feat: add github actions

.github/workflows/main.yaml

@@ -0,0 +1,87 @@
+name: main
+
+on:
+  workflow_dispatch:
+  push:
+
+env:
+  APP_NAME: iam-runtime-static
+  IMAGE_REPO: ghcr.io/metal-toolbox/iam-runtime-static
+
+jobs:
+  setup:
+    name: ⚙️ setup
+    runs-on: ubuntu-latest
+    outputs:
+      image_tag: ${{ github.run_number }}-${{ steps.shortsha.outputs.short-sha }}
+      image_repo: ${{ env.IMAGE_REPO }}
+      app_name: ${{ env.APP_NAME }}
+    steps:
+      - id: shortsha
+        uses: metal-toolbox/ci-toolbox/actions/short-sha@v0.0.1
+
+  lint:
+    name: 📎 lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: metal-toolbox/ci-toolbox/actions/golangci-lint@v0.0.1
+
+  test:
+    name: 🧪 test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: metal-toolbox/ci-toolbox/actions/setup-go@v0.0.1
+      - name: tests
+        run: go test -cover -race ./...
+
+  build-go:
+    name: 🏗️ build go
+    runs-on: ubuntu-latest
+    env:
+      CGO_ENABLED: 0
+      GOOS: linux
+    steps:
+      - uses: metal-toolbox/ci-toolbox/actions/setup-go@v0.0.1
+      - name: build
+        run: go build -buildvcs=false -mod=mod -a -o bin/${{ env.APP_NAME }}
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: ${{ env.APP_NAME }}-bin
+          path: bin/${{ env.APP_NAME }}
+    outputs:
+      artifact-name: ${{ env.APP_NAME }}-bin
+
+  build-docker:
+    name: 🐳 build and publish docker image
+    needs:
+      - setup
+      - build-go
+      - lint
+      - test
+    permissions:
+      contents: write
+      id-token: write
+      packages: write
+    uses: metal-toolbox/ci-toolbox/.github/workflows/build-docker.yaml@v0.0.1
+    with:
+      artifact-name: ${{ needs.build-go.outputs.artifact-name }}
+      artifact-path: bin
+      user: ${{ github.actor }}
+      image-repo: ${{ needs.setup.outputs.image_repo }}
+      image-tag: ${{ needs.setup.outputs.image_tag }}
+      build-args: |
+        NAME=${{ needs.setup.outputs.app_name }}
+    secrets: inherit
+
+  trivy-scan:
+    name: 🔍 scan image
+    needs:
+      - build-docker
+      - setup
+    permissions:
+      contents: read
+      security-events: write
+    uses: metal-toolbox/ci-toolbox/.github/workflows/trivy.yaml@v0.0.1
+    with:
+      scan-type: image
+      image-ref: ${{ needs.setup.outputs.image_repo }}:${{ needs.setup.outputs.image_tag }}

