style.yaml
# Copyright 2024 Chainguard, Inc.
# SPDX-License-Identifier: Apache-2.0
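name: Code Style

# Package selectors consumed by the `apk add` step of the golangci-lint job.
env:
  GO_RELEASE: "go-1.26"
  YARA_X_RELEASE: "1.15.0"

# Workflow-wide default: the GITHUB_TOKEN is granted no scopes. Every job
# below opts back in to exactly `contents: read`.
permissions: {}

on:
  pull_request:
    branches:
      - "main"
  push:
    branches:
      - "main"

# Conventions shared by the jobs below:
#   * every third-party action is pinned to a full commit SHA, with the
#     human-readable ref kept in the trailing comment;
#   * checkout uses `persist-credentials: false`, so the token is not left in
#     the local git config for later steps (make targets, linters) to read.
jobs:
  # Compiles the YARA rules; fails when compilation reports errors.
  yrcompile:
    name: check yr compile
    runs-on: ubuntu-24.04-arm
    permissions:
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
        with:
          # Outbound traffic is denied unless the destination is listed below.
          # NOTE(review): *.blob.core.windows.net and storage.googleapis.com
          # are shared multi-tenant storage hosts, so this list narrows egress
          # rather than closing it completely; tighten to specific hosts if
          # the build allows it.
          egress-policy: block
          allowed-endpoints: >
            *.blob.core.windows.net:443
            *.githubapp.com:443
            api.github.com:443
            dl.google.com:443
            github.com:443
            go.dev:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            release-assets.githubusercontent.com:443
            storage.googleapis.com:443
            sum.golang.org:443
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run make yara-x-compile
        # The default `run` shell on hosted Linux runners is `bash -e`, so a
        # bare `make` followed by a `$?` check aborts before the hint below is
        # printed. Testing the command inside the `if` keeps it reachable.
        run: |
          if ! make yara-x-compile; then
            echo "Rule compilation failed; address findings and commit the changes"
            exit 1
          fi

  # Runs the rule formatter and fails if it left the working tree dirty.
  yrfmt:
    name: check yr fmt
    runs-on: ubuntu-24.04-arm
    permissions:
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
        with:
          # Same egress allowlist as the yrcompile job.
          egress-policy: block
          allowed-endpoints: >
            *.blob.core.windows.net:443
            *.githubapp.com:443
            api.github.com:443
            dl.google.com:443
            github.com:443
            go.dev:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            release-assets.githubusercontent.com:443
            storage.googleapis.com:443
            sum.golang.org:443
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run make yara-x-fmt
        # Any output from `git status -s` means the formatter rewrote a file.
        run: |
          make yara-x-fmt
          if [[ -n $(git status -s) ]]; then
            echo "Rule files updated; please run 'make yara-x-fmt' locally and commit the changes"
            exit 1
          fi

  # gofmt check with the simplify flag (-s).
  gofmt:
    name: check gofmt
    runs-on: ubuntu-24.04-arm
    permissions:
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
        with:
          # Same egress allowlist as the yrcompile job.
          egress-policy: block
          allowed-endpoints: >
            *.blob.core.windows.net:443
            *.githubapp.com:443
            api.github.com:443
            dl.google.com:443
            github.com:443
            go.dev:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            release-assets.githubusercontent.com:443
            storage.googleapis.com:443
            sum.golang.org:443
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          check-latest: true
      # Pinned to a commit SHA; the trailing comment records that the SHA was
      # taken from the `main` branch rather than from a release tag.
      - uses: chainguard-dev/actions/gofmt@c69a264ec2a5934c3186c618f368fc1c86f16cff # main
        with:
          args: -s

  # goimports check.
  goimports:
    name: check goimports
    runs-on: ubuntu-24.04-arm
    permissions:
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
        with:
          # Same egress allowlist as the yrcompile job.
          egress-policy: block
          allowed-endpoints: >
            *.blob.core.windows.net:443
            *.githubapp.com:443
            api.github.com:443
            dl.google.com:443
            github.com:443
            go.dev:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            release-assets.githubusercontent.com:443
            storage.googleapis.com:443
            sum.golang.org:443
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          check-latest: true
      # Pinned to a commit SHA taken from `main` (see trailing comment).
      - uses: chainguard-dev/actions/goimports@c69a264ec2a5934c3186c618f368fc1c86f16cff # main

  # Runs golangci-lint inside a digest-pinned container instead of directly on
  # the runner.
  # NOTE(review): unlike the other jobs, this one has no Harden Runner step,
  # so nothing in this workflow restricts its outbound traffic, and the
  # `apk add` step pulls packages at run time. Confirm that is intended.
  golangci-lint:
    name: golangci-lint
    runs-on: ubuntu-24.04-arm
    permissions:
      contents: read
    container:
      # The `@sha256:` digest, not the `latest` tag, selects the image.
      image: cgr.dev/chainguard/wolfi-base:latest@sha256:9a74366aa10eff2bf14dab0948123bd2c51703e1c553a73740ef687f723aecf4
      # Capabilities: everything dropped, then DAC_OVERRIDE, SETGID and SETUID
      # added back. no-new-privileges blocks privilege gain through setuid
      # binaries, and `core=0` disables core dumps.
      options: >-
        --cap-add DAC_OVERRIDE
        --cap-add SETGID
        --cap-add SETUID
        --cap-drop ALL
        --cgroupns private
        --cpu-shares=4096
        --memory-swappiness=0
        --security-opt no-new-privileges
        --ulimit core=0
        --ulimit nofile=4096:4096
        --ulimit nproc=4096:4096
    steps:
      - name: Install dependencies
        # `yara-x~<version>` is apk's fuzzy version match; the Go package is
        # selected by name only (GO_RELEASE).
        run: |
          apk update
          apk add curl findutils git "${GO_RELEASE}" nodejs "yara-x~${YARA_X_RELEASE}"
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Trust repository
        # Presumably needed because the checkout is owned by a different user
        # than the one running git in the container; verify before removing.
        run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
      - name: Run golangci-lint
        run: |
          make golangci-lint-lint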