin
@@ -51,17 +54,20 @@ jobs:
         - ubuntu-latest
         - macos-latest
         # k8s_version:
-        # - "1.22"
-        # - "1.23"
-        # - "1.24"
+        # - "1.25"
+        # - "1.26"
+        # - "1.27"
+        # - "1.28"
     runs-on: ${{ matrix.os }}
     # env:
     #   ENVTEST_K8S_VERSION: ${{matrix.k8s_version}}
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      with:
+        show-progress: false
     - name: Setup Golang
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: ${{ env.GO_VERSION }}
         cache: true
@@ -77,12 +83,19 @@ jobs:
     if: github.event_name != 'push'
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      with:
+        show-progress: false
     - name: Setup Golang
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: ${{ env.GO_VERSION }}
         cache: true
+    - name: Setup Goreleaser
+      uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+      with:
+        version: ${{ env.GORELEASER_VERSION }}
+        install-only: true
     - name: Run Build Multiarchitecture
       run: make build-multiarch
 
@@ -94,17 +107,19 @@ jobs:
     if: github.event_name == 'push'
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       with:
+        show-progress: false
         fetch-depth: 0
     - name: Setup Golang
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: ${{ env.GO_VERSION }}
         cache: true
     - name: Setup Goreleaser
-      uses: goreleaser/goreleaser-action@v5
+      uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
       with:
+        version: ${{ env.GORELEASER_VERSION }}
         install-only: true
     - name: Set Snapshot Release Environment
       if: github.ref_type == 'branch'
@@ -115,7 +130,7 @@ jobs:
       env:
         GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
     - name: Upload Binaries Artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: artifacts
         path: bin/
@@ -126,30 +141,32 @@ jobs:
     - publish-release
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      with:
+        show-progress: false
     - name: Download Binaries
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
       with:
         name: artifacts
         path: bin/
     - name: Restore Executable Permissions
       run: |
         find ./bin/{darwin,linux} -type f -exec chmod +x {} \;
     - name: Docker Login to GitHub Repository
-      uses: docker/login-action@v3
+      uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
     - name: Docker Login to DockerHub
-      uses: docker/login-action@v3
+      uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
       with:
         username: ${{ secrets.BOT_DOCKER_USERNAME }}
         password: ${{ secrets.BOT_DOCKER_TOKEN }}
     - name: Setup QEMU
       run: make docker-setup-multiarch
     - name: Setup Buildx Context
       id: buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
     - name: Build Latest Image
       run: make ci-docker BUILDX_CONTEXT=${{ steps.buildx.outputs.name }}

.github/workflows/codeql.yaml

@@ -3,12 +3,15 @@ on:
   push:
     branches:
     - main
+    tags:
+    - "*"
   pull_request:
     branches:
     - main
     paths-ignore:
     - "**/*.md"
-    - "docs/**"
+    - docs/**
+    - examples/**
   schedule:
   - cron: 0 5 * * 1 # Run every monday at 5 UTC
 
@@ -19,12 +22,14 @@ jobs:
       security-events: write
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      with:
+        show-progress: false
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8
       with:
         languages: go
     - name: Run Build
       run: make build
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8

.github/workflows/dependency-review.yaml

@@ -8,15 +8,20 @@ on:
     - docs/**
     - examples/**
 
-permissions:
-  contents: read
-
 jobs:
   dependency-review:
     name: Dependencies Review
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      with:
+        show-progress: false
     - name: Dependency Review
-      uses: actions/dependency-review-action@v3
+      uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0
+      with:
+        fail-on-scope: runtime,development,unknown
+        comment-summary-in-pr: on-failure

.go-version

@@ -1 +1 @@
-1.19.5
+1.21.1

.golangci.yaml

@@ -3,23 +3,35 @@ run:
 
 linters:
   enable:
+  - asasalint
   - asciicheck
   - bodyclose
   - goconst
   - gocritic
+  - gocyclo
   - gofmt
   - goheader
   - goimports
   - gomnd
   - gosec
+  - gosmopolitan
   - misspell
+  - nolintlint
+  - prealloc
+  - predeclared
   - revive
   - tagliatelle
+  - tenv
+  - thelper
   - unconvert
   - unparam
   - unused
+  - usestdlibvars
   - whitespace
+  - zerologlint
 linters-settings:
+  gocyclo:
+    min-complexity: 15
   gofmt:
     simplify: true
   goconst:
@@ -29,6 +41,8 @@ linters-settings:
       use-field-name: true
       rules:
         yaml: camel
+  tenv:
+    all: true
   unparam:
     check-exported: false
   gomnd:

.goreleaser.yaml

@@ -59,13 +59,10 @@ changelog:
 
 brews:
 - name: "{{ .Env.CMDNAME }}"
-  tap:
+  repository:
     owner: mia-platform
     name: homebrew-tap
 
-  url_template: "{{ .Env.SOURCE_URL }}/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
-  download_strategy: CurlDownloadStrategy
-  custom_require: custom_download_strategy
   commit_author:
     name: bot-targa
     email: github@mia-platform.eu

.pre-commit-config.yaml

@@ -8,6 +8,11 @@ repos:
     entry: make lint
     language: system
     pass_filenames: false
+  - id: run-tests
+    name: Run make test
+    entry: make test
+    language: system
+    pass_filenames: false
 - repo: https://github.com/pre-commit/pre-commit-hooks
   rev: v4.4.0
   hooks:
@@ -19,3 +24,13 @@ repos:
     name: Check that executable files have shebangs
   - id: check-shebang-scripts-are-executable
     name: Check that files with shebangs are executable
+  - id: end-of-file-fixer
+    name: Makes sure files end in a newline and only a newline
+  - id: trailing-whitespace
+    name: Trims trailing whitespace
+    args: [--markdown-linebreak-ext=md] # add exception for markdown linebreaks
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.18.0
+  hooks:
+  - id: gitleaks
+    name: Protect and discover secrets using Gitleaks

CONTRIBUTING.md

@@ -33,8 +33,23 @@ Every PR, issue, code and documentation must be inclusive to all and must adhere
 	information
 - Your PR title should be descriptive.
 - If your PR is co-authored or based on an earlier PR from another contributor,
-	please attribute them with Co-authored-by: name <name@example.com>.
+	please attribute them with `Co-authored-by: name <name@example.com>`.
 	See [GitHub’s multiple author guidance] for further details.
 
+## Commit Message Styling
+
+Every commit in this repository must follow the guidelines provided by [Conventional commits].
+The following *types* are allowed:
+
+1. `fix:` a commit that fixes a bug.
+1. `feat:` a commit that adds new functionality.
+1. `docs:` a commit that adds or improves the documentation.
+1. `test:` a commit that adds unit tests.
+1. `ci:` a commit that improves the pipelines or the integration mechanisms.
+1. `style:` a commit that changes the code or documentation format and/or style without modifying the implementation.
+1. `chore:` a catch-all type for any other commits. Generally used for commits that do not add or improve
+		functionalities to code or documentation.
+
 [Google Developer Documentation Style Guide]: https://developers.google.com/style/inclusive-documentation
 [GitHub’s multiple author guidance]: https://docs.github.com/en/pull-requests/committing-changes-to-your-project/creating-and-editing-commits/creating-a-commit-with-multiple-authors
+[Conventional commits]: https://www.conventionalcommits.org/en/v1.0.0/

Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=${TARGETPLATFORM} alpine:3.17
+FROM --platform=${TARGETPLATFORM} docker.io/library/alpine:3.18.3@sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a
 
 ARG TARGETPLATFORM
 ARG CMD_NAME