From b502f31d6524eb1caa559afe1429aebb8ff95aa0 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Tue, 27 Aug 2024 11:23:17 +0800
Subject: [PATCH 1/9] chore: add dependabot configuration
---
 .github/dependabot.yaml | 44 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 .github/dependabot.yaml
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 00000000..c344a506
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,44 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+ commit-message:
+ prefix: chore
+ include: scope
+ directory: /
+ schedule:
+ interval: monthly
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+- package-ecosystem: docker
+ commit-message:
+ prefix: chore
+ include: scope
+ directory: /
+ schedule:
+ interval: monthly
+ groups:
+ docker:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+- package-ecosystem: gomod
+ commit-message:
+ prefix: chore
+ include: scope
+ directory: /
+ schedule:
+ interval: monthly
+ groups:
+ gomod:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
From 690bc920b653e5fc1c4183b8339887b43b0ba5ec Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Tue, 27 Aug 2024 15:23:48 +0800
Subject: [PATCH 2/9] chore: enable dependency review
---
 .github/dependency-review-config.yaml | 20 ++++++++++++++++++++
 .github/workflows/dependency-review.yaml | 16 ++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 .github/dependency-review-config.yaml
 create mode 100644 .github/workflows/dependency-review.yaml
diff --git a/.github/dependency-review-config.yaml b/.github/dependency-review-config.yaml
new file mode 100644
index 00000000..08389a1e
--- /dev/null
+++ b/.github/dependency-review-config.yaml
@@ -0,0 +1,20 @@
+# https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
+allow-licenses:
+- 'Apache-2.0'
+- 'BSD-2-Clause'
+- 'BSD-2-Clause-FreeBSD'
+- 'BSD-3-Clause'
+- 'ISC'
+- 'MIT'
+- 'PostgreSQL'
+- 'Python-2.0'
+- 'X11'
+- 'Zlib'
+
+allow-dependencies-licenses:
+# this action is GPL-3 but it is only used in CI
+# https://github.com/actions/dependency-review-action/issues/530#issuecomment-1638291806
+- pkg:githubactions/vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787
+# this package is MPL-2.0 and has a CNCF exception
+# https://github.com/cncf/foundation/blob/9b8c9173c2101c1b4aedad3caf2c0128715133f6/license-exceptions/cncf-exceptions-2022-04-12.json#L43C17-L43C47
+- pkg:golang/github.com/go-sql-driver/mysql
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
new file mode 100644
index 00000000..86d7a9ec
--- /dev/null
+++ b/.github/workflows/dependency-review.yaml
@@ -0,0 +1,16 @@
+name: dependency review
+on:
+ pull_request:
+ branches:
+ - main
+permissions: {}
+jobs:
+ dependency-review:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+ with:
+ config-file: .github/dependency-review-config.yaml
From 6f13e4c4582ddfb783a8e0a4587434aeffde4e0a Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Tue, 27 Aug 2024 15:34:10 +0800
Subject: [PATCH 3/9] chore: enable the ossf security analysis
---
 .github/workflows/ossf-analysis.yaml | 31 ++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .github/workflows/ossf-analysis.yaml
diff --git a/.github/workflows/ossf-analysis.yaml b/.github/workflows/ossf-analysis.yaml
new file mode 100644
index 00000000..655b3f41
--- /dev/null
+++ b/.github/workflows/ossf-analysis.yaml
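Review bot: The `allow-dependencies-licenses` exemption for `pkg:githubactions/vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787` is keyed to a commit this repository does not use: the coverage workflow added in PATCH 5/9 references `vladopajic/go-test-coverage@1079cd4e58dda229c04ffdb6324fc3756b8542ff # v2.10.1`, so the exemption presumably will not match and the GPL-3 action will still fail dependency review, and it would need re-keying on every dependabot bump. Key the exemption to the SHA the workflow actually uses, or, if the action accepts an unversioned purl, drop the `@…` suffix so the exemption survives bumps; confirm the matching rule against the dependency-review-action documentation. The reasoning comment above the entry is good and should stay with whichever form is chosen.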
@@ -0,0 +1,31 @@
+name: OSSF scorecard
+on:
+ push:
+ branches:
+ - main
+permissions: {}
+jobs:
+ ossf-scorecard-analysis:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ # Needed if using Code scanning alerts
+ security-events: write
+ # Needed for GitHub OIDC token if publish_results is true
+ id-token: write
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Run analysis
+ uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # Publish the results for public repositories to enable scorecard badges. For more details, see
+ # https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories, `publish_results` will automatically be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+ - name: Upload SARIF results to code scanning
+ uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
+ with:
+ sarif_file: results.sarif
From 3a2b5cbada62114e3429ed5a7ed46e344500b2be Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Tue, 27 Aug 2024 15:51:54 +0800
Subject: [PATCH 4/9] chore: add badges to README
---
 README.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/README.md b/README.md
index 35eaa81f..67847158 100644
--- a/README.md
+++ b/README.md
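Review bot: The scorecard job is triggered only by pushes to `main` (the `on:` block at the top of the hunk), so the published score and the badge added to the README in PATCH 4/9 refresh only when a commit lands; a quiet repository keeps reporting a stale result while its pinned actions and module dependencies age and new advisories appear. The scorecard-action documentation recommends a periodic run as well, so consider adding a `schedule:` trigger with a weekly `cron:` entry under `on:` alongside `push:`. The `security-events: write` and `id-token: write` grants are scoped to the job, with an empty top-level `permissions: {}`, and each has a comment explaining why it is needed, which is the right shape.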
@@ -1,5 +1,12 @@
 ## Lagoon CLI
+[![Go Reference](https://pkg.go.dev/badge/github.com/uselagoon/lagoon-cli.svg)](https://pkg.go.dev/github.com/uselagoon/lagoon-cli)
+[![Release](https://github.com/uselagoon/lagoon-cli/actions/workflows/goreleaser.yaml/badge.svg)](https://github.com/uselagoon/lagoon-cli/actions/workflows/goreleaser.yaml)
+[![coverage](https://raw.githubusercontent.com/uselagoon/lagoon-cli/badges/.badges/main/coverage.svg)](https://github.com/uselagoon/lagoon-cli/actions/workflows/coverage.yaml)
+[![Go Report Card](https://goreportcard.com/badge/github.com/uselagoon/lagoon-cli)](https://goreportcard.com/report/github.com/uselagoon/lagoon-cli)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/uselagoon/lagoon-cli/badge)](https://securityscorecards.dev/viewer/?uri=github.com/uselagoon/lagoon-cli)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9386/badge)](https://www.bestpractices.dev/projects/9386)
+
 This is a CLI for interacting with a [Lagoon](https://github.com/uselagoon/lagoon) instance. By default, it is configured
From b085defaaf3415607c074162d1c3913c2f847148 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Tue, 27 Aug 2024 17:03:57 +0800
Subject: [PATCH 5/9] chore: add coverage workflow
---
 .github/workflows/coverage.yaml | 29 +++++++++++++++++++++++++++++
 .gitignore | 19 ++++---------------
 2 files changed, 33 insertions(+), 15 deletions(-)
 create mode 100644 .github/workflows/coverage.yaml
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
new file mode 100644
index 00000000..2901dead
--- /dev/null
+++ b/.github/workflows/coverage.yaml
@@ -0,0 +1,29 @@
+name: coverage
+on:
+ push:
+ branches:
+ - main
+permissions: {}
+jobs:
+ coverage:
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ with:
+ go-version: stable
+ - name: Calculate coverage
+ run: |
+ go test -v -covermode=atomic -coverprofile=cover.out.raw -coverpkg=./... ./...
+ # remove generated code from coverage calculation
+ grep -Ev 'internal/mock|_enumer.go' cover.out.raw > cover.out
+ - name: Generage coverage badge
+ uses: vladopajic/go-test-coverage@1079cd4e58dda229c04ffdb6324fc3756b8542ff # v2.10.1
+ with:
+ profile: cover.out
+ local-prefix: github.com/${{ github.repository }}
+ git-token: ${{ secrets.GITHUB_TOKEN }}
+ # orphan branch for storing badges
+ git-branch: badges
diff --git a/.gitignore b/.gitignore
index 84f7e26b..7e275b7b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,15 +1,4 @@
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-
-# Test binary, built with `go test -c`
-*.test
-
-/vendor
-/.idea
-site/
-
-/builds/lagoon-cli-*
+/dist
+/cover.out
+/cover.out.raw
+/sbom.spdx.json
From 25011c3b827156020ae6aa28ef3f75d8eeb7bb7c Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Tue, 27 Aug 2024 17:05:13 +0800
Subject: [PATCH 6/9] chore: add go and actions linters
---
 .github/workflows/lint.yaml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 .github/workflows/lint.yaml
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
new file mode 100644
index 00000000..471ba565
--- /dev/null
+++ b/.github/workflows/lint.yaml
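Review bot: `go-version: stable` under the setup-go step floats with whatever Go release is current, while the release workflow pins `go-version: 1.21` (visible in the PATCH 9/9 hunk), so the coverage run — and the lint run in PATCH 6/9, which uses the same `stable` — can silently execute on a different toolchain than the one that builds the shipped binary. `go-version-file: go.mod` in all three workflows keeps CI on the module's declared toolchain and makes `go.mod` the single place to bump it. The job-scoped `contents: write` is needed to push to the `badges` branch and is kept off the other steps by the top-level `permissions: {}`, which is fine; a short comment next to it saying it exists only for the badge push would help a future reviewer. Unrelated to behaviour, the step name `Generage coverage badge` has a typo (`Generate`).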
@@ -0,0 +1,28 @@
+name: lint
+on:
+ pull_request:
+ branches:
+ - main
+permissions: {}
+jobs:
+ lint-go:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+ with:
+ go-version: stable
+ - uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
+ with:
+ args: --timeout=180s --enable gocritic
+ lint-actions:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: docker://rhysd/actionlint:1.7.0@sha256:601d6faeefa07683a4a79f756f430a1850b34d575d734b1d1324692202bf312e # v1.7.0
+ with:
+ args: -color
From 656b2a6504682ce9ccd3c0643652381632b0f1a7 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Tue, 27 Aug 2024 17:14:57 +0800
Subject: [PATCH 7/9] chore: add SBOM generation and release attestation
---
 .github/workflows/release.yaml | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 21f08e8d..34c0759f 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,7 +3,7 @@ name: Release CLI on: push: tags:
- - 'v*.*.*'
+ - 'v*.*.*'
 jobs: release:
@@ -29,9 +29,23 @@ jobs: # create the archived versions and remove anything not required for the release rm ./builds/README.md ./builds/release_template.md for BUILD in $(ls builds); do tar --transform="flags=r;s|${BUILD}|lagoon|" -czf builds/${BUILD}.tar.gz -C builds ${BUILD}; done
+ - name: Generate SBOM from Github API
+ uses: advanced-security/sbom-generator-action@375dee8e6144d9fd0ec1f5667b4f6fb4faacefed # v0.0.1
+ id: sbom
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Move SBOM to avoid dirty git
+ run: mv "$GITHUB_SBOM_PATH" ./sbom.spdx.json
+ env:
+ GITHUB_SBOM_PATH: ${{ steps.sbom.outputs.fileName }}
 - name: Create GitHub Release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') with: files: |
- builds/*
\ No newline at end of file
+ builds/*
+ sbom.spdx.json
+ - name: Attest build provenance
+ uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
+ with:
+ subject-path: "builds/*"
From 327d3226bff2830ea923060be6c6d15b8b86eba6 Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Thu, 24 Oct 2024 15:53:40 +1100
Subject: [PATCH 8/9] chore: fix path error in legacy app
---
 pkg/app/app.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/app/app.go b/pkg/app/app.go
index 5a21e15f..eef4f5c2 100644
--- a/pkg/app/app.go
+++ b/pkg/app/app.go
@@ -98,7 +98,7 @@ func findLocalProjectRoot(path string) (string, error) { return path, nil } }
- return "", fmt.Errorf("no %s file was found in this directory or any parent", filepath.Join(".lagoon.yml"))
+ return "", fmt.Errorf("no .lagoon.yml file was found in this directory or any parent")
 } // FileExists checks a file's existence
From 0ce8f89adf3cd65564384ac5a4c2757c32f4e68a Mon Sep 17 00:00:00 2001
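Review bot: The new `actions/attest-build-provenance` step requires `id-token: write` and `attestations: write` on the job, but neither this hunk nor the PATCH 9/9 hunk covering lines 10–20 of the same file shows a `permissions:` block for the `release` job; unless one sits in the two lines above the `on:` block, the attest step will fail at runtime, and the job is otherwise running with the repository's default token permissions. Add a job-level `permissions:` with `contents: write` (for the release upload), `id-token: write` and `attestations: write`, plus a top-level `permissions: {}` as the other workflows in this series do. In the same hunk `softprops/action-gh-release@v1` is now the only action referenced by a mutable tag while the new SBOM and attestation steps are SHA-pinned with a version comment; pinning it the same way keeps the OSSF Pinned-Dependencies check enabled in PATCH 3/9 clean for the job that signs the artifacts. The `release` job and its `steps:` list begin outside the hunk.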
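Review bot: The replacement line passes a constant message with no format verbs to `fmt.Errorf`; the idiomatic form for a fixed message is `return "", errors.New("no .lagoon.yml file was found in this directory or any parent")`, which also makes clear to a reader that nothing is interpolated. That needs `errors` in the file's import block, which is outside the hunk, and since the patch builds, `filepath` is presumably still used elsewhere in `findLocalProjectRoot` or the file. The function starts above the hunk.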
From: Toby Bellwood
Date: Thu, 24 Oct 2024 16:43:01 +1100
Subject: [PATCH 9/9] chore: stop shellcheck linting actions
---
 .github/workflows/lint.yaml | 2 +-
 .github/workflows/release.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 471ba565..e13c0afe 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -25,4 +25,4 @@ jobs: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: docker://rhysd/actionlint:1.7.0@sha256:601d6faeefa07683a4a79f756f430a1850b34d575d734b1d1324692202bf312e # v1.7.0 with:
- args: -color
+ args: -color -shellcheck=
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 34c0759f..5cec1a15 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,11 +10,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 with: fetch-depth: "0" - name: Set up Go
- uses: actions/setup-go@v2
+ uses: actions/setup-go@v4
 with: go-version: 1.21 - name: Build CLI
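Review bot: `-shellcheck=` switches off actionlint's shellcheck pass for every `run:` script in every workflow, not only the one that prompted the change; the release workflow's `for BUILD in $(ls builds); do …` loop visible in the PATCH 7/9 hunk is the kind of construct that pass exists to flag. If one finding is noisy, a `# shellcheck disable=SC<code placeholder>` directive on the offending script line keeps the check on everywhere else. At minimum, a YAML comment above the `args:` line recording why shellcheck is disabled would spare the next reader from reverse-engineering the decision from git history.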
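Review bot: The bumps move to the mutable tags `actions/checkout@v4` and `actions/setup-go@v4`, whereas every other workflow in this series references the same actions by commit with a version comment (`actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7` and `actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2`); reusing those refs here keeps the release job, which produces the signed attestations, consistent with the rest, satisfies the scorecard Pinned-Dependencies check, and the `github-actions` dependabot entry from PATCH 1/9 will keep the SHAs current. The context line `go-version: 1.21` is an unquoted YAML scalar, which is fragile because a value such as `1.20` would be read as the number `1.2`; `go-version: "1.21"` or `go-version-file: go.mod` avoids that. The enclosing `release` job begins above the hunk.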