h2non · leknoppix · Sep 29, 2023 · Sep 29, 2023 · Sep 29, 2023 · Sep 29, 2023
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -1,49 +1,44 @@
-# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.217.4/containers/go/.devcontainer/base.Dockerfile
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+#
+# Copyright (c) 2025 sycured
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+#
 
-# [Choice] Go version (use -bullseye variants on local arm64/Apple Silicon): 1, 1.16, 1.17, 1-bullseye, 1.16-bullseye, 1.17-bullseye, 1-buster, 1.16-buster, 1.17-buster
-ARG VARIANT="1.17-bullseye"
-FROM mcr.microsoft.com/vscode/devcontainers/go:0-${VARIANT}
+FROM golang:1.24.4-alpine3.21@sha256:56a23791af0f77c87b049230ead03bd8c3ad41683415ea4595e84ce7eada121a
+ARG GOLANGCILINT_VERSION=2.1.5
+ARG VEGETA_VERSION=12.12.0
 
-# Versions of libvips and golanci-lint
-ARG LIBVIPS_VERSION=8.12.2
-ARG GOLANGCILINT_VERSION=1.29.0
+ENV CGO_ENABLED=1
+ENV GO111MODULE=on
 
-# Install additional OS packages
-RUN DEBIAN_FRONTEND=noninteractive \
-  apt-get update && \
-  apt-get install --no-install-recommends -y \
-  ca-certificates \
-  automake build-essential curl \
-  procps    libopenexr25 libmagickwand-6.q16-6 libpango1.0-0 libmatio11 \
-  libopenslide0 libjemalloc2 gobject-introspection gtk-doc-tools \
-  libglib2.0-0 libglib2.0-dev libjpeg62-turbo libjpeg62-turbo-dev \
-  libpng16-16 libpng-dev libwebp6 libwebpmux3 libwebpdemux2 libwebp-dev \
-  libtiff5 libtiff5-dev libgif7 libgif-dev libexif12 libexif-dev \
-  libxml2 libxml2-dev libpoppler-glib8 libpoppler-glib-dev \
-  swig libmagickwand-dev libpango1.0-dev libmatio-dev libopenslide-dev \
-  libcfitsio9 libcfitsio-dev libgsf-1-114 libgsf-1-dev fftw3 fftw3-dev \
-  liborc-0.4-0 liborc-0.4-dev librsvg2-2 librsvg2-dev libimagequant0 \
-  libimagequant-dev libheif1 libheif-dev && \
-  cd /tmp && \
-  curl -fsSLO https://github.com/libvips/libvips/releases/download/v${LIBVIPS_VERSION}/vips-${LIBVIPS_VERSION}.tar.gz && \
-  tar zvxf vips-${LIBVIPS_VERSION}.tar.gz && \
-  cd /tmp/vips-${LIBVIPS_VERSION} && \
-	CFLAGS="-g -O3" CXXFLAGS="-D_GLIBCXX_USE_CXX11_ABI=0 -g -O3" \
-    ./configure \
-    --disable-debug \
-    --disable-dependency-tracking \
-    --disable-introspection \
-    --disable-static \
-    --enable-gtk-doc-html=no \
-    --enable-gtk-doc=no \
-    --enable-pyvips8=no && \
-  make && \
-  make install && \
-  ldconfig
+RUN addgroup -g 1000 nonroot \
+    && adduser -u 1000 -G nonroot -D nonroot \
+    && apk add --no-cache \
+        bash=5.2.37-r0 \
+        build-base=0.5-r3 \
+        ca-certificates=20241121-r1 \
+        curl=8.12.1-r1 \
+        git=2.47.2-r0 \
+        pkgconf=2.3.0-r0 \
+        vips-dev=8.15.3-r5 \
+    && curl --proto "=https" --tlsv1.2 -fsSL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v${GOLANGCILINT_VERSION} \
+    && cpuarch=$(uname -m) \
+    && [[ $cpuarch == x86_64 ]] && vegeta_arch=amd64 || vegeta_arch=arm \
+    && curl --proto "=https" --tlsv1.2 -fsSLO https://github.com/tsenart/vegeta/releases/download/v${VEGETA_VERSION}/vegeta_${VEGETA_VERSION}_linux_${vegeta_arch}.tar.gz \
+    && tar xf vegeta_${VEGETA_VERSION}_linux_${vegeta_arch}.tar.gz \
+    && install -oroot -groot vegeta /usr/local/bin/vegeta \
+    && rm vegeta_${VEGETA_VERSION}_linux_${vegeta_arch}.tar.gz
 
-# Installing golangci-lint
-RUN curl -fsSL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v${GOLANGCILINT_VERSION}
-
-# [Optional] Uncomment the next lines to use go get to install anything else you need
-# USER vscode
-# RUN go get -x <your-dependency-or-tool>
+WORKDIR /workspace
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -1,40 +1,26 @@
-// For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:
-// https://github.com/microsoft/vscode-dev-containers/tree/v0.217.4/containers/go
 {
 	"name": "Go",
 	"build": {
 		"dockerfile": "Dockerfile",
 		"args": {
-			// Update the VARIANT arg to pick a version of Go: 1, 1.16, 1.17
-			// Append -bullseye or -buster to pin to an OS version.
-			// Use -bullseye variants on local arm64/Apple Silicon.
-			"VARIANT": "1.17-bullseye"
+			"GOLANGCILINT_VERSION": "2.1.5",
+			"VEGETA_VERSION": "12.12.0"
 		}
 	},
 	"runArgs": [ "--cap-add=SYS_PTRACE", "--security-opt", "seccomp=unconfined" ],
 
