ci: update pipelines

.github/workflows/codeql.yml

@@ -1,78 +1,42 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
-
+name: 'CodeQL'
 on:
   push:
-    branches: ["master"]
+    branches:
+      - 'master'
   pull_request:
-    # The branches below must be a subset of the branches above
-    branches: ["master"]
+    branches:
+      - 'master'
   schedule:
-    - cron: "0 0 * * 1"
-
+    - cron: '0 0 * * 1'
 permissions:
-  contents: read
-
+  contents: 'read'
 jobs:
   analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
+    name: 'Analyze'
+    runs-on: 'ubuntu-latest'
     permissions:
-      actions: read
-      contents: read
-      security-events: write
-
+      actions: 'read'
+      contents: 'read'
+      security-events: 'write'
     strategy:
       fail-fast: false
       matrix:
-        language: ["go"]
-        # CodeQL supports [ $supported-codeql-languages ]
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
+        language:
+          - 'go'
     steps:
-      - name: Harden Runner
+      - name: 'Harden Runner'
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
-          egress-policy: audit
-
-      - name: Checkout repository
+          egress-policy: 'audit'
+      - name: 'Checkout'
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@96f518a34f7a870018057716cc4d7a5c014bd61c # v3.29.10
+      - name: 'Initialize CodeQL'
+        uses: github/codeql-action/init@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
         with:
           languages: ${{ matrix.language }}
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
-
-      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@96f518a34f7a870018057716cc4d7a5c014bd61c # v3.29.10
-
-      # ℹ️ Command-line programs to run using the OS shell.
-      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-      #   If the Autobuild fails above, remove it and uncomment the following three lines.
-      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-      # - run: |
-      #   echo "Run, Build Application using script"
-      #   ./location_of_script_within_repo/buildscript.sh
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@96f518a34f7a870018057716cc4d7a5c014bd61c # v3.29.10
+      - name: 'Build'
+        uses: github/codeql-action/autobuild@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
+      - name: 'Perform CodeQL Analysis'
+        uses: github/codeql-action/analyze@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dependabot.yml

@@ -0,0 +1,27 @@
+name: 'Dependabot'
+on:
+  pull_request: {}
+permissions:
+  contents: 'write'
+  pull-requests: 'write'
+jobs:
+  automerge:
+    name: 'Auto-Merge'
+    runs-on: 'ubuntu-latest'
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'go-crypt/crypt'
+    steps:
+      - name: 'Harden Runner'
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: 'audit'
+      - name: 'Dependabot Fetch Metadata'
+        id: 'metadata'
+        uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: 'Enable Auto-Merge'
+        run: |
+          gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/dependency-review.yml

@@ -1,26 +1,17 @@
-# Dependency Review Action
-#
-# This Action will scan dependency manifest files that change as part of a Pull Request,
-# surfacing known-vulnerable versions of the packages declared or updated in the PR.
-# Once installed, if the workflow run is marked as required,
-# PRs introducing known-vulnerable packages will be blocked from merging.
-#
-# Source repository: https://github.com/actions/dependency-review-action
 name: 'Dependency Review'
-on: [pull_request]
-
+on:
+  pull_request: {}
 permissions:
-  contents: read
-
+  contents: 'read'
 jobs:
   dependency-review:
-    runs-on: ubuntu-latest
+    name: 'Dependency Review'
+    runs-on: 'ubuntu-latest'
     steps:
-      - name: Harden Runner
+      - name: 'Harden Runner'
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
-          egress-policy: audit
-
+          egress-policy: 'audit'
       - name: 'Checkout Repository'
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: 'Dependency Review'

