diff --git a/.dockerignore b/.dockerignore index e301cd3..c44a8b8 100644 --- a/.dockerignore +++ b/.dockerignore @@ -10,3 +10,5 @@ vendor/ *.local .env .github/ +dist/ +uptop diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index bf0eedd..2115da6 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -65,7 +65,7 @@ jobs: go-version: "1.26" - name: Install govulncheck - run: go install golang.org/x/vuln/cmd/govulncheck@latest + run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 - name: Run govulncheck run: govulncheck ./... diff --git a/.gitea/workflows/release-binaries.yml b/.gitea/workflows/release-binaries.yml index 88430f9..41bf0a3 100644 --- a/.gitea/workflows/release-binaries.yml +++ b/.gitea/workflows/release-binaries.yml @@ -33,8 +33,8 @@ jobs: - name: Install git-cliff run: | - apk add --no-cache curl jq - VERSION=$(curl -sS https://api.github.com/repos/orhun/git-cliff/releases/latest | jq -r '.tag_name' | sed 's/^v//') + apk add --no-cache curl + VERSION=2.13.1 curl -sSL "https://github.com/orhun/git-cliff/releases/download/v${VERSION}/git-cliff-${VERSION}-x86_64-unknown-linux-musl.tar.gz" | tar xz -C /tmp mv /tmp/git-cliff-*/git-cliff /usr/local/bin/ git-cliff --version diff --git a/.gitea/workflows/release-docker.yml b/.gitea/workflows/release-docker.yml index 50d9421..d535c64 100644 --- a/.gitea/workflows/release-docker.yml +++ b/.gitea/workflows/release-docker.yml @@ -31,6 +31,13 @@ jobs: fi echo "tag=$TAG" >> "$GITHUB_OUTPUT" + TAGS="lerkolabs/uptop:${TAG}" + TAGS="${TAGS},lerkolabs/uptop:sha-${SHORT_SHA}" + if [ "${{ github.ref_type }}" = "tag" ]; then + TAGS="${TAGS},lerkolabs/uptop:latest" + fi + echo "tags=$TAGS" >> "$GITHUB_OUTPUT" + - name: Set up QEMU uses: docker/setup-qemu-action@v3 @@ -51,10 +58,7 @@ jobs: platforms: linux/amd64,linux/arm64 sbom: true provenance: mode=max - tags: | - lerkolabs/uptop:${{ steps.meta.outputs.tag }} - lerkolabs/uptop:latest - lerkolabs/uptop:sha-${{ steps.meta.outputs.short_sha }} + tags: ${{ steps.meta.outputs.tags }} build-args: | VERSION=${{ steps.meta.outputs.tag }} COMMIT=${{ github.sha }} @@ -62,8 +66,8 @@ jobs: - name: Scan image for CVEs run: | - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin - grype lerkolabs/uptop:${{ steps.meta.outputs.tag }} --fail-on critical --output table || echo "::warning::CVE scan found critical issues — review output above" + curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.114.0 + grype lerkolabs/uptop:${{ steps.meta.outputs.tag }} --fail-on critical --output table - name: Update Docker Hub description uses: peter-evans/dockerhub-description@v4 diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 20f139c..138e263 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -10,7 +10,7 @@ release: name: uptop builds: - - main: ./cmd/uptop/main.go + - main: ./cmd/uptop binary: uptop env: - CGO_ENABLED=1 diff --git a/.grype.yaml b/.grype.yaml new file mode 100644 index 0000000..e145053 --- /dev/null +++ b/.grype.yaml @@ -0,0 +1,6 @@ +ignore: + # CVE-2026-41589: SCP path traversal in charmbracelet/wish. + # We only import wish/bubbletea for the SSH TUI server — the vulnerable + # scp.Middleware / scp.NewFileSystemHandler symbols are never compiled in. + # No fix available for wish v1; v2 (charm.land/wish/v2) patched in 2.0.1. + - vulnerability: CVE-2026-41589 diff --git a/Dockerfile b/Dockerfile index 5544ce8..8d88713 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,7 +12,7 @@ ARG COMMIT=none ARG BUILD_DATE=unknown RUN --mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target=/root/.cache/go-build \ - go build -trimpath -ldflags="-s -w -X main.version=${VERSION} -X main.commit=${COMMIT} -X main.date=${BUILD_DATE}" -o uptop ./cmd/uptop/main.go + go build -trimpath -ldflags="-s -w -X main.version=${VERSION} -X main.commit=${COMMIT} -X main.date=${BUILD_DATE}" -o uptop ./cmd/uptop # --- Stage 2: Runner --- FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11