ci: harden release pipeline and pin tooling

Un-neuter grype CVE gate (was || echo, now fails on critical). Add .grype.yaml with ignore for CVE-2026-41589 (wish SCP — unreachable, we only import wish/bubbletea). Pin: grype v0.114.0, git-cliff v2.13.1, govulncheck v1.1.4. Tag `latest` only on tag push, not workflow_dispatch. Build path ./cmd/uptop (survives a main.go split). Add dist/ and uptop to .dockerignore.
2026-06-11 13:03:53 -04:00
parent 92efb8e270
commit d1ab842283
7 changed files with 23 additions and 11 deletions
@@ -10,3 +10,5 @@ vendor/
 *.local
 .env
 .github/
+dist/
+uptop
@@ -65,7 +65,7 @@ jobs:
          go-version: "1.26"

      - name: Install govulncheck
-        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+        run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4

      - name: Run govulncheck
        run: govulncheck ./...
@@ -33,8 +33,8 @@ jobs:

      - name: Install git-cliff
        run: |
-          apk add --no-cache curl jq
-          VERSION=$(curl -sS https://api.github.com/repos/orhun/git-cliff/releases/latest | jq -r '.tag_name' | sed 's/^v//')
+          apk add --no-cache curl
+          VERSION=2.13.1
          curl -sSL "https://github.com/orhun/git-cliff/releases/download/v${VERSION}/git-cliff-${VERSION}-x86_64-unknown-linux-musl.tar.gz" | tar xz -C /tmp
          mv /tmp/git-cliff-*/git-cliff /usr/local/bin/
          git-cliff --version
@@ -31,6 +31,13 @@ jobs:
          fi
          echo "tag=$TAG" >> "$GITHUB_OUTPUT"

+          TAGS="lerkolabs/uptop:${TAG}"
+          TAGS="${TAGS},lerkolabs/uptop:sha-${SHORT_SHA}"
+          if [ "${{ github.ref_type }}" = "tag" ]; then
+            TAGS="${TAGS},lerkolabs/uptop:latest"
+          fi
+          echo "tags=$TAGS" >> "$GITHUB_OUTPUT"
+
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

@@ -51,10 +58,7 @@ jobs:
          platforms: linux/amd64,linux/arm64
          sbom: true
          provenance: mode=max
-          tags: |
-            lerkolabs/uptop:${{ steps.meta.outputs.tag }}
-            lerkolabs/uptop:latest
-            lerkolabs/uptop:sha-${{ steps.meta.outputs.short_sha }}
+          tags: ${{ steps.meta.outputs.tags }}
          build-args: |
            VERSION=${{ steps.meta.outputs.tag }}
            COMMIT=${{ github.sha }}
@@ -62,8 +66,8 @@ jobs:

      - name: Scan image for CVEs
        run: |
-          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
-          grype lerkolabs/uptop:${{ steps.meta.outputs.tag }} --fail-on critical --output table || echo "::warning::CVE scan found critical issues — review output above"
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.114.0
+          grype lerkolabs/uptop:${{ steps.meta.outputs.tag }} --fail-on critical --output table

      - name: Update Docker Hub description
        uses: peter-evans/dockerhub-description@v4
@@ -10,7 +10,7 @@ release:
    name: uptop

 builds:
-  - main: ./cmd/uptop/main.go
+  - main: ./cmd/uptop
    binary: uptop
    env:
      - CGO_ENABLED=1
@@ -0,0 +1,6 @@
+ignore:
+  # CVE-2026-41589: SCP path traversal in charmbracelet/wish.
+  # We only import wish/bubbletea for the SSH TUI server — the vulnerable
+  # scp.Middleware / scp.NewFileSystemHandler symbols are never compiled in.
+  # No fix available for wish v1; v2 (charm.land/wish/v2) patched in 2.0.1.
+  - vulnerability: CVE-2026-41589
@@ -12,7 +12,7 @@ ARG COMMIT=none
 ARG BUILD_DATE=unknown
 RUN --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
-    go build -trimpath -ldflags="-s -w -X main.version=${VERSION} -X main.commit=${COMMIT} -X main.date=${BUILD_DATE}" -o uptop ./cmd/uptop/main.go
+    go build -trimpath -ldflags="-s -w -X main.version=${VERSION} -X main.commit=${COMMIT} -X main.date=${BUILD_DATE}" -o uptop ./cmd/uptop

 # --- Stage 2: Runner ---
 FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11