README.md

@@ -1,34 +1,13 @@
 # donotpassgo
-A composite workflow that runs general code checks on Go projects, an optional <b>test</b> input is available to trigger unit tests. See [steps](#steps) for more information on the jobs run
+donotpassgo is a github/gitea action to run unit tests and standards/security checks for Go applications. donotpassgo supports running unit tests using the standard go library as well as support for Ginkgo. Static code analysis is ran using gosec and dependencies are scanned using govulncheck
 
-## Usage
-adding donotpassgo to workflows is simple, just add the following step to your yaml file:
-```yaml
-- name: "checkpoint"
-  uses: https://code.jakeyoungdev.com/actions/donotpassgo@main
-```
-
-donotpassgo has optional support for running unit tests, this can be added by setting the <b>test</b> flag to <b>standard</b>
-```yaml
-- name: "checkpoint"
-  uses: https://code.jakeyoungdev.com/actions/donotpassgo@main
-  with:
-    test: standard
-```
-
-running unit tests with ginkgo is also supported by setting the <b>test</b> flag to <b>ginkgo</b> 
-```yaml
-- name: "checkpoint"
-  uses: https://code.jakeyoungdev.com/actions/donotpassgo@main
-  with:
-    test: ginkgo
-```
-
-## Steps
-donotpassgo runs several workflow jobs to ensure quality and secure go code, these steps may be updated as new tools develop.
-### Dependency Scans
-[govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) is installed using golang and is used to scan for vulnerabilities in the project dependencies and standard library.
-### Static Code Analysis
-[gosec](https://github.com/securego/gosec) inspects source code for security problems
-### Unit Tests
-donotpassgo supports two unit tests libraries: the standard go library and [ginkgo](https://github.com/onsi/ginkgo)
+## Inputs
+|Input|Required|Values|Default|Description|
+|-----|-----|-----|-----|-----|
+|test-library|false|standard,ginkgo,none|none|unit testing library to use, tests are skipped if set to 'none'|
+|test-version|false|any ginkgo version|latest|the version of the testing library to use (only ginkgo supported atm, value is ignored if using standard lib testing)|
+|test-fail|false|yes,no|yes|does the job fail if unit tests fail|
+|static|false|yes,no|yes|do static code checks run|
+|static-fail|false|yes,no|yes|does the job fail if static code checks fail|
+|vulnerability|false|yes,no|yes|do dependencies get scanned for vulnerabilities|
+|vulnerability-fail|false|yes,no|yes|does the job fail if vulnerabilities are found|

action.yaml

@@ -1,27 +1,57 @@
 name: "donotpassgo"
-description: "general go code checks"
+description: "go security checks and unit tests"
 inputs:
-  test:
-    description: "runs unit tests with specified library"
+  test-library: #TEST_LIBRARY
+    description: "if set, tests are run with the specific library (standard|ginkgo)"
     required: false
     default: "none"
+  test-version: #TEST_VERSION
+    description: "the test library version, if the library is none or standard this value is ignored"
+    required: false
+    default: "latest"
+  test-fail: #TEST_FAIL
+    description: "override switch to prevent jobs from failing when unit tests do"
+    required: false
+    default: "yes"
+  static: #STATIC_FLAG
+    description: "if set, static code checks are ran with gosec (yes|no)"
+    required: false
+    default: "yes"
+  static-fail: #STATIC_FAIL
+    description: "override switch to prevent jobs from failing when static code analysis does"
+    required: false
+    default: "yes"
+  vulnerability: #VULN_CHECK
+    description: "if set, dependencies are scanned with govulncheck (yes|no)"
+    required: false
+    default: "yes"
+  vulnerability-fail: #VULN_FAIL
+    description: "override switch to prevent jobs from failing when vulnerability scan does"
+    required: false
+    default: "yes"
+  
 runs:
   using: "composite"
   steps:
+    - name: "install dependencies"
+      shell: bash
+      run:  ${{ github.action_path }}/src/install.sh
+      env:
+        TEST_LIBRARY: ${{ inputs.test-library }}
+        TEST_VERSION: ${{ inputs.test-version }}
+
     - name: "run unit tests"
       shell: bash
-      run: ${{ github.action_path }}/test.sh
+      run:  ${{ github.action_path }}/src/test.sh
       env:
-        LIBRARY: ${{ inputs.test }}
+        TEST_LIBRARY: ${{ inputs.test-library }}
+        TEST_FAIL: ${{ inputs.test-fail }}
 
