Merge branch 'main' into new-irc-pkg

.github/workflows/analysis.yml

@@ -49,6 +49,7 @@ jobs:
     with:
       language: ${{ matrix.language }}
       config-file: './.github/codeql/codeql-config.yml'
+      egress-policy: audit
 
   nancy:
     name: Sonatype Nancy
@@ -85,3 +86,4 @@ jobs:
     with:
       scan-type: 'fs'
       sarif: 'filesystem.sarif'
+      egress-policy: audit

.github/workflows/builder.yml

@@ -99,6 +99,7 @@ jobs:
       go-mips64: ${{ matrix.mips64 }}
       go-mipsle: ${{ matrix.mipsle }}
       artifact-path: ./build/binary/wayback*
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 
@@ -122,6 +123,7 @@ jobs:
       go-arch: ${{ matrix.arch }}
       go-arm: ${{ matrix.arm }}
       artifact-path: build/package/wayback*.deb
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 
@@ -132,6 +134,7 @@ jobs:
       product: wayback
       params: 'make rpm'
       artifact-path: build/package/wayback*.rpm
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 
@@ -145,6 +148,7 @@ jobs:
         build/aur/.SRCINFO
         build/aur/PKGBUILD
         build/aur/wayback*.pkg.tar.zst
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 
@@ -153,8 +157,9 @@ jobs:
     uses: wabarc/.github/.github/workflows/reusable-builder-snap.yml@main
     with:
       product: wayback
-      channel: edge
+      channel: stable
       publish: ${{ github.repository == 'wabarc/wayback' && github.event_name == 'push' }}
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
       snapcraft-token: ${{ secrets.SNAPCRAFT_TOKEN }}
@@ -167,5 +172,6 @@ jobs:
       version: edge
       params: 'make build'
       artifact-path: org.wabarc.wayback-*.x86_64.flatpak
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}

.github/workflows/docker.yml

@@ -54,13 +54,13 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0
         with:
-          egress-policy: block
+          egress-policy: audit
           disable-telemetry: true
           allowed-endpoints: >
             ghcr.io:443
             github.com:443
             api.github.com:443
-            pkg-containers.githubusercontent.com:443
+            *.githubusercontent.com
             docker.io:443
             auth.docker.io:443
             index.docker.io:443
@@ -78,9 +78,7 @@ jobs:
 
       - name: Install Cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
-        with:
-          cosign-release: 'v1.13.1'
+        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
 
       - name: Prepare
         id: prep
@@ -158,14 +156,14 @@ jobs:
             *.cache-from=type=local,src=/tmp/.image-cache/image
             *.cache-to=type=local,dest=/tmp/.image-cache-new/image
 
-      - name: Sign image with a key
+      - name: Siging image
         if: github.event_name != 'pull_request'
         env:
           TAGS: ${{ steps.meta.outputs.tags }}
           COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
           COSIGN_PASSWORD: ${{secrets.COSIGN_PASSPHARSE}}
         run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY ${TAGS}
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${TAGS}
 
       - name: Check manifest
         if: github.event_name != 'pull_request'
@@ -201,14 +199,14 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0
         with:
-          egress-policy: block
+          egress-policy: audit
           disable-telemetry: true
           allowed-endpoints: >
             ghcr.io:443
             github.com:443
             api.github.com:443
             docker.io:443
-            pkg-containers.githubusercontent.com:443
+            *.githubusercontent.com
             auth.docker.io:443
             registry-1.docker.io:443
             production.cloudflare.docker.com:443
@@ -224,9 +222,7 @@ jobs:
 
       - name: Install Cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
-        with:
-          cosign-release: 'v1.13.1'
+        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
 
       - name: Prepare
         id: prep
@@ -304,7 +300,7 @@ jobs:
           COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
           COSIGN_PASSWORD: ${{secrets.COSIGN_PASSPHARSE}}
         run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY ${TAGS}
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${TAGS}
 
       - name: Check manifest
         if: github.event_name != 'pull_request'
@@ -331,11 +327,12 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      #actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     with:
       scan-type: 'image'
       image-ref: '${{ needs.publish.outputs.image }}:${{ needs.publish.outputs.version }}'
       sarif: 'container-standalone.sarif'
+      egress-policy: 'audit'
 
   trivy-bundle:
     name: Trivy for bundle
@@ -344,8 +341,9 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      #actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     with:
       scan-type: 'image'
       image-ref: '${{ needs.allinone.outputs.image }}:${{ needs.allinone.outputs.version }}'
       sarif: 'container-bundle.sarif'
+      egress-policy: 'audit'

.github/workflows/license.yml

@@ -26,3 +26,5 @@ jobs:
   license:
     name: License Checker
     uses: wabarc/.github/.github/workflows/reusable-license.yml@main
+    with:
+      egress-policy: audit

.github/workflows/linter.yml

@@ -25,10 +25,18 @@ jobs:
   super-linter:
     name: Super Linter
     uses: wabarc/.github/.github/workflows/reusable-super-linter.yml@main
+    with:
+      filter-regex-exclude: 'install.sh'
+    permissions:
+      contents: read
+      packages: read
+      statuses: write
 
   golangci:
     name: golangci-lint
     uses: wabarc/.github/.github/workflows/reusable-golangci.yml@main
+    with:
+      egress-policy: audit
 
   shellcheck:
     name: ShellCheck

.github/workflows/pages.yml

@@ -36,7 +36,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0
         with:
-          egress-policy: block
+          egress-policy: audit
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443
@@ -52,7 +52,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Python
-        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: '3.x'
 
