ci: add CLA check, linting and security scanning (canonical#31)

* ci: add cla-check, lint and security scan workflows

This commit adds the following github workflows:

  - CLA check: Check if Canonical's Contributor License Agreement has
    been signed by the PR author(s).
  - Lint: Ensure fomatting changes using ``gofmt`` and run errcheck,
    unused, staticcheck linters using golangci-lint.
  - Security: Run Trivy vulnerability scanner to check for known
    vulnerabilities.

Co-authored-by: Cristovao Cordeiro <[email protected]>

* refactor: format with ``go fmt ./...``

* refactor: remove unused code

This commit removes unused code (variables, functions etc.) across the
codebase, with a few exceptions. Namely the unused functions from
``log.go`` in various packages are kept for future use. Additionally
the ``addDebugCommand`` function in `cmd/chisel/main.go` is kept too.

* refactor: remove deprecated (imported) packages

The ``io/ioutil`` package has been deprecated since Go 1.19. Usage of
this package have been removed appropriately.

The ``golang.org/x/crypto/ssh/terminal`` package has been deprecated and
moved to ``golang.org/x/term`` package. Usage have been updated likewise.

* refactor: always check errors

* ci: configure linters

This commit adds a config file ``.golangci.yaml`` for the lint workflow.
It removes the previous arguments passed to golangci-lint in favor of
the new configuration file.

---------

Co-authored-by: Cristovao Cordeiro <[email protected]>

.github/workflows/cla-check.yml

@@ -0,0 +1,12 @@
+name: CLA check
+
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  cla-check:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Check if Canonical's Contributor License Agreement has been signed
+        uses: canonical/has-signed-canonical-cla@v1

.github/workflows/lint.yaml

@@ -0,0 +1,29 @@
+name: Lint
+
+on:
+  push:
+    paths-ignore:
+      - '**.md'
+  pull_request:
+    branches: [main]
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version-file: 'go.mod'
+
+      - name: Ensure no formatting changes
+        run: |
+          go fmt ./...
+          git diff --exit-code
+
+      - name: Check bugs and unused code
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: v1.54.1

.github/workflows/security.yaml

@@ -0,0 +1,20 @@
+name: Security
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  scan:
+    name: Scan for known vulnerabilities
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in fs mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'

.golangci.yaml

@@ -0,0 +1,55 @@
+linters:
+  # Disable all linters.
+  # Default: false
+  disable-all: true
+  # Enable specific linter
+  # https://golangci-lint.run/usage/linters/#enabled-by-default
+  enable:
+    - errcheck
+    - staticcheck
+    - unused
+
+issues:
+  exclude-rules:
+    # exclusions for errcheck
+    - path: "^.*/log.go$"
+      text: "globalLogger.Output.*not checked"
+      linters:
+        - errcheck
+    - path: "^.*_test.go$"
+      text: "release.Render.*not checked"
+      linters:
+        - errcheck
+    - path: "^.*_test.go$"
+      text: "release.Walk.*not checked"
+      linters:
+        - errcheck
+    - path: "internal/setup/fetch.go"
+      text: "lockFile.Unlock.*not checked"
+      linters:
+        - errcheck
+    # exclusions for unused
+    # addDebugCommand is an useful function that may be used later
+    - path: "cmd/chisel/main.go"
+      text: "addDebugCommand.*unused"
+      linters:
+        - unused
+    # exclude common (unused) issues from log.go files
+    - path: "^.*/log.go$"
+      text: "logf.*unused"
+      linters:
+        - unused
+    - path: "^.*/log.go$"
+      text: "debugf.*unused"
+      linters:
+        - unused
+    - path: "^.*/log.go$"
+      text: "globalDebug.*unused"
+      linters:
+        - unused
+    - path: "^.*/log.go$"
+      text: "globalLogger.*unused"
+      linters:
+        - unused
+  max-issues-per-linter: 0
+  max-same-issues: 0

cmd/chisel/cmd_cut.go

@@ -4,7 +4,7 @@ import (
 	"github.com/jessevdk/go-flags"
 
