From c85345f0918a4f1ec94cfc1950d804119209d9a6 Mon Sep 17 00:00:00 2001
From: Johnny Miller <163300+millerjp@users.noreply.github.com>
Date: Tue, 21 Apr 2026 07:57:57 +0200
Subject: [PATCH] ci: add build-provenance attestations and CodeQL scanning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two free-on-public-repos security additions pre-v1.0.0:
* release.yml — new `attest-build-provenance` step on the goreleaser job after publish. Runs only on real releases (dry_run=false), subject-paths cover every dist/*.tar.gz, dist/*.zip, and dist/checksums.txt produced by GoReleaser. Needs id-token:write + attestations:write on the job, added to the permissions block. Keyless Sigstore signing; no secrets required.
* codeql.yml — new workflow running GitHub's security-and-quality Go query set on push to main, every PR, and a weekly schedule (Mondays 06:17 UTC). Standard doc-file path-ignores so doc-only PRs don't trip the scan. No code change. No runtime dependency change. make check green, coverage 100%, actionlint clean on both workflow files.
---
 .github/workflows/codeql.yml | 77 +++++++++++++++++++++++++++++++++++
 .github/workflows/release.yml | 11 +++++
 2 files changed, 88 insertions(+)
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..b7b2cf5
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,77 @@
+name: CodeQL
+
+# GitHub's free security scanner for Go source. Runs on every PR
+# against main, on every push to main, and on a weekly schedule so
+# newly-disclosed query rules catch any drift in the committed tree.
+#
+# Free on public repositories; no billing impact.
+
+on:
+ push:
+ branches: [main]
+ paths-ignore:
+ - "signatures/**"
+ - "CONTRIBUTORS.md"
+ - "**.md"
+ - ".github/images/**"
+ - "llms.txt"
+ - "llms-full.txt"
+ - "bench.txt"
+ pull_request:
+ branches: [main]
+ paths-ignore:
+ - "signatures/**"
+ - "CONTRIBUTORS.md"
+ - "**.md"
+ - ".github/images/**"
+ - "llms.txt"
+ - "llms-full.txt"
+ - "bench.txt"
+ schedule:
+ # Mondays 06:17 UTC — off the hour to avoid queueing with every
+ # other repo that schedules on :00.
+ - cron: "17 6 * * 1"
+
+permissions:
+ contents: read
+
+concurrency:
+ group: codeql-${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ packages: read
+ actions: read
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: go
+ build-mode: autobuild
+ steps:
+ - uses: actions/checkout@v6.0.2
+
+ - uses: actions/setup-go@v6.4.0
+ with:
+ go-version: "1.26"
+ cache: true
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ # `security-and-quality` runs the standard security queries
+ # plus maintainability checks. Small library, zero runtime
+ # deps — the extra rules have negligible runtime cost.
+ queries: security-and-quality
+
+ - name: Perform CodeQL analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 37523f9..71d1f83 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
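Review bot: The job-level `permissions` block under `analyze` (security-events, packages, actions) replaces the workflow-level `contents: read` rather than extending it, because a job that declares `permissions` gets `none` for every scope it does not list, so the token handed to `actions/checkout@v6.0.2` and the CodeQL steps carries no explicit `contents` grant. On a public repository checkout still succeeds, but the job would likely break without an obvious cause if the repository were ever made private, and GitHub's own CodeQL starter workflow lists `contents: read` next to those three scopes. Adding `contents: read` under the job's `permissions:` keeps the grant explicit and independent of repository visibility. Separately, `actions/checkout` and `actions/setup-go` are pinned to exact release tags while `github/codeql-action/init@v3` and `github/codeql-action/analyze@v3` float on a mutable major tag; pinning all four the same way (ideally to a full commit SHA with the tag in a trailing comment, e.g. `uses: github/codeql-action/init@<sha>  # v3`) gives the workflow one consistent supply-chain posture.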
@@ -91,6 +91,8 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: write
+ id-token: write
+ attestations: write
 steps:
 # On a real release the tag has just been pushed by the `tag`
 # job, so we check it out. On a dry run no tag exists yet;
@@ -121,6 +123,15 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+ - name: Attest build provenance
+ if: inputs.dry_run != true
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: |
+ dist/*.tar.gz
+ dist/*.zip
+ dist/checksums.txt
+
 proxy-warm:
 name: Warm Go module proxy
 needs: goreleaser
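Review bot: The guard `if: inputs.dry_run != true` on the Attest build provenance step only skips dry runs if `dry_run` is declared `type: boolean`; the input definition lies outside the hunk, and if it is a string input the expression coerces `'true'` against `true`, evaluates unequal, and the step would publish a provenance attestation for a dry-run build. Worth confirming the input type, or comparing against both forms, `if: inputs.dry_run != true && inputs.dry_run != 'true'`. The first hunk grants `id-token: write` and `attestations: write` to the whole goreleaser job, which means every step in it, not only the attestation step, can mint an OIDC token; a one-line comment there, `# id-token/attestations: needed only by the attest-build-provenance step`, records why the scopes exist and helps keep the block minimal. A comment above the new step telling consumers how to check the result, e.g. `# Verify: gh attestation verify <artifact> --repo <owner>/<repo>`, would close the loop for release users. The goreleaser job starts before the first hunk and continues past the second.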