-
Notifications
You must be signed in to change notification settings - Fork 0
v0.9.0 compliance: full upgrade against core/go reference #4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
eeee7a4
9478ac3
e9e3aae
769d5cf
85b1bdf
faa7b98
a29e41a
bd06985
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,80 @@ | ||||||||||||||||||||||||
| name: CI | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| on: | ||||||||||||||||||||||||
| push: | ||||||||||||||||||||||||
| branches: [dev, main] | ||||||||||||||||||||||||
| pull_request: | ||||||||||||||||||||||||
| branches: [dev, main] | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| permissions: | ||||||||||||||||||||||||
| contents: read | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| env: | ||||||||||||||||||||||||
| GOFLAGS: -buildvcs=false | ||||||||||||||||||||||||
| GOWORK: "off" | ||||||||||||||||||||||||
| GOPROXY: "direct" | ||||||||||||||||||||||||
| GOSUMDB: "off" | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||
| test: | ||||||||||||||||||||||||
| name: Test + Coverage | ||||||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||||||
| steps: | ||||||||||||||||||||||||
| - uses: actions/checkout@v5 | ||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||
| fetch-depth: 0 | ||||||||||||||||||||||||
| - uses: actions/setup-go@v6 | ||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||
| go-version: '1.26' | ||||||||||||||||||||||||
| - name: Test with coverage | ||||||||||||||||||||||||
| working-directory: go | ||||||||||||||||||||||||
| run: go test -race -coverprofile=coverage.out -covermode=atomic -count=1 ./... | ||||||||||||||||||||||||
| - name: Upload coverage to Codecov | ||||||||||||||||||||||||
| uses: codecov/codecov-action@v5 | ||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||
| token: ${{ secrets.CODECOV_TOKEN }} | ||||||||||||||||||||||||
| files: go/coverage.out | ||||||||||||||||||||||||
| flags: unittests | ||||||||||||||||||||||||
| fail_ci_if_error: false | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| lint: | ||||||||||||||||||||||||
| name: golangci-lint | ||||||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||||||
| steps: | ||||||||||||||||||||||||
| - uses: actions/checkout@v5 | ||||||||||||||||||||||||
| - uses: actions/setup-go@v6 | ||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||
| go-version: '1.26' | ||||||||||||||||||||||||
| - uses: golangci/golangci-lint-action@v9 | ||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||
| version: latest | ||||||||||||||||||||||||
| working-directory: go | ||||||||||||||||||||||||
| args: --timeout=5m --tests=false | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| sonarcloud: | ||||||||||||||||||||||||
| name: SonarCloud | ||||||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||||||
| needs: test | ||||||||||||||||||||||||
| steps: | ||||||||||||||||||||||||
| - uses: actions/checkout@v5 | ||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||
| fetch-depth: 0 | ||||||||||||||||||||||||
| - uses: actions/setup-go@v6 | ||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||
| go-version: '1.26' | ||||||||||||||||||||||||
| - name: Test for coverage | ||||||||||||||||||||||||
| working-directory: go | ||||||||||||||||||||||||
| run: go test -coverprofile=coverage.out -covermode=atomic -count=1 ./... | ||||||||||||||||||||||||
| - name: SonarCloud Scan | ||||||||||||||||||||||||
| uses: SonarSource/sonarqube-scan-action@v6 | ||||||||||||||||||||||||
| env: | ||||||||||||||||||||||||
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | ||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||
| args: > | ||||||||||||||||||||||||
| -Dsonar.organization=dappcore | ||||||||||||||||||||||||
| -Dsonar.projectKey=dappcore_go-git | ||||||||||||||||||||||||
| -Dsonar.sources=go | ||||||||||||||||||||||||
| -Dsonar.exclusions=**/vendor/**,**/third_party/**,**/.tmp/**,**/*_test.go | ||||||||||||||||||||||||
| -Dsonar.tests=go | ||||||||||||||||||||||||
| -Dsonar.test.inclusions=**/*_test.go | ||||||||||||||||||||||||
| -Dsonar.go.coverage.reportPaths=go/coverage.out | ||||||||||||||||||||||||
|
Comment on lines
+73
to
+80
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
rg -n "sonar\\.projectKey|sonar\\.sources|sonar\\.tests|sonar\\.go\\.coverage\\.reportPaths" sonar-project.properties .github/workflows/ci.ymlRepository: dAppCore/go-git Length of output: 551 🏁 Script executed: cat -n sonar-project.propertiesRepository: dAppCore/go-git Length of output: 643 🌐 Web query:
💡 Result: Yes, SonarQube command-line properties override those in sonar-project.properties. The official documentation states the settings hierarchy in order of precedence: 1. Global properties (UI), 2. Project properties (UI), 3. Scanner configuration files (like sonar-project.properties), 4. Scanner arguments (command-line -D parameters). Command-line arguments explicitly override scanner configuration files. This applies to the SonarScanner CLI (sonar-scanner command). Example: sonar-scanner -Dsonar.projectKey=myproject -Dsonar.sources=src1 will override values from sonar-project.properties. Citations:
