Merge branch 'main' into chore-fix-goreleaser-config

.golangci.yml

@@ -11,10 +11,10 @@ linters:
     - structcheck # WARN [runner] The linter 'structcheck' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter.  Replaced by unused. 
     - nosnakecase # WARN [runner] The linter 'nosnakecase' is deprecated (since v1.48.1) due to: The repository of the linter has been deprecated by the owner.  Replaced by revive(var-naming). 
     - deadcode # WARN [runner] The linter 'deadcode' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter.  Replaced by unused. 
-
+    - gomnd # WARN The linter 'gomnd' is deprecated (since v1.58.0) due to: The linter has been renamed. Replaced by mnd
     - tagliatelle
     - wsl
-    - goerr113
+    - err113
     - nlreturn
     - lll
     - godot

README.md

@@ -101,12 +101,22 @@ You can specify the configuration file with the command line option `-config (-c
 ghalint -c foo.yaml run
 ```
 
-You can exclude the policy `job_secrets` and `action_ref_should_be_full_length_commit_sha`.
+### Disable policies
+
+You can disable the following policies.
+
+- [deny_inherit_secrets](docs/policies/004.md)
+- [job_secrets](docs/policies/006.md)
+- [action_ref_should_be_full_length_commit_sha](docs/policies/008.md)
+- [github_app_should_limit_repositories](docs/policies/009.md)
 
 e.g.
 
 ```yaml
 excludes:
+  - policy_name: deny_inherit_secrets
+    workflow_file_path: .github/workflows/actionlint.yaml
+    job_name: actionlint
   - policy_name: job_secrets
     workflow_file_path: .github/workflows/actionlint.yaml
     job_name: actionlint
@@ -118,14 +128,6 @@ excludes:
     step_id: create_token
 ```
 
-### excludes[].policy_name
-
-Required. You can exclude only the following policies.
-
-- [job_secrets](docs/policies/006.md)
-- [action_ref_should_be_full_length_commit_sha](docs/policies/008.md)
-- [github_app_should_limit_repositories](docs/policies/009.md)
-
 ## Environment variables
 
 - `GHALINT_CONFIG`: Configuration file path

aqua-checksums.json

@@ -1,33 +1,33 @@
 {
   "checksums": [
     {
-      "id": "github_release/github.com/golangci/golangci-lint/v1.57.2/golangci-lint-1.57.2-darwin-amd64.tar.gz",
-      "checksum": "83157F5378D259D51C88E310E88513BD80BD42E497974A1BBE51B82931F229C7",
+      "id": "github_release/github.com/golangci/golangci-lint/v1.58.0/golangci-lint-1.58.0-darwin-amd64.tar.gz",
+      "checksum": "53FD0E562119D7190F7AFA0E4AE054C4B3BF7B0BA104C51D0558EDCEAE83688A",
       "algorithm": "sha256"
     },
     {
-      "id": "github_release/github.com/golangci/golangci-lint/v1.57.2/golangci-lint-1.57.2-darwin-arm64.tar.gz",
-      "checksum": "0D6F10544FC0B5BD94B9EEB20D89646B9C19B52A98DCA1CA62F94C08AC641B98",
+      "id": "github_release/github.com/golangci/golangci-lint/v1.58.0/golangci-lint-1.58.0-darwin-arm64.tar.gz",
