[pull] master from zalando:master

.clusterfuzzlite/Dockerfile

@@ -0,0 +1,6 @@
+FROM gcr.io/oss-fuzz-base/base-builder-go@sha256:41601fc0fe28208aa765cdfa45e9d194b6e1e6447be4bf8efd3ccaca67373180
+
+COPY . $SRC/skipper
+COPY ./.clusterfuzzlite/build.sh $SRC/
+
+WORKDIR $SRC/skipper

.clusterfuzzlite/build.sh

@@ -0,0 +1,24 @@
+#!/bin/bash -eu
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+for target in $(find $SRC/skipper/fuzz/fuzz_targets -name 'Fuzz*.go'); do
+        target_basename=$(basename -s .go $target)
+
+        compile_go_fuzzer github.com/zalando/skipper/fuzz/fuzz_targets $target_basename $target_basename gofuzz
+done
+
+mv $SRC/skipper/fuzz/dictionaries/*.dict $OUT/

.clusterfuzzlite/project.yaml

@@ -0,0 +1,5 @@
+language: go
+fuzzing_engines:
+  - libfuzzer
+sanitizers:
+  - address

.github/dependabot.yml

@@ -0,0 +1,36 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# * https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+# * https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      all-go-mod-patch-and-minor:
+        patterns: ["*"]
+        update-types: ["patch", "minor"]
+    ignore:
+      - dependency-name: "github.com/open-policy-agent/opa"
+      - dependency-name: "github.com/open-policy-agent/opa-envoy-plugin"
+      - dependency-name: "github.com/envoyproxy/go-control-plane"
+  - package-ecosystem: "github-actions"
+    directory: "/" # For GitHub Actions, set the directory to / to check for workflow files in .github/workflows
+    schedule:
+      interval: "weekly"
+  # Keep Docker dependencies up to date
+  - package-ecosystem: "docker"
+    directory: "/packaging"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "docker"
+    directory: "/fuzz"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "docker"
+    directory: "/.clusterfuzzlite"
+    schedule:
+      interval: "weekly"

.github/workflows/cflite_pr.yaml

@@ -0,0 +1,35 @@
+name: ClusterFuzzLite PR fuzzing
+on:
+  pull_request:
+    paths:
+      - '**'
+permissions: read-all
+jobs:
+  PR:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
+      cancel-in-progress: true
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer:
+        - address
+    steps:
+    - name: Build Fuzzers (${{ matrix.sanitizer }})
+      id: build
+      uses: google/clusterfuzzlite/actions/build_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
+      with:
+        language: go
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        sanitizer: ${{ matrix.sanitizer }}
+    - name: Run Fuzzers (${{ matrix.sanitizer }})
+      id: run
+      uses: google/clusterfuzzlite/actions/run_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        fuzz-seconds: 300
+        mode: 'code-change'
+        sanitizer: ${{ matrix.sanitizer }}
+        output-sarif: true
+        parallel-fuzzing: true

.github/workflows/codeql-analysis.yml

@@ -4,6 +4,7 @@
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
 name: "CodeQL"
+permissions: {}
 
 on:
   push:
@@ -16,8 +17,17 @@ on:
 
 jobs:
   analyze:
+    if: ${{ github.actor != 'dependabot[bot]' }}
+
     name: Analyze
     runs-on: ubuntu-latest
+    # Adding this block will overridw default values to None if not specified in the block
+    # https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+    permissions:
+      contents: read    # to fetch the code (actions/checkout)
+      actions: read   # to be able to run codeql-actions
+      security-events: write
+      pull-requests: read
 
     strategy:
       fail-fast: false
@@ -30,26 +40,32 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
         fetch-depth: 2
 
+    - name: Setup Go
+      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34
+      with:
+        go-version: '^1.23'
+        check-latest: true
+
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@9a866ed4524fc3422c3af1e446dab8efa3503411
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file. 
+        # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@9a866ed4524fc3422c3af1e446dab8efa3503411
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -63,4 +79,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@9a866ed4524fc3422c3af1e446dab8efa3503411

.github/workflows/docs.yaml

@@ -0,0 +1,28 @@
+name: docs-ci
+
+permissions: {}
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+    paths:
+      - 'docs/**'
+
+jobs:
+  deploy:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38
+        with:
+          python-version: 3.x
+      - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf
+        with:
+          key: ${{ github.ref }}
+          path: .cache
+      - run: pip install mkdocs mkdocs-material markdown-include
+      - run: mkdocs gh-deploy --force

.github/workflows/gh-packages.yaml

@@ -0,0 +1,83 @@
+name: gh-package-deploy
+permissions: {}
+
+on:
+  push:
+    tags:
+      - '*'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: "${{ github.repository }}"
+
+jobs:
+  docker:
+    if: ${{ github.actor != 'dependabot[bot]' }}
+
+    runs-on: ubuntu-latest
+    # Adding this block will overridw default values to None if not specified in the block
+    # https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+    permissions:
+      contents: read
+      actions: read
+      packages: write # to push packages
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34
+        with:
+          # https://www.npmjs.com/package/semver#caret-ranges-123-025-004
+          go-version: '^1.23'
+          check-latest: true
+
+      - name: Login to Github Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions-ecosystem/action-get-latest-tag@b7c32daec3395a9616f88548363a42652b22d435
+        id: get-latest-tag
+
+      - name: Build Skipper Packages
+        run: |
+          cd packaging
+          make build.linux
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+
+      - name: Login to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804
+        id: meta
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern=v{{version}}
+            type=semver,pattern=v{{major}}.{{minor}}
+          labels: |
+            org.opencontainers.image.licenses=Apache-2.0
+            org.opencontainers.image.vendor=Zalando SE
+
+      - name: Build and push
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
+        with:
+          context: ./packaging
+          build-args: BASE_IMAGE=golang:alpine
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/master.yaml

@@ -3,23 +3,35 @@ on:
   push:
     branches:
       - master
+permissions: {}
+env:
+  TESTCONTAINERS_RYUK_DISABLED: true
 jobs:
   tests:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34
         with:
           # https://www.npmjs.com/package/semver#caret-ranges-123-025-004
-          go-version: '^1.17'
+          go-version: "^1.23"
+          check-latest: true
       - run: go version
-      - run: sudo apt-get install redis-server
       - run: make deps
       - run: make check-fmt
-      - run: make build
       - run: make vet
       - run: make staticcheck
       - run: make check-race
-      - run: make cicheck
-      - run: make gosec
-      - run: make publish-coverage
+      - run: make osv-scanner
+      - run: make govulncheck
+      - run: make capslock
+      - run: make coverprofile
+      - name: Convert coverage to lcov
+        uses: jandelgado/gcov2lcov-action@4e1989767862652e6ca8d3e2e61aabe6d43be28b
+      - name: Coveralls
+        uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          path-to-lcov: coverage.lcov