.golangci.yml

@@ -1,61 +1,56 @@
-linters-settings:
-  goimports:
-    local-prefixes: github.com/metal-toolbox/iam-runtime-static
-
-run:
-  # default timeout is 1m
-  timeout: 3m
-
+version: "2"
 linters:
   enable:
-    # default linters
-    - errcheck
-    - gosimple
-    - govet
-    - ineffassign
-    - staticcheck
-    - typecheck
-    - unused
-
-    # additional linters
     - bodyclose
+    - err113
     - gocritic
     - gocyclo
-    - goerr113
-    - gofmt
-    - goimports
-    - gomnd
-    - govet
     - misspell
+    - mnd
     - noctx
     - revive
-    - stylecheck
+    - staticcheck
     - whitespace
-    - wsl
-    - paralleltest
-
-    # - bod
-issues:
-  exclude:
-    # Default excludes from `golangci-lint run --help` with EXC0002 removed
-    # EXC0001 errcheck: Almost all programs ignore errors on these functions and in most cases it's ok
-    - Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*print(f|ln)?|os\.(Un)?Setenv). is not checked
-    # EXC0002 golint: Annoying issue about not having a comment. The rare codebase has such comments
-    # - (comment on exported (method|function|type|const)|should have( a package)? comment|comment should be of the form)
-    # EXC0003 golint: False positive when tests are defined in package 'test'
-    - func name will be used as test\.Test.* by other packages, and that stutters; consider calling this
-    # EXC0004 govet: Common false positives
-    - (possible misuse of unsafe.Pointer|should have signature)
-    # EXC0005 staticcheck: Developers tend to write in C-style with an explicit 'break' in a 'switch', so it's ok to ignore
-    - ineffective break statement. Did you mean to break out of the outer loop
-    # EXC0006 gosec: Too many false-positives on 'unsafe' usage
-    - Use of unsafe calls should be audited
-    # EXC0007 gosec: Too many false-positives for parametrized shell calls
-    - Subprocess launch(ed with variable|ing should be audited)
-    # EXC0008 gosec: Duplicated errcheck checks
-    - (G104|G307)
-    # EXC0009 gosec: Too many issues in popular repos
-    - (Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)
-    # EXC0010 gosec: False positive is triggered by 'src, err := ioutil.ReadFile(filename)'
-    - Potential file inclusion via variable
-  exclude-use-default: false
+    - wsl_v5
+  exclusions:
+    generated: lax
+    rules:
+      - path: (.+)\.go$
+        text: Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*print(f|ln)?|os\.(Un)?Setenv). is not checked
+      - path: (.+)\.go$
+        text: func name will be used as test\.Test.* by other packages, and that stutters; consider calling this
+      - path: (.+)\.go$
+        text: (possible misuse of unsafe.Pointer|should have signature)
+      - path: (.+)\.go$
+        text: ineffective break statement. Did you mean to break out of the outer loop
+      - path: (.+)\.go$
+        text: Use of unsafe calls should be audited
+      - path: (.+)\.go$
+        text: Subprocess launch(ed with variable|ing should be audited)
+      - path: (.+)\.go$
+        text: (G104|G307)
+      - path: (.+)\.go$
+        text: (Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)
+      - path: (.+)\.go$
+        text: Potential file inclusion via variable
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - gofumpt
+    - goimports
+  settings:
+    gofumpt:
+      extra-rules: true
+    goimports:
+      local-prefixes:
+        - go.metalkube.net/gov-okta-addon
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

cmd/serve.go

@@ -36,7 +36,7 @@ func init() {
 	viperBindFlag("policy", serveCmd.Flags().Lookup("policy"))
 }
 
-func serve(_ context.Context, v *viper.Viper) error {
+func serve(ctx context.Context, v *viper.Viper) error {
 	c := make(chan os.Signal, 1)
 	signal.Notify(c, os.Interrupt)
 
@@ -60,7 +60,9 @@ func serve(_ context.Context, v *viper.Viper) error {
 	authorization.RegisterAuthorizationServer(grpcSrv, iamSrv)
 	authentication.RegisterAuthenticationServer(grpcSrv, iamSrv)
 
-	listener, err := net.Listen("unix", socketPath)
+	listenCfg := &net.ListenConfig{}
+
+	listener, err := listenCfg.Listen(ctx, "unix", socketPath)
 	if err != nil {
 		logger.Fatalw("failed to listen", "error", err)
 	}

go.mod

@@ -1,42 +1,36 @@
 module github.com/metal-toolbox/iam-runtime-static
 
-go 1.21.6
+go 1.26.0
 
 require (
-	github.com/metal-toolbox/iam-runtime v0.3.0
+	github.com/metal-toolbox/iam-runtime v0.4.1
 	github.com/mitchellh/go-homedir v1.1.0
-	github.com/spf13/cobra v1.7.0
-	github.com/spf13/pflag v1.0.5
-	github.com/spf13/viper v1.17.0
-	github.com/stretchr/testify v1.8.4
-	go.uber.org/zap v1.26.0
-	google.golang.org/grpc v1.58.3
+	github.com/spf13/cobra v1.10.2
+	github.com/spf13/pflag v1.0.10
+	github.com/spf13/viper v1.21.0
+	github.com/stretchr/testify v1.11.1
+	go.uber.org/zap v1.27.1
+	google.golang.org/grpc v1.78.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/magiconair/properties v1.8.7 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/sagikazarmark/locafero v0.3.0 // indirect
-	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
-	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/afero v1.10.0 // indirect
-	github.com/spf13/cast v1.5.1 // indirect
+	github.com/sagikazarmark/locafero v0.12.0 // indirect
+	github.com/spf13/afero v1.15.0 // indirect
+	github.com/spf13/cast v1.10.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/net v0.50.0 // indirect
+	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
-	gopkg.in/ini.v1 v1.67.0 // indirect
 )