Skip to content

Commit

Permalink
Add and configure Capslock
Browse files Browse the repository at this point in the history
Add Capslock (<https://github.com/google/capslock>) as a tool dependency
and use it to continuously check (statically) the capabilities used by
dependencies. The idea behind doing this is to ensure all potentially
dangerous function being used are known and make sense in the context in
which they're used.

The `capabilities.json` file is included in the commit history because
it is needed to do a comparison from one version to the next.
  • Loading branch information
ericcornelissen committed Oct 21, 2024
1 parent 855ebf3 commit 689e1f1
Show file tree
Hide file tree
Showing 6 changed files with 19,068 additions and 2 deletions.
22 changes: 21 additions & 1 deletion .github/workflows/audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ on:
paths:
- '**/*.go'
- .github/workflows/audit.yml
- capabilities.json
- go.mod
- go.sum
push:
Expand All @@ -16,6 +17,25 @@ on:
permissions: read-all

jobs:
capabilities:
name: Capabilities
runs-on: ubuntu-24.04
steps:
- name: Checkout repository
uses: actions/checkout@v4.2.0
- name: Install Go
uses: actions/setup-go@v5.0.2
with:
go-version-file: go.mod
- name: Verify action checksums
env:
JOB: ${{ github.job }}
WORKFLOW: ${{ github.workflow_ref }}
run: |
WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
go run ./cmd/ghasum verify -cache /home/runner/work/_actions -no-evict -offline "$WORKFLOW:$JOB"
- name: Audit
run: go run tasks.go audit-capabilities
vulnerabilities:
name: Vulnerabilities
runs-on: ubuntu-24.04
Expand All @@ -34,4 +54,4 @@ jobs:
WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
go run ./cmd/ghasum verify -cache /home/runner/work/_actions -no-evict -offline "$WORKFLOW:$JOB"
- name: Audit
run: go run tasks.go audit
run: go run tasks.go audit-vulnerabilities
Loading

0 comments on commit 689e1f1

Please sign in to comment.