From 4a98d66b2407bdfa9bb5e582bc3201b769b957b1 Mon Sep 17 00:00:00 2001
From: jake
Date: Fri, 3 Apr 2026 00:22:36 -0400
Subject: [PATCH 01/12] restructure and adding functionality
---
 README.md | 37 +++++-----------------------------
 action.yaml | 53 +++++++++++++++++++++++++++++++++----------------
 src/install.sh | 16 +++++++++++++++
 src/security.sh | 34 +++++++++++++++++++++++++++++++
 src/test.sh | 37 ++++++++++++++++++++++++++++++++++
 test.sh | 28 --------------------------
 6 files changed, 128 insertions(+), 77 deletions(-)
 create mode 100644 src/install.sh
 create mode 100644 src/security.sh
 create mode 100644 src/test.sh
 delete mode 100755 test.sh
diff --git a/README.md b/README.md
index c4f70d8..4e22371 100644
--- a/README.md
+++ b/README.md
@@ -1,34 +1,7 @@
 # donotpassgo
-A composite workflow that runs general code checks on Go projects, an optional test input is available to trigger unit tests. See [steps](#steps) for more information on the jobs run
+donotpassgo is a github/gitea action to run standard go checks in pipelines.
 
-## Usage
-adding donotpassgo to workflows is simple, just add the following step to your yaml file:
-```yaml
-- name: "checkpoint"
- uses: https://code.jakeyoungdev.com/actions/donotpassgo@main
-```
-
-donotpassgo has optional support for running unit tests, this can be added by setting the test flag to standard
-```yaml
-- name: "checkpoint"
- uses: https://code.jakeyoungdev.com/actions/donotpassgo@main
- with:
- test: standard
-```
-
-running unit tests with ginkgo is also supported by setting the test flag to ginkgo
-```yaml
-- name: "checkpoint"
- uses: https://code.jakeyoungdev.com/actions/donotpassgo@main
- with:
- test: ginkgo
-```
-
-## Steps
-donotpassgo runs several workflow jobs to ensure quality and secure go code, these steps may be updated as new tools develop.
-### Dependency Scans
-[govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) is installed using golang and is used to scan for vulnerabilities in the project dependencies and standard library.
-### Static Code Analysis
-[gosec](https://github.com/securego/gosec) inspects source code for security problems
-### Unit Tests
-donotpassgo supports two unit tests libraries: the standard go library and [ginkgo](https://github.com/onsi/ginkgo)
\ No newline at end of file
+## TODO
+explain inputs in readme
+test
+does file naming matter here if the project has install.sh or /src will we overwrite?
\ No newline at end of file
diff --git a/action.yaml b/action.yaml
index aed5b2f..6d8e704 100644
--- a/action.yaml
+++ b/action.yaml
@@ -1,27 +1,46 @@
 name: "donotpassgo"
-description: "general go code checks"
+description: "go security checks and unit tests"
 inputs:
- test:
- description: "runs unit tests with specified library"
+ test-library: #TEST_LIBRARY
+ description: "if set, tests are run with the specific library (standard|ginkgo)"
 required: false
 default: "none"
+ test-version: #TEST_VERSION
+ description: "the test library version, if the version is none or standard this value is ignored"
+ required: false
+ default: "latest"
+ test-fail: #TEST_FAIL
+ description: "override switch to prevent jobs from failing when unit tests do"
+ required: false
+ default: "yes"
+ static: #STATIC_FLAG
+ description: "if set, static code checks are ran with gosec (yes|no)"
+ required: false
+ default: "yes"
+ static-fail: #STATIC_FAIL
+ description: "override switch to prevent jobs from failing when static code analysis does"
+ required: false
+ default: "yes"
+ vulnerability: #VULN_CHECK
+ description: "if set, dependencies are scanned with govulncheck (yes|no)"
+ required: false
+ default: "yes"
+ vulnerability-fail: #VULN_FAIL
+ description: "override switch to prevent jobs from failing when vulnerability scan does"
+ required: false
+ default: "yes"
+
 runs:
 using: "composite"
 steps:
+ - name: "install dependencies"
+ shell: bash
+ run: ${{ github.action_path }}/src/install.sh
+
 - name: "run unit tests"
 shell: bash
- run: ${{ github.action_path }}/test.sh
- env:
- LIBRARY: ${{ inputs.test }}
+ run: ${{ github.action_path }}/src/test.sh
 
- - name: "install govulncheck"
- run: |
- go install golang.org/x/vuln/cmd/govulncheck@latest
-
- - name: "dependency scan"
- run: govulncheck ./...
-
- - name: "static code analysis"
- uses: securego/gosec@master
- with:
- args: ./...
\ No newline at end of file
+ - name: "run security checks"
+ shell: bash
+ run: ${{ github.action_path }}/src/security.sh
\ No newline at end of file
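Review bot: Every yes/no input added here (`test-fail`, `static`, `static-fail`, `vulnerability`, `vulnerability-fail`) is consumed by comparing the raw string against the literals `yes` and `no`, and nothing rejects other values, so the checks fail open: `static: true` or `vulnerability-fail: false` arrive as the strings `true`/`false`, match neither branch, and the scan is silently skipped or its failure silently ignored. The same applies to `test-library`, where any value other than `standard`/`ginkgo`/`none` prints "running unit tests" and exits 0 without running anything; the consuming hunks are src/security.sh and src/test.sh in this same patch. Validate at the top of each script, e.g. `case "$STATIC_FLAG" in yes|no) ;; *) echo "[FATAL] static must be yes or no"; exit 1;; esac`, or invert the tests so that only an explicit `no` disables a check and only an explicit `no` downgrades a failure. Also the wording `static code checks are ran with gosec` should read `are run`.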
diff --git a/src/install.sh b/src/install.sh
new file mode 100644
index 0000000..13ce6e5
--- /dev/null
+++ b/src/install.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -eo pipefail
+
+version=$(go version);
+if [[ -z "$version" ]]; then
+ echo "[FATAL] golang is not installed";
+ exit 1;
+fi
+
+go install golang.org/x/vuln/cmd/govulncheck@latest
+go install github.com/securego/gosec/v2/cmd/gosec@latest
+
+if [[ "$TEST_LIBRARY" == "ginkgo" ]]; then
+ go install github.com/onsi/ginkgo/v2/ginkgo@$TEST_VERSION
+fi
\ No newline at end of file
diff --git a/src/security.sh b/src/security.sh
new file mode 100644
index 0000000..14b90f3
--- /dev/null
+++ b/src/security.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -eo pipefail
+
+if [[ "$STATIC_FLAG" == "no" && "$VULN_SCAN" == "no" ]]; then
+ echo "[INFO] no security flags set, skipping!";
+ exit 0;
+fi
+
+if [[ "$STATIC_FLAG" == "yes" ]]; then
+ if gosec ./...; then
+ echo "[INFO] gosec passed!";
+ else
+ if [[ "$STATIC_FAIL" == "yes" ]]; then
+ echo "[FATAL] gosec failed!";
+ exit 1;
+ else
+ echo "[INFO] gosec failed!";
+ fi
+ fi
+fi
+
+if [[ "$VULN_CHECK" == "yes" ]]; then
+ if govulncheck ./...; then
+ echo "[INFO] govulncheck passed!";
+ else
+ if [[ "$VULN_FAIL" == "yes" ]]; then
+ echo "[FATAL] govulncheck failed!"
+ exit 1;
+ else
+ echo "[INFO] govulncheck failed!"
+ fi
+ fi
+fi
\ No newline at end of file
diff --git a/src/test.sh b/src/test.sh
new file mode 100644
index 0000000..29e6a8c
--- /dev/null
+++ b/src/test.sh
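Review bot: The `[[ -z "$version" ]]` branch after `version=$(go version);` cannot be reached: under `set -eo pipefail` a missing `go` makes the command substitution fail with status 127 and the script aborts on the assignment itself, so `[FATAL] golang is not installed` is never printed (and when `go` exists, `go version` always prints something). Test for the binary instead, `if ! command -v go >/dev/null 2>&1; then`, and drop `version`; patches 07 and 08 rewrite this same condition (`[ -z` and `[[ ! -n`) without changing that. Separately, `go install golang.org/x/vuln/cmd/govulncheck@latest` and the gosec line below it resolve to whatever upstream currently publishes, so the tool versions that decide whether a pipeline passes differ from run to run and a bad upstream release is adopted automatically; pinning both to a version (an input in the style of `test-version`) and quoting the ginkgo target as `ginkgo@"$TEST_VERSION"` would make the installed tooling deterministic.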
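Review bot: The gosec and govulncheck blocks are the same eleven lines with the tool name and the `*_FAIL` variable swapped, which is easy to let drift (the govulncheck branch already lacks the trailing `;` the gosec branch has). A small helper that runs the command, logs the outcome and exits only when the matching fail flag is `yes` leaves each tool as a one-line call and keeps the two paths behaving identically. Sketch below; the `VULN_CHECK` block becomes `run_check govulncheck "$VULN_FAIL" govulncheck ./...`.
```shell
# run_check NAME FAIL_FLAG CMD...: run CMD, log the result, and exit 1 on
# failure only when FAIL_FLAG is "yes".
run_check() {
  local name="$1" fail_flag="$2"; shift 2
  if "$@"; then
    echo "[INFO] $name passed!";
  elif [[ "$fail_flag" == "yes" ]]; then
    echo "[FATAL] $name failed!";
    exit 1;
  else
    echo "[INFO] $name failed!";
  fi
}

if [[ "$STATIC_FLAG" == "yes" ]]; then
  run_check gosec "$STATIC_FAIL" gosec ./...
fi
# … unchanged: VULN_CHECK block, now calling run_check govulncheck "$VULN_FAIL" govulncheck ./... …
```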
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+set -eo pipefail
+
+if [[ "$TEST_LIBRARY" == "none" ]]; then
+ echo "[INFO] test-library input not set, skipping unit tests.";
+ exit 0;
+fi
+
+echo "[INFO] running unit tests";
+if [[ "$TEST_LIBRARY" == "standard" ]]; then
+ if go test ./...; then
+ echo "[INFO] unit tests passed!";
+ exit 0;
+ else
+ if [[ "$TEST_FAIL" == "yes" ]]; then
+ echo "[FATAL] unit tests failed!";
+ exit 1;
+ else
+ echo "[INFO] unit tests failed!";
+ fi
+ fi
+fi
+
+if [[ "$TEST_LIBRARY" == "ginkgo" ]]; then
+ if ginkgo ./...; then
+ echo "[INFO] unit tests passed!";
+ exit 0;
+ else
+ if [[ "$TEST_FAIL" == "yes" ]]; then
+ echo "[FATAL] unit tests failed!";
+ exit 1;
+ else
+ echo "[INFO] unit tests failed!";
+ fi
+ fi
+fi
\ No newline at end of file
diff --git a/test.sh b/test.sh
deleted file mode 100755
index 39dfe8a..0000000
--- a/test.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/bash
-if [[ "$LIBRARY" == "none" ]]; then
- echo "Test flag not set, skipping unit tests."
- exit 0
-fi
-
-if [[ "$LIBRARY" == "standard" ]]; then
- echo "Running unit tests with standard library"
- if go test ./...; then
- echo "Tests passed!"
- exit 0
- else
- echo "Tests failed!"
- exit 1
- fi
-fi
-
-if [[ "$LIBRARY" == "ginkgo" ]]; then
- echo "Running unit tests with ginkgo"
- go install github.com/onsi/ginkgo/v2/ginkgo@v2.23.4
- if ginkgo ./...; then
- echo "Tests passed!"
- exit 0
- else
- echo "Tests failed!"
- exit 1
- fi
-fi
\ No newline at end of file
From f8222f2953b21ddfc35608e3d461db362d1bd678 Mon Sep 17 00:00:00 2001
From: jake
Date: Fri, 3 Apr 2026 00:27:33 -0400
Subject: [PATCH 02/12] adding todo and saving spot, its late
---
 README.md | 4 +++-
 action.yaml | 8 +++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 4e22371..6239b19 100644
--- a/README.md
+++ b/README.md
@@ -4,4 +4,6 @@ donotpassgo is a github/gitea action to run standard go checks in pipelines.
 ## TODO
 explain inputs in readme
 test
-does file naming matter here if the project has install.sh or /src will we overwrite?
\ No newline at end of file
+does file naming matter here if the project has install.sh or /src will we overwrite?
+review MR, im drunk-ish
+some jobs need env vars still lol
\ No newline at end of file
diff --git a/action.yaml b/action.yaml
index 6d8e704..8f9e5d1 100644
--- a/action.yaml
+++ b/action.yaml
@@ -6,7 +6,7 @@ inputs:
 required: false
 default: "none"
 test-version: #TEST_VERSION
- description: "the test library version, if the version is none or standard this value is ignored"
+ description: "the test library version, if the library is none or standard this value is ignored"
 required: false
 default: "latest"
 test-fail: #TEST_FAIL
@@ -36,10 +36,16 @@ runs:
 - name: "install dependencies"
 shell: bash
 run: ${{ github.action_path }}/src/install.sh
+ env:
+ TEST_LIBRARY: ${{ inputs.test-library }}
+ TEST_VERSION: ${{ inputs.test-version }}
 
 - name: "run unit tests"
 shell: bash
 run: ${{ github.action_path }}/src/test.sh
+ env:
+ TEST_LIBRARY: ${{ inputs.test-library }}
+ TEST_FAIL: ${{ inputs.test-fail }}
 
 - name: "run security checks"
 shell: bash
From f83527aa2d9b9b94d9ef7fe60d5e488df7f17fbb Mon Sep 17 00:00:00 2001
From: jake
Date: Fri, 3 Apr 2026 15:11:33 -0400
Subject: [PATCH 03/12] ready to test
---
 action.yaml | 7 ++++++-
 src/security.sh | 12 +++++++++---
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/action.yaml b/action.yaml
index 8f9e5d1..481c534 100644
--- a/action.yaml
+++ b/action.yaml
@@ -49,4 +49,9 @@ runs:
 
 - name: "run security checks"
 shell: bash
- run: ${{ github.action_path }}/src/security.sh
\ No newline at end of file
+ run: ${{ github.action_path }}/src/security.sh
+ env:
+ STATIC_FLAG: ${{ inputs.static }}
+ STATIC_FAIL: ${{ inputs.static-fail }}
+ VULN_CHECK: ${{ inputs.vulnerability }}
+ VULN_FAIL: ${{ inputs.vulnerability-fail }}
\ No newline at end of file
diff --git a/src/security.sh b/src/security.sh
index 14b90f3..9451791 100644
--- a/src/security.sh
+++ b/src/security.sh
@@ -2,13 +2,19 @@
 
 set -eo pipefail
 
-if [[ "$STATIC_FLAG" == "no" && "$VULN_SCAN" == "no" ]]; then
+if [[ "$STATIC_FLAG" == "no" && "$VULN_CHECK" == "no" ]]; then
 echo "[INFO] no security flags set, skipping!";
 exit 0;
 fi
 
+toolchain=$(go mod edit go.mod -json | jq ".Toolchain");
+version=$(go mod edit -json | jq ".Toolchain");
+if [[ ! -z "$toolchain" ]]; then
+ version=$toolchain;
+fi
+
 if [[ "$STATIC_FLAG" == "yes" ]]; then
- if gosec ./...; then
+ if GOTOOLCHAIN=$version gosec ./...; then
 echo "[INFO] gosec passed!";
 else
 if [[ "$STATIC_FAIL" == "yes" ]]; then
@@ -21,7 +27,7 @@ if [[ "$STATIC_FLAG" == "yes" ]]; then
 fi
 
 if [[ "$VULN_CHECK" == "yes" ]]; then
- if govulncheck ./...; then
+ if GOTOOLCHAIN=$version govulncheck ./...; then
 echo "[INFO] govulncheck passed!";
 else
 if [[ "$VULN_FAIL" == "yes" ]]; then
From e38f00fe696925712aaa72d5b7b459f2fd8c3476 Mon Sep 17 00:00:00 2001
From: jake
Date: Fri, 3 Apr 2026 15:16:01 -0400
Subject: [PATCH 04/12] file permission fix
---
 src/install.sh | 0
 src/security.sh | 0
 src/test.sh | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 src/install.sh
 mode change 100644 => 100755 src/security.sh
 mode change 100644 => 100755 src/test.sh
diff --git a/src/install.sh b/src/install.sh
old mode 100644
new mode 100755
diff --git a/src/security.sh b/src/security.sh
old mode 100644
new mode 100755
diff --git a/src/test.sh b/src/test.sh
old mode 100644
new mode 100755
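Review bot: The new `toolchain=` and `version=` lines pipe through `jq`, but neither this script nor src/install.sh checks that `jq` is present, so on a runner without it the pipeline fails under `set -eo pipefail` with a bare exit 127 and no message, before either scan runs. Add `jq` to the prerequisite check in install.sh next to the `go` check or, for the version, avoid the dependency entirely with `version=$(go env GOVERSION)`; the same two pipelines are touched again in patches 05, 06 and 09 and the point applies there as well. The `if [[ "$STATIC_FLAG" == "yes" ]]` block this hunk starts continues past the end of the hunk.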
From 1aff578a13b161cc707ef59c275c94763ecd7c29 Mon Sep 17 00:00:00 2001
From: jake
Date: Fri, 3 Apr 2026 15:28:01 -0400
Subject: [PATCH 05/12] bugfixes
---
 src/install.sh | 2 ++
 src/security.sh | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/install.sh b/src/install.sh
index 13ce6e5..b602b49 100755
--- a/src/install.sh
+++ b/src/install.sh
@@ -8,6 +8,8 @@ if [[ -z "$version" ]]; then
 exit 1;
 fi
 
+echo "[DEBUG] $version found in install.sh";
+
 go install golang.org/x/vuln/cmd/govulncheck@latest
 go install github.com/securego/gosec/v2/cmd/gosec@latest
 
diff --git a/src/security.sh b/src/security.sh
index 9451791..f92b74a 100755
--- a/src/security.sh
+++ b/src/security.sh
@@ -8,7 +8,11 @@ if [[ "$STATIC_FLAG" == "no" && "$VULN_CHECK" == "no" ]]; then
 fi
 
 toolchain=$(go mod edit go.mod -json | jq ".Toolchain");
-version=$(go mod edit -json | jq ".Toolchain");
+echo "[DEBUG] $toolchain found in go.mod";
+
+version=$(go env -json | jq ".GOVERSION");
+echo "[DEBUG] $version found in go env";
+
 if [[ ! -z "$toolchain" ]]; then
 version=$toolchain;
 fi
From d54c42045a6c9bcb5f7a05b7ea7cc8ce6c34f556 Mon Sep 17 00:00:00 2001
From: jake
Date: Fri, 3 Apr 2026 15:33:31 -0400
Subject: [PATCH 06/12] fixing mod commands and jq outputs
---
 src/security.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/security.sh b/src/security.sh
index f92b74a..6e298e5 100755
--- a/src/security.sh
+++ b/src/security.sh
@@ -7,10 +7,10 @@ if [[ "$STATIC_FLAG" == "no" && "$VULN_CHECK" == "no" ]]; then
 exit 0;
 fi
 
-toolchain=$(go mod edit go.mod -json | jq ".Toolchain");
+toolchain=$(go mod edit -json go.mod | jq -r ".Toolchain");
 echo "[DEBUG] $toolchain found in go.mod";
 
-version=$(go env -json | jq ".GOVERSION");
+version=$(go env -json | jq -r ".GOVERSION");
 echo "[DEBUG] $version found in go env";
 
 if [[ ! -z "$toolchain" ]]; then
From 7c5206e9da1fcd1091eb9f29c3236545998d0b0f Mon Sep 17 00:00:00 2001
From: jake
Date: Fri, 3 Apr 2026 15:41:13 -0400
Subject: [PATCH 07/12] bash syntax fixes
---
 src/install.sh | 4 ++--
 src/security.sh | 13 +++++++------
 src/test.sh | 10 +++++-----
 3 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/src/install.sh b/src/install.sh
index b602b49..5c99db3 100755
--- a/src/install.sh
+++ b/src/install.sh
@@ -3,7 +3,7 @@
 set -eo pipefail
 
 version=$(go version);
-if [[ -z "$version" ]]; then
+if [ -z "$version" ]; then
 echo "[FATAL] golang is not installed";
 exit 1;
 fi
@@ -13,6 +13,6 @@ echo "[DEBUG] $version found in install.sh";
 go install golang.org/x/vuln/cmd/govulncheck@latest
 go install github.com/securego/gosec/v2/cmd/gosec@latest
 
-if [[ "$TEST_LIBRARY" == "ginkgo" ]]; then
+if [ "$TEST_LIBRARY" == "ginkgo" ]; then
 go install github.com/onsi/ginkgo/v2/ginkgo@$TEST_VERSION
 fi
\ No newline at end of file
diff --git a/src/security.sh b/src/security.sh
index 6e298e5..ae77986 100755
--- a/src/security.sh
+++ b/src/security.sh
@@ -2,7 +2,7 @@
 
 set -eo pipefail
 
-if [[ "$STATIC_FLAG" == "no" && "$VULN_CHECK" == "no" ]]; then
+if [ "$STATIC_FLAG" == "no" && "$VULN_CHECK" == "no" ]; then
 echo "[INFO] no security flags set, skipping!";
 exit 0;
 fi
@@ -13,15 +13,16 @@ echo "[DEBUG] $toolchain found in go.mod";
 version=$(go env -json | jq -r ".GOVERSION");
 echo "[DEBUG] $version found in go env";
 
-if [[ ! -z "$toolchain" ]]; then
+if [ ! -z "$toolchain" ]; then
+ echo "[DEBUG] overwriting version with toolchain";
 version=$toolchain;
 fi
 
-if [[ "$STATIC_FLAG" == "yes" ]]; then
+if [ "$STATIC_FLAG" == "yes" ]; then
 if GOTOOLCHAIN=$version gosec ./...; then
 echo "[INFO] gosec passed!";
 else
- if [[ "$STATIC_FAIL" == "yes" ]]; then
+ if [ "$STATIC_FAIL" == "yes" ]; then
 echo "[FATAL] gosec failed!";
 exit 1;
 else
@@ -30,11 +31,11 @@ if [[ "$STATIC_FLAG" == "yes" ]]; then
 fi
 fi
 
-if [[ "$VULN_CHECK" == "yes" ]]; then
+if [ "$VULN_CHECK" == "yes" ]; then
 if GOTOOLCHAIN=$version govulncheck ./...; then
 echo "[INFO] govulncheck passed!";
 else
- if [[ "$VULN_FAIL" == "yes" ]]; then
+ if [ "$VULN_FAIL" == "yes" ]; then
 echo "[FATAL] govulncheck failed!"
 exit 1;
 else
diff --git a/src/test.sh b/src/test.sh
index 29e6a8c..719318b 100755
--- a/src/test.sh
+++ b/src/test.sh
@@ -2,18 +2,18 @@
 
 set -eo pipefail
 
-if [[ "$TEST_LIBRARY" == "none" ]]; then
+if [ "$TEST_LIBRARY" == "none" ]; then
 echo "[INFO] test-library input not set, skipping unit tests.";
 exit 0;
 fi
 
 echo "[INFO] running unit tests";
-if [[ "$TEST_LIBRARY" == "standard" ]]; then
+if [ "$TEST_LIBRARY" == "standard" ]; then
 if go test ./...; then
 echo "[INFO] unit tests passed!";
 exit 0;
 else
- if [[ "$TEST_FAIL" == "yes" ]]; then
+ if [ "$TEST_FAIL" == "yes" ]; then
 echo "[FATAL] unit tests failed!";
 exit 1;
 else
@@ -22,12 +22,12 @@ if [[ "$TEST_LIBRARY" == "standard" ]]; then
 fi
 fi
 
-if [[ "$TEST_LIBRARY" == "ginkgo" ]]; then
+if [ "$TEST_LIBRARY" == "ginkgo" ]; then
 if ginkgo ./...; then
 echo "[INFO] unit tests passed!";
 exit 0;
 else
- if [[ "$TEST_FAIL" == "yes" ]]; then
+ if [ "$TEST_FAIL" == "yes" ]; then
 echo "[FATAL] unit tests failed!";
 exit 1;
 else
From 2887531b19c8add78c31afe1976e7fffccf716c0 Mon Sep 17 00:00:00 2001
From: jake
Date: Fri, 3 Apr 2026 15:52:18 -0400
Subject: [PATCH 08/12] improving bash - i shouldve read thru it
---
 src/install.sh | 4 ++--
 src/security.sh | 8 ++++----
 src/test.sh | 10 +++++-----
 3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/src/install.sh b/src/install.sh
index 5c99db3..ec9632e 100755
--- a/src/install.sh
+++ b/src/install.sh
@@ -3,7 +3,7 @@
 set -eo pipefail
 
 version=$(go version);
-if [ -z "$version" ]; then
+if [[ ! -n "$version" ]]; then
 echo "[FATAL] golang is not installed";
 exit 1;
 fi
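Review bot: `if [[ ! -n "$version" ]]; then` is a double negative; `if [[ -z "$version" ]]; then` (the form patch 07 replaced) says "empty" directly and matches the `[[ -n "$toolchain" ]]` test this same patch introduces in src/security.sh. Either spelling is only a style difference; the test itself is unchanged from the original install.sh.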
@@ -13,6 +13,6 @@ echo "[DEBUG] $version found in install.sh";
 go install golang.org/x/vuln/cmd/govulncheck@latest
 go install github.com/securego/gosec/v2/cmd/gosec@latest
 
-if [ "$TEST_LIBRARY" == "ginkgo" ]; then
+if [[ "$TEST_LIBRARY" == "ginkgo" ]]; then
 go install github.com/onsi/ginkgo/v2/ginkgo@$TEST_VERSION
 fi
\ No newline at end of file
diff --git a/src/security.sh b/src/security.sh
index ae77986..c627b93 100755
--- a/src/security.sh
+++ b/src/security.sh
@@ -2,7 +2,7 @@
 
 set -eo pipefail
 
-if [ "$STATIC_FLAG" == "no" && "$VULN_CHECK" == "no" ]; then
+if [[ "$STATIC_FLAG" == "no" && "$VULN_CHECK" == "no" ]]; then
 echo "[INFO] no security flags set, skipping!";
 exit 0;
 fi
@@ -13,16 +13,16 @@ echo "[DEBUG] $toolchain found in go.mod";
 version=$(go env -json | jq -r ".GOVERSION");
 echo "[DEBUG] $version found in go env";
 
-if [ ! -z "$toolchain" ]; then
+if [[ -n "$toolchain" ]]; then
 echo "[DEBUG] overwriting version with toolchain";
 version=$toolchain;
 fi
 
-if [ "$STATIC_FLAG" == "yes" ]; then
+if [[ "$STATIC_FLAG" == "yes" ]]; then
 if GOTOOLCHAIN=$version gosec ./...; then
 echo "[INFO] gosec passed!";
 else
- if [ "$STATIC_FAIL" == "yes" ]; then
+ if [[ "$STATIC_FAIL" == "yes" ]]; then
 echo "[FATAL] gosec failed!";
 exit 1;
 else
diff --git a/src/test.sh b/src/test.sh
index 719318b..29e6a8c 100755
--- a/src/test.sh
+++ b/src/test.sh
@@ -2,18 +2,18 @@
 
 set -eo pipefail
 
-if [ "$TEST_LIBRARY" == "none" ]; then
+if [[ "$TEST_LIBRARY" == "none" ]]; then
 echo "[INFO] test-library input not set, skipping unit tests.";
 exit 0;
 fi
 
 echo "[INFO] running unit tests";
-if [ "$TEST_LIBRARY" == "standard" ]; then
+if [[ "$TEST_LIBRARY" == "standard" ]]; then
 if go test ./...; then
 echo "[INFO] unit tests passed!";
 exit 0;
 else
- if [ "$TEST_FAIL" == "yes" ]; then
+ if [[ "$TEST_FAIL" == "yes" ]]; then
 echo "[FATAL] unit tests failed!";
 exit 1;
 else
@@ -22,12 +22,12 @@ if [ "$TEST_LIBRARY" == "standard" ]; then
 fi
 fi
 
-if [ "$TEST_LIBRARY" == "ginkgo" ]; then
+if [[ "$TEST_LIBRARY" == "ginkgo" ]]; then
 if ginkgo ./...; then
 echo "[INFO] unit tests passed!";
 exit 0;
 else
- if [ "$TEST_FAIL" == "yes" ]; then
+ if [[ "$TEST_FAIL" == "yes" ]]; then
 echo "[FATAL] unit tests failed!";
 exit 1;
 else
From 407582719c4ebf85a0375128bd38d169608beeee Mon Sep 17 00:00:00 2001
From: jake
Date: Fri, 3 Apr 2026 15:54:51 -0400
Subject: [PATCH 09/12] forgot jq empty
---
 src/security.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/security.sh b/src/security.sh
index c627b93..d54d8de 100755
--- a/src/security.sh
+++ b/src/security.sh
@@ -7,10 +7,10 @@ if [[ "$STATIC_FLAG" == "no" && "$VULN_CHECK" == "no" ]]; then
 exit 0;
 fi
 
-toolchain=$(go mod edit -json go.mod | jq -r ".Toolchain");
+toolchain=$(go mod edit -json go.mod | jq -r ".Toolchain // empty");
 echo "[DEBUG] $toolchain found in go.mod";
 
-version=$(go env -json | jq -r ".GOVERSION");
+version=$(go env -json | jq -r ".GOVERSION // empty");
 echo "[DEBUG] $version found in go env";
 
 if [[ -n "$toolchain" ]]; then
From 46528033edfbe48ab500d26ce055f10f1fb9c63b Mon Sep 17 00:00:00 2001
From: jake
Date: Fri, 3 Apr 2026 15:58:02 -0400
Subject: [PATCH 10/12] remove debug lines
---
 src/install.sh | 2 --
 src/security.sh | 3 ---
 2 files changed, 5 deletions(-)
diff --git a/src/install.sh b/src/install.sh
index ec9632e..4e285d1 100755
--- a/src/install.sh
+++ b/src/install.sh
@@ -8,8 +8,6 @@ if [[ ! -n "$version" ]]; then
 exit 1;
 fi
 
-echo "[DEBUG] $version found in install.sh";
-
 go install golang.org/x/vuln/cmd/govulncheck@latest
 go install github.com/securego/gosec/v2/cmd/gosec@latest
 
diff --git a/src/security.sh b/src/security.sh
index d54d8de..54ee8ca 100755
--- a/src/security.sh
+++ b/src/security.sh
@@ -8,10 +8,7 @@ if [[ "$STATIC_FLAG" == "no" && "$VULN_CHECK" == "no" ]]; then
 fi
 
 toolchain=$(go mod edit -json go.mod | jq -r ".Toolchain // empty");
-echo "[DEBUG] $toolchain found in go.mod";
-
 version=$(go env -json | jq -r ".GOVERSION // empty");
-echo "[DEBUG] $version found in go env";
 
 if [[ -n "$toolchain" ]]; then
 echo "[DEBUG] overwriting version with toolchain";
From 5d04db9a89795eede956f1d4cf7c5da1856f8643 Mon Sep 17 00:00:00 2001
From: jake
Date: Fri, 3 Apr 2026 16:07:28 -0400
Subject: [PATCH 11/12] readme update
---
 README.md | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 6239b19..1675148 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,13 @@
 # donotpassgo
-donotpassgo is a github/gitea action to run standard go checks in pipelines.
+donotpassgo is a github/gitea action to run unit tests and standards/security checks for Go applications
 
-## TODO
-explain inputs in readme
-test
-does file naming matter here if the project has install.sh or /src will we overwrite?
-review MR, im drunk-ish
-some jobs need env vars still lol
\ No newline at end of file
+## Inputs
+|Input|Required|Values|Default|Description|
+|-----|-----|-----|-----|-----|
+|test-library|false|standard,ginkgo,none|none|unit testing library to use, tests are skipped if set to 'none'|
+|test-version|false|any ginkgo version|latest|the version of the testing library to use (only ginkgo supported atm, value is ignored if using standard lib testing)|
+|test-fail|false|yes,no|yes|does the job fail if unit tests fail|
+|static|false|yes,no|yes|do static code checks run|
+|static-fail|false|yes,no|yes|does the job fail if static code checks fail|
+|vulnerability|false|yes,no|yes|do dependencies get scanned for vulnerabilities|
+|vulnerability-fail|false|yes,no|yes|does the job fail if vulnerabilities are found|
\ No newline at end of file
From 7ee2fdee0eebb69e11afef0166c024bc7b50c797 Mon Sep 17 00:00:00 2001
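Review bot: The hunk removes the two `[DEBUG] ... found in ...` echoes but leaves `echo "[DEBUG] overwriting version with toolchain";` on its last context line, so the script still prints a DEBUG line in ordinary runs despite the commit's intent. Either delete that line too or, since the override does change the `GOTOOLCHAIN` value passed to gosec and govulncheck and is worth seeing in logs, relabel it `echo "[INFO] using toolchain $toolchain from go.mod";`. The `if [[ -n "$toolchain" ]]` block continues past the end of the hunk.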
From: jake
Date: Fri, 3 Apr 2026 16:08:26 -0400
Subject: [PATCH 12/12] readme update
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 1675148..9ead865 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 # donotpassgo
-donotpassgo is a github/gitea action to run unit tests and standards/security checks for Go applications
+donotpassgo is a github/gitea action to run unit tests and standards/security checks for Go applications. donotpassgo supports running unit tests using the standard go library as well as support for Ginkgo. Static code analysis is ran using gosec and dependencies are scanned using govulncheck
 
 ## Inputs
 |Input|Required|Values|Default|Description|