+      "checksum": "7338B4371045D5618FE2B6C2258CCD6EA14FB9822065D4FE48FF40B13DBA1029",
       "algorithm": "sha256"
     },
     {
-      "id": "github_release/github.com/golangci/golangci-lint/v1.57.2/golangci-lint-1.57.2-linux-amd64.tar.gz",
-      "checksum": "391483DAA5D58D037832BA2FAC709FDB5DF0C67471C0D7698D1F67CBFA5F10F0",
+      "id": "github_release/github.com/golangci/golangci-lint/v1.58.0/golangci-lint-1.58.0-linux-amd64.tar.gz",
+      "checksum": "2E6AB34A3B0B8D35DC49D8E4E84D37CE631F55FCC549B944B0CC14F7F276971C",
       "algorithm": "sha256"
     },
     {
-      "id": "github_release/github.com/golangci/golangci-lint/v1.57.2/golangci-lint-1.57.2-linux-arm64.tar.gz",
-      "checksum": "9E079E19B3D81E357D2ACC90518C6A86A533E26A74AF1E5EADF8DFCD640B66EE",
+      "id": "github_release/github.com/golangci/golangci-lint/v1.58.0/golangci-lint-1.58.0-linux-arm64.tar.gz",
+      "checksum": "32E5B3DD259F1ECABD5C4997CABAC9B01E120366CFFD67811EAC9F1955899F8F",
       "algorithm": "sha256"
     },
     {
-      "id": "github_release/github.com/golangci/golangci-lint/v1.57.2/golangci-lint-1.57.2-windows-amd64.zip",
-      "checksum": "10C1AB7EB4A99F8B292A8F910BC78A50E9547A4FFE7444FCDDC68F722ADF6612",
+      "id": "github_release/github.com/golangci/golangci-lint/v1.58.0/golangci-lint-1.58.0-windows-amd64.zip",
+      "checksum": "245E9BC6F4878414ED0E4CC53CB94BD441CF0BE7E18CBF84D409CC9AC61AB901",
       "algorithm": "sha256"
     },
     {
-      "id": "github_release/github.com/golangci/golangci-lint/v1.57.2/golangci-lint-1.57.2-windows-arm64.zip",
-      "checksum": "F88AC03FAA185DA6547BEAB8A91983DB2767E2E154323518F592F7E24772CA9E",
+      "id": "github_release/github.com/golangci/golangci-lint/v1.58.0/golangci-lint-1.58.0-windows-arm64.zip",
+      "checksum": "5F629A5D0FB6F9A1ABCFDE89CE1EAA8CD69F79F51B0A14A6A8B6AA1D9236F755",
       "algorithm": "sha256"
     },
     {

aqua.yaml

@@ -6,5 +6,5 @@ registries:
 packages:
   - import: aqua/*.yaml
   - name: suzuki-shunsuke/cmdx@v1.7.4
-  - name: golangci/golangci-lint@v1.57.2
+  - name: golangci/golangci-lint@v1.58.0
   - name: sigstore/cosign@v2.2.4

aqua/golangci-lint.yaml

@@ -1,2 +1,2 @@
 packages:
-  - name: golangci/golangci-lint@v1.57.2
+  - name: golangci/golangci-lint@v1.58.0

docs/policies/004.md

@@ -27,3 +27,20 @@ jobs:
 ## Why?
 
 Secrets should be exposed to only required jobs.
+
+## How to ignore the violation
+
+We don't recommend, but if you want to ignore the violation of this policy, please configure it with [the configuration file](../../README.md#configuration-file).
+
+e.g.
+
+ghalint.yaml
+
+```yaml
+excludes:
+  - policy_name: deny_inherit_secrets
+    workflow_file_path: .github/workflows/actionlint.yaml
+    job_name: actionlint
+```
+
+`policy_name`, `workflow_file_path`, and `job_name` are required.

