Fix linter pre-submit (slsa-framework#333)

* Update perms to make reviewdog work

* Add test files

* Fix sha for shfmt action

* Rename linter pre-submit file

* run golangci-lint manually

* Fix workflows

* Reduce permissions

* fix lint workflow

* fix lint workflow

* use sha for setup-go

* Add shellcheck job

* run yamllint manually

* add runs-on

* fix untarring githubci-lint

* fix untarring githubci-lint

* output github actions commands

* remove uncessary code

* Remove test files

* code cleanup

* Add golangci-lint checksum check

* Actually untar golangci-lint

* add debug

* Restore correct hash

* Checksum the right file

* fix dir

* Remove unused ldflags

* Disable linters generating issues for now

* Disable stylecheck for now

* Fix trailing spaces

* Exit with positive error codes

* Update references to reusable actions.

* Add Makefile to make running linters easier

* remove trailing whitespace

* Fix formatting options for yamllint

* Fix yamllint issues

* Fix tag comments

* Add docs on local development.

* Update comment

* Linters ignore vendor directory

* Fix whitespace

Author: Ian Lewis

.github/actions/compute-sha256/action.yml

@@ -27,5 +27,5 @@ runs:
         fi
         digest=$(sha256sum "$UNTRUSTED_PATH" | awk '{print $1}')
         echo "computed sha: $digest"
-        
+
         echo "::set-output name=sha256::$digest"

.github/actions/generate-builder/action.yml

@@ -44,15 +44,15 @@ runs:
       shell: bash
       env:
         # Builder.
-        BUILDER_REPOSITORY: slsa-framework/slsa-github-generator  # The repository to download the pre-built builder binary from.
-        BUILDER_RELEASE_BINARY: "${{ inputs.binary }}"            # The name of the pre-built binary in the release assets. This is also used as the final binary name when compiling the builder from source.
+        BUILDER_REPOSITORY: slsa-framework/slsa-github-generator # The repository to download the pre-built builder binary from.
+        BUILDER_RELEASE_BINARY: "${{ inputs.binary }}" # The name of the pre-built binary in the release assets. This is also used as the final binary name when compiling the builder from source.
         # Verifier
         # NOTE: These VERIFIER_* variables are used in the builder-fetch.sh script for verification of builder
         # release binaries when the compile-builder input is false.
-        VERIFIER_REPOSITORY: slsa-framework/slsa-verifier         # The repository to download the pre-built verifier binary from.
-        VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64        # The name of the verifier binary in the release assets.
-        VERIFIER_RELEASE_BINARY_SHA256: f92fc4e571949c796d7709bb3f0814a733124b0155e484fad095b5ca68b4cb21  # The expected hash of the verifier binary.
-        VERIFIER_RELEASE: v1.1.1                                   # The version of the verifier to download.
+        VERIFIER_REPOSITORY: slsa-framework/slsa-verifier # The repository to download the pre-built verifier binary from.
+        VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64 # The name of the verifier binary in the release assets.
+        VERIFIER_RELEASE_BINARY_SHA256: f92fc4e571949c796d7709bb3f0814a733124b0155e484fad095b5ca68b4cb21 # The expected hash of the verifier binary.
+        VERIFIER_RELEASE: v1.1.1 # The version of the verifier to download.
 
         COMPILE_BUILDER: "${{ inputs.compile-builder }}"
         BUILDER_REF: "${{ inputs.ref }}"

.github/actions/rng/action.yml

@@ -29,4 +29,3 @@ runs:
         # -c: the number of bytes displayed per column
         value=$(xxd -p -l "$LENGTH" -c "$LENGTH" /dev/urandom)
         echo "::set-output name=result::$value"
-

.github/actions/secure-download-artifact/action.yml

@@ -22,7 +22,6 @@ runs:
       env:
         UNTRUSTED_PATH: "${{ inputs.path }}"
       run: |
-      
         set -euo pipefail
 
         if [ -e "$UNTRUSTED_PATH" ]; then
@@ -49,14 +48,13 @@ runs:
         SET_EXECUTABLE: "${{ inputs.set-executable }}"
       shell: bash
       run: |
-      
         set -euo pipefail
 
         if ! [[ -f "$UNTRUSTED_PATH" ]]; then
             echo "File $UNTRUSTED_PATH not present"
             exit 5
         fi
-            
+
         echo "expected hash is $UNTRUSTED_EXPECTED_HASH"
         echo "computed hash is $UNTRUSTED_COMPUTED_HASH"
         if [[ "$UNTRUSTED_COMPUTED_HASH" != "$UNTRUSTED_EXPECTED_HASH" ]]; then
@@ -68,4 +66,3 @@ runs:
             echo "Setting $UNTRUSTED_PATH as executable"
             chmod u+x "$UNTRUSTED_PATH"
         fi
-

.github/workflows/builder_go_slsa3.yml

@@ -21,8 +21,8 @@ env:
   # Project.
   GENERATED_BINARY_NAME: go-compiled-binary
   # Builder.
-  BUILDER_BINARY: slsa-builder-go-linux-amd64         # Name of the binary in the release assets.
-  BUILDER_DIR: internal/builders/go                   # Source directory if we compile the builder.
+  BUILDER_BINARY: slsa-builder-go-linux-amd64 # Name of the binary in the release assets.
+  BUILDER_DIR: internal/builders/go # Source directory if we compile the builder.
 
