From 506cb3a5026008b4aacc8dcf83dae59e5bb67f14 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 26 Dec 2024 13:48:42 +0800 Subject: [PATCH 01/14] docs: update license Signed-off-by: Shiwei Zhang --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 261eeb9..ea79125 100644 --- a/LICENSE +++ b/LICENSE @@ -186,7 +186,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright [yyyy] [name of copyright owner] + Copyright 2021 Ratify Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. From 161d4e2a5b7168cdef0f78baed8d9169f68a73a7 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 26 Dec 2024 13:59:55 +0800 Subject: [PATCH 02/14] chore: add license checker Signed-off-by: Shiwei Zhang --- .github/licenserc.yml | 44 +++++++++++++++++++++++++++ .github/workflows/license-checker.yml | 44 +++++++++++++++++++++++++++ 2 files changed, 88 insertions(+) create mode 100644 .github/licenserc.yml create mode 100644 .github/workflows/license-checker.yml diff --git a/.github/licenserc.yml b/.github/licenserc.yml new file mode 100644 index 0000000..60a1a42 --- /dev/null +++ b/.github/licenserc.yml 
@@ -0,0 +1,44 @@
+# Copyright The Ratify Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+header:
+ license:
+ spdx-id: Apache-2.0
+ content: |
+ Copyright The Ratify Authors.
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+ paths-ignore:
+ - '**/*.md'
+ - 'CODEOWNERS'
+ - 'LICENSE'
+ - 'MAINTAINERS'
+ - 'go.mod'
+ - 'go.sum'
+ - '**/testdata/**'
+
+ comment: on-failure
+
+dependency:
+ files:
+ - go.mod
diff --git a/.github/workflows/license-checker.yml b/.github/workflows/license-checker.yml new file mode 100644
index 0000000..990d867
--- /dev/null
+++ b/.github/workflows/license-checker.yml
@@ -0,0 +1,44 @@ +# Copyright The Ratify Authors. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: License Checker + +on: + push: + branches: + - main + - release-* + pull_request: + branches: + - main + - release-* + +permissions: + contents: write + pull-requests: write + +jobs: + check-license: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Check license header + uses: apache/skywalking-eyes/header@v0.6.0 + with: + mode: check + config: .github/licenserc.yml + - name: Check dependencies license + uses: apache/skywalking-eyes/dependency@v0.6.0 + with: + config: .github/licenserc.yml From 6881162de1be767cb5c3dc72cbf8b4c4c85f0fdc Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 26 Dec 2024 14:01:12 +0800 Subject: [PATCH 03/14] feat: init go module Signed-off-by: Shiwei Zhang --- go.mod | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 go.mod diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..3e23a02 --- /dev/null +++ b/go.mod @@ -0,0 +1,3 @@ +module github.com/ratify-project/ratify-go + +go 1.23.1 From 444e277f505386bc8bf264fdfa84712cbafc4395 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 26 Dec 2024 14:03:31 +0800 Subject: [PATCH 04/14] chore: fix line endings Signed-off-by: Shiwei Zhang --- .github/licenserc.yml | 88 +++++++++++++-------------- .github/workflows/license-checker.yml | 88 +++++++++++++-------------- 2 files changed, 88 insertions(+), 88 deletions(-) 
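Review bot: Every action in this workflow is referenced by a mutable tag (`actions/checkout@v4`, `apache/skywalking-eyes/header@v0.6.0`, `apache/skywalking-eyes/dependency@v0.6.0`), so whatever the tag is moved to later runs in CI with no diff in this repository, and this job's token is granted write scopes at the top of the file. Pin each `uses:` to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`; the `github-actions` Dependabot entry added in patch 08 keeps SHA pins current. The same applies to build.yml in patch 10 and codeql.yml in patch 11.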
diff --git a/.github/licenserc.yml b/.github/licenserc.yml index 60a1a42..805a433 100644 --- a/.github/licenserc.yml +++ b/.github/licenserc.yml 
@@ -1,44 +1,44 @@ -# Copyright The Ratify Authors. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -header: - license: - spdx-id: Apache-2.0 - content: | - Copyright The Ratify Authors. - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - paths-ignore: - - '**/*.md' - - 'CODEOWNERS' - - 'LICENSE' - - 'MAINTAINERS' - - 'go.mod' - - 'go.sum' - - '**/testdata/**' - - comment: on-failure - -dependency: - files: - - go.mod +# Copyright The Ratify Authors. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+# See the License for the specific language governing permissions and +# limitations under the License. + +header: + license: + spdx-id: Apache-2.0 + content: | + Copyright The Ratify Authors. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + paths-ignore: + - '**/*.md' + - 'CODEOWNERS' + - 'LICENSE' + - 'MAINTAINERS' + - 'go.mod' + - 'go.sum' + - '**/testdata/**' + + comment: on-failure + +dependency: + files: + - go.mod diff --git a/.github/workflows/license-checker.yml b/.github/workflows/license-checker.yml index 990d867..4dfe212 100644 --- a/.github/workflows/license-checker.yml +++ b/.github/workflows/license-checker.yml 
@@ -1,44 +1,44 @@ -# Copyright The Ratify Authors. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: License Checker - -on: - push: - branches: - - main - - release-* - pull_request: - branches: - - main - - release-* - -permissions: - contents: write - pull-requests: write - -jobs: - check-license: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Check license header - uses: apache/skywalking-eyes/header@v0.6.0 - with: - mode: check - config: .github/licenserc.yml - - name: Check dependencies license - uses: apache/skywalking-eyes/dependency@v0.6.0 - with: - config: .github/licenserc.yml +# Copyright The Ratify Authors. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +name: License Checker + +on: + push: + branches: + - main + - release-* + pull_request: + branches: + - main + - release-* + +permissions: + contents: write + pull-requests: write + +jobs: + check-license: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Check license header + uses: apache/skywalking-eyes/header@v0.6.0 + with: + mode: check + config: .github/licenserc.yml + - name: Check dependencies license + uses: apache/skywalking-eyes/dependency@v0.6.0 + with: + config: .github/licenserc.yml From 4863ad37182931a9280dfc41abbe4ede4642b6b1 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 26 Dec 2024 14:08:39 +0800 Subject: [PATCH 05/14] chore: add makefile Signed-off-by: Shiwei Zhang --- Makefile | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 Makefile diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..56de7b3 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,32 @@
+# Copyright The Ratify Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+.PHONY: all
+all: test
+
+.PHONY: test
+test: check-line-endings ## run unit tests
+ go test -race -v -coverprofile=coverage.txt -covermode=atomic ./...
+
+.PHONY: clean
+clean:
+ git status --ignored --short | grep '^!! ' | sed 's/!! //' | xargs rm -rf
+
+.PHONY: check-line-endings
+check-line-endings: ## check line endings
+ ! find . -name "*.go" -type f -exec file "{}" ";" | grep CRLF
+ ! find -name "*.sh" -type f -exec file "{}" ";" | grep CRLF
+
+.PHONY: fix-line-endings
+fix-line-endings: ## fix line endings
+ find . -type f -name "*.go" -exec sed -i -e "s/\r//g" {} +
From 1d79dad7bf0bdb3ca79e76d3d228bd29e3c1d12b Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 26 Dec 2024 14:12:58 +0800 Subject: [PATCH 06/14] feat: add the first go file Signed-off-by: Shiwei Zhang --- doc.go | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 doc.go
diff --git a/doc.go b/doc.go new file mode 100644
index 0000000..a064350
--- /dev/null
+++ b/doc.go
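Review bot: The `clean` target feeds `git status --ignored --short` through `grep`/`sed`/`xargs rm -rf`, and `xargs` splits on whitespace, so an ignored path containing a space or newline is passed to `rm -rf` as several different paths; `git clean -fdX` removes exactly the ignored files and directories and handles such names itself, so the recipe should be `git clean -fdX`. In `check-line-endings` the second invocation, `! find -name "*.sh" ...`, has no start path, which GNU find accepts but other implementations reject; add `.` as in the line above it. `fix-line-endings` relies on `sed -i -e`, whose in-place form differs between GNU and BSD sed, so this target is presumably Linux-only and could say so in its `##` help text.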
@@ -0,0 +1,15 @@
+// Copyright The Ratify Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package ratify provides core functionality for the ratify library.
+package ratify
From 6777247c617ce544c830790fd199471d947ce54d Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 26 Dec 2024 14:16:32 +0800 Subject: [PATCH 07/14] chore: add .gitignore Signed-off-by: Shiwei Zhang --- .gitignore | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore new file mode 100644
index 0000000..5d90f1e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,36 @@ +# Copyright The Ratify Authors. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Binaries for programs and plugins +*.exe +*.exe~ +*.dll +*.so +*.dylib + +# Test binary, build with `go test -c` +*.test + +# Output of the go coverage tool, specifically when used with LiteIDE +*.out + +# VS Code +.vscode +debug + +# Jetbrains +.idea + +# Custom +coverage.txt +vendor/ From 3583c28f7a2b8214a4e5c87a513937d3b46a2ebe Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 26 Dec 2024 14:22:03 +0800 Subject: [PATCH 08/14] chore: add dependabot Signed-off-by: Shiwei Zhang --- .github/dependabot.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..a0101e0 --- /dev/null +++ b/.github/dependabot.yml 
@@ -0,0 +1,23 @@ +# Copyright The Ratify Authors. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +version: 2 +updates: + - package-ecosystem: "gomod" + directory: "/" + schedule: + interval: "weekly" + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" From 1fd214b86791e3eaa55251f6627c7b6bfc746da8 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 26 Dec 2024 14:24:01 +0800 Subject: [PATCH 09/14] chore: lower the min go version Signed-off-by: Shiwei Zhang --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 3e23a02..b1185cd 100644 --- a/go.mod +++ b/go.mod @@ -1,3 +1,3 @@ module github.com/ratify-project/ratify-go -go 1.23.1 +go 1.22.7 From bb1f512eeb6135bba4b3ea35d73d22be382adef6 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 26 Dec 2024 14:25:23 +0800 Subject: [PATCH 10/14] chore: add PR gates Signed-off-by: Shiwei Zhang --- .github/workflows/build.yml | 46 +++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 .github/workflows/build.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..8e22c15 --- /dev/null +++ b/.github/workflows/build.yml 
@@ -0,0 +1,46 @@ +# Copyright The Ratify Authors. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: build + +on: + push: + branches: + - main + - release-* + pull_request: + branches: + - main + - release-* + +jobs: + build: + runs-on: ubuntu-latest + strategy: + matrix: + go-version: ['1.22', '1.23'] + fail-fast: true + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Set up Go ${{ matrix.go-version }} environment + uses: actions/setup-go@v5 + with: + go-version: ${{ matrix.go-version }} + check-latest: true + - name: Run unit tests + run: make test + - name: Upload coverage to codecov.io + uses: codecov/codecov-action@v5 + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} From 84f5700439622949104cfd768c561953b481eaab Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 26 Dec 2024 14:33:10 +0800 Subject: [PATCH 11/14] chore: set up CodeQL Signed-off-by: Shiwei Zhang --- .github/workflows/codeql.yml | 54 ++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..4e55d61 --- /dev/null +++ b/.github/workflows/codeql.yml 
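Review bot: `fail-fast: true` in the `build` matrix cancels the other Go version's job as soon as one fails, so a failure specific to 1.22 or 1.23 is only discovered on a later run; codeql.yml in the next patch uses `fail-fast: false` for the same matrix, and the two should agree, `fail-fast: false` here. The codecov step reads `secrets.CODECOV_TOKEN`, which is not populated for `pull_request` runs from forks, so uploads for fork PRs will presumably be rejected; since `fail_ci_if_error` is left at its default the job will not fail, but coverage for those PRs will be silently missing, which is worth a comment on the step. The workflow also declares no `permissions:` block, so the job runs with the repository's default token scopes until patch 14 narrows it.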
@@ -0,0 +1,54 @@
+# Copyright The Ratify Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: CodeQL
+
+on:
+ push:
+ branches:
+ - main
+ - release-*
+ pull_request:
+ branches:
+ - main
+ - release-*
+ schedule:
+ - cron: '19 7 * * 1'
+ workflow_dispatch:
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ strategy:
+ matrix:
+ go-version: ['1.22', '1.23']
+ fail-fast: false
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Set up Go ${{ matrix.go-version }} environment
+ uses: actions/setup-go@v5
+ with:
+ go-version: ${{ matrix.go-version }}
+ check-latest: true
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: go
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
From 9456a17e3efd5db82016ede5beddb49d56112f41 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 26 Dec 2024 14:34:52 +0800 Subject: [PATCH 12/14] chore: add codecov Signed-off-by: Shiwei Zhang --- .github/.codecov.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/.codecov.yml
diff --git a/.github/.codecov.yml b/.github/.codecov.yml new file mode 100644
index 0000000..a718e58
--- /dev/null
+++ b/.github/.codecov.yml
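Review bot: The `analyze` job runs once per Go version in the matrix but the `github/codeql-action/analyze@v3` step sets no `category`, so both matrix entries upload SARIF under the same default category for the same commit and the second upload replaces the first in code scanning. Give each entry a distinct category, e.g. `category: "/language:go/go-version:${{ matrix.go-version }}"` under a `with:` on the analyze step. There is also no build between `init` and `analyze` and no `build-mode` on `init`; if the action's default for Go does not build the module itself, the analysis may see no code, so either set `build-mode` explicitly on the init step or add a build step, which is worth confirming against the action's documentation.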
@@ -0,0 +1,23 @@ +# Copyright The Ratify Authors. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +coverage: + status: + project: + default: + target: 80% + if_ci_failed: error + patch: + default: + target: 80% + if_ci_failed: error From 614e98d50f5d59be350a16d941bbdd3de194ff81 Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 26 Dec 2024 14:36:07 +0800 Subject: [PATCH 13/14] chore: lower go.mod to go 1.22 Signed-off-by: Shiwei Zhang --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index b1185cd..61145e6 100644 --- a/go.mod +++ b/go.mod @@ -1,3 +1,3 @@ module github.com/ratify-project/ratify-go -go 1.22.7 +go 1.22.0 From c51453bbf56f078cb475dc5c8f3f9a939c829f8d Mon Sep 17 00:00:00 2001 From: Shiwei Zhang Date: Thu, 26 Dec 2024 15:39:47 +0800 Subject: [PATCH 14/14] ci: update permissions Signed-off-by: Shiwei Zhang --- .github/workflows/build.yml | 4 ++++ .github/workflows/license-checker.yml | 6 ++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8e22c15..fe471a5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -26,6 +26,10 @@ on: jobs: build: runs-on: ubuntu-latest + permissions: + actions: read + contents: read + checks: write strategy: matrix: go-version: ['1.22', '1.23'] diff --git a/.github/workflows/license-checker.yml b/.github/workflows/license-checker.yml index 4dfe212..6ed38f5 100644 
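Review bot: The job-level `permissions:` added to build.yml grants `checks: write`, but none of the visible steps (checkout, setup-go, `make test`, the codecov upload) obviously creates or updates check runs, so the job token is wider than the work it does; unless `codecov/codecov-action@v5` is documented to need it, drop `checks: write` and keep the block at `actions: read` and `contents: read`. A one-line comment above the block naming which step needs each write scope would keep future additions honest.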
--- a/.github/workflows/license-checker.yml +++ b/.github/workflows/license-checker.yml @@ -23,13 +23,11 @@ on: - main - release-* -permissions: - contents: write - pull-requests: write - jobs: check-license: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@v4
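Review bot: Narrowing the token to `contents: read` is right, but `.github/licenserc.yml` from patch 02 still sets `comment: on-failure`, and posting a PR comment requires `pull-requests: write`, which this hunk removes; on a header failure the comment request would presumably be rejected and only the job log will explain the failure. Either set `comment: never` in licenserc.yml so the config matches the token, or add `pull-requests: write` to this job's `permissions:` if the comment is wanted. Note also that `pull_request` runs from forks get a read-only token regardless, so the comment cannot work for those even with the scope.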