Reusable workflow

.github/codeql/codeql-config.yml

@@ -0,0 +1,16 @@
+# Copyright 2020 Wayback Archiver. All rights reserved.
+# Use of this source code is governed by the GNU GPL v3
+# license that can be found in the LICENSE file.
+#
+name: "CodeQL config"
+queries:
+  # Run all extra query suites, both because we want to
+  # and because it'll act as extra testing. This is why
+  # we include both even though one is a superset of the
+  # other, because we're testing the parsing logic and
+  # that the suites exist in the codeql bundle.
+  - uses: security-extended
+  - uses: security-and-quality
+paths-ignore:
+  - tests
+  - lib

.github/workflows/analysis.yml

@@ -0,0 +1,76 @@
+# Copyright 2023 Wayback Archiver. All rights reserved.
+# Use of this source code is governed by the GNU GPL v3
+# license that can be found in the LICENSE file.
+
+name: "Analysis"
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '33 23 * * 4'
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  scorecards:
+    name: Scorecards
+    uses: wabarc/.github/.github/workflows/reusable-scorecards.yml@main
+    if: |
+      github.event_name == 'pull_request' ||
+      github.ref == 'refs/heads/main'
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      actions: read
+      contents: read
+
+  codeql:
+    name: CodeQL
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+    uses: wabarc/.github/.github/workflows/reusable-codeql.yml@main
+    with:
+      language: ${{ matrix.language }}
+      config-file: './.github/codeql/codeql-config.yml'
+
+  nancy:
+    name: Sonatype Nancy
+    uses: wabarc/.github/.github/workflows/reusable-nancy.yml@main
+
+  semgrep:
+    name: Semgrep Scan
+    if: github.actor != 'dependabot[bot]'
+    uses: wabarc/.github/.github/workflows/reusable-semgrep.yml@main
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      actions: read
+      contents: read
+
+  fossa:
+    if: github.event_name != 'pull_request'
+    name: FOSSA
+    uses: wabarc/.github/.github/workflows/reusable-fossa.yml@main
+    secrets:
+      fossa-apikey: ${{ secrets.FOSSA_APIKEY }}
+
+  dependency-review:
+    name: Dependency Review
+    uses: wabarc/.github/.github/workflows/reusable-dependency-review.yml@main

.github/workflows/linter.yml

@@ -1,3 +1,7 @@
+# Copyright 2023 Wayback Archiver. All rights reserved.
+# Use of this source code is governed by the GNU GPL v3
+# license that can be found in the LICENSE file.
+#
 name: Linter
 
 on:
@@ -9,115 +13,36 @@ on:
       - '**'
     types: [ opened, synchronize, reopened ]
 
-permissions: write-all
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code base
-        if: github.event_name == 'push'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Check out code base
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Lint Code Base
-        uses: github/super-linter@v4
-        env:
-          DEFAULT_BRANCH: 'main'
-          VALIDATE_MARKDOWN: true
-          VALIDATE_DOCKERFILE: true
-          VALIDATE_BASH: true
-          VALIDATE_BASH_EXEC: true
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions:
+  contents: read
 
-  go:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code base
-        if: github.event_name == 'push'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Check out code base
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
+jobs:
+  super-linter:
+    name: Super Linter
+    uses: wabarc/.github/.github/workflows/reusable-super-linter.yml@main
 
-      - name: Golang linter
-        uses: golangci/golangci-lint-action@v2
+  golangci:
+    name: golangci-lint
+    uses: wabarc/.github/.github/workflows/reusable-golangci.yml@main
 
   shellcheck:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code base
-        if: github.event_name == 'push'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Check out code base
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Run shellcheck with reviewdog
-        uses: reviewdog/action-shellcheck@v1
+    name: ShellCheck
+    uses: wabarc/.github/.github/workflows/reusable-shellcheck.yml@main
 
   misspell:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code base
-        if: github.event_name == 'push'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Check out code base
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Run misspell with reviewdog
-        uses: reviewdog/action-misspell@v1
+    name: Misspell
+    uses: wabarc/.github/.github/workflows/reusable-misspell.yml@main
 
   alex:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code base
-        if: github.event_name == 'push'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Check out code base
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
+    name: Alex
+    uses: wabarc/.github/.github/workflows/reusable-alex.yml@main
 
-      - name: Run alex with reviewdog
-        uses: reviewdog/action-alex@v1
+  urlcheck:
+    name: URLCheck
+    uses: wabarc/.github/.github/workflows/reusable-urlcheck.yml@main
+    with:
+      exclude-patterns: ${{ vars.URLCHECH_EXCLUDE }}
 
   goreportcard:
-    if: ${{ github.ref == 'refs/heads/main' }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: Run Go report card
-        run: |
-          path=$(curl -sf -X POST -F "repo=github.com/$GITHUB_REPOSITORY" https://goreportcard.com/checks | jq -r '.redirect')
-          echo -e "\nSee report for https://goreportcard.com${path}"
+    name: Go Report Card
+    uses: wabarc/.github/.github/workflows/reusable-goreportcard.yml@main

.github/workflows/stale.yml

@@ -1,24 +1,19 @@
+# Copyright 2020 Wayback Archiver. All rights reserved.
+# Use of this source code is governed by the GNU GPL v3
+# license that can be found in the LICENSE file.
+#
 name: Stale
 
 on:
   schedule:
     - cron: "0 3 * * 6"
+  workflow_dispatch:
 
 permissions:
   issues: write
   pull-requests: write
+
 jobs:
   stale:
     name: Stale
-    runs-on: ubuntu-latest
-    steps:
-      - name: Mark stale issues and pull requests
-        uses: actions/stale@v4
-        with:
-          repo-token: ${{ github.token }}
-          exempt-issue-labels: "enhancement,question,help wanted,bug"
-          exempt-pr-labels: "need-help,WIP"
-          stale-issue-message: "This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days"
-          stale-pr-message: 'It has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days'
-          days-before-stale: 120
-          days-before-close: 5
+    uses: wabarc/.github/.github/workflows/reusable-stale.yml@main

.github/workflows/testing.yml

@@ -21,7 +21,9 @@ on:
       - "Makefile"
   workflow_dispatch:
 
-permissions: write-all
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Testing