 ###################################################################
 #                                                                 #

.github/workflows/generator_generic_slsa3.yml

@@ -19,8 +19,8 @@ permissions:
 
 env:
   # Generator
-  BUILDER_BINARY: slsa-generator-generic-linux-amd64  # Name of the binary in the release assets.
-  BUILDER_DIR: internal/builders/generic              # Source directory if we compile the builder.
+  BUILDER_BINARY: slsa-generator-generic-linux-amd64 # Name of the binary in the release assets.
+  BUILDER_DIR: internal/builders/generic # Source directory if we compile the builder.
 
 on:
   workflow_call:
@@ -36,7 +36,7 @@ on:
         default: false
       attestation-name:
         description: >
-          The artifact name of the signed provenance. 
+          The artifact name of the signed provenance.
           The file must have the intoto.jsonl extension.
 
           Default: attestation.intoto.jsonl

.github/workflows/pre-submit.lint.yml

@@ -0,0 +1,64 @@
+name: Lint
+
+on: [pull_request]
+
+permissions:
+  # Needed to check out the repo.
+  contents: read
+
+jobs:
+  golangci-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+      - uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # tag=v3.2.0
+        with:
+          go-version: "1.18"
+      - env:
+          GOLANGCI_LINT_VERSION: "1.46.2"
+          GOLANGCI_LINT_CHECKSUM: "242cd4f2d6ac0556e315192e8555784d13da5d1874e51304711570769c4f2b9b"
+        run: |
+          set -euo pipefail
+
+          #Install golangci-lint
+          curl -sSLo golangci-lint.tar.gz "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz"
+          echo "golangci-lint checksum is $(sha256sum golangci-lint.tar.gz | awk '{ print $1 }')"
+          echo "expected checksum is $GOLANGCI_LINT_CHECKSUM"
+          echo "$GOLANGCI_LINT_CHECKSUM golangci-lint.tar.gz" | sha256sum --strict --check --status || exit -2
+          tar xf golangci-lint.tar.gz
+          mv golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint /usr/local/bin
+
+          # Run golangci-lint
+          make golangci-lint
+
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+      - env:
+          SHELLCHECK_VERSION: "0.8.0"
+        run: |
+          set -euo pipefail
+
+          # Install shellcheck
+          wget -qO- "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" | tar -xJf -
+          mv "shellcheck-v$SHELLCHECK_VERSION/shellcheck" /usr/local/bin
+
+          # Run shellcheck and output github actions commands.
+          # See: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions
+          make shellcheck
+
+  yamllint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+      - env:
+          YAMLLINT_VERSION: "1.26.3"
+        run: |
+          set -euo pipefail
+
+          # Install yamllint
+          pip install "yamllint==${YAMLLINT_VERSION}"
+
+          # Run yamllint
+          make yamllint

.github/workflows/release.yml

@@ -35,4 +35,3 @@ jobs:
       go-version: 1.18
       config-file: .github/workflows/configs-go/config-release.yml
       compile-builder: true
-

.golangci.yml

@@ -3,12 +3,12 @@ run:
   concurrency: 2
   deadline: 5m
 issues:
-  include:
-    # revive `package-comments` and `exported` rules.
-    - EXC0012
-    - EXC0013
-    - EXC0014
-    - EXC0015
+  # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): revive `package-comments` and `exported` rules.
+  # include:
+  #   - EXC0012
+  #   - EXC0013
+  #   - EXC0014
+  #   - EXC0015
   # Maximum issues count per one linter.
   # Set to 0 to disable.
   # Default: 50
@@ -27,47 +27,62 @@ linters:
     - deadcode
     - depguard
     - dogsled
-    - errcheck
-    - errorlint
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable errcheck
+    # - errcheck
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable errorlint
+    # - errorlint
     - exhaustive
-    - exportloopref
-    - gci
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable exportloopref
+    # - exportloopref
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable gci
+    # - gci
     - gochecknoinits
     - gocognit
     - goconst
-    - gocritic
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable gocritic
+    # - gocritic
     - gocyclo
     - godot
-    - godox
-    - goerr113
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable godox
+    # - godox
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable goerr113
+    # - goerr113
     - gofmt
     - gofumpt
     - goheader
     - goimports
     - gomodguard
     - goprintffuncname
-    - gosec
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable gosec
+    # - gosec
     - gosimple
-    - govet
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable govet
+    # - govet
     - ineffassign
-    - lll
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable lll
+    # - lll
     - makezero
     - misspell
     - nakedret
-    - nestif
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable nestif
+    # - nestif
     - nolintlint
-    - paralleltest
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable paralleltest
+    # - paralleltest
     - predeclared
     - revive
     - staticcheck
-    - stylecheck
-    - thelper
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable stylecheck
+    # - stylecheck
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable thelper
+    # - thelper
     - typecheck
     - unconvert
     - unused
     - varcheck
     - whitespace
-    - wrapcheck
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/450): enable thelper
+    # - wrapcheck
 linters-settings:
   errcheck:
     check-type-assertions: true