 	"fmt"
-	"io/ioutil"
+	"os"
 	"regexp"
 	"strings"
 
@@ -103,8 +103,6 @@ func (cmd *cmdCut) Execute(args []string) error {
 		Archives:  archives,
 		TargetDir: cmd.RootDir,
 	})
-
-	return printVersions()
 }
 
 // TODO These need testing, and maybe moving into a common file.
@@ -120,7 +118,7 @@ func parseReleaseInfo(release string) (label, version string, err error) {
 }
 
 func readReleaseInfo() (label, version string, err error) {
-	data, err := ioutil.ReadFile("/etc/lsb-release")
+	data, err := os.ReadFile("/etc/lsb-release")
 	if err == nil {
 		const labelPrefix = "DISTRIB_ID="
 		const versionPrefix = "DISTRIB_RELEASE="

cmd/chisel/cmd_help.go

@@ -100,9 +100,10 @@ func (w *manfixer) Write(buf []byte) (int, error) {
 
 var tpRegexp = regexp.MustCompile(`(?m)(?:^\.TP\n)+`)
 
-func (w *manfixer) flush() {
+func (w *manfixer) flush() error {
 	str := tpRegexp.ReplaceAllLiteralString(w.Buffer.String(), ".TP\n")
-	io.Copy(Stdout, strings.NewReader(str))
+	_, err := io.Copy(Stdout, strings.NewReader(str))
+	return err
 }
 
 func (cmd cmdHelp) Execute(args []string) error {
@@ -114,8 +115,8 @@ func (cmd cmdHelp) Execute(args []string) error {
 		// subcommand, but --man is hidden so no real need to check.
 		out := &manfixer{}
 		cmd.parser.WriteManPage(out)
-		out.flush()
-		return nil
+		err := out.flush()
+		return err
 	}
 	if cmd.All {
 		if len(cmd.Positional.Subs) > 0 {

cmd/chisel/cmd_version.go

@@ -1,4 +1,3 @@
-
 package main
 
 import (
@@ -14,7 +13,7 @@ var longVersionHelp = `
 The version command displays the versions of the running client and server.
 `
 
-type cmdVersion struct {}
+type cmdVersion struct{}
 
 func init() {
 	addCommand("version", shortVersionHelp, longVersionHelp, func() flags.Commander { return &cmdVersion{} }, nil, nil)

cmd/chisel/main.go

@@ -1,4 +1,3 @@
-
 package main
 
 import (
@@ -11,16 +10,13 @@ import (
 	"unicode/utf8"
 
 	"github.com/jessevdk/go-flags"
-
-	"golang.org/x/crypto/ssh/terminal"
+	"golang.org/x/term"
 
 	"github.com/canonical/chisel/internal/archive"
 	"github.com/canonical/chisel/internal/deb"
 	"github.com/canonical/chisel/internal/setup"
 	"github.com/canonical/chisel/internal/slicer"
-
 	//"github.com/canonical/chisel/internal/logger"
-
 )
 
 var (
@@ -29,16 +25,11 @@ var (
 	Stdout io.Writer = os.Stdout
 	Stderr io.Writer = os.Stderr
 	// overridden for testing
-	ReadPassword = terminal.ReadPassword
+	ReadPassword = term.ReadPassword
 	// set to logger.Panicf in testing
 	//noticef = logger.Noticef
 )
 
-// defaultChiselDir is the Chisel directory used if $CHISEL is not set. It is
-// created by the daemon ("chisel run") if it doesn't exist, and also used by
-// the chisel client.
-const defaultChiselDir = "/var/lib/chisel/default"
-
 type options struct {
 	Version func() `long:"version"`
 }
@@ -164,7 +155,10 @@ func fixupArg(optName string) string {
 // from each other.
 func Parser() *flags.Parser {
 	optionsData.Version = func() {
-		printVersions()
+		err := printVersions()
+		if err != nil {
+			panic(&exitStatus{1})
+		}
 		panic(&exitStatus{0})
 	}
 	flagopts := flags.Options(flags.PassDoubleDash)
@@ -178,7 +172,10 @@ func Parser() *flags.Parser {
 		version.Hidden = true
 	}
 	// add --help like what go-flags would do for us, but hidden
-	addHelp(parser)
+	err := addHelp(parser)
+	if err != nil {
+		debugf("cannot add --help: %v", err)
+	}
 
