sync

.editorconfig

@@ -0,0 +1,15 @@
+# This file is for unifying the coding style for different editors and IDEs.
+# More information at http://editorconfig.org
+
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false

.github/dependabot.yml

@@ -0,0 +1,32 @@
+version: 2
+updates:
+  - package-ecosystem: 'gomod'
+    directory: '/'
+    schedule:
+      interval: 'daily'
+      time: '08:00'
+    labels:
+      - 'dependencies'
+    commit-message:
+      prefix: 'chore'
+      include: 'scope'
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'daily'
+      time: '08:00'
+    labels:
+      - 'dependencies'
+    commit-message:
+      prefix: 'chore'
+      include: 'scope'
+  - package-ecosystem: 'docker'
+    directory: '/'
+    schedule:
+      interval: 'daily'
+      time: '08:00'
+    labels:
+      - 'dependencies'
+    commit-message:
+      prefix: 'chore'
+      include: 'scope'

.github/stale.yml

@@ -0,0 +1,22 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 14
+
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - pinned
+  - security
+
+# Label to use when marking an issue as stale
+staleLabel: wontfix
+
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false

.github/workflows/build.yml

@@ -0,0 +1,77 @@
+name: build
+
+on:
+  push:
+    branches:
+      - "main"
+
+  pull_request:
+    paths:
+      - "go.*"
+      - "**/*.go"
+      - "Taskfile.yml"
+      - "Dockerfile"
+      - ".github/workflows/*.yml"
+
+permissions:
+  contents: read
+
+jobs:
+  govulncheck:
+    uses: caarlos0/meta/.github/workflows/govulncheck.yml@main
+
+  semgrep:
+    uses: caarlos0/meta/.github/workflows/semgrep.yml@main
+
+  ruleguard:
+    uses: caarlos0/meta/.github/workflows/ruleguard.yml@main
+    with:
+      args: "-disable largeloopcopy"
+
+  test:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: arduino/setup-task@v1
+        with:
+          version: 3.x
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+      - name: setup-snapcraft
+        # FIXME: the mkdirs are a hack for https://github.com/goreleaser/goreleaser/issues/1715
+        run: |
+          sudo apt-get update
+          sudo apt-get -yq --no-install-suggests --no-install-recommends install snapcraft
+          mkdir -p $HOME/.cache/snapcraft/download
+          mkdir -p $HOME/.cache/snapcraft/stage-packages
+      - uses: crazy-max/ghaction-upx@v3
+        with:
+          install-only: true
+      - uses: cachix/install-nix-action@v25
+        with:
+          github_access_token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4
+        with:
+          go-version: stable
+      - uses: sigstore/cosign-installer@v3.4.0
+      - uses: anchore/sbom-action/download-syft@v0.15.8
+      - name: setup-validate-krew-manifest
+        run: go install sigs.k8s.io/krew/cmd/validate-krew-manifest@latest
+      - name: setup-tparse
+        run: go install github.com/mfridman/tparse@latest
+      - name: setup
+        run: |
+          task setup
+          task build
+      - name: test
+        run: ./scripts/test.sh
+      - uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044 # v4
+        with:
+          file: ./coverage.txt
+      - run: ./goreleaser check
+      - run: git diff

.github/workflows/codeql.yml

@@ -0,0 +1,24 @@
+name: "codeql"
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  analyze:
+    name: analyze
+    runs-on: ubuntu-latest
+
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: stable
+      - uses: github/codeql-action/init@v2
+      - uses: github/codeql-action/autobuild@v2
+      - uses: github/codeql-action/analyze@v2

.github/workflows/dependency-review.yml

@@ -0,0 +1,14 @@
+name: dependency-review
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/dependency-review-action@v4
+        with:
+          allow-licenses: BSD-2-Clause, BSD-3-Clause, MIT, Apache-2.0, MPL-2.0

.github/workflows/generate.yml.disabled

@@ -0,0 +1,39 @@
+name: generate
+
+on:
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+
+jobs:
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GH_PAT }}
+      - uses: actions/setup-go@v5
+        with:
+          go-version: stable
+          cache: true
+      - uses: arduino/setup-task@e26d8975574116b0097a1161e0fe16ba75d84c1c # v1
+        with:
+          version: 3.x
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+      - run: "go install mvdan.cc/gofumpt@latest"
+      - run: "go install github.com/santhosh-tekuri/jsonschema/cmd/jv@latest"
+      - run: task docs:releases
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - run: task docs:generate
+      - run: task schema:generate
+      - run: task nix:licenses:generate
+      - run: task schema:validate
+      - uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5
+        with:
+          commit_message: "chore: docs auto-update"
+          branch: main
+          commit_user_name: actions-user
+          commit_user_email: actions@github.com
+          commit_author: actions-user <actions@github.com>

.github/workflows/gitleaks.yml

@@ -0,0 +1,23 @@
+name: gitleaks
+
+on:
+  push:
+    branches: ["main"]
+    tags: ["v*"]
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
+        # if: ${{ env.GITLEAKS_LICENSE != '' }}

.github/workflows/grype.yml

@@ -0,0 +1,25 @@
+name: "grype"
+
+on:
+  push:
+    branches: ["main"]
+    tags: ["v*"]
+
+  pull_request:
+
+jobs:
+  scan-source:
+    name: scan-source
+    runs-on: ubuntu-latest
+
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: anchore/scan-action@v3
+        with:
+          path: "."
+          fail-build: true

.github/workflows/lint.yml

@@ -0,0 +1,29 @@
+name: golangci-lint
+
+on:
+  push:
+    tags:
+      - v*
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read # for actions/checkout to fetch code
+  pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
+
+jobs:
+  golangci-lint:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: stable
+          cache: false
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          args: --timeout=5m
+          only-new-issues: true

.github/workflows/nightly.yml

@@ -0,0 +1,57 @@
+name: nightly
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: 0 0 * * 4
+
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
+        with:
+          fetch-depth: 0
+      - uses: arduino/setup-task@e26d8975574116b0097a1161e0fe16ba75d84c1c # v1
+        with:
+          version: 3.x
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v2
+      - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v2
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4
+        with:
+          go-version: stable
+      - uses: sigstore/cosign-installer@v3.4.0
+      - uses: anchore/sbom-action/download-syft@v0.15.8
+      # - uses: crazy-max/ghaction-upx@v3
+      #   with:
+      #     install-only: true
+      # - uses: cachix/install-nix-action@v25
+      #   with:
+      #     github_access_token: ${{ secrets.GITHUB_TOKEN }}
+      # - name: dockerhub-login
+      #   uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v2
+      #   with:
+      #     username: ${{ secrets.DOCKER_USERNAME }}
+      #     password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: ghcr-login
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: goreleaser/goreleaser-action@v5
+        with:
+          distribution: goreleaser-pro
+          version: nightly
+          args: release --clean --nightly -f .goreleaser-nightly.yaml --timeout 60m
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}