.yamllint.yaml

@@ -1,6 +1,10 @@
 ---
 extends: default
 
+ignore: |
+  node_modules/
+  vendor/
+
 rules:
   comments:
     # prettier formats comments one space from content

Makefile

@@ -0,0 +1,82 @@
+SHELL := /bin/bash
+OUTPUT_FORMAT = $(shell if [ "${GITHUB_ACTIONS}" == "true" ]; then echo "github"; else echo ""; fi)
+
+.PHONY: help
+help: ## Shows all targets and help from the Makefile (this message).
+	@echo "slsa-github-generator Makefile"
+	@echo "Usage: make [COMMAND]"
+	@echo ""
+	@grep --no-filename -E '^([/a-z.A-Z0-9_%-]+:.*?|)##' $(MAKEFILE_LIST) | \
+		awk 'BEGIN {FS = "(:.*?|)## ?"}; { \
+			if (length($$1) > 0) { \
+				printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2; \
+			} else { \
+				if (length($$2) > 0) { \
+					printf "%s\n", $$2; \
+				} \
+			} \
+		}'
+
+## Testing
+#####################################################################
+
+unit-test: ## Runs all unit tests.
+	# Run unit tests for the detect-workflow action.
+	cd .github/actions/detect-workflow
+	go mod vendor
+	go test -mod=vendor -v ./...
+	# Run unit tests for the main package.
+	cd -
+	go mod vendor
+	go test -mod=vendor -v ./...
+
+
+## Linters
+#####################################################################
+
+lint: ## Run all linters.
+lint: golangci-lint shellcheck yamllint
+
+golangci-lint: ## Runs the golangci-lint linter.
+	@set -e;\
+		extraargs=""; \
+		if [ "$(OUTPUT_FORMAT)" == "github" ]; then \
+			extraargs="--out-format github-actions"; \
+		fi; \
+		golangci-lint run -c .golangci.yml ./... $$extraargs
+
+shellcheck: ## Runs the shellcheck linter.
+	@set -e;\
+		FILES=$$(find . -type f -not -iwholename '*/.git/*' -not -iwholename '*/vendor/*' -not -iwholename '*/node_modules/*' -exec bash -c 'file "$$1" | cut -d':' -f2 | grep --quiet shell' _ {} \; -print); \
+		if [ "$(OUTPUT_FORMAT)" == "github" ]; then \
+			echo -n $$FILES | xargs shellcheck -f json --external-sources | jq -c '.[]' | while IFS="" read -r p || [ -n "$$p" ]; do \
+				LEVEL=$$(echo "$$p" | jq -c '.level // empty' | tr -d '"'); \
+				FILE=$$(echo "$$p" | jq -c '.file // empty' | tr -d '"'); \
+				LINE=$$(echo "$$p" | jq -c '.line // empty' | tr -d '"'); \
+				ENDLINE=$$(echo "$$p" | jq -c '.endLine // empty' | tr -d '"'); \
+				COL=$$(echo "$$p" | jq -c '.column // empty' | tr -d '"'); \
+				ENDCOL=$$(echo "$$p" | jq -c '.endColumn // empty' | tr -d '"'); \
+				MESSAGE=$$(echo "$$p" | jq -c '.message // empty' | tr -d '"'); \
+				case $$LEVEL in \
+				"info") \
+					echo "::notice file=$${FILE},line=$${LINE},endLine=$${ENDLINE},col=$${COL},endColumn=$${ENDCOL}::$${MESSAGE}"; \
+					;; \
+				"warning") \
+					echo "::warning file=$${FILE},line=$${LINE},endLine=$${ENDLINE},col=$${COL},endColumn=$${ENDCOL}::$${MESSAGE}"; \
+					;; \
+				"error") \
+					echo "::error file=$${FILE},line=$${LINE},endLine=$${ENDLINE},col=$${COL},endColumn=$${ENDCOL}::$${MESSAGE}"; \
+					;; \
+				esac; \
+			done; \
+		else \
+			echo -n $$FILES | xargs shellcheck --external-sources; \
+		fi
+
+yamllint: ## Runs the yamllint linter.
+	@set -e;\
+		extraargs=""; \
+		if [ "$(OUTPUT_FORMAT)" == "github" ]; then \
+			extraargs="-f github"; \
+		fi; \
+		yamllint -c .yamllint.yaml . $$extraargs