[]:Syncs

.contentful/vault-secrets.yaml

@@ -0,0 +1,5 @@
+version: 1
+services:
+  github-action:
+    policies:
+      - dependabot

.github/CODEOWNERS

@@ -0,0 +1,4 @@
+* @contentful/team-security
+go.mod
+go.sum
+.github/workflows

.github/dependabot.yml

@@ -9,3 +9,13 @@ updates:
   directory: "/"
   schedule:
     interval: "daily"
+- package-ecosystem: docker
+  directory: "/"
+  schedule:
+    interval: daily
+    time: "00:00"
+    timezone: UTC
+  open-pull-requests-limit: 15
+  commit-message:
+    prefix: build
+    include: scope

.github/workflows/dependabot-approve-and-request-merge.yml

@@ -0,0 +1,15 @@
+name: "dependabot approve-and-request-merge"
+
+on: pull_request_target
+
+jobs:
+  worker:
+    permissions:
+      contents: write
+      id-token: write
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - uses: contentful/github-auto-merge@v1
+        with:
+          VAULT_URL: ${{ secrets.VAULT_URL }}

.github/workflows/docker-image.yaml

@@ -0,0 +1,46 @@
+name: Create and publish a Docker image
+
+on:
+  release:
+    types: [published]
+  # publish on pushes to the main branch (image tagged as "latest")
+  push:
+    branches:
+      - "main"
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    if: github.actor != 'dependabot[bot]' || github.actor != 'dependabot-preview[bot]'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/postmerge.yaml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
-    - uses: ossf/scorecard-action@v2.1.3
+    - uses: ossf/scorecard-action@v2.3.3
       with:
         results_file: results.sarif
         results_format: sarif

.github/workflows/pr.yaml

@@ -9,9 +9,9 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v4
       with:
-        go-version: '1.21'
+        go-version: '1.20'
         check-latest: true
-    - uses: golangci/golangci-lint-action@v4
+    - uses: golangci/golangci-lint-action@v6
       with:
         args: --timeout 3m --verbose
   build:
@@ -20,7 +20,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v4
       with:
-        go-version: '1.21'
+        go-version: '1.20'
         check-latest: true
     - run: go build -v ./...
   test:
@@ -29,7 +29,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v4
       with:
-        go-version: '1.21'
+        go-version: '1.20'
         check-latest: true
     - run: go test -v ./...
     - run: go vet ./...

.github/workflows/sast.yaml

@@ -0,0 +1,31 @@
+name: SAST (Static Application Security Testing)
+
+on:
+  push:
+    branches: [master, main]
+  pull_request:
+    branches: [master, main]
+
+jobs:
+  polaris:
+    name: polaris / code-scan
+    continue-on-error: true
+    runs-on: ubuntu-latest
+    if: (github.repository_owner == 'contentful') && (endsWith(github.actor, '[bot]') == false)
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@v4 # v4
+        with:
+          fetch-depth: 0
+
+      - name: Synopsys Polaris
+        uses: contentful/polaris-action@master
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          polaris_url: ${{ secrets.POLARIS_SERVER_URL }}
+          polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
+          debug: true
+          polaris_command: analyze -w --coverity-ignore-capture-failure
+          security_gate_filters: '{ "severity": ["High", "Medium"] }'
+          fail_on_error: false
+          report_url: "https://github.com/contentful/security-tools-config/issues/new?title=False%20positive%20in%20Polaris"

Dockerfile

@@ -0,0 +1,23 @@
+# Use the official Go image as the base image
+FROM golang:1.22 AS builder
+
+# Set the working directory
+WORKDIR /ko-app
+
+# Copy the Go application source code
+COPY . .
+
+# Tidy em packages
+RUN go mod tidy
+
+# Build the Go application
+RUN CGO_ENABLED=0 go build -o allstar ./cmd/allstar
+
+# Use a minimal base image to reduce the image size
+FROM gcr.io/distroless/base-debian10
+
+# Copy the binary from the builder stage to the final image
+COPY --from=builder /ko-app/allstar /ko-app/allstar
+
+# Set the entry point for the final image
+ENTRYPOINT ["/ko-app/allstar"]