Merge branch 'development'

.dockerignore

@@ -1,6 +1,13 @@
-bin/
-dist/
+bin
+dist
+site
+docs
+node_modules
+.git
 .idea
 .github
-testdata/
-node_modules/
+.vscode
+.gitignore
+*.md
+LICENSE
+vendor

.github/dependabot.yml

@@ -7,3 +7,8 @@ updates:
   open-pull-requests-limit: 10
   assignees:
   - 0xERR0R
+
+- package-ecosystem: github-actions
+  directory: "/"
+  schedule:
+    interval: daily

.github/workflows/ci-build.yml

@@ -1,45 +1,35 @@
 name: CI Build
 on: [push, pull_request]
 jobs:
-
-  build:
-    name: Build
+  make:
+    name: Test
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        make: [build, test, race, docker-build, goreleaser]
     steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
 
-      - name: Set up Go 1.18
-        uses: actions/setup-go@v1
+      - name: Set up Go
+        uses: actions/setup-go@v3
         with:
-          go-version: 1.18
+          go-version-file: go.mod
         id: go
 
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v1
-
       - name: Get dependencies
-        run: |
-          go get -v -t -d ./...
-          if [ -f Gopkg.toml ]; then
-              curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
-              dep ensure
-          fi
+        run: go mod download
 
-      - name: Build
-        run: make build
-
-      - name: Test
-        run: make test
-
-      - name: Race detection
-        run: make race
+      - name: make ${{ matrix.make }}
+        run: make ${{ matrix.make }}
+        if: matrix.make != 'goreleaser'  
 
       - name: Upload results to codecov
-        run: bash <(curl -s https://codecov.io/bash) -t 48d6a1a8-a66e-4f27-9cc1-a7b91c4209b2
-
-      - name: Docker images
-        run: make docker-build
+        uses: codecov/codecov-action@v3
+        if: matrix.make == 'test'
 
       - name: Check GoReleaser configuration
-        uses: goreleaser/goreleaser-action@v2
+        uses: goreleaser/goreleaser-action@v3
+        if: matrix.make == 'goreleaser' 
         with:
           args: check

.github/workflows/close_stale.yml

@@ -0,0 +1,25 @@
+name: 'Close stale issues and PRs'
+on:
+  schedule:
+    - cron: '0 4 * * *'
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == '0xERR0R'
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v6
+        with:
+          stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
+          stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
+          close-issue-message: 'This issue was closed because it has been stalled for 5 days with no activity.'
+          close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.'
+          days-before-issue-stale: 90
+          days-before-pr-stale: 45
+          days-before-issue-close: 5
+          days-before-pr-close: 10
+          exempt-all-milestones: true
+          operations-per-run: 60

.github/workflows/codeql-analysis.yml

@@ -35,11 +35,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -50,7 +50,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -64,4 +64,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2

.github/workflows/development-docker.yml

@@ -1,55 +1,207 @@
 name: Development docker build
+
 on:
   push:
     branches:
       - development
       - fb-*
 
