Improve CI and security

.github/workflows/build-and-snapshot.yml

@@ -21,10 +21,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v6
         with:
           python-version: "3.11"
 
@@ -52,10 +52,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ matrix.go-version }}
 
@@ -70,10 +70,49 @@ jobs:
         run: go mod tidy -e || true
 
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v9
         with:
           version: latest
 
+      - name: Run govulncheck
+        shell: bash
+        run: |
+          go install golang.org/x/vuln/cmd/govulncheck@latest
+          # Run in JSON mode and emit GitHub Actions warning annotations for each finding.
+          # govulncheck outputs multi-line JSON objects (not line-delimited), so we use
+          # raw_decode to parse successive top-level objects from the output stream.
+          govulncheck -json . 2>/dev/null | python3 -c "
+          import sys, json
+          decoder = json.JSONDecoder()
+          data = sys.stdin.read().strip()
+          pos = 0
+          while pos < len(data):
+              obj, idx = decoder.raw_decode(data, pos)
+              pos = idx
+              while pos < len(data) and data[pos] in ' \t\n\r':
+                  pos += 1
+              if not isinstance(obj, dict):
+                  continue
+              finding = obj.get('finding')
+              if not finding:
+                  continue
+              osv_id = finding.get('osv', '')
+              traces = finding.get('trace', [])
+              mod = traces[0].get('module', '') if traces else ''
+              ver = traces[0].get('version', '') if traces else ''
+              fixed = finding.get('fixed_version', '')
+              summary = f'{mod} {ver} is vulnerable ({osv_id}); fixed in {fixed}' if fixed else osv_id
+              loc = ''
+              for frame in reversed(traces):
+                  fpos = frame.get('position', {})
+                  fname = fpos.get('filename', '')
+                  line_no = fpos.get('line', '')
+                  if fname:
+                      loc = f'file={fname},line={line_no},'
+                      break
+              print(f'::warning {loc}title=govulncheck [{osv_id}]::{summary}')
+          " || true
+
       - name: Lint and format Go files
         run: ./scripts/lint-go.sh ci
 
@@ -83,7 +122,7 @@ jobs:
           python3 .github/workflows/build.py
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: cf-cli-java-plugin-${{ matrix.os }}
           path: |
@@ -94,16 +133,17 @@ jobs:
     name: Create Snapshot Release
     needs: [build, lint-and-test-python]
     runs-on: ubuntu-latest
+    environment: release
     if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && (needs.lint-and-test-python.result == 'success' || needs.lint-and-test-python.result == 'skipped')
     permissions:
       contents: write
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v6
         with:
           python-version: "3.11"
 
@@ -113,7 +153,7 @@ jobs:
           pip install PyYAML
 
       - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           path: dist/
 
@@ -144,7 +184,7 @@ jobs:
           JSTALL_VERSION=$(curl -s https://api.github.com/repos/parttimenerd/jstall/releases/latest | python3 -c "import sys,json; print(json.load(sys.stdin).get('tag_name','unknown'))")
           echo "version=$JSTALL_VERSION" >> $GITHUB_OUTPUT
 
-      - uses: thomashampson/delete-older-releases@main
+      - uses: thomashampson/delete-older-releases@2ff234dfe6ad2757ac7e53d96e298fbe82b0fd56 # @main
         with:
           keep_latest: 0
           delete_tag_regex: snapshot
@@ -163,7 +203,7 @@ jobs:
           git push origin snapshot --force
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           files: |
             dist/*

.github/workflows/plugin-repo.yml

@@ -11,13 +11,14 @@ jobs:
   generate-plugin-repo:
     name: Generate Plugin Repository YAML
     runs-on: ubuntu-latest
+    environment: release
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v6
         with:
           python-version: "3.x"
 

.github/workflows/pr-validation.yml

@@ -16,22 +16,22 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ">=1.23.5"
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v6
         with:
           python-version: "3.11"
 
       - name: Set up Node.js for markdownlint
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
-          node-version: "18"
+          node-version: "24"
 