go.mod

@@ -1,6 +1,6 @@
 module github.com/suzuki-shunsuke/ghalint
 
-go 1.19
+go 1.22.4
 
 require (
 	github.com/mattn/go-colorable v0.1.13

pkg/config/config.go

@@ -76,6 +76,13 @@ func validate(exclude *Exclude) error { //nolint:cyclop
 		if exclude.JobName == "" {
 			return errors.New(`job_name is required to exclude job_secrets`)
 		}
+	case "deny_inherit_secrets":
+		if exclude.WorkflowFilePath == "" {
+			return errors.New(`workflow_file_path is required to exclude deny_inherit_secrets`)
+		}
+		if exclude.JobName == "" {
+			return errors.New(`job_name is required to exclude deny_inherit_secrets`)
+		}
 	case "github_app_should_limit_repositories":
 		if exclude.WorkflowFilePath == "" && exclude.ActionFilePath == "" {
 			return errors.New(`workflow_file_path or action_file_path is required to exclude github_app_should_limit_repositories`)

pkg/config/config_test.go

@@ -71,7 +71,6 @@ func TestValidate(t *testing.T) { //nolint:funlen
 		},
 	}
 	for _, d := range data {
-		d := d
 		t.Run(d.name, func(t *testing.T) {
 			t.Parallel()
 			if err := config.Validate(d.cfg); err != nil {

pkg/policy/action_ref_should_be_full_length_commit_sha_policy_test.go

@@ -51,7 +51,6 @@ func TestActionRefShouldBeSHA1Policy_ApplyJob(t *testing.T) {
 	p := policy.NewActionRefShouldBeSHA1Policy()
 	logE := logrus.NewEntry(logrus.New())
 	for _, d := range data {
-		d := d
 		t.Run(d.name, func(t *testing.T) {
 			t.Parallel()
 			if err := p.ApplyJob(logE, d.cfg, nil, d.job); err != nil {
@@ -114,7 +113,6 @@ func TestActionRefShouldBeSHA1Policy_ApplyStep(t *testing.T) {
 	p := policy.NewActionRefShouldBeSHA1Policy()
 	logE := logrus.NewEntry(logrus.New())
 	for _, d := range data {
-		d := d
 		t.Run(d.name, func(t *testing.T) {
 			t.Parallel()
 			if err := p.ApplyStep(logE, d.cfg, nil, d.step); err != nil {

pkg/policy/action_shell_is_required_test.go

@@ -33,7 +33,6 @@ func TestActionShellIsRequiredPolicy_ApplyStep(t *testing.T) {
 	p := &policy.ActionShellIsRequiredPolicy{}
 	logE := logrus.NewEntry(logrus.New())
 	for _, d := range data {
-		d := d
 		t.Run(d.name, func(t *testing.T) {
 			t.Parallel()
 			if err := p.ApplyStep(logE, nil, nil, d.step); err != nil {

pkg/policy/deny_inherit_secrets.go

@@ -18,7 +18,10 @@ func (p *DenyInheritSecretsPolicy) ID() string {
 	return "004"
 }
 
-func (p *DenyInheritSecretsPolicy) ApplyJob(_ *logrus.Entry, _ *config.Config, _ *JobContext, job *workflow.Job) error {
+func (p *DenyInheritSecretsPolicy) ApplyJob(_ *logrus.Entry, cfg *config.Config, jobCtx *JobContext, job *workflow.Job) error {
+	if checkExcludes(p.Name(), jobCtx, cfg) {
+		return nil
+	}
 	if job.Secrets.Inherit() {
 		return errors.New("`secrets: inherit` should not be used. Only required secrets should be passed explicitly")
 	}

pkg/policy/deny_inherit_secrets_test.go

@@ -1,9 +1,11 @@
+//nolint:funlen
 package policy_test
 
 import (
 	"testing"
 
 	"github.com/sirupsen/logrus"
+	"github.com/suzuki-shunsuke/ghalint/pkg/config"
 	"github.com/suzuki-shunsuke/ghalint/pkg/policy"
 	"github.com/suzuki-shunsuke/ghalint/pkg/workflow"
 	"gopkg.in/yaml.v3"
@@ -12,32 +14,86 @@ import (
