From 5a14262f8fe068b0a90f85022bd454a22aacb9aa Mon Sep 17 00:00:00 2001
From: Jay Pipes
Date: Sat, 1 Jun 2024 08:28:55 -0400
Subject: [PATCH] uplift Go and harden Github action workflows
Gets the library to Go 1.21 and uplifts the Github action workflows to use a security-hardened setup that matches github.com/jaypipes/ghw.
Signed-off-by: Jay Pipes
---
.github/workflows/fmtcheck.yml | 35 +++++++++++
.github/workflows/go.yml | 91 ---------------------------
.github/workflows/lint.yml | 40 ++++++++++++
.github/workflows/test.yml | 109 +++++++++++++++++++++++++++++++++
README.md | 2 +-
go.mod | 2 +-
6 files changed, 186 insertions(+), 93 deletions(-)
create mode 100644 .github/workflows/fmtcheck.yml
delete mode 100644 .github/workflows/go.yml
create mode 100644 .github/workflows/lint.yml
create mode 100644 .github/workflows/test.yml
diff --git a/.github/workflows/fmtcheck.yml b/.github/workflows/fmtcheck.yml
new file mode 100644
index 0000000..d1202b6
--- /dev/null
+++ b/.github/workflows/fmtcheck.yml
@@ -0,0 +1,35 @@
+name: fmtcheck
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+permissions:
+ contents: read
+
+jobs:
+ fmtcheck:
+ runs-on: ubuntu-latest
+ steps:
+ - name: harden runner
+ uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+ with:
+ egress-policy: block
+ disable-sudo: true
+ allowed-endpoints: >
+ github.com:443
+ api.github.com:443
+ proxy.github.com:443
+ raw.githubusercontent.com:443
+ objects.githubusercontent.com:443
+ - name: checkout code
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ - name: setup go
+ uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+ with:
+ go-version: 1.21
+ - name: check fmt
+ run: 'bash -c "diff -u <(echo -n) <(gofmt -d .)"'
+
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
deleted file mode 100644
index 5ed3614..0000000
--- a/.github/workflows/go.yml
+++ /dev/null
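Review bot: In fmtcheck.yml the `checkout code` step keeps actions/checkout's default of persisting the job token in the checkout's git config, where the later `setup go` and `check fmt` steps can read it; adding `with:` and `persist-credentials: false` to that step removes it, and the same applies to the checkout steps in lint.yml and test.yml. The read-only `permissions:` block already limits what the token can do, so this is defence in depth. Separately, `diff -u <(echo -n) <(gofmt -d .)` discards gofmt's exit status, so a file gofmt cannot parse prints an error yet the step still passes; `run: 'out="$(gofmt -l .)" && test -z "$out"'` fails in both cases.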
@@ -1,91 +0,0 @@
-name: CI tests
-
-on:
- push:
- branches: [ main ]
- pull_request:
- branches: [ main ]
-
-# see: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners
-jobs:
- # tier 0: system-independent checks
- format:
- runs-on: ubuntu-20.04
- steps:
- - uses: actions/checkout@v2
- with:
- fetch-depth: 0
-
- - name: set up golang
- uses: actions/setup-go@v2
- with:
- go-version: 1.17
-
- - name: format
- run: ./hack/check-format.sh
-
- lint:
- runs-on: ubuntu-20.04
- steps:
- - name: Check out code
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
-
- - name: Verify
- uses: golangci/golangci-lint-action@v2
- with:
- version: v1.41.1
- args: --timeout=15m0s --verbose
-
- build-ubuntu-2004:
- runs-on: ubuntu-20.04
- strategy:
- matrix:
- go: [ '1.15', '1.16', '1.17' ]
- steps:
- - uses: actions/checkout@v2
- with:
- fetch-depth: 0
-
- - name: set up go
- uses: actions/setup-go@v2
- with:
- go-version: ${{ matrix.go }}
-
- - name: run unit-tests
- run: go test -v ./...
-
- build-windows-2019:
- runs-on: windows-2019
- strategy:
- matrix:
- go: [ '1.16' ]
- steps:
- - uses: actions/checkout@v2
-
- - name: set up go
- uses: actions/setup-go@v2
- with:
- go-version: ${{ matrix.go }}
-
- - name: run unit-tests
- env:
- PCIDB_ENABLE_NETWORK_FETCH: "1"
- run: go test -v ./...
-
- build-macos-1015:
- runs-on: macos-10.15
- strategy:
- matrix:
- go: [ '1.16' ]
- steps:
- - uses: actions/checkout@v2
-
- - name: set up go
- uses: actions/setup-go@v2
- with:
- go-version: ${{ matrix.go }}
-
- - name: run unit-tests
- run: go test -v ./...
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..3b8af08
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,40 @@
+name: lint
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+permissions:
+ contents: read
+ pull-requests: read # needed for only-new-issues option below
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - name: harden runner
+ uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+ with:
+ egress-policy: block
+ disable-sudo: true
+ allowed-endpoints: >
+ github.com:443
+ api.github.com:443
+ proxy.github.com:443
+ raw.githubusercontent.com:443
+ objects.githubusercontent.com:443
+ - name: checkout code
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ - name: setup go
+ uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+ with:
+ go-version: 1.21
+ - name: lint
+ uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0
+ with:
+ version: v1.53
+ args: --timeout=5m0s --verbose
+ only-new-issues: true
+
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..369f99b
--- /dev/null
+++ b/.github/workflows/test.yml
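Review bot: lint.yml's `allowed-endpoints` list leaves out `proxy.golang.org:443`, which all three jobs in test.yml allow; with `egress-policy: block`, golangci-lint presumably still has to resolve the module required in go.mod before it can type-check, so the job would depend on a warm cache. Either add the proxy to this list or add a comment saying why lint does not need it. `go-version: 1.21` is also an unquoted YAML number here and in fmtcheck.yml, while the test.yml matrix quotes its versions; `go-version: '1.21'` avoids a later value such as 1.30 being read as 1.3.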
@@ -0,0 +1,109 @@
+name: test
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+permissions:
+ contents: read
+
+# see: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners
+jobs:
+ ubuntu-latest:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ go: [ '1.19', '1.20', '1.21' ]
+ steps:
+ - name: harden runner
+ uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+ with:
+ egress-policy: block
+ disable-sudo: true
+ allowed-endpoints: >
+ github.com:443
+ api.github.com:443
+ proxy.github.com:443
+ proxy.golang.org:443
+ raw.githubusercontent.com:443
+ objects.githubusercontent.com:443
+ - name: checkout code
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ with:
+ fetch-depth: 0
+ - name: setup go
+ uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+ with:
+ go-version: ${{ matrix.go }}
+ - name: run unit-tests
+ run: go test -v ./...
+
+ windows-latest:
+ runs-on: windows-latest
+ strategy:
+ matrix:
+ # NOTE(jaypipes): Only running on a single Go version because we fetch
+ # the pciids file from the Internet on Windows and don't want to
+ # overload pciids.cz
+ go: [ '1.21' ]
+ steps:
+ - name: harden runner
+ uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+ with:
+ egress-policy: block
+ disable-sudo: true
+ allowed-endpoints: >
+ github.com:443
+ api.github.com:443
+ proxy.github.com:443
+ proxy.golang.org:443
+ raw.githubusercontent.com:443
+ objects.githubusercontent.com:443
+ - name: checkout code
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ with:
+ fetch-depth: 0
+ - name: setup go
+ uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+ with:
+ go-version: ${{ matrix.go }}
+ - name: run unit-tests
+ env:
+ PCIDB_ENABLE_NETWORK_FETCH: "1"
+ run: go test -v ./...
+
+ macos-latest:
+ runs-on: macos-latest
+ strategy:
+ matrix:
+ # NOTE(jaypipes): Only running on a single Go version because we fetch
+ # the pciids file from the Internet on MacOS and don't want to
+ # overload pciids.cz
+ go: [ '1.21' ]
+ steps:
+ - name: harden runner
+ uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+ with:
+ egress-policy: block
+ disable-sudo: true
+ allowed-endpoints: >
+ github.com:443
+ api.github.com:443
+ proxy.github.com:443
+ proxy.golang.org:443
+ raw.githubusercontent.com:443
+ objects.githubusercontent.com:443
+ - name: checkout code
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ with:
+ fetch-depth: 0
+ - name: setup go
+ uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+ with:
+ go-version: ${{ matrix.go }}
+ - name: run unit-tests
+ run: go test -v ./...
+ env:
+ PCIDB_ENABLE_NETWORK_FETCH: "1"
diff --git a/README.md b/README.md
index ddfcde6..27485dc 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@ # `pcidb` - the Golang PCI DB library -[![Build Status](https://github.com/jaypipes/pcidb/actions/workflows/go.yml/badge.svg?branch=main)](https://github.com/jaypipes/pcidb/actions) +[![Build Status](https://github.com/jaypipes/pcidb/actions/workflows/test.yml/badge.svg?branch=main)](https://github.com/jaypipes/pcidb/actions) [![Go Report Card](https://goreportcard.com/badge/github.com/jaypipes/pcidb)](https://goreportcard.com/report/github.com/jaypipes/pcidb) [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](CODE_OF_CONDUCT.md)
diff --git a/go.mod b/go.mod
index 387a6a1..881259c 100644
--- a/go.mod
+++ b/go.mod
@@ -1,5 +1,5 @@ module github.com/jaypipes/pcidb -go 1.17 +go 1.21 require github.com/mitchellh/go-homedir v1.0.0
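Review bot: The `harden runner` step in the `windows-latest` and `macos-latest` jobs of test.yml probably enforces nothing: as far as I know harden-runner v2.4.1 applies `egress-policy: block` and `disable-sudo` only on Linux runners, so it is worth confirming before relying on it. Those are also the two jobs that set `PCIDB_ENABLE_NETWORK_FETCH: "1"` and, per their comments, download the pciids file, yet the download host is not in `allowed-endpoints`, so the list does not describe the traffic these jobs actually produce. I would either drop the step from the non-Linux jobs or keep it with a comment such as `# harden-runner does not enforce egress on this runner OS; the pci.ids fetch below is unrestricted`. If enforcement ever becomes available there, the fetch host has to be added to the list or the tests will fail.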