add github action for coverage, lint and vulnerability

.github/workflows/docker-build-publish.yaml

@@ -110,7 +110,19 @@ jobs:
           go version
           rm -rf example
           go test -v -race -covermode=atomic -coverprofile=coverage.out ./...
-          go tool cover -html=coverage.out -o coverage.html
+
+      # This action uploads coverage to Codecov.
+      # https://github.com/codecov/codecov-action
+      -
+        name: Upload coverage to Codecov
+        id: go-coverage
+        uses: codecov/codecov-action@v3
+        with:
+          files: ./coverage.out
+          flags: unittests
+          fail_ci_if_error: true
+          verbose: true
+          version: "latest"
 
       # The Github action runs CIS Dockerfile benchmark against dockerfiles in repository (CIS 4.1, 4.2, 4.3, 4.6, 4.7, 4.9, 4.10)
       # https://github.com/sysdiglabs/benchmark-dockerfile

.github/workflows/github-releases.yaml

@@ -15,3 +15,4 @@ jobs:
     - uses: ncipollo/release-action@v1
       with:
         generateReleaseNotes: true
+        skipIfReleaseExists: true

.github/workflows/lint.yaml

@@ -0,0 +1,85 @@
+name: lint
+
+on:
+  # If any commit message in your push or the HEAD commit of your PR contains the strings
+  # [skip ci], [ci skip], [no ci], [skip actions], or [actions skip]
+  # workflows triggered on the push or pull_request events will be skipped.
+  # https://github.blog/changelog/2021-02-08-github-actions-skip-pull-request-and-push-workflows-with-skip-ci/
+  push:
+    branches: [ master ]
+    # Publish semver tags as releases.
+    tags: [ 'v[0-9]+.[0-9]+.[0-9]+' ]
+  # If any commit message in your push or the HEAD commit of your PR contains the strings
+  # [skip ci], [ci skip], [no ci], [skip actions], or [actions skip]
+  # workflows triggered on the push or pull_request events will be skipped.
+  # https://github.blog/changelog/2021-02-08-github-actions-skip-pull-request-and-push-workflows-with-skip-ci/
+  pull_request:
+    branches: [ master ]
+
+env:
+  GOLANG_VERSION: ^1.19
+
+jobs:
+  # This job runs golangci-lint and reports issues from linters.
+  # https://github.com/golangci/golangci-lint-action
+  golangci-lint:
+    name: golangci-lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Setup Golang
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        # continue-on-error: true
+        with:
+          # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
+          version: "latest"
+          # Optional: golangci-lint command line arguments.
+          args: --issues-exit-code=0 -c ./.golangci.yml
+
+  # This job runs markdownlint and reports issues from linters.
+  # https://github.com/DavidAnson/markdownlint-cli2-action
+  markdownlint:
+    name: markdownlint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: markdownlint
+        uses: DavidAnson/markdownlint-cli2-action@v7
+        continue-on-error: true
+        with:
+          globs: |
+            README.md
+            CHANGELOG.md
+            docs/*.md
+
+  CodeQL:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['go']
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

.golangci.yml

@@ -1,6 +1,31 @@
 linters-settings:
   errcheck:
-    ignore: fmt:.*,glg:.*
+    ignore: "fmt:.*,github.com/kpango/glg:.*"
 issues:
-  exclude:
-    - Error return value of .(glg.(Info|Log|Debug|Warn|Error|Success|Fail|Print|Println|CustomLog)f?). is not checked
+  max-same-issues: 0
+  # exclude:
+  #   - Error return value of .(glg.(Info|Log|Debug|Warn|Error|Success|Fail|Print|Println|CustomLog)f?). is not checked
+linters:
+  presets:
+    # - bugs
+    - comment
+    # - complexity
+    # - error
+    # - format
+    # - import
+    # - metalinter
+    - module
+    - performance
+    # - sql
+    # - style
+    # - test
+    - unused
+  disable:
+    - varcheck
+    - deadcode
+    - structcheck
+    - maligned
+    - dupword
+    - godox
+    - gomoddirectives
+    - bodyclose

Makefile

@@ -2,7 +2,10 @@ GO_VERSION:=$(shell go version)
 
 .PHONY: all clean bench bench-all profile lint test contributors update install
 
-all: clean install lint test bench
+all: build
+
+build:
+	go build
 
 clean:
 	go clean ./...
@@ -29,7 +32,7 @@ deps: clean
 	rm -rf vendor
 
 lint:
-	gometalinter --enable-all . | rg -v comment
+	golangci-lint run -c ./.golangci.yml
 
 test: clean init
 	GO111MODULE=on go test --race -v ./...