@@ -65,10 +65,10 @@ jobs:
           mkdocs build
 
       - name: Upload Pages
-        uses: actions/upload-pages-artifact@253fd476ed429e83b7aae64a92a75b4ceb1a17cf # v1.0.7
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
         with:
           path: 'site'
 
       - name: Deployment
-        uses: actions/deploy-pages@0243b6c10d06cb8e95ed8ee471231877621202c0 # v1.2.4
+        uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4 # v4.0.4
         id: deployment

.github/workflows/testing.yml

@@ -44,7 +44,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ ubuntu-latest, macos-latest, windows-latest ]
-        go: [ "1.18", "1.19", "1.20" ]
+        go: [ "1.19", "1.20", "1.21", "1.22" ]
         include:
           # only update test coverage stats with the most recent go version on linux
           - go: 1.x
@@ -65,6 +65,19 @@ jobs:
           egress-policy: audit
           disable-telemetry: true
 
+      - name: Check out code base
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Check out code base
+        if: github.event_name == 'pull_request'
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
       - name: Set up Go ${{ matrix.go }}.x
         uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v3.3.1
         with:
@@ -87,12 +100,10 @@ jobs:
           chrome-version: stable
 
       - name: Set up Meilisearch
-        if: matrix.os == 'ubuntu-latest'
-        uses: moy2010/meilisearch-github-action@fcc5ef714af0596633665032d459bfb279d3c730 # 0.1.4
+        uses: wabarc/.github/meilisearch@0c62d131c3884390bd63a2b7650a21fe16581bfe
         with:
-          meilisearch-version: ${{ vars.MEILISEARCH_VERSION }}
-          meilisearch-port: ${{ vars.MEILISEARCH_PORT }}
-          meilisearch-api-key: ${{ vars.MEILISEARCH_APIKEY }}
+          master-key: ${{ vars.MEILISEARCH_APIKEY }}
+          port: ${{ vars.MEILISEARCH_PORT }}
 
       - name: Set up Chocolatey
         if: matrix.os == 'windows-latest'
@@ -146,30 +157,12 @@ jobs:
           # echo "$(which you-get)" >> $GITHUB_PATH
           # echo "$(which ffmpeg)" >> $GITHUB_PATH
           # echo "$(which wget)" >> $GITHUB_PATH
-
-      - name: Set environments for Meilisearch
-        if: matrix.os == 'ubuntu-latest'
-        shell: bash
-        run: |
-          # Set env to enable reduxer
+          # Set environments for Meilisearch to enable reduxer
           echo "WAYBACK_MEILI_ENDPOINT=${{ vars.WAYBACK_MEILI_ENDPOINT }}" >> $GITHUB_ENV
           echo "PLAYBACK_MEILI_ENDPOINT=${{ vars.WAYBACK_MEILI_ENDPOINT }}" >> $GITHUB_ENV
           echo "WAYBACK_MEILI_APIKEY=${{ vars.MEILISEARCH_APIKEY }}" >> $GITHUB_ENV
           echo "PLAYBACK_MEILI_APIKEY=${{ vars.MEILISEARCH_APIKEY }}" >> $GITHUB_ENV
 
-      - name: Check out code base
-        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
-        with:
-          fetch-depth: 0
-
-      - name: Check out code base
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-
       - name: Cache go module
         uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
         with:
@@ -192,6 +185,9 @@ jobs:
           make test
           make test-cover
         shell: bash
+        env:
+          CHROMEDP_NO_SANDBOX: true
+          CHROMEDP_WSURLREADTIMEOUT: 60
 
       - name: Upload artifact
         uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
@@ -205,3 +201,6 @@ jobs:
 
       - name: Run integration test
         run: make test-integration
+        env:
+          CHROMEDP_NO_SANDBOX: true
+          CHROMEDP_WSURLREADTIMEOUT: 60

.licenserc.yaml

@@ -6,6 +6,7 @@ header:
   license:
     spdx-id: GPL-3.0-or-later
     copyright-owner: Wayback Archiver
+    software-name: wayback
     content: |
       Copyright 2020 Wayback Archiver. All rights reserved.
       Use of this source code is governed by the GNU GPL v3
@@ -44,3 +45,14 @@ header:
     - 'mkdocs.yml'
 
   comment: on-failure
+
+dependency:
+  files:
+    - go.mod
+  licenses:
+    - name: github.com/multiformats/go-base36
+      version: v0.2.0
+      license: Apache-2.0 OR MIT
+    - name: github.com/multiformats/go-multicodec
+      version: v0.9.0
+      license: Apache-2.0 OR MIT

Makefile

@@ -134,8 +134,7 @@ test: ## Run testing
 
 test-integration: ## Run integration testing
 	@echo 'mode: atomic' > coverage.out
-	@go list ./... | xargs -n1 -I{} sh -c 'CGO_ENABLED=1 go test -race -tags=integration -covermode=atomic -coverprofile=coverage.tmp -coverpkg $(go list ./... | tr "\n" ",") {} && tail -n +2 coverage.tmp >> coverage.out || exit 255'
-	@rm coverage.tmp
+	@CGO_ENABLED=1 go test -race -tags=integration -covermode=atomic -parallel=1 -coverprofile=coverage.out ./...
 
 test-cover: ## Collect code coverage
 	@echo "-> Running go tool cover"