From 0d6118ea7a2304c968e8e87f8faf9779efcc2a49 Mon Sep 17 00:00:00 2001
From: Daniel Bourdrez <3641580+bytemare@users.noreply.github.com>
Date: Sun, 27 Mar 2022 15:22:16 +0200
Subject: [PATCH] Mention DCO (#20)

* Mention DCO for contributors
* refactor some workflows
Signed-off-by: bytemare <3641580+bytemare@users.noreply.github.com>
---
 .github/CONTRIBUTING.md | 4 ++-
 .github/workflows/ci.yml | 9 +++----
 .../workflows/{security.yml => codeql.yml} | 12 ---------
 .github/workflows/snyk.yml | 27 +++++++++++++++++++
 Makefile | 11 +++++---
 go.mod | 2 +-
 go.sum | 4 +--
 7 files changed, 43 insertions(+), 26 deletions(-)
 rename .github/workflows/{security.yml => codeql.yml} (70%)
 create mode 100644 .github/workflows/snyk.yml
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
index 5ab5580..7a3460b 100644
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@@ -28,10 +28,12 @@ Please note that changes that are purely cosmetic and do not add anything substa ### Coding Convention -This project tries to be as Go idiomatic as possible. Conventions from [Effective Go](https://golang.org/doc/effective_go) apply here. Tests use a very opinionated linting configuration that you can use before committing to your changes. +This project tries to be as Go idiomatic as possible. Conventions from [Effective Go](https://golang.org/doc/effective_go) apply here. Tests use a very opinionated linting configuration that you should use before committing to your changes. ### Licence By contributing to this project, you agree that your contributions will be licensed under the project's [License](https://github.com/bytemare/opaque/blob/main/LICENSE). +All contributions (including pull requests) must agree to the [Developer Certificate of Origin (DCO) version 1.1](http://developercertificate.org). It states that the contributor has the right to submit the patch for inclusion into the project. Simply submitting a contribution implies this agreement, however, please include the "Signed-off-by" git tag in every commit (this tag is a conventional way to confirm that you agree to the DCO). + Thanks! :heart: \ No newline at end of file diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 93b0370..a2816b8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,13 +1,10 @@ name: OPAQUE on: push: - tags: - - v* - branches: - - main + branches: [ main ] pull_request: - branches: - - main + # The branches below must be a subset of the branches above + branches: [ main ] permissions: contents: read diff --git a/.github/workflows/security.yml b/.github/workflows/codeql.yml similarity index 70% rename from .github/workflows/security.yml rename to .github/workflows/codeql.yml index 4ecf321..e6d9878 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/codeql.yml 
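Review bot: The added comment `# The branches below must be a subset of the branches above` in the ci.yml hunk states a constraint that comes from the CodeQL starter workflow, and nothing visible in this file depends on it. Dropping it, or replacing it with the reason only `main` is listed, would avoid misleading the next editor. With the `tags: v*` trigger removed, pushing a release tag no longer starts this workflow for the tagged commit, so if releases are cut from tags it is worth confirming the tagged commit has always already run on `main`. The workflow's jobs lie outside the hunk.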
@@ -39,15 +39,3 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@883476649888a9e8e219d5b2e6b789dc024f690c # pin@v1 - - snyk: - name: Snyk - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # pin@master - - name: Run Snyk to check for vulnerabilities - uses: snyk/actions/golang@7ec817579fddb2593590d5ff74227a837ff97be6 # pin@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - args: --sarif-file-output=snyk.sarif diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml new file mode 100644 index 0000000..f029d7c --- /dev/null +++ b/.github/workflows/snyk.yml @@ -0,0 +1,27 @@ +name: Snyk + +on: + push: + branches: [ main ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ main ] + schedule: + - cron: '31 10 * * 0' + +jobs: + snyk: + name: Snyk + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # pin@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/golang@7ec817579fddb2593590d5ff74227a837ff97be6 # pin@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --sarif-file-output=snyk.sarif + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@883476649888a9e8e219d5b2e6b789dc024f690c # pin@v1 + with: + sarif_file: snyk.sarif diff --git a/Makefile b/Makefile index 0fcb6a1..4954b27 100644 --- a/Makefile +++ b/Makefile 
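Review bot: The new `Upload result to GitHub Code Scanning` step in snyk.yml will be skipped on exactly the runs that matter: the Snyk step exits non-zero when it reports vulnerabilities, and with no `continue-on-error: true` on it (or `if: always()` on the upload) the job stops before `upload-sarif` runs. The workflow also declares no `permissions:` block, unlike ci.yml in this same commit, so GITHUB_TOKEN falls back to the repository default; a top-level `contents: read` plus a job-level `security-events: write` for the upload keeps it least-privilege. On pull requests from forks `secrets.SNYK_TOKEN` is not provided and the token is read-only, so the scan and the upload should be expected to fail there unless the job is gated on the event source.

```yaml
# top level, next to `on:`
permissions:
  contents: read

# … unchanged: push / pull_request / schedule triggers …

    # under jobs.snyk, next to runs-on
    permissions:
      contents: read
      security-events: write # required by upload-sarif
    # … unchanged: checkout step …
      - name: Run Snyk to check for vulnerabilities
        continue-on-error: true # the scan exits non-zero on findings; the upload must still run
        # … unchanged: uses, env, with, and the upload step …
```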
@@ -1,13 +1,16 @@ PACKAGES := $(shell go list ./...) COMMIT := $(shell git rev-parse HEAD) +GH_ACTIONS = .github/workflows + .PHONY: update update: - @echo "Updating dependencies and linters ..." + @echo "Updating dependencies..." @go get -u @go mod tidy - @pin-github-action .github/workflows/ci.yml - @pin-github-action .github/workflows/security.yml + @echo "Updating Github Actions pins..." + @$(foreach file, $(wildcard $(GH_ACTIONS)/*.yml), pin-github-action $(file);) + @echo "Updating linters..." @go get -u mvdan.cc/gofumpt@latest github.com/daixiang0/gci github.com/segmentio/golines@latest @curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin @@ -17,7 +20,7 @@ fmt: @go mod tidy @golines -m 120 -t 4 -w . @gofumpt -w -extra . - @gci write --Section Standard --Section Default --Section "Prefix(github.com/bytemare/opaque)" . + @gci write --Section Standard --Section Default --Section "Prefix($(shell go list -m))" . .PHONY: lint diff --git a/go.mod b/go.mod index c646d95..176ae42 100644 --- a/go.mod +++ b/go.mod @@ -10,5 +10,5 @@ require ( github.com/armfazh/tozan-ecc v0.1.4 // indirect github.com/gtank/ristretto255 v0.1.2 // indirect golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064 // indirect - golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8 // indirect + golang.org/x/sys v0.0.0-20220325203850-36772127a21f // indirect ) diff --git a/go.sum b/go.sum index c9b5713..e9de411 100644 --- a/go.sum +++ b/go.sum 
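Review bot: A failing `pin-github-action` run is now swallowed for every workflow file except the last one: the `$(foreach …)` on the added line in the `update` recipe expands to one shell line joined by `;`, so make only sees the exit status of the final command, whereas each of the two removed recipe lines aborted the target on error. Ending each iteration with `|| exit 1;` restores that, e.g. `@$(foreach file, $(wildcard $(GH_ACTIONS)/*.yml), pin-github-action $(file) || exit 1;)`. The wildcard matches only `*.yml`, so a workflow saved with a `.yaml` extension would be left unpinned without any message. The unchanged installer line in the same recipe still pipes `install.sh` from the `master` branch into `sh`, which sits oddly next to the pinning step; fetching it from a tagged ref would be consistent. The recipe may continue past the end of the hunk.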
@@ -16,8 +16,8 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8 h1:OH54vjqzRWmbJ62fjuhxy7AxFFgoHN0/DPc/UrL8cAs= -golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220325203850-36772127a21f h1:TrmogKRsSOxRMJbLYGrB4SBbW+LJcEllYBLME5Zk5pU= +golang.org/x/sys v0.0.0-20220325203850-36772127a21f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=