 func TestDenyInheritSecretsPolicy_ApplyJob(t *testing.T) {
 	t.Parallel()
 	data := []struct {
-		name  string
-		job   string
-		isErr bool
+		name   string
+		job    string
+		cfg    *config.Config
+		jobCtx *policy.JobContext
+		isErr  bool
 	}{
 		{
-			name:  "error",
+			name: "exclude",
+			cfg: &config.Config{
+				Excludes: []*config.Exclude{
+					{
+						PolicyName:       "deny_inherit_secrets",
+						WorkflowFilePath: ".github/workflows/test.yaml",
+						JobName:          "foo",
+					},
+				},
+			},
+			jobCtx: &policy.JobContext{
+				Workflow: &policy.WorkflowContext{
+					FilePath: ".github/workflows/test.yaml",
+				},
+				Name: "foo",
+			},
+			job: `secrets: inherit`,
+		},
+		{
+			name: "not exclude",
+			cfg: &config.Config{
+				Excludes: []*config.Exclude{
+					{
+						PolicyName:       "deny_inherit_secrets",
+						WorkflowFilePath: ".github/workflows/test.yaml",
+						JobName:          "bar",
+					},
+				},
+			},
+			jobCtx: &policy.JobContext{
+				Workflow: &policy.WorkflowContext{
+					FilePath: ".github/workflows/test.yaml",
+				},
+				Name: "foo",
+			},
 			job:   `secrets: inherit`,
 			isErr: true,
 		},
+		{
+			name: "error",
+			job:  `secrets: inherit`,
+			cfg:  &config.Config{},
+			jobCtx: &policy.JobContext{
+				Workflow: &policy.WorkflowContext{
+					FilePath: ".github/workflows/test.yaml",
+				},
+				Name: "foo",
+			},
+			isErr: true,
+		},
 		{
 			name: "pass",
+			cfg:  &config.Config{},
+			jobCtx: &policy.JobContext{
+				Workflow: &policy.WorkflowContext{
+					FilePath: ".github/workflows/test.yaml",
+				},
+				Name: "foo",
+			},
 			job: `secrets:
       foo: ${{secrets.API_KEY}}`,
 		},
 	}
 	p := &policy.DenyInheritSecretsPolicy{}
 	logE := logrus.NewEntry(logrus.New())
 	for _, d := range data {
-		d := d
 		t.Run(d.name, func(t *testing.T) {
 			t.Parallel()
 			job := &workflow.Job{}
 			if err := yaml.Unmarshal([]byte(d.job), job); err != nil {
 				t.Fatal(err)
 			}
-			if err := p.ApplyJob(logE, nil, nil, job); err != nil {
+			if err := p.ApplyJob(logE, d.cfg, d.jobCtx, job); err != nil {
 				if d.isErr {
 					return
 				}

pkg/policy/deny_job_container_latest_image_test.go

@@ -52,7 +52,6 @@ func TestDenyJobContainerLatestImagePolicy_ApplyJob(t *testing.T) {
 	p := &policy.DenyJobContainerLatestImagePolicy{}
 	logE := logrus.NewEntry(logrus.New())
 	for _, d := range data {
-		d := d
 		t.Run(d.name, func(t *testing.T) {
 			t.Parallel()
 			if err := p.ApplyJob(logE, nil, nil, d.job); err != nil {

pkg/policy/deny_read_all_policy_test.go

@@ -47,7 +47,6 @@ func TestDenyReadAllPermissionPolicy_ApplyJob(t *testing.T) {
 	p := &policy.DenyReadAllPermissionPolicy{}
 	logE := logrus.NewEntry(logrus.New())
 	for _, d := range data {
-		d := d
 		if d.jobCtx == nil {
 			d.jobCtx = &policy.JobContext{
 				Workflow: &policy.WorkflowContext{

pkg/policy/deny_write_all_policy_test.go

@@ -47,7 +47,6 @@ func TestDenyWriteAllPermissionPolicy_ApplyJob(t *testing.T) {
 	p := &policy.DenyWriteAllPermissionPolicy{}
 	logE := logrus.NewEntry(logrus.New())
 	for _, d := range data {
-		d := d
 		if d.jobCtx == nil {