       - name: Download JStall minimal JAR for go:embed
         run: |
@@ -42,10 +42,48 @@ jobs:
         run: go mod tidy -e || true
 
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v9
         with:
           version: latest
 
+      - name: Run govulncheck
+        run: |
+          go install golang.org/x/vuln/cmd/govulncheck@latest
+          # Run in JSON mode and emit GitHub Actions warning annotations for each finding.
+          # govulncheck outputs multi-line JSON objects (not line-delimited), so we use
+          # raw_decode to parse successive top-level objects from the output stream.
+          govulncheck -json . 2>/dev/null | python3 -c "
+          import sys, json
+          decoder = json.JSONDecoder()
+          data = sys.stdin.read().strip()
+          pos = 0
+          while pos < len(data):
+              obj, idx = decoder.raw_decode(data, pos)
+              pos = idx
+              while pos < len(data) and data[pos] in ' \t\n\r':
+                  pos += 1
+              if not isinstance(obj, dict):
+                  continue
+              finding = obj.get('finding')
+              if not finding:
+                  continue
+              osv_id = finding.get('osv', '')
+              traces = finding.get('trace', [])
+              mod = traces[0].get('module', '') if traces else ''
+              ver = traces[0].get('version', '') if traces else ''
+              fixed = finding.get('fixed_version', '')
+              summary = f'{mod} {ver} is vulnerable ({osv_id}); fixed in {fixed}' if fixed else osv_id
+              loc = ''
+              for frame in reversed(traces):
+                  fpos = frame.get('position', {})
+                  fname = fpos.get('filename', '')
+                  line_no = fpos.get('line', '')
+                  if fname:
+                      loc = f'file={fname},line={line_no},'
+                      break
+              print(f'::warning {loc}title=govulncheck [{osv_id}]::{summary}')
+          " || true
+
       - name: Lint Go code
         run: ./scripts/lint-go.sh ci
 

.github/workflows/release.yml

@@ -23,15 +23,15 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ matrix.go-version }}
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v6
         with:
           python-version: "3.x"
 
@@ -50,7 +50,7 @@ jobs:
         run: go mod tidy -e || true
 
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v9
         with:
           version: latest
 
@@ -73,16 +73,17 @@ jobs:
     name: Create GitHub Release with Plugin Repository Entry
     needs: release
     runs-on: ubuntu-latest
+    environment: release
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           fetch-depth: 0
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v6
         with:
           python-version: "3.x"
 
@@ -159,7 +160,7 @@ jobs:
         run: echo "timestamp=$(date -u +'%Y-%m-%d %H:%M:%S UTC')" >> $GITHUB_OUTPUT
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           tag_name: ${{ github.event.inputs.version }}
           name: ${{ github.event.inputs.version }}

.golangci.yml

@@ -43,12 +43,22 @@ linters:
     - wastedassign     # Check wasted assignments
     - whitespace       # Check for extra whitespace
     - gocritic
+    - gosec            # Security-focused linter (shell commands, file perms, crypto)
+
+  settings:
+    gosec:
+      # exec.Command("cf", ...) — "cf" is a hardcoded binary; only SSH/CF args vary.
+      # exec.Command(javaPath, ...) — resolved from JAVA_HOME/PATH, not user input.
+      excludes:
+        - G204  # Subprocess launched with variable
+    nolintlint:
+      allow-unused: true  # G702 nolint directives are unused on older linter versions
 
 
   disable:
     # Disabled as requested
     - gochecknoglobals  # Ignore global variables (as requested)
-    
+
     # Disabled for being too strict or problematic
     - testpackage      # Too strict - requires separate test packages
     - paralleltest     # Not always applicable
@@ -70,5 +80,4 @@ linters:
     - gocyclo          # Check cyclomatic complexity
     - cyclop           # Check cyclomatic complexity
     - funlen           # Check function length
-    - gosec            # Security-focused linter
     - revive           # Fast, configurable, extensible linter