README.md

@@ -9,37 +9,38 @@
 
 ![logo](./images/logo.png)
 
-<!-- TOC insertAnchor:false -->
+<!-- TOC -->
 
 - [What is Athenz client sidecar](#what-is-athenz-client-sidecar)
-    - [Get Athenz N-token from client sidecar](#get-athenz-n-token-from-client-sidecar)
-    - [Get Athenz Access Token from client sidecar](#get-athenz-access-token-from-client-sidecar)
-    - [Get Athenz Role Token from client sidecar](#get-athenz-role-token-from-client-sidecar)
-    - [Proxy HTTP request (add corresponding Athenz authorization token)](#proxy-http-request-add-corresponding-athenz-authorization-token)
+  - [Get Athenz N-token from client sidecar](#get-athenz-n-token-from-client-sidecar)
+  - [Get Athenz Access Token from client sidecar](#get-athenz-access-token-from-client-sidecar)
+  - [Get Athenz Role Token from client sidecar](#get-athenz-role-token-from-client-sidecar)
+  - [Proxy HTTP request (add corresponding Athenz authorization token)](#proxy-http-request-add-corresponding-athenz-authorization-token)
 - [Use Case](#use-case)
 - [Specification](#specification)
-    - [Get N-token from Athenz through client sidecar](#get-n-token-from-athenz-through-client-sidecar)
-    - [Get access token from Athenz through client sidecar](#get-access-token-from-athenz-through-client-sidecar)
-    - [Get role token from Athenz through client sidecar](#get-role-token-from-athenz-through-client-sidecar)
-    - [Get service certificate from Athenz through client sidecar](#get-service-certificate-from-athenz-through-client-sidecar)
-    - [Proxy requests and append N-token authentication header](#proxy-requests-and-append-n-token-authentication-header)
-    - [Proxy requests and append role token authentication header](#proxy-requests-and-append-role-token-authentication-header)
+  - [Get N-token from Athenz through client sidecar](#get-n-token-from-athenz-through-client-sidecar)
+  - [Get access token from Athenz through client sidecar](#get-access-token-from-athenz-through-client-sidecar)
+  - [Get role token from Athenz through client sidecar](#get-role-token-from-athenz-through-client-sidecar)
+  - [Get service certificate from Athenz through client sidecar](#get-service-certificate-from-athenz-through-client-sidecar)
+  - [Proxy requests and append N-token authentication header](#proxy-requests-and-append-n-token-authentication-header)
+  - [Proxy requests and append role token authentication header](#proxy-requests-and-append-role-token-authentication-header)
 - [Configuration](#configuration)
 - [Developer Guide](#developer-guide)
-    - [Example code](#example-code)
-        - [Get N-token from client sidecar](#get-n-token-from-client-sidecar)
-        - [Get access token from client sidecar](#get-access-token-from-client-sidecar)
-        - [Get role token from client sidecar](#get-role-token-from-client-sidecar)
-        - [Get service certificate from client sidecar](#get-service-certificate-from-client-sidecar)
-        - [Proxy request through client sidecar (append N-token)](#proxy-request-through-client-sidecar-append-n-token)
-        - [Proxy request through client sidecar (append role token)](#proxy-request-through-client-sidecar-append-role-token)
+  - [Example code](#example-code)
+    - [Get N-token from client sidecar](#get-n-token-from-client-sidecar)
+    - [Get access token from client sidecar](#get-access-token-from-client-sidecar)
+    - [Get role token from client sidecar](#get-role-token-from-client-sidecar)
+    - [Get service certificate from client sidecar](#get-service-certificate-from-client-sidecar)
+    - [Proxy request through client sidecar (append N-token)](#proxy-request-through-client-sidecar-append-n-token)
+    - [Proxy request through client sidecar (append role token)](#proxy-request-through-client-sidecar-append-role-token)
 - [Deployment Procedure](#deployment-procedure)
 - [License](#license)
 - [Contributor License Agreement](#contributor-license-agreement)
 - [About releases](#about-releases)
 - [Authors](#authors)
 
 <!-- /TOC -->
+<!--markdownlint-disable MD013-->
 
 ## What is Athenz client sidecar
 
@@ -638,8 +639,8 @@ Note that only for contributions to the `athenz-client-sidecar` repository on th
 ## About releases
 