+permissions:
+  security-events: write
+  actions: read
+  contents: read
+  packages: write
+
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
+  check:
+    name: Check if workflow should run 
+    runs-on: ubuntu-latest
+    outputs:
+      enabled: ${{ steps.check.outputs.enabled }}
+    steps:
+      - name: Enabled Check
+        id: check
+        shell: bash
+        run: | 
+          ENABLED=${{ secrets.DEVELOPMENT_DOCKER }}
+
+          if [[ "${{ github.repository_owner }}" == "0xERR0R" ]]; then
+            ENABLED="true"
+          fi          
+
+          if [[ "${ENABLED,,}" != "true" ]]; then
+            echo "enabled=0" >> $GITHUB_OUTPUT
+
+            echo "Workflow is disabled"
+
+            echo "### Workflow is disabled" >> $GITHUB_STEP_SUMMARY
+            echo "To enable this workflow by creating a secret 'DEVELOPMENT_DOCKER' with the value 'true'" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "enabled=1" >> $GITHUB_OUTPUT
+
+            echo "Workflow is enabled"
+          fi
+
   docker:
-    if: github.repository_owner == '0xERR0R'
+    name: Build Docker image
     runs-on: ubuntu-latest
+    needs: check
+    if: ${{ needs.check.outputs.enabled == 1 }}
+    outputs:
+      repository: ${{ steps.get_vars.outputs.repository }}
+      branch: ${{ steps.get_vars.outputs.branch }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
+
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
+        with:
+          platforms: arm,arm64
+
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+
+      - name: Get registry token
+        id: get_token
+        shell: bash
+        run: |
+          if [ "${{ secrets.CR_PAT }}" ]; then
+            echo "token=${{ secrets.CR_PAT }}" >> $GITHUB_OUTPUT
+          else
+            echo "token=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_OUTPUT
+          fi
+
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.CR_PAT }}
+          password: ${{ steps.get_token.outputs.token }}
+
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        if: github.repository_owner == '0xERR0R'
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Extract branch name
+
+      - name: Populate build variables
+        id: get_vars
         shell: bash
-        run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
-        id: extract_branch
+        run: |
+          REPOSITORY=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
+          echo "repository=${REPOSITORY}" >> $GITHUB_OUTPUT
+          echo "REPOSITORY: ${REPOSITORY}"
+
+          BRANCH=${GITHUB_REF#refs/heads/}
+          echo "branch=${BRANCH}" >> $GITHUB_OUTPUT
+          echo "Branch: ${BRANCH}"
+          
+          VERSION=$(git describe --always --tags)
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "VERSION: ${VERSION}"
+
+          BUILD_TIME=$(date '+%Y%m%d-%H%M%S')
+          echo "build_time=${BUILD_TIME}" >> $GITHUB_OUTPUT
+          echo "BUILD_TIME: ${BUILD_TIME}"
+
+          TAGS="ghcr.io/${REPOSITORY}:${BRANCH}"
+          if [[ "${{ github.repository_owner }}" == "0xERR0R" ]]; then
+            TAGS="${TAGS} , spx01/blocky:${BRANCH}"
+          fi
+          echo "tags=${TAGS}" >> $GITHUB_OUTPUT
+          echo "TAGS: ${TAGS}"
+      
       - name: Build and push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           context: .
           platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
           push: true
-          tags: |
-            ghcr.io/0xerr0r/blocky:${{ steps.extract_branch.outputs.branch }}
-            spx01/blocky:${{ steps.extract_branch.outputs.branch }}
-      - name: Scan image
-        uses: anchore/scan-action@v3
-        id: scan
-        with:
-          image: "spx01/blocky:${{ steps.extract_branch.outputs.branch }}"
-          fail-build: false
-          acs-report-enable: true
-      - name: upload Anchore scan SARIF report
-        uses: github/codeql-action/upload-sarif@v1
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
+          tags: ${{ steps.get_vars.outputs.tags }}
+          build-args: |
+            VERSION=${{ steps.get_vars.outputs.version }}
+            BUILD_TIME=${{ steps.get_vars.outputs.build_time }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  repo-scan:
+    name: Repo vulnerability scan
+    runs-on: ubuntu-latest
+    needs: check
+    if: needs.check.outputs.enabled == 1
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-repo-results.sarif'
+          severity: 'CRITICAL'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-repo-results.sarif'
+
+  image-scan:
+    name: Image vulnerability scan
+    runs-on: ubuntu-latest
+    needs: docker
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Run Trivy vulnerability scanner on Docker image
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }}'
+          format: 'sarif'
+          output: 'trivy-image-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-image-results.sarif'
+
+  image-test:
+    name: Test docker images
+    runs-on: ubuntu-latest
+    needs: docker
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+        with:
+          platforms: arm,arm64
+
+      - name: Test images
+        shell: bash
+        run: | 
+          echo '::group::Version for linux/amd64'
+          docker run --rm ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }} version
+          echo '::endgroup::'
+
+          echo '::group::Version for linux/arm/v6'
+          docker run --platform linux/arm/v6 --rm ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }} version
+          echo '::endgroup::'
+
+          echo '::group::Version for linux/arm/v7'
+          docker run --platform linux/arm/v7 --rm ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }} version
+          echo '::endgroup::'
+
+          echo '::group::Version for linux/arm64'
+          docker run --platform linux/arm64 --rm ghcr.io/${{ needs.docker.outputs.repository }}:${{ needs.docker.outputs.branch }} version
+          echo '::endgroup::'

.github/workflows/docs.yml

@@ -8,8 +8,8 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
         with:
           python-version: 3.x
       - run: pip install mkdocs-material