From 2e26cf6441fc74256a9fca34cdd7accf425c8bed Mon Sep 17 00:00:00 2001 From: Apoorva Jagtap Date: Sun, 23 Jul 2023 03:03:33 +0530 Subject: [PATCH] added gosec & govulncheck --- .github/workflows/issues.yml | 3 ++ .../workflows/pull-request-size-labeler.yml | 30 +++++++++++ .github/workflows/test.yml | 23 ++++++-- .gitignore | 1 + Makefile | 52 ++++++++++++++++--- 5 files changed, 97 insertions(+), 12 deletions(-) create mode 100644 .github/workflows/pull-request-size-labeler.yml create mode 100644 .gitignore diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml index 193eb32a..eb52d283 100644 --- a/.github/workflows/issues.yml +++ b/.github/workflows/issues.yml @@ -5,6 +5,9 @@ on: issues: types: - opened + pull_request: + types: + - opened jobs: add-to-project: diff --git a/.github/workflows/pull-request-size-labeler.yml b/.github/workflows/pull-request-size-labeler.yml new file mode 100644 index 00000000..b06f0222 --- /dev/null +++ b/.github/workflows/pull-request-size-labeler.yml @@ -0,0 +1,30 @@ +name: Pull request size labeler + +on: [pull_request] + +jobs: + labeler: + runs-on: ubuntu-latest + name: Label the PR size + permissions: + issues: write + pull-requests: write + steps: + - uses: codelytv/pr-size-labeler@v1 + with: + GITHUB_TOKEN: ${{ secrets.ADD_TO_PROJECT_TOKEN }} + xs_label: 'size/xs' + xs_max_size: '10' + s_label: 'size/s' + s_max_size: '100' + m_label: 'size/m' + m_max_size: '500' + l_label: 'size/l' + l_max_size: '1000' + xl_label: 'size/xl' + fail_if_xl: 'false' + message_if_xl: > + This PR exceeds the recommended size of 1000 lines. + Please make sure you are NOT addressing multiple issues with one PR. + Note this PR might be rejected due to its size. + files_to_ignore: '' \ No newline at end of file diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 152cd742..6bd19713 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
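Review bot: Triggering the add-to-project workflow on `pull_request` means runs for PRs opened from forks receive no repository secrets, so if the job below authenticates with a stored token (the job body is outside this hunk) those runs will fail instead of adding the PR to the project. If that is acceptable it deserves a comment on the trigger; otherwise gate the job with `if: github.event.pull_request.head.repo.full_name == github.repository` so fork PRs are skipped explicitly. Do not switch to `pull_request_target` to regain secrets unless the job never checks out or executes PR code.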
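Review bot: The labeler step authenticates with the `ADD_TO_PROJECT_TOKEN` PAT although the job already grants the only scopes it needs (`issues: write`, `pull-requests: write`), so the built-in per-run token would do the same work with a narrower credential; on `pull_request` runs from forks the stored secret is also not available, leaving the step with an empty token. Prefer `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`. The action is referenced by the mutable tag `codelytv/pr-size-labeler@v1`; pin it to a full commit SHA, e.g. `uses: codelytv/pr-size-labeler@<full-commit-sha>  # <release tag>`, so a retagged release cannot change what runs with write access to PRs. The file also ends without a trailing newline.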
@@ -14,7 +14,7 @@ jobs: verify-and-test: strategy: matrix: - go: ['1.18', '1.19','1.20'] + go: ['1.19','1.20'] os: [ubuntu-latest, macos-latest, windows-latest] fail-fast: true runs-on: ${{ matrix.os }} @@ -28,13 +28,28 @@ jobs: go-version: ${{ matrix.go }} cache: false - - name: Verify + - name: Run GolangCI-Lint uses: golangci/golangci-lint-action@v3 with: version: v1.53 args: --timeout=5m - + + - name: Run GoSec + if: matrix.os == 'ubuntu-latest' + uses: securego/gosec@master + with: + args: ./... + + - name: Run GoVulnCheck + uses: golang/govulncheck-action@v1 + with: + go-version-input: ${{ matrix.go }} + go-package: ./... + - name: Test run: go test -race --coverprofile=coverage.txt --covermode=atomic -v ./... + - name: Upload coverage to Codecov - uses: codecov/codecov-action@v3 \ No newline at end of file + uses: codecov/codecov-action@v3 + with: + files: ./coverage \ No newline at end of file diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..84039fec --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +coverage.coverprofile diff --git a/Makefile b/Makefile index bdf224b0..977d456d 100644 --- a/Makefile +++ b/Makefile 
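Review bot: The new GoSec step pulls the action from a moving branch, `uses: securego/gosec@master`, so every CI run executes whatever that branch currently holds with the checked-out repository and the job's token in scope; pin it to a release tag or, better, a full commit SHA (`uses: securego/gosec@<pinned-commit-sha>  # <release tag>`), and consider the same for `golang/govulncheck-action@v1`. The Codecov upload on the last lines points at `files: ./coverage`, but the test step writes `--coverprofile=coverage.txt`, so the upload will not find the report; it should read `files: ./coverage.txt`. GoVulnCheck is not gated like GoSec (`if: matrix.os == 'ubuntu-latest'`), so it runs once per OS and Go version although its findings are unlikely to differ per OS. The surrounding job definition starts before this hunk.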
@@ -7,27 +7,63 @@ else GOBIN=$(shell go env GOBIN) endif -# LINT is the path to the golangci-lint binary -LINT = $(shell which golangci-lint) +# GOLINT is the path to the golangci-lint binary +GOLINT = $(shell which golangci-lint 2> /dev/null || echo '') + +# GOSEC is the path to the gosec binary +GOSEC = $(shell which gosec 2> /dev/null || echo '') + +# GOVULNCHECK is the path to the govulncheck binary +GOVULNCHECK = $(shell which govulncheck 2> /dev/null || echo '') .PHONY: golangci-lint golangci-lint: -ifeq (, $(LINT)) +ifeq (, $(GOLINT)) ifeq (, $(shell which golangci-lint)) @{ \ set -e ;\ go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest ;\ } - override LINT=$(GOBIN)/golangci-lint + override GOLINT=$(GOBIN)/golangci-lint + else + override GOLINT=$(shell which golangci-lint) + endif +endif + +.PHONY: gosec +gosec: +ifeq (, $(GOSEC)) + ifeq (, $(shell which gosec)) + @{ \ + set -e ;\ + go install github.com/securego/gosec/v2/cmd/gosec@latest ;\ + } + override GOSEC=$(GOBIN)/gosec + else + override GOSEC=$(shell which gosec) + endif +endif + +.PHONY: govulncheck +govulncheck: +ifeq (, $(GOVULNCHECK)) + ifeq (, $(shell which govulncheck)) + @{ \ + set -e ;\ + go install golang.org/x/vuln/cmd/govulncheck@latest ;\ + } + override GOVULNCHECK=$(GOBIN)/govulncheck else - override LINT=$(shell which golangci-lint) + override GOVULNCHECK=$(shell which govulncheck) endif endif .PHONY: verify -verify: golangci-lint - $(LINT) run +verify: golangci-lint gosec govulncheck + $(GOLINT) run + $(GOSEC) ./... + $(GOVULNCHECK) ./... .PHONY: test test: - go test -race --coverprofile=coverage.coverprofile --covermode=atomic -v ./... + go test -race -cover -coverprofile=coverage.coverprofile -covermode=atomic -v ./... \ No newline at end of file
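Review bot: All three bootstrap recipes install their tool with `go install ...@latest`, so a developer's `make verify` runs whatever gosec, govulncheck and golangci-lint version is newest that day, which is neither reproducible nor aligned with CI (which pins golangci-lint to v1.53); pin each one, e.g. `go install github.com/securego/gosec/v2/cmd/gosec@<pinned-version>`, ideally through overridable `?=` version variables. The nested `ifeq (, $(shell which gosec))` inside `ifeq (, $(GOSEC))` repeats the same test, so its `else` branch can never run; the same dead branch exists for `GOVULNCHECK` and the pre-existing `GOLINT` block. Note also that the `test` target writes `coverage.coverprofile` while the CI workflow uploads `coverage.txt`, so the new `.gitignore` entry covers only the local file.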