 - Releases
-    - [![GitHub release (latest by date)](https://img.shields.io/github/v/release/AthenZ/athenz-client-sidecar?style=flat-square&label=Github%20version)](https://github.com/AthenZ/athenz-client-sidecar/releases/latest)
-    - [![Docker Image Version (tag latest)](https://img.shields.io/docker/v/athenz/athenz-client-sidecar/latest?style=flat-square&label=Docker%20version)](https://hub.docker.com/r/athenz/athenz-client-sidecar/tags)
+  - [![GitHub release (latest by date)](https://img.shields.io/github/v/release/AthenZ/athenz-client-sidecar?style=flat-square&label=Github%20version)](https://github.com/AthenZ/athenz-client-sidecar/releases/latest)
+  - [![Docker Image Version (tag latest)](https://img.shields.io/docker/v/athenz/athenz-client-sidecar/latest?style=flat-square&label=Docker%20version)](https://hub.docker.com/r/athenz/athenz-client-sidecar/tags)
 
 ## Authors
 
@@ -648,4 +649,3 @@ Note that only for contributions to the `athenz-client-sidecar` repository on th
 - [TakuyaMatsu](https://github.com/TakuyaMatsu)
 - [tatyano](https://github.com/tatyano)
 - [WindzCUHK](https://github.com/WindzCUHK)
-

config/config.go

@@ -317,7 +317,7 @@ func GetActualValue(val string) string {
 	return val
 }
 
-// checkPrefixAndSuffix checks if the str has prefix and suffix
+// checkPrefixAndSuffix checks if the str has prefix and suffix.
 func checkPrefixAndSuffix(str, pref, suf string) bool {
 	return strings.HasPrefix(str, pref) && strings.HasSuffix(str, suf)
 }

config/config_test.go

@@ -97,7 +97,7 @@ func TestNew(t *testing.T) {
 					AthenzCAPath:        "_athenz_root_ca_",
 					CertPath:            "_client_cert_path_",
 					CertKeyPath:         "_client_cert_key_path_",
-					Expiry:              "30m",
+					RefreshPeriod:       "30m",
 				},
 				RoleToken: RoleToken{
 					Enable:              true,
@@ -106,7 +106,7 @@ func TestNew(t *testing.T) {
 					AthenzCAPath:        "_athenz_root_ca_",
 					CertPath:            "_client_cert_path_",
 					CertKeyPath:         "_client_cert_key_path_",
-					Expiry:              "30m",
+					RefreshPeriod:       "30m",
 				},
 				Proxy: Proxy{
 					Enable:              true,

docs/graceful-shutdown.md

@@ -1,3 +1,3 @@
 # graceful shutdown
 
-reference: https://github.com/AthenZ/authorization-proxy/blob/master/docs/graceful-shutdown.md
+reference: <https://github.com/AthenZ/authorization-proxy/blob/master/docs/graceful-shutdown.md>

infra/buffer.go

@@ -73,7 +73,7 @@ func (b *buffer) Put(buf []byte) {
 	b.pool.Put(buf[:0])
 }
 
-// max is copied from math.Max for uint64 type
+// max is copied from math.Max for uint64 type.
 func max(x, y uint64) uint64 {
 	if x > y {
 		return x

main.go

@@ -30,7 +30,7 @@ import (
 	"github.com/pkg/errors"
 )
 
-// Version is set by the build command via LDFLAGS
+// Version is set by the build command via LDFLAGS.
 var Version string
 
 type params struct {

main_test.go

@@ -94,16 +94,16 @@ func TestParseParams(t *testing.T) {
 	}
 }
 
-// invalid values are added to Config{} in each test case so that the test case can end with server error instead of running indefinitely
+// Test_run adds invalid values to Config{} in each test case so that the test cases can end with server error instead of running indefinitely.
 func Test_run(t *testing.T) {
 	type args struct {
 		cfg config.Config
 	}
 	type test struct {
-		name      string
-		args      args
+		name       string
+		args       args
 		beforeFunc func(os *os.Process)
-		checkFunc func([]error) error
+		checkFunc  func([]error) error
 	}
 	tests := []test{
 		{
@@ -484,12 +484,12 @@ func Test_run(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			proc, err := os.FindProcess(os.Getpid())
 
-			if (tt.beforeFunc != nil) {
-				time.AfterFunc(3 * time.Second, func() {
+			if tt.beforeFunc != nil {
+				time.AfterFunc(3*time.Second, func() {
 					tt.beforeFunc(proc)
 				})
 			}
-			
+
 			if err != nil {
 				t.Fatalf("os.FindProcess(os.Getpid()) fails: %v", err)
 			}

router/router.go

@@ -30,7 +30,7 @@ import (
 	"github.com/kpango/glg"
 )
 
-//New returns Routed ServeMux
+// New returns Routed ServeMux.
 func New(cfg config.Config, h handler.Handler) *http.ServeMux {
 
 	http.DefaultTransport.(*http.Transport).MaxIdleConnsPerHost = 32