Merge pull request 'restructuring logic and adding more inputs' (#2) from cleanup into main

Reviewed-on: #2

README.md

@@ -1,3 +1,13 @@
 # donotpassgo
+donotpassgo is a github/gitea action to run unit tests and standards/security checks for Go applications. donotpassgo supports running unit tests using the standard go library as well as support for Ginkgo. Static code analysis is ran using gosec and dependencies are scanned using govulncheck
 
-action to run general go code scans, includes dependency scan with govulncheck and static code analysis from gosec
+## Inputs
+|Input|Required|Values|Default|Description|
+|-----|-----|-----|-----|-----|
+|test-library|false|standard,ginkgo,none|none|unit testing library to use, tests are skipped if set to 'none'|
+|test-version|false|any ginkgo version|latest|the version of the testing library to use (only ginkgo supported atm, value is ignored if using standard lib testing)|
+|test-fail|false|yes,no|yes|does the job fail if unit tests fail|
+|static|false|yes,no|yes|do static code checks run|
+|static-fail|false|yes,no|yes|does the job fail if static code checks fail|
+|vulnerability|false|yes,no|yes|do dependencies get scanned for vulnerabilities|
+|vulnerability-fail|false|yes,no|yes|does the job fail if vulnerabilities are found|

action.yaml

@@ -1,16 +1,57 @@
 name: "donotpassgo"
-description: "general go code checks"
+description: "go security checks and unit tests"
+inputs:
+  test-library: #TEST_LIBRARY
+    description: "if set, tests are run with the specific library (standard|ginkgo)"
+    required: false
+    default: "none"
+  test-version: #TEST_VERSION
+    description: "the test library version, if the library is none or standard this value is ignored"
+    required: false
+    default: "latest"
+  test-fail: #TEST_FAIL
+    description: "override switch to prevent jobs from failing when unit tests do"
+    required: false
+    default: "yes"
+  static: #STATIC_FLAG
+    description: "if set, static code checks are ran with gosec (yes|no)"
+    required: false
+    default: "yes"
+  static-fail: #STATIC_FAIL
+    description: "override switch to prevent jobs from failing when static code analysis does"
+    required: false
+    default: "yes"
+  vulnerability: #VULN_CHECK
+    description: "if set, dependencies are scanned with govulncheck (yes|no)"
+    required: false
+    default: "yes"
+  vulnerability-fail: #VULN_FAIL
+    description: "override switch to prevent jobs from failing when vulnerability scan does"
+    required: false
+    default: "yes"
+  
 runs:
   using: "composite"
   steps:
-    - name: "install go packages"
+    - name: "install dependencies"
-      run: |
+      shell: bash
-        go install golang.org/x/vuln/cmd/govulncheck@latest
+      run:  ${{ github.action_path }}/src/install.sh
+      env:
+        TEST_LIBRARY: ${{ inputs.test-library }}
+        TEST_VERSION: ${{ inputs.test-version }}
 
-    - name: "dependency scan"
+    - name: "run unit tests"
-      run: govulncheck ./...
+      shell: bash
+      run:  ${{ github.action_path }}/src/test.sh
+      env:
+        TEST_LIBRARY: ${{ inputs.test-library }}
+        TEST_FAIL: ${{ inputs.test-fail }}
 
-    - name: "static code analysis"
+    - name: "run security checks"
-      uses: securego/gosec@master
+      shell: bash
-      with:
+      run:  ${{ github.action_path }}/src/security.sh
-        args: ./...
+      env:
+        STATIC_FLAG: ${{ inputs.static }}
+        STATIC_FAIL: ${{ inputs.static-fail }}
+        VULN_CHECK: ${{ inputs.vulnerability }}
+        VULN_FAIL: ${{ inputs.vulnerability-fail }}

src/install.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -eo pipefail
+
+version=$(go version);
+if [[ ! -n "$version" ]]; then
+    echo "[FATAL] golang is not installed";
+    exit 1;
+fi
+
+go install golang.org/x/vuln/cmd/govulncheck@latest
+go install github.com/securego/gosec/v2/cmd/gosec@latest
+
+if [[ "$TEST_LIBRARY" == "ginkgo" ]]; then
+    go install github.com/onsi/ginkgo/v2/ginkgo@$TEST_VERSION
+fi

src/security.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -eo pipefail
+
+if [[ "$STATIC_FLAG" == "no" && "$VULN_CHECK" == "no" ]]; then
+    echo "[INFO] no security flags set, skipping!";
+    exit 0;
+fi
+
+toolchain=$(go mod edit -json go.mod | jq -r ".Toolchain // empty");
+version=$(go env -json | jq -r ".GOVERSION // empty");
+
+if [[ -n "$toolchain" ]]; then
+    echo "[DEBUG] overwriting version with toolchain";
+    version=$toolchain;
+fi
+
+if [[ "$STATIC_FLAG" == "yes" ]]; then
+    if GOTOOLCHAIN=$version gosec ./...; then
+        echo "[INFO] gosec passed!";
+    else
+        if [[ "$STATIC_FAIL" == "yes" ]]; then
+            echo "[FATAL] gosec failed!";
+            exit 1;
+        else
+            echo "[INFO] gosec failed!";
+        fi
+    fi
+fi
+
+if [ "$VULN_CHECK" == "yes" ]; then
+    if GOTOOLCHAIN=$version govulncheck ./...; then
+        echo "[INFO] govulncheck passed!";
+    else
+        if [ "$VULN_FAIL" == "yes" ]; then
+            echo "[FATAL] govulncheck failed!"
+            exit 1;
+        else
+            echo "[INFO] govulncheck failed!"
+        fi
+    fi
+fi

src/test.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+set -eo pipefail
+
+if [[ "$TEST_LIBRARY" == "none" ]]; then
+    echo "[INFO] test-library input not set, skipping unit tests.";
+    exit 0;
+fi
+
+echo "[INFO] running unit tests";
+if [[ "$TEST_LIBRARY" == "standard" ]]; then
+    if go test ./...; then
+        echo "[INFO] unit tests passed!";
+        exit 0;
+    else
+        if [[ "$TEST_FAIL" == "yes" ]]; then
+            echo "[FATAL] unit tests failed!";
+            exit 1;
+        else
+            echo "[INFO] unit tests failed!";
+        fi
+    fi
+fi
+
+if [[ "$TEST_LIBRARY" == "ginkgo" ]]; then
+    if ginkgo ./...; then
+        echo "[INFO] unit tests passed!";
+        exit 0;
+    else
+        if [[ "$TEST_FAIL" == "yes" ]]; then
+            echo "[FATAL] unit tests failed!";
+            exit 1;
+        else
+            echo "[INFO] unit tests failed!";
+        fi
+    fi
+fi