Conflicting SonarCloud configuration between workflow and Workflow arguments set Suggested simplification (remove conflicting workflow args) - name: SonarCloud Scan
uses: SonarSource/sonarqube-scan-action@v6
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
with:
args: >
-Dsonar.organization=dappcore
- -Dsonar.projectKey=dappcore_go-git
- -Dsonar.sources=go
- -Dsonar.exclusions=**/vendor/**,**/third_party/**,**/.tmp/**,**/*_test.go
- -Dsonar.tests=go
- -Dsonar.test.inclusions=**/*_test.go
-Dsonar.go.coverage.reportPaths=go/coverage.out📝 Committable suggestion
Suggested change
🤖 Prompt for AI Agents |
||||||||||||||||||||||||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| run: | ||
| timeout: 5m | ||
| go: "1.26" | ||
|
|
||
| linters: | ||
| enable: | ||
| - govet | ||
| - errcheck | ||
| - staticcheck | ||
| - unused | ||
| - gosimple | ||
| - ineffassign | ||
| - typecheck | ||
| - gocritic | ||
| - gofmt | ||
| disable: | ||
| - exhaustive | ||
| - wrapcheck | ||
|
|
||
| issues: | ||
| exclude-use-default: false | ||
| max-same-issues: 0 |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,22 +1,26 @@ | ||
| version: "2" | ||
| run: | ||
| timeout: 5m | ||
| go: "1.26" | ||
|
|
||
| linters: | ||
| enable: | ||
| - govet | ||
| - errcheck | ||
| - staticcheck | ||
| - unused | ||
| - gosimple | ||
| - ineffassign | ||
| - typecheck | ||
| - gocritic | ||
| - gofmt | ||
| disable: | ||
| - exhaustive | ||
| - wrapcheck | ||
|
|
||
| exclusions: | ||
| generated: lax | ||
| paths: | ||
| - third_party$ | ||
| - builtin$ | ||
| - examples$ | ||
| issues: | ||
| exclude-use-default: false | ||
| max-same-issues: 0 | ||
| formatters: | ||
| enable: | ||
| - gofmt | ||
| exclusions: | ||
| generated: lax | ||
| paths: | ||
| - third_party$ | ||
| - builtin$ | ||
| - examples$ |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| # Woodpecker CI pipeline. | ||
| # Server: ci.lthn.sh. Lint + sonar in parallel, both depend only on clone. | ||
| # sonar_token is admin-scoped on the Woodpecker server. | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Reduce Sonar token privilege scope. The comment confirms an admin-scoped token is used for CI scanning. That is broader than required and increases blast radius if CI secrets are exposed. Use a project-scoped token with analysis-only permissions. 🤖 Prompt for AI Agents |
||
|
|
||
| when: | ||
| - event: push | ||
| branch: [dev, main] | ||
|
|
||
| steps: | ||
| - name: golangci-lint | ||
| image: golangci/golangci-lint:latest-alpine | ||
| depends_on: [] | ||
| environment: | ||
| GOFLAGS: -buildvcs=false | ||
| GOWORK: "off" | ||
| commands: | ||
| - cd go && golangci-lint run --timeout=5m ./... | ||
|
|
||
| - name: go-test | ||
| image: golang:1.26-alpine | ||
| depends_on: [] | ||
| environment: | ||
| GOFLAGS: -buildvcs=false | ||
| GOWORK: "off" | ||
| CGO_ENABLED: "1" | ||
| commands: | ||
| - apk add --no-cache git build-base | ||
| - cd go && go test -race -coverprofile=coverage.out -covermode=atomic -count=1 ./... | ||
| - name: sonar | ||
| image: sonarsource/sonar-scanner-cli:latest | ||
| depends_on: [go-test] | ||
| environment: | ||
| SONAR_HOST_URL: https://sonar.lthn.sh | ||
| SONAR_TOKEN: | ||
| from_secret: sonar_token | ||
| commands: | ||
| - sonar-scanner | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| # go-git Agent Notes | ||
|
|
||
| This repository provides `dappco.re/go/git`, a Core-compatible git service and | ||
| helper package. It wraps status, push, pull, and multi-repository operations in | ||
| the `dappco.re/go` `Result` shape so callers can branch on `r.OK` and inspect | ||
| per-repository errors without importing standard-library compatibility shims. | ||
|
|
||
| Keep production code on the Core wrapper surface. Use `core.Context`, | ||
| `core.Result`, `core.Path*`, `core.WriteFile`, `core.NewBuffer`, | ||
| `core.Sprintf`, `core.NewError`, and the Core assertion helpers instead of | ||
| direct imports of formatting, filesystem, process, string, or error packages. | ||
| The package still exposes iterator-based APIs for streaming repository results; | ||
| tests should collect those iterators directly in the sibling test file for the | ||
| source that defines the symbol. | ||
|
|
||
| Public symbol coverage follows the repository's AX-7 convention. Every public | ||
| function or method in `git.go` is tested in `git_test.go` with | ||
| `TestGit_<Symbol>_{Good,Bad,Ugly}`, and every public service method in | ||
| `service.go` is tested in `service_test.go` with the matching | ||
| `TestService_<Symbol>_{Good,Bad,Ugly}` name. Examples live in | ||