 			d.jobCtx = &policy.JobContext{
 				Workflow: &policy.WorkflowContext{

pkg/policy/github_app_should_limit_permissions_test.go

@@ -69,7 +69,6 @@ func TestGitHubAppShouldLimitPermissionsPolicy_ApplyStep(t *testing.T) { //nolin
 	p := &policy.GitHubAppShouldLimitPermissionsPolicy{}
 	logE := logrus.NewEntry(logrus.New())
 	for _, d := range data {
-		d := d
 		if d.stepCtx == nil {
 			d.stepCtx = &policy.StepContext{
 				FilePath: ".github/workflows/test.yaml",

pkg/policy/github_app_should_limit_repositories_test.go

@@ -118,7 +118,6 @@ func TestGitHubAppShouldLimitRepositoriesPolicy_ApplyStep(t *testing.T) { //noli
 	p := &policy.GitHubAppShouldLimitRepositoriesPolicy{}
 	logE := logrus.NewEntry(logrus.New())
 	for _, d := range data {
-		d := d
 		if d.stepCtx == nil {
 			d.stepCtx = &policy.StepContext{
 				FilePath: ".github/workflows/test.yaml",

pkg/policy/job_permissions_policy_test.go

@@ -66,7 +66,6 @@ func TestJobPermissionsPolicy_ApplyJob(t *testing.T) { //nolint:funlen
 	p := &policy.JobPermissionsPolicy{}
 	logE := logrus.NewEntry(logrus.New())
 	for _, d := range data {
-		d := d
 		t.Run(d.name, func(t *testing.T) {
 			t.Parallel()
 			if err := p.ApplyJob(logE, nil, d.jobCtx, d.job); err != nil {

pkg/policy/job_secrets_policy.go

@@ -43,7 +43,7 @@ func (p *JobSecretsPolicy) ApplyJob(_ *logrus.Entry, cfg *config.Config, jobCtx
 	if checkExcludes(p.Name(), jobCtx, cfg) {
 		return nil
 	}
-	if len(job.Steps) < 2 { //nolint:gomnd
+	if len(job.Steps) < 2 { //nolint:mnd
 		return nil
 	}
 	for envName, envValue := range job.Env {

pkg/policy/job_secrets_policy_test.go

@@ -106,7 +106,6 @@ func TestJobSecretsPolicy_ApplyJob(t *testing.T) { //nolint:funlen
 	p := policy.NewJobSecretsPolicy()
 	logE := logrus.NewEntry(logrus.New())
 	for _, d := range data {
-		d := d
 		t.Run(d.name, func(t *testing.T) {
 			t.Parallel()
 			if err := p.ApplyJob(logE, d.cfg, d.jobCtx, d.job); err != nil {

pkg/policy/workflow_secrets_policy.go

@@ -29,7 +29,7 @@ func (p *WorkflowSecretsPolicy) ID() string {
 }
 
 func (p *WorkflowSecretsPolicy) ApplyWorkflow(logE *logrus.Entry, _ *config.Config, _ *WorkflowContext, wf *workflow.Workflow) error {
-	if len(wf.Jobs) < 2 { //nolint:gomnd
+	if len(wf.Jobs) < 2 { //nolint:mnd
 		return nil
 	}
 	failed := false

pkg/policy/workflow_secrets_policy_test.go

@@ -78,7 +78,6 @@ func TestWorkflowSecretsPolicy_ApplyWorkflow(t *testing.T) { //nolint:funlen
 	p := policy.NewWorkflowSecretsPolicy()
 	logE := logrus.NewEntry(logrus.New())
 	for _, d := range data {
-		d := d
 		t.Run(d.name, func(t *testing.T) {
 			t.Parallel()
 			if err := p.ApplyWorkflow(logE, d.cfg, nil, d.wf); err != nil {

pkg/workflow/container_test.go

@@ -26,7 +26,6 @@ func TestContainer_UnmarshalYAML(t *testing.T) {
 		},
 	}
 	for _, d := range data {
-		d := d
 		t.Run(d.name, func(t *testing.T) {
 			t.Parallel()
 			c := &workflow.Container{}

pkg/workflow/job_secrets_test.go

@@ -25,7 +25,6 @@ func TestJobSecrets_UnmarshalYAML(t *testing.T) {
 		},
 	}
 	for _, d := range data {
-		d := d
 		t.Run(d.name, func(t *testing.T) {
 			t.Parallel()
 			js := &workflow.JobSecrets{}