-	// Set *default* container specific settings.json values on container create.
 	"settings": {
 		"go.toolsManagement.checkForUpdates": "local",
 		"go.useLanguageServer": true,
 		"go.gopath": "/go",
 		"go.goroot": "/usr/local/go"
 	},
 
-	// Add the IDs of extensions you want installed when the container is created.
 	"extensions": [
 		"golang.Go"
 	],
 
-	// Use 'forwardPorts' to make a list of ports inside the container available locally.
 	"forwardPorts": [9000],
 
-	// Use 'postCreateCommand' to run commands after the container is created.
-	// "postCreateCommand": "go version",
-
-	// Comment out to connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
-	"remoteUser": "vscode",
-	"features": {
-		"docker-from-docker": "latest"
-	}
+	"remoteUser": "nonroot"
 }
diff --git a/.dockerignore b/.dockerignore
diff --git a/.editorconfig b/.editorconfig
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+.       @sycured
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,42 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "gomod" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"
+    groups:
+      gomod:
+        patterns:
+          - "*"
+
+  - package-ecosystem: docker
+    directory: /.devcontainer
+    schedule:
+      interval: daily
+    groups:
+      docker:
+        patterns:
+          - "*"
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily
+    groups:
+      docker:
+        patterns:
+          - "*"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,196 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - "**"
+    tags:
+      - "*"
+    paths-ignore:
+      - ".dockerignore"
+      - ".github/CODEOWNERS"
+      - ".github/dependabot.yml"
+      - ".github/workflows/clean-old-runs.yml"
+      - ".github/workflows/codeql.yml"
+      - ".github/workflows/dependency-review.yml"
+      - ".github/workflows/docker.yml"
+      - ".github/workflows/scorecard.yml"
+      - ".gitignore"
+      - ".golangci.toml"
+      - "benchmark.sh"
+      - "History.md"
+      - "LICENSE"
+      - "Makefile"
+      - "README.md"
+      - "SECURITY.md"
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: stable
+      - name: Install dependencies
+        run: |
+          sudo apt-get update && \
+          sudo apt-get dist-upgrade -y && \
+          sudo apt-get install --no-install-recommends -y \
+              automake \
+              build-essential \
+              ca-certificates \
+              curl \
+              gobject-introspection \
+              gtk-doc-tools \
+              libcfitsio-dev \
+              libexif-dev \
+              libfftw3-dev \
+              libgif-dev \
+              libglib2.0-dev \
+              libgsf-1-dev \
+              libheif-dev \
+              libimagequant-dev \
+              libjpeg-turbo8-dev \
+              libmagickwand-dev \
+              libmatio-dev \
+              libopenslide-dev \
+              liborc-0.4-dev \
+              libpango1.0-dev \
+              libpng-dev \
+              libpoppler-glib-dev \
+              librsvg2-dev \
+              libtiff-dev \
+              libvips-dev \
+              libwebp-dev \
+              libxml2-dev \
+              swig
+        env:
+          DEBIAN_FRONTEND: noninteractive
+      - name: Test
+        run: go test ./... -test.v -test.coverprofile=atomic .
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: stable
+      - name: Install dependencies
+        run: |
+          sudo apt update && \
+          sudo apt-get dist-upgrade -y && \
+          sudo apt-get install --no-install-recommends -y \
+              automake \
+              build-essential \
+              ca-certificates \
+              curl \
+              gobject-introspection \
+              gtk-doc-tools \
+              libcfitsio-dev \
+              libexif-dev \
+              libfftw3-dev \
+              libgif-dev \
+              libglib2.0-dev \
+              libgsf-1-dev \
+              libheif-dev \
+              libimagequant-dev \
+              libjpeg-turbo8-dev \
+              libmagickwand-dev \
+              libmatio-dev \
+              libopenslide-dev \
+              liborc-0.4-dev \
+              libpango1.0-dev \
+              libpng-dev \
+              libpoppler-glib-dev \
+              librsvg2-dev \
+              libtiff-dev \
+              libvips-dev \
+              libwebp-dev \
+              libxml2-dev \
+              swig
+        env:
+          DEBIAN_FRONTEND: noninteractive
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        with:
+          args: --timeout=30m --config=.golangci.toml --issues-exit-code=255
+          version: latest
+
+  fuzz:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: stable
+      - name: Install dependencies
+        run: |
+          sudo apt update && \
+          sudo apt-get dist-upgrade -y && \
+          sudo apt-get install --no-install-recommends -y \
+              automake \
+              build-essential \
+              ca-certificates \
+              curl \
+              gobject-introspection \
+              gtk-doc-tools \
+              libcfitsio-dev \
+              libexif-dev \
+              libfftw3-dev \
+              libgif-dev \
+              libglib2.0-dev \
+              libgsf-1-dev \
+              libheif-dev \
+              libimagequant-dev \
+              libjpeg-turbo8-dev \
+              libmagickwand-dev \
+              libmatio-dev \
+              libopenslide-dev \
+              liborc-0.4-dev \
+              libpango1.0-dev \
+              libpng-dev \
+              libpoppler-glib-dev \
+              librsvg2-dev \
+              libtiff-dev \
+              libvips-dev \
+              libwebp-dev \
+              libxml2-dev \
+              swig
+        env:
+          DEBIAN_FRONTEND: noninteractive
+      - name: fuzzing
+        run: ./run-fuzz-tests.sh 15s
+
+  docker:
+    needs:
+      - fuzz
+      - lint
+      - test
+    uses: ./.github/workflows/docker.yml
+    secrets: inherit
+    with:
+      branch: ${{ github.ref_name }}
+      commit: ${{ github.sha }}