| `git_example_test.go` and `service_example_test.go`, use `Println` from | ||
| `dappco.re/go`, and keep their output deterministic. | ||
|
|
||
| The tests create local temporary git repositories and bare remotes. They do not | ||
| contact network remotes, and they configure a local test author before making | ||
| commits. When changing push or pull behavior, keep the fixtures local and make | ||
| failure cases explicit through relative paths or repositories with no matching | ||
| remote state. |
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -1,8 +1,20 @@ | ||||||||||||||||||||||||
| [](https://pkg.go.dev/dappco.re/go/git) | ||||||||||||||||||||||||
| [](LICENSE.md) | ||||||||||||||||||||||||
| [](go.mod) | ||||||||||||||||||||||||
| <!-- SPDX-License-Identifier: EUPL-1.2 --> | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| > Git primitives — minimal in-house wrapper used by core tooling | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| [](https://github.com/dappcore/go-git/actions/workflows/ci.yml) | ||||||||||||||||||||||||
| [](https://sonarcloud.io/dashboard?id=dappcore_go-git) | ||||||||||||||||||||||||
| [](https://codecov.io/gh/dappcore/go-git) | ||||||||||||||||||||||||
| [](https://sonarcloud.io/dashboard?id=dappcore_go-git) | ||||||||||||||||||||||||
| [](https://sonarcloud.io/dashboard?id=dappcore_go-git) | ||||||||||||||||||||||||
| [](https://sonarcloud.io/dashboard?id=dappcore_go-git) | ||||||||||||||||||||||||
| [](https://sonarcloud.io/dashboard?id=dappcore_go-git) | ||||||||||||||||||||||||
| [](https://sonarcloud.io/dashboard?id=dappcore_go-git) | ||||||||||||||||||||||||
| [](https://pkg.go.dev/dappco.re/go/go-git) | ||||||||||||||||||||||||
| [](https://eupl.eu/1.2/en/) | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| # go-git | ||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
| Go module: `dappco.re/go/git` | ||||||||||||||||||||||||
|
Comment on lines
+15
to
19
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Go Reference badge target does not match the declared module path Line 15 points to Suggested fix-[](https://pkg.go.dev/dappco.re/go/go-git)
+[](https://pkg.go.dev/dappco.re/go/git)📝 Committable suggestion
Suggested change
🤖 Prompt for AI Agents |
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
|
|
||||||||||||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🧩 Analysis chain
🌐 Web query:
In Go modules, what are the security implications of setting GOSUMDB=off in CI, and what are the recommended GOPROXY/GOSUMDB settings for public dependencies?💡 Result:
Setting GOSUMDB=off in CI disables the Go checksum database (sum.golang.org by default), which verifies that downloaded public modules match expected cryptographic hashes recorded in a transparent log. This check occurs when adding new entries to go.sum. Without it, the go command accepts any unrecognized public modules without verifying against the database, giving up the security guarantee of verified repeatable downloads and protection against tampered or malicious modules not yet in go.sum. This exposes CI builds to supply chain attacks where an attacker could serve malicious content for public dependencies, especially if go.sum is incomplete or new versions are fetched. Even with go.sum present, it only checks local cache matches; GOSUMDB provides an external trust anchor for public modules. For public dependencies, use the default settings: GOPROXY=https://proxy.golang.org,direct and GOSUMDB=sum.golang.org. These ensure modules are fetched reliably from the official proxy (with direct fallback) and verified against the checksum database. In CI, commit complete go.mod and go.sum files, use go build -mod=readonly to prevent modifications, and avoid disabling GOSUMDB. If using private modules, set GOPRIVATE and GONOSUMDB for those paths only, keeping public ones verified.
Citations:
🏁 Script executed:
Repository: dAppCore/go-git
Length of output: 84
🏁 Script executed:
Repository: dAppCore/go-git
Length of output: 768
🏁 Script executed:
Repository: dAppCore/go-git
Length of output: 296
🏁 Script executed:
Repository: dAppCore/go-git
Length of output: 83
🏁 Script executed:
Repository: dAppCore/go-git
Length of output: 41
🏁 Script executed:
Repository: dAppCore/go-git
Length of output: 158
🏁 Script executed:
Repository: dAppCore/go-git
Length of output: 128
🏁 Script executed:
Repository: dAppCore/go-git
Length of output: 1048
Go module integrity checks are disabled in CI
Lines 15–16 disable both module proxy verification (
GOPROXY: "direct") and checksum database verification (GOSUMDB: "off"). This removes protection against tampered or malicious module downloads and exposes the build to supply-chain attacks. Given the public dependency ondappco.re/go v0.9.0, checksum verification is essential.Replace with standard Go security settings:
Suggested hardening
📝 Committable suggestion
🤖 Prompt for AI Agents