 	// Add all regular commands
 	for _, c := range commands {
@@ -293,8 +290,8 @@ func Parser() *flags.Parser {
 }
 
 var (
-	isStdinTTY  = terminal.IsTerminal(0)
-	isStdoutTTY = terminal.IsTerminal(1)
+	isStdinTTY  = term.IsTerminal(0)
+	isStdoutTTY = term.IsTerminal(1)
 )
 
 func main() {

cmd/chisel/main_test.go

@@ -5,8 +5,7 @@ import (
 	"os"
 	"testing"
 
-	"golang.org/x/crypto/ssh/terminal"
-
+	"golang.org/x/term"
 	. "gopkg.in/check.v1"
 
 	"github.com/canonical/chisel/cmd"
@@ -20,10 +19,10 @@ func Test(t *testing.T) { TestingT(t) }
 
 type BaseChiselSuite struct {
 	testutil.BaseTest
-	stdin     *bytes.Buffer
-	stdout    *bytes.Buffer
-	stderr    *bytes.Buffer
-	password  string
+	stdin    *bytes.Buffer
+	stdout   *bytes.Buffer
+	stderr   *bytes.Buffer
+	password string
 }
 
 func (s *BaseChiselSuite) readPassword(fd int) ([]byte, error) {
@@ -51,7 +50,7 @@ func (s *BaseChiselSuite) TearDownTest(c *C) {
 	chisel.Stdin = os.Stdin
 	chisel.Stdout = os.Stdout
 	chisel.Stderr = os.Stderr
-	chisel.ReadPassword = terminal.ReadPassword
+	chisel.ReadPassword = term.ReadPassword
 
 	s.BaseTest.TearDownTest(c)
 }
@@ -70,12 +69,6 @@ func (s *BaseChiselSuite) ResetStdStreams() {
 	s.stderr.Reset()
 }
 
-func fakeArgs(args ...string) (restore func()) {
-	old := os.Args
-	os.Args = args
-	return func() { os.Args = old }
-}
-
 func fakeVersion(v string) (restore func()) {
 	old := cmd.Version
 	cmd.Version = v

go.mod

@@ -9,14 +9,13 @@ require (
 	github.com/klauspost/compress v1.15.4
 	github.com/ulikunitz/xz v0.5.10
 	go.starlark.net v0.0.0-20220328144851-d1966c6b9fcd
-	golang.org/x/crypto v0.0.0-20220518034528-6f7dac969898
+	golang.org/x/term v0.12.0
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/yaml.v3 v3.0.0-20220512140231-539c8e751b99
 )
 
 require (
 	github.com/kr/pretty v0.2.1 // indirect
 	github.com/kr/text v0.1.0 // indirect
-	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
-	golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 // indirect
+	golang.org/x/sys v0.12.0 // indirect
 )

go.sum

@@ -42,8 +42,6 @@ github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0o
 go.starlark.net v0.0.0-20220328144851-d1966c6b9fcd h1:Uo/x0Ir5vQJ+683GXB9Ug+4fcjsbp7z7Ul8UaZbhsRM=
 go.starlark.net v0.0.0-20220328144851-d1966c6b9fcd/go.mod h1:t3mmBBPzAVvK0L0n1drDmrQsJ8FoIx4INCqVMTr/Zo0=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20220518034528-6f7dac969898 h1:SLP7Q4Di66FONjDJbCYrCRrh97focO6sLogHO7/g8F0=
-golang.org/x/crypto v0.0.0-20220518034528-6f7dac969898/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -59,12 +57,11 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=