-    - name: "install govulncheck"
-      run: |
-        go install golang.org/x/vuln/cmd/govulncheck@latest
-      
-    - name: "dependency scan"
-      run: govulncheck ./...
-
-    - name: "static code analysis"
-      uses: securego/gosec@master
-      with:
-        args: ./...
+    - name: "run security checks"
+      shell: bash
+      run:  ${{ github.action_path }}/src/security.sh
+      env:
+        STATIC_FLAG: ${{ inputs.static }}
+        STATIC_FAIL: ${{ inputs.static-fail }}
+        VULN_CHECK: ${{ inputs.vulnerability }}
+        VULN_FAIL: ${{ inputs.vulnerability-fail }}

src/install.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -eo pipefail
+
+version=$(go version);
+if [[ ! -n "$version" ]]; then
+    echo "[FATAL] golang is not installed";
+    exit 1;
+fi
+
+go install golang.org/x/vuln/cmd/govulncheck@latest
+go install github.com/securego/gosec/v2/cmd/gosec@latest
+
+if [[ "$TEST_LIBRARY" == "ginkgo" ]]; then
+    go install github.com/onsi/ginkgo/v2/ginkgo@$TEST_VERSION
+fi

src/security.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -eo pipefail
+
+if [[ "$STATIC_FLAG" == "no" && "$VULN_CHECK" == "no" ]]; then
+    echo "[INFO] no security flags set, skipping!";
+    exit 0;
+fi
+
+toolchain=$(go mod edit -json go.mod | jq -r ".Toolchain // empty");
+version=$(go env -json | jq -r ".GOVERSION // empty");
+
+if [[ -n "$toolchain" ]]; then
+    echo "[DEBUG] overwriting version with toolchain";
+    version=$toolchain;
+fi
+
+if [[ "$STATIC_FLAG" == "yes" ]]; then
+    if GOTOOLCHAIN=$version gosec ./...; then
+        echo "[INFO] gosec passed!";
+    else
+        if [[ "$STATIC_FAIL" == "yes" ]]; then
+            echo "[FATAL] gosec failed!";
+            exit 1;
+        else
+            echo "[INFO] gosec failed!";
+        fi
+    fi
+fi
+
+if [ "$VULN_CHECK" == "yes" ]; then
+    if GOTOOLCHAIN=$version govulncheck ./...; then
+        echo "[INFO] govulncheck passed!";
+    else
+        if [ "$VULN_FAIL" == "yes" ]; then
+            echo "[FATAL] govulncheck failed!"
+            exit 1;
+        else
+            echo "[INFO] govulncheck failed!"
+        fi
+    fi
+fi

src/test.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+set -eo pipefail
+
+if [[ "$TEST_LIBRARY" == "none" ]]; then
+    echo "[INFO] test-library input not set, skipping unit tests.";
+    exit 0;
+fi
+
+echo "[INFO] running unit tests";
+if [[ "$TEST_LIBRARY" == "standard" ]]; then
+    if go test ./...; then
+        echo "[INFO] unit tests passed!";
+        exit 0;
+    else
+        if [[ "$TEST_FAIL" == "yes" ]]; then
+            echo "[FATAL] unit tests failed!";
+            exit 1;
+        else
+            echo "[INFO] unit tests failed!";
+        fi
+    fi
+fi
+
+if [[ "$TEST_LIBRARY" == "ginkgo" ]]; then
+    if ginkgo ./...; then
+        echo "[INFO] unit tests passed!";
+        exit 0;
+    else
+        if [[ "$TEST_FAIL" == "yes" ]]; then
+            echo "[FATAL] unit tests failed!";
+            exit 1;
+        else
+            echo "[INFO] unit tests failed!";
+        fi
+    fi
+fi

test.sh

@@ -1,28 +0,0 @@
-#!/bin/bash
-if [[ "$LIBRARY" == "none" ]]; then
-    echo "Test flag not set, skipping unit tests."
-    exit 0
-fi
-
-if [[ "$LIBRARY" == "standard" ]]; then
-    echo "Running unit tests with standard library"
-    if go test ./...; then
-        echo "Tests passed!"
-        exit 0
-    else
-        echo "Tests failed!"
-        exit 1
-    fi
-fi
-
-if [[ "$LIBRARY" == "ginkgo" ]]; then
-    echo "Running unit tests with ginkgo"
-    go install github.com/onsi/ginkgo/v2/ginkgo@v2.23.4
-    if ginkgo ./...; then
-        echo "Tests passed!"
-        exit 0
-    else
-        echo "Tests failed!"
-        exit 1
-    fi
-fi