From ab9a4f38eeff4e3d42e9dbb6490b9b0c3c029ddc Mon Sep 17 00:00:00 2001
From: m1rm
Date: Wed, 20 May 2026 11:37:18 +0200
Subject: [PATCH 01/11] security: harden github actions

security: harden github actions
---
 .github/actions/setup/action.yml | 4 ++--
 .github/workflows/test.yml | 13 +++++++++----
 .github/workflows/update-go.yml | 5 +++--
 3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index b5320b8..39b99e7 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -10,11 +10,11 @@ runs:
 using: "composite"
 steps:
 - name: Install Just
- uses: extractions/setup-just@v3
+ uses: extractions/setup-just@53165ef7e734c5c07cb06b3c8e7b647c5aa16db3 #v4
 env:
 GITHUB_TOKEN: ${{ github.token }}
 - name: Setup Go
- uses: actions/setup-go@v6
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c #v6.4.0
 with:
 go-version: ${{ inputs.go-version }}
 go-version-file: ${{ inputs.go-version && '' || 'go.mod' }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 35814de..478e3ec 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,9 +10,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Run Common Setup
 uses: ./.github/actions/setup
 - name: golangci-lint
@@ -25,9 +26,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Run Common Setup
 uses: ./.github/actions/setup
 - run: just test
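Review bot: `persist-credentials: false` on these checkout steps keeps the job token out of `.git/config`, but the token is still handed to third-party code — the composite setup action in this same patch forwards `${{ github.token }}` to `extractions/setup-just` — so the token's permissions are what bound the blast radius of a compromised pinned action. If test.yml has no top-level `permissions:` block (the workflow header is outside this hunk, so I cannot tell), add `permissions:` / `  contents: read` above `jobs:` so every job here runs with a read-only token. The SHA pins are only as good as the trailing `#v6.0.2`-style comments staying in sync with the hash; let Dependabot or Renovate update both together rather than by hand.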
@@ -36,9 +38,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Run Common Setup
 uses: ./.github/actions/setup
 - run: just test-integration
@@ -52,7 +55,9 @@ jobs:
 test: ['test', 'build', 'test-cpu-detection', 'test-os-detection']
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+ with:
+ persist-credentials: false
 - name: Run Common Setup
 uses: ./.github/actions/setup
 - name: Install Qemu
diff --git a/.github/workflows/update-go.yml b/.github/workflows/update-go.yml
index f57fa63..ecdbe62 100644
--- a/.github/workflows/update-go.yml
+++ b/.github/workflows/update-go.yml
@@ -10,10 +10,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 with:
 token: ${{ secrets.MAINTENANCE_TOKEN }}
 fetch-depth: 0
+ persist-credentials: false
 - name: Run Common Setup
 uses: ./.github/actions/setup
 with:
@@ -29,7 +30,7 @@ jobs:
 - name: Run all tests
 run: just test-all
 - name: Commit updates
- uses: stefanzweifel/git-auto-commit-action@v7
+ uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 #v7.1.0
 with:
 commit_message: Update Go dependencies
 commit_user_name: Maintenance Bob

From 2a177cb5c64ad98679e3067b64a58475a7bafce3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miriam=20M=C3=BCller?= <74644501+m1rm@users.noreply.github.com>
Date: Sun, 14 Jun 2026 17:29:02 +0200
Subject: [PATCH 02/11] pass maintenance token to update job so the bot can commit

---
 .github/workflows/update-go.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/update-go.yml b/.github/workflows/update-go.yml
index ecdbe62..69eb76b 100644
--- a/.github/workflows/update-go.yml
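Review bot: Combining `token: ${{ secrets.MAINTENANCE_TOKEN }}` with `persist-credentials: false` means the PAT is used only for the clone, so the `git-auto-commit-action` push at the end of this job has no credential unless that action authenticates by some other route — the next patch in this series ("so the bot can commit") suggests it does not. If the job is meant to push, the least-privilege form is to keep `persist-credentials: true` for this one checkout, say why in a comment, and make MAINTENANCE_TOKEN a fine-grained PAT limited to this repository with `contents: write` only. Either way the PAT should stay out of the environment of `just test-all`, which builds and runs the freshly updated third-party Go modules.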
+++ b/.github/workflows/update-go.yml
@@ -14,7 +14,7 @@ jobs:
 with:
 token: ${{ secrets.MAINTENANCE_TOKEN }}
 fetch-depth: 0
- persist-credentials: false
+ persists-credentials: false
 - name: Run Common Setup
 uses: ./.github/actions/setup
 with:
@@ -31,6 +31,8 @@ jobs:
 run: just test-all
 - name: Commit updates
 uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 #v7.1.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.MAINTENANCE_TOKEN }}
 with:
 commit_message: Update Go dependencies
 commit_user_name: Maintenance Bob

From 045d287cad24096bd2f5368c7ce54d743ba40193 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miriam=20M=C3=BCller?= <74644501+m1rm@users.noreply.github.com>
Date: Sun, 14 Jun 2026 17:35:09 +0200
Subject: [PATCH 03/11] Update justfile build recipe bc. of GH actions hardening

hardened checkout step strips away the persistent Git environment. When just tries git describe --tags it either gets an access denied or empty string, malforming Go's -ldflags which breaks the docker build sequence
---
 justfile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/justfile b/justfile
index 436ab57..7c6e79a 100644
--- a/justfile
+++ b/justfile
@@ -8,6 +8,8 @@ export CGO_CXXFLAGS := env('CXXFLAGS', '')
 export CGO_LDFLAGS := env('LDFLAGS', '')
 export CGO_ENABLED := '0'

+VERSION := `git describe --tags 2>/dev/null || echo "dev"`
+
 # list all recipes
 [private]
 default:
@@ -22,8 +24,8 @@ prepare:
 [group('install')]
 build:
 CGO_ENABLED=1 go build -a -o pkgstats \
- -buildmode=pie -mod=readonly -modcacherw -buildvcs=false \
- -ldflags '-compressdwarf=false -linkmode=external -s -w -X pkgstats-cli/internal/build.Version={{ `git describe --tags` }}'
+ -buildmode=pie -mod=readonly -modcacherw -buildvcs=false \
+ -ldflags "-compressdwarf=false -linkmode=external -s -w -X pkgstats-cli/internal/build.Version={{ VERSION }}"

 # run unit tests
 [group('test')]

From 04083a1b6e4ad0df15f8b48e28935909ee1302bd Mon Sep 17 00:00:00 2001
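Review bot: `persists-credentials` is not an input actions/checkout knows (the documented name is `persist-credentials`), and checkout reports an unknown `with:` key as a warning rather than failing, so the effective value silently falls back to the default `true`. That reinstates exactly what patch 01 set out to prevent: MAINTENANCE_TOKEN is written into `.git/config` and is readable by every later step of the job, including `just test-all`, which compiles and runs the freshly updated dependencies — and it is the most likely reason the bot can push again. Restore `persist-credentials: false`, and if the push genuinely needs the stored credential, set it to `true` on purpose with a comment saying so; a hardening rollback should not travel through history disguised as a typo (patch 09 in this series does correct the spelling).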
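Review bot: Exporting MAINTENANCE_TOKEN as `GITHUB_TOKEN` in the `env:` of `git-auto-commit-action` hands a write-capable PAT to a third-party action, and as far as I can tell that action pushes with whatever credential git already has configured rather than reading `GITHUB_TOKEN`, so the two added lines may do nothing for authentication — confirm against the action's documentation before keeping them. If the variable is not consumed, drop the `env:` block; if it is, prefer the action's documented input under `with:` so the PAT is not inherited by every sub-process the step spawns.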
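Review bot: Switching the `-ldflags` argument from single to double quotes makes the value that just splices in through `{{ VERSION }}` subject to shell expansion, and `$`, backticks and `"` are all legal in git ref names, so a tag such as `v1.0$(id)` would execute inside the `build` recipe. The safer shape is to export the variable and let the shell expand it as data: `` export VERSION := `git describe --tags 2>/dev/null || echo "dev"` `` at the top and `-X pkgstats-cli/internal/build.Version=${VERSION}` inside the double-quoted string. Separately, `|| echo "dev"` swallows every git failure, so a build from a checkout where git refuses the repository (the container's ownership check, for instance) is stamped `dev` with no error; `git describe --tags --always` plus letting a real failure fail the build is more honest. Note that `persist-credentials` only controls whether the token is stored in `.git/config` and has no effect on a local `git describe`, so the "access denied" in the commit message probably has a different cause worth finding.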
From: =?UTF-8?q?Miriam=20M=C3=BCller?= <74644501+m1rm@users.noreply.github.com>
Date: Sun, 14 Jun 2026 17:36:04 +0200
Subject: [PATCH 04/11] Update test.yml bc. of GH actions hardening

---
 .github/workflows/test.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 478e3ec..9b0e84a 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -45,6 +45,8 @@ jobs:
 - name: Run Common Setup
 uses: ./.github/actions/setup
 - run: just test-integration
+ env:
+ VERSION: ${{ github.ref_name }}

 test-cross-platform:
 runs-on: ubuntu-latest

From f14038771a4f2da479da8445ede196724d479446 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miriam=20M=C3=BCller?= <74644501+m1rm@users.noreply.github.com>
Date: Sun, 14 Jun 2026 17:48:11 +0200
Subject: [PATCH 05/11] Update Dockerfile; accept version env var

---
 Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 9091fde..5109311 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,6 +6,8 @@ RUN pacman -Syu --noconfirm --cachedir /tmp/pacman-cache go just git gcc jq
 COPY . /app/
 WORKDIR /app
 ENV INTEGRATION_TEST=1
+ARG VERSION=dev
+ENV VERSION=${VERSION}
 RUN just prepare
 RUN just build
 RUN just test

From 3a041da9609d6d3865ab091f45845ff96d82cc41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miriam=20M=C3=BCller?= <74644501+m1rm@users.noreply.github.com>
Date: Sun, 14 Jun 2026 17:49:03 +0200
Subject: [PATCH 06/11] Update justfile regarding VERSION env var changes in Dockerfile

---
 justfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/justfile b/justfile
index 7c6e79a..942b78d 100644
--- a/justfile
+++ b/justfile
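Review bot: `VERSION: ${{ github.ref_name }}` is safe as an environment assignment, but the value does not stay in the environment: the justfile from patch 03 reads it and pastes it into the `go build` command line via `{{ VERSION }}` before the shell runs, so a branch name containing `$(…)`, backticks or a quote character — all permitted by git — becomes shell code in this job. On `pull_request` events `ref_name` is `<n>/merge`, so the exposure is limited to anyone who can push a branch, but it is still an injection path the hardening series was meant to close. Keep the env var and have the recipes reference it as `"$VERSION"` in the shell (or validate it against `^[A-Za-z0-9._/-]+$` first) instead of interpolating it with `{{ }}`.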
@@ -8,7 +8,8 @@ export CGO_CXXFLAGS := env('CXXFLAGS', '')
 export CGO_LDFLAGS := env('LDFLAGS', '')
 export CGO_ENABLED := '0'

-VERSION := `git describe --tags 2>/dev/null || echo "dev"`
+# Use the environment variable if present, otherwise fall back to git or "dev"
+VERSION := env('VERSION', `git describe --tags 2>/dev/null || echo "dev"`)

 # list all recipes
 [private]

From 1f4af09f9bb66802a0075e77f8a34667be65e9fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miriam=20M=C3=BCller?= <74644501+m1rm@users.noreply.github.com>
Date: Sun, 14 Jun 2026 17:49:38 +0200
Subject: [PATCH 07/11] Update dev.just regarding VERSION env var changes

---
 just/dev.just | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/just/dev.just b/just/dev.just
index a3bd428..75a6a89 100644
--- a/just/dev.just
+++ b/just/dev.just
@@ -48,7 +48,7 @@ test-os-detection: aarch64::test-os-detection arm::test-os-detection i686::test-
 # run integration tests with a mocked API server
 [group('test')]
 test-integration:
- docker buildx build --pull . -t pkgstats-test-integration
+ docker buildx build --pull --build-arg VERSION="{{ VERSION }}" . -t pkgstats-test-integration

 # run all available tests
 [group('test')]

From 9d4b1db20ebfc4d3b93b7a93bfbc035bd790f380 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miriam=20M=C3=BCller?= <74644501+m1rm@users.noreply.github.com>
Date: Sun, 14 Jun 2026 17:54:55 +0200
Subject: [PATCH 08/11] update lint action to latest

---
 .github/workflows/test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9b0e84a..d684e53 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,7 +17,7 @@ jobs:
 - name: Run Common Setup
 uses: ./.github/actions/setup
 - name: golangci-lint
- uses: golangci/golangci-lint-action@v8
+ uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee #v9.2.1
 with:
 verify: false
 - run: just lint
From 90716fcbd981bd6946420e70cec289e09713e40a Mon Sep 17 00:00:00 2001
From: m1rm
Date: Sun, 21 Jun 2026 13:22:01 +0200
Subject: [PATCH 09/11] refactor: avoid global version plumbing; Docker build gets version via .dockerignore and build-arg instead of copying .git or relying on checkout credentials

---
 .dockerignore | 1 +
 .github/workflows/test.yml | 2 --
 .github/workflows/update-go.yml | 4 ++--
 just/dev.just | 2 +-
 justfile | 7 ++-----
 5 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index 2d2454f..afef7ce 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,4 +1,5 @@
 /.idea
+/.git
 /.github
 /pkgstats
 /pkgstats-cli
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d684e53..d281df4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -45,8 +45,6 @@ jobs:
 - name: Run Common Setup
 uses: ./.github/actions/setup
 - run: just test-integration
- env:
- VERSION: ${{ github.ref_name }}

 test-cross-platform:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/update-go.yml b/.github/workflows/update-go.yml
index 69eb76b..52b269f 100644
--- a/.github/workflows/update-go.yml
+++ b/.github/workflows/update-go.yml
@@ -10,11 +10,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #v7.0.0
 with:
 token: ${{ secrets.MAINTENANCE_TOKEN }}
 fetch-depth: 0
- persists-credentials: false
+ persist-credentials: false
 - name: Run Common Setup
 uses: ./.github/actions/setup
 with:
diff --git a/just/dev.just b/just/dev.just
index 75a6a89..3974314 100644
--- a/just/dev.just
+++ b/just/dev.just
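Review bot: With the spelling corrected, `persist-credentials: false` now genuinely applies to this job, so the push in the `Commit updates` step (outside this hunk) must authenticate by some route other than the credential checkout would have stored — if `git-auto-commit-action` relies on that stored credential, the first scheduled run will fail with a 403. Trigger the workflow manually once to confirm before depending on it. If it does fail, set `persist-credentials: true` for this single checkout with a comment explaining why, and scope MAINTENANCE_TOKEN as a fine-grained PAT limited to this repository and `contents: write`, rather than widening the environment of third-party steps. The `#v7.0.0` comment on the new checkout pin cannot be verified from the diff; double-check the SHA really is that tag.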
@@ -48,7 +48,7 @@ test-os-detection: aarch64::test-os-detection arm::test-os-detection i686::test-
 # run integration tests with a mocked API server
 [group('test')]
 test-integration:
- docker buildx build --pull --build-arg VERSION="{{ VERSION }}" . -t pkgstats-test-integration
+ docker buildx build --pull --build-arg VERSION="{{ `git describe --tags 2>/dev/null || echo dev` }}" . -t pkgstats-test-integration

 # run all available tests
 [group('test')]
diff --git a/justfile b/justfile
index 942b78d..5b8888a 100644
--- a/justfile
+++ b/justfile
@@ -8,9 +8,6 @@ export CGO_CXXFLAGS := env('CXXFLAGS', '')
 export CGO_LDFLAGS := env('LDFLAGS', '')
 export CGO_ENABLED := '0'

-# Use the environment variable if present, otherwise fall back to git or "dev"
-VERSION := env('VERSION', `git describe --tags 2>/dev/null || echo "dev"`)
-
 # list all recipes
 [private]
 default:
@@ -25,8 +22,8 @@ prepare:
 [group('install')]
 build:
 CGO_ENABLED=1 go build -a -o pkgstats \
- -buildmode=pie -mod=readonly -modcacherw -buildvcs=false \
- -ldflags "-compressdwarf=false -linkmode=external -s -w -X pkgstats-cli/internal/build.Version={{ VERSION }}"
+ -buildmode=pie -mod=readonly -modcacherw -buildvcs=false \
+ -ldflags "-compressdwarf=false -linkmode=external -s -w -X pkgstats-cli/internal/build.Version={{ env('VERSION', `git describe --tags`) }}"

 # run unit tests
 [group('test')]

From f99af8cf49dd0a859bf760dcb00575356e6cbb7a Mon Sep 17 00:00:00 2001
From: m1rm
Date: Sun, 21 Jun 2026 13:23:17 +0200
Subject: [PATCH 10/11] maintenance: update other action checkouts to latest, too

---
 .github/workflows/test.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d281df4..423b052 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
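Review bot: `` {{ env('VERSION', `git describe --tags`) }} `` in the `build` recipe is probably not a lazy fallback: I believe just evaluates a function's arguments before calling it, so the backtick command runs even when VERSION is set, and because this same patch stops copying `.git` into the Docker build context, `git describe` fails inside the container and aborts `just build` regardless of the build-arg. The dev.just hunk in this patch already uses the tolerant form; mirror it here with `` {{ env('VERSION', `git describe --tags 2>/dev/null || echo dev`) }} ``, or better, `export VERSION := ...` once and reference `${VERSION}` in the shell so the value is never spliced into the command line at all. I am inferring the evaluation order from just's semantics rather than from anything in the diff, so check it with `just --evaluate` in a tree without `.git`.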
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #v7.0.0
 with:
 fetch-depth: 0
 persist-credentials: false
@@ -26,7 +26,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #v7.0.0
 with:
 fetch-depth: 0
 persist-credentials: false
@@ -38,7 +38,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #v7.0.0
 with:
 fetch-depth: 0
 persist-credentials: false
@@ -55,7 +55,7 @@ jobs:
 test: ['test', 'build', 'test-cpu-detection', 'test-os-detection']
 steps:
 - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #v7.0.0
 with:
 persist-credentials: false
 - name: Run Common Setup

From d43377f8eec1789cd10d69cd4a537bdd859073c0 Mon Sep 17 00:00:00 2001
From: m1rm
Date: Sun, 21 Jun 2026 14:02:21 +0200
Subject: [PATCH 11/11] refactor: git describe --tags only fails on fork

---
 .dockerignore | 1 -
 Dockerfile | 2 --
 just/dev.just | 2 +-
 justfile | 2 +-
 4 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index afef7ce..2d2454f 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,5 +1,4 @@
 /.idea
-/.git
 /.github
 /pkgstats
 /pkgstats-cli
diff --git a/Dockerfile b/Dockerfile
index 5109311..9091fde 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,8 +6,6 @@ RUN pacman -Syu --noconfirm --cachedir /tmp/pacman-cache go just git gcc jq
 COPY . /app/
 WORKDIR /app
 ENV INTEGRATION_TEST=1
-ARG VERSION=dev
-ENV VERSION=${VERSION}
 RUN just prepare
 RUN just build
 RUN just test
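Review bot: Dropping `/.git` from .dockerignore means `COPY . /app/` (the Dockerfile hunk in this same patch) puts the entire repository history, `.git/config` and any hooks into the build context and into an image layer, solely so that `git describe` can run inside the container. In CI this is tolerable only because `persist-credentials: false` keeps the token out of `.git/config`; on a developer machine, or in any job that re-enables credential persistence, a remote URL or credential left in `.git/config` would be baked into `pkgstats-test-integration`. Prefer keeping `/.git` ignored and passing the version in as a build-arg as patch 09 did, or at minimum add a comment next to `COPY . /app/` stating that `.git` is intentionally shipped into the image and must never hold credentials. Be aware that git inside the container may also refuse a `.git` owned by a different uid (its ownership check), which would make `git describe` fail here for a reason unrelated to forks.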
diff --git a/just/dev.just b/just/dev.just
index 3974314..a3bd428 100644
--- a/just/dev.just
+++ b/just/dev.just
@@ -48,7 +48,7 @@ test-os-detection: aarch64::test-os-detection arm::test-os-detection i686::test-
 # run integration tests with a mocked API server
 [group('test')]
 test-integration:
- docker buildx build --pull --build-arg VERSION="{{ `git describe --tags 2>/dev/null || echo dev` }}" . -t pkgstats-test-integration
+ docker buildx build --pull . -t pkgstats-test-integration

 # run all available tests
 [group('test')]
diff --git a/justfile b/justfile
index 5b8888a..436ab57 100644
--- a/justfile
+++ b/justfile
@@ -23,7 +23,7 @@ prepare:
 build:
 CGO_ENABLED=1 go build -a -o pkgstats \
 -buildmode=pie -mod=readonly -modcacherw -buildvcs=false \
- -ldflags "-compressdwarf=false -linkmode=external -s -w -X pkgstats-cli/internal/build.Version={{ env('VERSION', `git describe --tags`) }}"
+ -ldflags '-compressdwarf=false -linkmode=external -s -w -X pkgstats-cli/internal/build.Version={{ `git describe --tags` }}'

 # run unit tests
 [group('test')]
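Review bot: Reverting to a bare `` {{ `git describe --tags` }} `` makes `just build` abort wherever no tag is reachable — the commit title limits this to forks, but a shallow clone or any checkout that did not fetch tags behaves the same — whereas `git describe --tags --always` yields a commit hash in that case while still producing a real version on tagged builds. The value is still spliced into the command line by just before the shell sees it; with single quotes the only character that can break out is `'`, which git does allow in ref names, so treat this as a minor note rather than an exploit path, but exporting VERSION and referencing `${VERSION}` in the shell would remove the quoting question for good.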