.github/workflows/go.yml

@@ -1,16 +1,39 @@
-name: Go
+name: 'Go'
 on:
   pull_request: {}
   push:
     branches:
-      - master
+      - 'master'
 permissions:
-  contents: read
-
+  contents: 'read'
 jobs:
+  cover:
+    name: 'Coverage'
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: 'Harden Runner'
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: 'audit'
+      - name: 'Set up Go'
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: 1.25
+      - name: 'Checkout'
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: 'Get Dependencies'
+        run: |
+          go get -v -t -d ./...
+      - name: 'Test'
+        run: |
+          go test -coverprofile=coverage.txt -v ./...
+      - name: 'Coverage'
+        uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
   build:
-    name: Build
-    runs-on: ubuntu-latest
+    name: 'Build and Test'
+    runs-on: 'ubuntu-latest'
     strategy:
       matrix:
         go:
@@ -19,25 +42,22 @@ jobs:
           - '1.25'
       fail-fast: false
     steps:
-      - name: Harden Runner
+      - name: 'Harden Runner'
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
-          egress-policy: audit
-
-      - name: Set up Go ${{ matrix.go }}
+          egress-policy: 'audit'
+      - name: 'Set up Go ${{ matrix.go }}'
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: ${{ matrix.go }}
-      - name: Check out code into the Go module directory
+      - name: 'Checkout'
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - name: Get dependencies
+      - name: 'Get Dependencies'
         run: |
           go get -v -t -d ./...
-          if [ -f Gopkg.toml ]; then
-              curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
-              dep ensure
-          fi
-      #- name: Build
-      #  run: go build -v ./...
-      - name: Test
-        run: go test -v ./...
+      - name: 'Build'
+        run: |
+          go build -v ./...
+      - name: 'Test'
+        run: |
+          go test -v ./...

.github/workflows/scorecards.yml

@@ -1,76 +1,43 @@
-# This workflow uses actions that are not certified by GitHub. They are provided
-# by a third-party and are governed by separate terms of service, privacy
-# policy, and support documentation.
-
-name: Scorecard supply-chain security
+name: 'Scorecard'
 on:
-  # For Branch-Protection check. Only the default branch is supported. See
-  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
-  branch_protection_rule:
-  # To guarantee Maintained check is occasionally updated. See
-  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  branch_protection_rule: {}
   schedule:
     - cron: '20 7 * * 2'
   push:
-    branches: ["master"]
-
-# Declare default permissions as read only.
-permissions: read-all
-
+    branches:
+      - 'master'
+permissions: 'read-all'
 jobs:
   analysis:
-    name: Scorecard analysis
-    runs-on: ubuntu-latest
+    name: 'Analysis'
+    runs-on: 'ubuntu-latest'
     permissions:
-      # Needed to upload the results to code-scanning dashboard.
-      security-events: write
-      # Needed to publish results and get a badge (see publish_results below).
-      id-token: write
-      contents: read
-      actions: read
-
+      security-events: 'write'
+      id-token: 'write'
+      contents: 'read'
+      actions: 'read'
     steps:
-      - name: Harden Runner
+      - name: 'Harden Runner'
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
-          egress-policy: audit
-
-      - name: "Checkout code"
+          egress-policy: 'audit'
+      - name: 'Checkout'
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
-
-      - name: "Run analysis"
+      - name: 'Run'
         uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
         with:
-          results_file: results.sarif
-          results_format: sarif
-          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
-          # - you want to enable the Branch-Protection check on a *public* repository, or
-          # - you are installing Scorecards on a *private* repository
-          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
-
-          # Public repositories:
-          #   - Publish results to OpenSSF REST API for easy access by consumers
-          #   - Allows the repository to include the Scorecard badge.
-          #   - See https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories:
-          #   - `publish_results` will always be set to `false`, regardless
-          #     of the value entered here.
+          results_file: 'results.sarif'
+          results_format: 'sarif'
           publish_results: true
-
-      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
-      # format to the repository Actions tab.
-      - name: "Upload artifact"
+      - name: 'Upload'
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: SARIF file
-          path: results.sarif
+          name: 'SARIF file'
+          path: 'results.sarif'
           retention-days: 5
-
-      # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@96f518a34f7a870018057716cc4d7a5c014bd61c # v3.29.10
+      - name: 'Upload to Code Scanning Dashboard'
+        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
         with:
-          sarif_file: results.sarif
+          sarif_file: 'results.sarif'

go.mod

@@ -1,6 +1,6 @@
 module github.com/go-crypt/crypt
 
-go 1.23
+go 1.23.0
 
 toolchain go1.25.0