While the Caddy project has had very few valid security bug reports over the years, we have a low signal-to-noise ratio with them (lots of invalid reports). Most are out of scope, and it can take too much valuable time for us to determine that. We would prefer researchers do this first. Hopefully these paragraphs spell out much more clearly what we do and don't accept.
We decided that we'll use branches like `2.4` as the target for any changes that we might want to release in a `2.4.x` version like `2.4.1`, so that we can continue to merge changes targeting the next minor release (e.g. `2.5.0`) on master.
Our CI config wasn't set up for this to work properly though, since it was only running checks on PRs targeting master. This should fix it.
I couldn't find a way to do a pattern to only match digits for the branch names from GitHub's docs; it just looks like a pretty generic glob syntax. But this should do until we get to 3.0.
* ci: Use golangci's github action for linting
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix most of the staticcheck lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the prealloc lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the misspell lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the varcheck lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the errcheck lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the bodyclose lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the deadcode lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the unused lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the gosec lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the gosimple lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the ineffassign lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the staticcheck lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Revert the misspell change, use a neutral English
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Remove broken golangci-lint CI job
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Re-add errantly-removed weakrand initialization
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* don't break the loop and return
* Removing extra handling for null rootKey
* unignore RegisterModule/RegisterAdapter
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* single-line log message
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* Fix lint after a1808b0dbf209c615e438a496d257ce5e3acdce2 was merged
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Revert ticker change, ignore it instead
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Ignore some of the write errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Remove blank line
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Use lifetime
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* close immediately
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* Preallocate configVals
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Update modules/caddytls/distributedstek/distributedstek.go
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* ci: Try Go 1.15 RC1 out of curiosity
* Go 1.15 was released; let's try it
* Update to latest quic-go
* Attempt at fixing broken test
Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
* ci: include tracking of GOOS for which Caddy fails to build
* ci: split cross-build check into separate workflow
* ci: cross-build check: make it clear the cross-build check is not a blocker
* ci: cross-build check: set annotation instead of failing the build
* ci: cross-build check: explicitly set continue-on-error to force success marker
* ci: cross-build check: send stderr to /dev/null
* ci: Simplify workflow names
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* ci: lay out foundation for s390x tests
* ci: uncomment the s390x test script & replace placeholders with real values
* ci: amend the s390x test job name to be more consistent with others
* matcher: Add `split_path` option to file matcher; used in php_fastcgi
* matcher: Skip try_files split if not the final part of the filename
* matcher: Add MatchFile tests
* matcher: Clarify SplitPath godoc
* ci: Enable GoReleaser .deb support
* ci: Test .deb build
* ci: Fix typo
* ci: Turn off snapshot (breaks due to go mod edit)
* ci: Force the tag to rc3 for now
* ci: Let's try to publish the .debs
* ci: Attempt to enable build cache, rebuild after fixed line endings
* ci: Fix yml dupe ID issue, add caddy-api.service
* ci: Split cache keys between files so they're separate
* ci: Fix bindir
* ci: Update the script files
* ci: Retrigger
* ci: Push to gemfury
* ci: Use loop, fix bad env var
* ci: Retrigger
* ci: Try to force blank password?
* ci: Check if the token is actually present
* ci: Cleanup, remove debugging stuff
* ci: Remove useless comment
* ci: Let's see if caching GOCACHE helps...
* ci: Use GOCACHE env instead (fixes windows), remove build -a
* ci: Hack to pull the GOCACHE env up to CI vars
* ci: Change cache key (mainly to wipe cache now)
* docs: Pull contributing document from v1 branch
* Update .github/CONTRIBUTING.md
Co-Authored-By: Matt Holt <mholt@users.noreply.github.com>
* docs: [Responsible -> Coordinated] Disclosure
* docs: Link to the new security policy page
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* chore: ci: preliminary CD support
* chore: ci: split release process into its own workflow
* chore: ci: cleanup the ci.yml and .goreleaser.yml
* chore: ci: unshallowify the clone before searching for the closest tag
* chore: tidy up goreleaser config & the release githubaction
* chore: add --no-tty to gpg args
* chore: more gpg args
* chore: try with default gpg args by goreleaser
* chore: gpg...
* chore: set GPG_TTY
* chore: preset gpg conf
* Apply suggestions from code review
chore: tidy up the .goreleaser.yml
Co-Authored-By: Dave Henderson <dhenderson@gmail.com>
* chore: gpg debugging
* chore: set and export the tty for gpg
* chore: gpg..
* chore: use the exact same line from goreleaser-action README for signing
* chore: remove signing stanzas from ymls
* chore: clean up the release action for final submission
* quote the arguments of echo
Co-Authored-By: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Dave Henderson <dhenderson@gmail.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* WIP: Trying to make a new branch
* Create fuzzing.yml
* Update ci.yml
* Try using reviewdog for golangci-lint
* Only run lint on ubuntu
* Whoops, wrong matrix variable
* Let's try just ubuntu for the moment
* Remove integration tests
* Let's see what the tree looks like (where's the binary)
* Let's plant a tree
* Let's look at another tree
* Burn the tree
* Let's build in the right dir
* Turn on publishing artifacts
* Add gobin to path
* Try running golangci-lint earlier
* Try running golangci-lint on its own, with checkout@v1
* Try moving golangci-lint back into ci.yml as a separate job
* Turn off azure-pipelines
* Remove the redundant name, see how it looks
* Trim down the naming some more
* Turn on windows and mac
* Try to fix windows build, cleanup
* Try to fix strange failure on windows
* Print out the coerce reason
* Apparently $? is 'True' on Windows, not 1 or 0
* Try setting CGO_ENABLED as an env in yml
* Try enabling/fixing the fuzzer
* Print out github event to check, fix step name
* Fuzzer needs the code
* Add GOBIN to PATH for fuzzer
* Comment out fork condition, left in case we want it again
* Remove obsolete comment
* Comment out the coverage/test conversions for now
* Set continue-on-error: true for fuzzer, it runs out of mem
* Add some clarification to the retained commented sections