mozilla-services / go-cose

go library for CBOR Object Signing and Encryption (COSE)
Mozilla Public License 2.0

Use a "linter aggregator" for static analysis in pull requests #63

Closed x448 closed 4 years ago

x448 commented 4 years ago

There are 20+ linters available ranging from format checks to security checks.

golangci-lint makes it easy to configure and run dozens of linters.

It was easy to use GitHub Actions Workflow (free feature from GitHub, Inc.) with golangci-lint.

Here's how it looks at fxamacker/cbor configured to run 18 required linters + 5 optional linters.

Auto-updated "linters" badge.svg on README.md indicates if any linter failed:


Screenshot of workflow results shown in pull request provided by @fxamacker


![image](https://user-images.githubusercontent.com/57072051/78592327-8f746f00-780a-11ea-8529-312f45534e35.png)

Using golangci-lint + GitHub Actions Workflow doesn't require signup with 3rd-party vendor. :smile:

g-k commented 4 years ago

:+1: looks nice! I'd be happy to try it out

> Using golangci-lint + GitHub Actions Workflow doesn't require signup with 3rd-party vendor. :smile:

3rd-party actions are currently disabled for this GitHub org, so I think we'd need to review, then fork the actions repo into this org, then see if @hwine or another GH org admin can enable it.

In the meantime, we could run the CLI version in CI.

cc @jvehent re: usage in autograph-* projects to recommend to golang devs at Mozilla for https://github.com/mozilla-services/websec-check/issues/19
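The "run the CLI version in CI" route g-k suggests, combined with the explicit linter set x448 describes, as an added example (not code from the go-cose repo or from this thread): a CircleCI job that runs a pinned golangci-lint CLI from the project's official Docker image, so no GitHub Action is involved. The filename, the image tag, the Go-module layout (`./...`) and the particular linters enabled are assumptions for illustration.

```yaml
# .circleci/config.yml  (added example; filename, image tag and linter set are assumptions)
version: 2.1

jobs:
  lint:
    docker:
      # Official golangci-lint image, pinned to an explicit release so the
      # linter set and its findings do not change underneath the build.
      - image: golangci/golangci-lint:v1.27.0
    steps:
      - checkout
      - run:
          name: golangci-lint
          # --disable-all followed by -E makes the enforced set explicit:
          # a linter not listed here is not run, so a new default linter in a
          # future release cannot silently start failing pull requests.
          command: >
            golangci-lint run --timeout 5m --disable-all
            -E govet -E errcheck -E staticcheck -E gosimple -E unused
            -E ineffassign -E gosec -E gofmt -E goimports -E misspell
            ./...

workflows:
  lint:
    jobs:
      - lint
```

The job fails the pull request on any finding from the enabled linters, which is the "required" behaviour described above; a second job with a different `-E` list can be added for linters whose results should be visible but not blocking. Because the tag `v1.27.0` can be moved by the image publisher, replace it with an `@sha256:` digest for a stronger pin once the image has been reviewed.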

x448 commented 4 years ago

> 3rd party actions are currently disabled for this github org, so I think we'd need to review then fork the actions repo into this org ...

I like the way you think! :+1:

> ... In the meantime, we could run the CLI version in CI.

Although I don't have a CircleCI account, someone who does can cherry-pick from these configs to save time:

Inside Rust Blog - Evaluating GitHub Actions https://blog.rust-lang.org/inside-rust/2019/11/14/evaluating-github-actions.html

hwine commented 4 years ago

> 3rd party actions are currently disabled for this github org,

Actually, they are not available for mozilla-services, as it is billed as a "legacy" account.

x448 commented 4 years ago

@hwine, if we fork 3rd-party actions into this repo, would it remain disabled as a 3rd-party action or would the forked functionality become enabled?

Also, given recent changes to GitHub free accounts and price reductions, does remaining on a legacy account still have advantages that outweigh the disadvantages?

hwine commented 4 years ago

> @hwine, if we fork 3rd-party actions into this repo, would it remain disabled as a 3rd-party action or would the forked functionality become enabled?

We think we may have the ability to enable actions now, but no security review has yet been requested for GitHub Actions.

> Also, given recent changes to GitHub free accounts and price reductions, does remaining on a legacy account still have advantages that outweigh the disadvantages?

Yes. Paid team is more expensive, and free team doesn't have any support (plus other removed features).