CI maintenance including verifiable builds

.github/SECURITY.md

@@ -0,0 +1,14 @@
+# Security Policy
+
+## Automated Scans
+
+The following automated security scans are performed on a regular basis for this repository via continuous integration:
+
+- CodeQL analysis
+
+## Reporting a Vulnerability
+
+This repository has GitHub private vulnerability reporting enabled.
+
+To report a security vulnerability please follow the guide at:
+https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability

.github/workflows/release.yml

@@ -1,31 +1,35 @@
 name: goreleaser
-
 on:
   push:
     tags:
-      - 'v*'
+      - "v*"
 
 permissions:
   contents: write
+  id-token: write
+  attestations: write
 
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - run: git fetch --force --tags
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: "1.24"
+          go-version-file: "go.mod"
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
         with:
           distribution: goreleaser
           version: "~> v2"
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN }}
+      # After GoReleaser runs, attest all the files in ./dist/checksums.txt:
+      - uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
+        with:
+          subject-checksums: ./dist/checksums.txt

.github/workflows/test.yml

@@ -1,14 +1,16 @@
 on: push
 name: Test
+
+permissions:
+  contents: read
+
 jobs:
   test:
+    name: Go unit tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          fetch-depth: 1
-      - uses: actions/setup-go@v5
-        with:
-          go-version: "1.24"
-      - run: go mod download
+          go-version-file: "go.mod"
       - run: go test ./...

.goreleaser.yml

@@ -1,40 +1,53 @@
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
 version: 2
 
 before:
   hooks:
     - go mod download
+
 builds:
-- env:
-    - CGO_ENABLED=0
-  goos:
-    - linux
-    - darwin
-    - windows
-  goarch:
-    - amd64
-    - arm64
-  # Custom ldflags templates.
-  # Default is `-s -w -X main.version={{.Version}} -X main.commit={{.ShortCommit}} -X main.date={{.Date}}`.
-  ldflags:
-     - -s -w -X main.buildVersion={{.Version}} -X main.buildCommit={{.ShortCommit}} -X main.buildDate={{.Date}}
-archives:
-- format_overrides:
-  - goos: windows
-    formats: [ 'zip' ]
-universal_binaries:
-- replace: true
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -s -w -X main.buildVersion={{.Version}} -X main.buildCommit={{.ShortCommit}} -X main.buildDate={{.Date}}
+
+gomod:
+  # Proxy a module from proxy.golang.org, making the builds verifiable.
+  # This will only be effective if running against a tag. Snapshots will ignore
+  # this setting.
+  # Notice: for this to work your `build.main` must be a package, not a `.go` file.
+  proxy: true
+
+# static file path for checksums for build attestations
 checksum:
-  name_template: 'checksums.txt'
-snapshot:
-  version_template: "{{ .Tag }}-next"
+  name_template: "checksums.txt"
+
+archives:
+  - format_overrides:
+      - goos: windows
+        formats: ["zip"]
+
+# disable changelog generation entirely, since bump will manage that itself!
+changelog:
+  disable: true
+
+release:
+  # If set to auto, will mark the release as not ready for production
+  # in case there is an indicator for this in the tag e.g. v1.0.0-rc1
+  prerelease: auto
+
 brews:
-  -
-    repository:
+  - repository:
       owner: mroth
       name: homebrew-tap
     description: "Draft GitHub Release of the next semver in web browser"
     homepage: "https://github.com/mroth/bump"
     skip_upload: false
-# disable changelog generation entirely, since bump will manage that itself!
-changelog:
-  disable: true

git.go

@@ -79,7 +79,7 @@ func _detectRemoteURL_LocalGit(path string) (string, error) {
 func parseGithubRemote(remoteURL string) (owner, repo string, ok bool) {
 	re := regexp.MustCompile(`^(?:https://|git@)github.com[:/](.*)/(.*?)(?:\.git$|$)`)
 	matches := re.FindStringSubmatch(remoteURL)
-	if matches == nil || len(matches) < 3 {
+	if len(matches) < 3 {
 		return
 	}
 	return matches[1], matches[2], true

git_test.go

@@ -33,7 +33,6 @@ func Test_parseGithubRemote(t *testing.T) {
 		},
 	}
 	for _, tt := range tests {
-		tt := tt // pin to avoid scope issues (see scopelint)
 		t.Run(tt.name, func(t *testing.T) {
 			gotOwner, gotRepo, gotOk := parseGithubRemote(tt.remoteURL)
 			if gotOwner != tt.wantOwner {
@@ -62,19 +61,19 @@ func Test_githubRepoDetect(t *testing.T) {
 }
 
 func Benchmark_detectRemoteURL_GoGit(b *testing.B) {
-	for i := 0; i < b.N; i++ {
+	for b.Loop() {
 		_detectRemoteURL_GoGit(".")
 	}
 }
 
 func Benchmark_detectRemoteURL_LocalGit(b *testing.B) {
-	for i := 0; i < b.N; i++ {
+	for b.Loop() {
 		_detectRemoteURL_LocalGit(".")
 	}
 }
 
 func Benchmark_parseGithubRemote(b *testing.B) {
-	for i := 0; i < b.N; i++ {
+	for b.Loop() {
 		parseGithubRemote("https://github.com/mroth/bump.git")
 	}
 }

main.go

@@ -24,7 +24,7 @@ var (
 // VerboseLogging sets whether to log debug/timing info to stderr
 var VerboseLogging = false
 
-func logVerbose(format string, v ...interface{}) {
+func logVerbose(format string, v ...any) {
 	if VerboseLogging {
 		log.Printf(format, v...)
 	}

options_test.go

@@ -85,7 +85,6 @@ func TestOptionsPrecedence(t *testing.T) {
 
 	originalEnv := os.Environ()
 	for _, tC := range testCases {
-		tC := tC // pin to avoid scope issues (see scopelint)
 		t.Run(tC.desc, func(t *testing.T) {
 			resetEnviron(tC.env)
 			actualOpts, _ := ParseFlags(NewOptionsFromEnv(), tC.args)